Skip to content

Directory service configuration (macOS device policy)

With the Directory service configuration you specify an Active Directory domain that a Mac joins when the policy is assigned to it.


If the Active Directory domain you configure here is the same domain you use for the Sophos Central Self Service Portal, the macOS user policy assigned to the Mac is applied to all Active Directory users that log in to the Mac.

General settings

Setting Description
Domain host name The DNS host name of the Active Directory domain to join.
AD administrator name

The credentials of the user account used for connecting to the Active Directory server.

This user must have permissions to add devices to the Active Directory database.

Organizational unit The organizational unit (OU) within the Active Directory database where the joining computer is added.

User experience

Setting Description
Create mobile account

macOS creates a mobile account when a network user logs in for the first time.

With a mobile account, users can log in to the Mac with their Active Directory credentials even when the Mac is not connected to the Active Directory server.

Require confirmation before creating a mobile account The user decides whether to create a mobile account or not.
Force local home folder

Select this check box to force the creation of user profiles on the startup disk. This is required for mobile accounts.

If you clear the check box, pure network home directories are used.

Use UNC path from Active Directory macOS mounts the home folder specified in the Active Directory user account.
Network protocol The protocol for mounting the home folder.
Default user shell

The command-line shell for the user.

If you leave this field empty, /bin/bash is used.



If you change these mapping settings later, users might lose access to previously created files.

Setting Description
UID attribute The Active Directory attribute that is mapped to the unique user ID (UID) in macOS.
User GID attribute The Active Directory attribute that is mapped to the primary group ID in macOS user accounts.
Group GID attribute The Active Directory attribute that is mapped to the group ID in macOS group accounts.


Setting Description
Preferred DC server

The Active Directory domain controller (DC) that is consulted first.

If you leave this field empty, macOS selects the domain controller by site information and controller responsiveness.

Password trust interval in days

Specify how often macOS changes the password of its Active Directory computer account.

If you leave this field empty, macOS changes its password every 14 days.

If you set a value of 0, macOS doesn’t change the password automatically.

  • Forest: Namespace support is turned on. Multiple users with the same login name that exist in different domains of the Active Directory forest can log in.

    Users must enter their login name as DOMAIN\name.

  • Domain: Namespace support is turned off. Users must have a unique login name.
Packet signing

macOS can sign and encrypt the LDAP connections used for Active Directory communication.

  • Allow: macOS decides if to sign and/or encrypt the LDAP connections.
  • Disable: macOS doesn’t sign or encrypt the LDAP connections.
  • Require: macOS always signs and encrypts LDAP connections.
  • SSL/TLS: macOS always uses LDAP over SSL/TLS.
Packet encryption
Multi-domain authentication Users from all domains in the Active Directory forest can log in.
Domain administrator groups

A list of Active Directory groups.

Members of these groups are granted administrative privileges on the Mac.

To add a group, enter the Active Directory domain name, a backslash, and the group account name. For example ADS\Domain Admins.

Entries are case-sensitive.

Restrict DDNS

A list of network interfaces.

By default, macOS uses Dynamic DNS (DDNS) for all network interfaces. To restrict DDNS to certain interfaces, enter their BSD names.

For example to restrict DDNS to the built-in Ethernet port, enter en0.

To enter more than one interface, press Enter after each entry.