Directory
The Directory profile configuration allows you to configure directory services on your devices. You can apply multiple directory servers to your devices including Active Directory, LDAP, or Open Directory servers.
Note: If multiple profiles enforce separate policies on a single device, the most restrictive policy is enforced. If your password policy is being managed by your directory for network users logging into the devices, Apple does not recommend a password policy.
Directory
| Directory Type | Choose a directory type from the dropdown list.
|
| Organizational Unit | Specify the organizational unit of the active directory server.
Note: This option is only applicable when configuring an Active Directory server.
|
Security
| Server Hostname | Enter the IP address or fully qualified domain name of the directory server. |
| Username | Enter the username of the administrator that authenticates and binds the device to the server.
Do not include the domain. Use "administrator" only, not "domain\administrator". Note: This field is mandatory for Active Directory connections.
|
| Password | Enter the password of the administrator used to authenticate and bind the device to the server.
Note: This field is mandatory for Active Directory connections.
|
| Client ID | Enter the identifier associated with the device in the directory. Enter the client ID in macro format.
Supported macros are:
|
User Experience
Note: These settings are only supported for Active Directory servers.
| Configure a mobile account at login | When enabled, user data is hosted locally and device users can log into devices using Active Directory credentials even when not connected to the Active Directory server. |
| Require confirmation before creating mobile account | When enabled, device users must confirm creation of the mobile account.
Note: This option is only available when Configure a mobile account at login is enabled.
|
| Force Local home directory on startup disk | When enabled, the Windows network home folder of the device user is mounted as the macOS home folder when the device user logs in. The device user can copy files between this network volume and the local home folder. |
| Use UNC path | When enabled, you can specify a UNC path from Active Directory to derive the network home location and choose a network protocol (or mount style). |
| Mount Style | Choose which network protocol to use to mount the home directory from the dropdown list.
|
| Default user shell | Enter a path to specify the default command-line shell that device users use when interacting with macOS in Terminal. |
Mapping
Note: These settings are only supported for Active Directory servers.
| Map UID to attribute | Map the unique user ID to an Active Directory attribute |
| Map user GID to attribute | Map the user group ID to an Active Directory attribute |
| Map group GID to attribute | Map the group group ID to an Active Directory attributes |
Administrative
Note: These settings are only supported for Active Directory servers.
| Preferred domain server | Enter the DNS hostname of the Active Directory server. |
| Allow administration | Click Configure to add Active Directory group accounts whose members will have administrator privileges. |
| Allow authentication through any domain in the forest | When enabled, the user is authenticated through any domain in the forest. |
| Namespace | Choose the primary account naming convention based on forest or domain from the dropdown list.
|
| Packet Signing | Choose an option from the dropdown list to specify if all data to and from the Active Directory domain is protected.
|
| Packet Encryption | Choose an option from the dropdown list to specify if all data to and from the Active Directory domain is protected.
|
| Restrict DDNS | Click Configure to specify which network interface to use when updating the Dynamic Domain Name System (DDNS). |
| Password trust interval | Specify how often (in days) the computer account password that is stored in the system keychain is automatically changed by the device. |