Directory service configuration (macOS device policy)

With the Directory service configuration you specify an Active Directory domain that a Mac joins when the policy is assigned to it.

Note: If the Active Directory domain you configure here is the same domain you use for the Self Service Portal, the macOS user policy assigned to the Mac is applied to all Active Directory users that log in to the Mac.

General settings

Setting/Field

Description

Domain host name

The DNS host name of the Active Directory domain to join.

AD administrator name / Password

The credentials of the user account used for connecting to the Active Directory server.

This user must have permissions to add devices to the Active Directory database.

Organizational unit

The organizational unit (OU) within the Active Directory database where the joining computer is added.

User experience

Setting/Field

Description

Create mobile account

macOS creates a mobile account when a network user logs in for the first time.

With a mobile account, users can log in to the Mac with their Active Directory credentials even when the Mac is not connected to the Active Directory server.

Require confirmation before creating a mobile account

The user can decide whether to create a mobile account or not.

Force local home folder

Select this check box to force the creation of user profiles on the startup disk. This is required for mobile accounts.

If you clear the check box, pure network home directories are used.

Use UNC path from Active Directory

macOS mounts the home folder specified in the Active Directory user account.

Network protocol

The protocol for mounting the home folder.

Default user shell

The command-line shell for the user.

If you leave this field empty, /bin/bash is used.

Mapping

Setting/Field

Description

UID attribute

The Active Directory attribute that is mapped to the unique user ID (UID) in macOS.

User GID attribute

The Active Directory attribute that is mapped to the primary group ID in macOS user accounts.

Group GID attribute

The Active Directory attribute that is mapped to the group ID in macOS group accounts.

Important: If you change these mapping settings later, users might lose access to previously created files.

Administrative

Setting/Field

Description

Preferred DC server

The Active Directory domain controller (DC) that is consulted first.

If you leave this field empty, macOS selects the domain controller by site information and controller responsiveness.

Password trust interval in days

Specify how often macOS changes the password of its Active Directory computer account.

If you leave this field empty, macOS changes its password every 14 days.

If you set a value of 0, macOS doesn’t change the password automatically.

Namespace

  • Forest

    Namespace support is turned on. Multiple users with the same login name that exist in different domains of the Active Directory forest can log in.

    Users must enter their login name as DOMAIN\name.

  • Domain

    Namespace support is turned off. Users must have a unique login name.

Packet signing / Packet encryption

macOS can sign and encrypt the LDAP connections used for Active Directory communication.

  • Allow: macOS decides whether to sign and/or encrypt the LDAP connections.
  • Disable: macOS doesn’t sign or encrypt the LDAP connections.
  • Require: macOS always signs and encrypts LDAP connections.
  • SSL/TLS: macOS always uses LDAP over SSL/TLS.

Multi-domain authentication

Users from all domains in the Active Directory forest can log in.

Domain administrator groups

A list of Active Directory groups.

Members of these groups are granted administrative privileges on the Mac.

To enter more than one group, press Enter after each entry.

Restrict DDNS

A list of network interfaces.

By default, macOS uses Dynamic DNS (DDNS) for all network interfaces. To restrict DDNS to certain interfaces, enter their BSD names.

For example, to restrict DDNS to the built-in Ethernet port, enter en0.

To enter more than one interface, press Enter after each entry.
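The Administrative settings above (packet signing and encryption, password trust interval) are the ones that decide whether a bound Mac can be downgraded to unsigned LDAP or keeps a never-rotated computer account password. The following script is an added example, not part of this policy documentation or of the product: it parses a binding report and flags settings that deviate from the hardened values. It assumes the report has the shape of `dsconfigad -show` output on macOS; the SAMPLE text is constructed for offline use.

```shell
#!/bin/sh
# Constructed sample in the shape of `dsconfigad -show` output (assumption:
# the policy fields on this page correspond to these report lines).
# On a real Mac, replace SAMPLE with the live report: REPORT=$(dsconfigad -show)
SAMPLE='You are bound to Active Directory:
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = CORP\mac-admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0
  Restrict Dynamic DNS updates   = en0
  Namespace mode                 = domain'

# ad_value REPORT LABEL: print the value of the "LABEL = value" line (trimmed).
ad_value() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == key { print $2; exit }'
}

# audit_ad_binding REPORT: one FINDING line per weak setting on stdout;
# exit status is the number of findings (0 = binding matches the hardened policy).
audit_ad_binding() {
    report="$1"; findings=0
    sign=$(ad_value "$report" "Packet signing")
    enc=$(ad_value "$report" "Packet encryption")
    interval=$(ad_value "$report" "Password change interval")
    # "Allow" lets the client fall back to unsigned/unencrypted LDAP; only
    # Require (or LDAP over SSL/TLS) rules that downgrade out.
    case "$sign" in
        require|ssl) ;;
        *) echo "FINDING: Packet signing = '$sign' (expected require or ssl)"
           findings=$((findings + 1)) ;;
    esac
    case "$enc" in
        require|ssl) ;;
        *) echo "FINDING: Packet encryption = '$enc' (expected require or ssl)"
           findings=$((findings + 1)) ;;
    esac
    # A trust interval of 0 means the computer account password is never rotated.
    if [ "$interval" = "0" ]; then
        echo "FINDING: Password change interval = 0 (computer password never rotated)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

audit_ad_binding "$SAMPLE" || echo "binding deviates from policy ($? finding(s))"
```

The constructed sample produces three findings; a report with Require/Require and a non-zero interval produces none.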