Hi there! Today let’s talk about how you can AD Bind Mac devices easily with Microsoft Intune a.k.a Microsoft Endpoint Manager.
Table of Contents
Prologue
The fun part of working on projects is the opportunity to face new challenges which makes us go back to our lab.
Recently while working on one such project which involves Mac management using Intune natively (no JAMF), I came across a similar situation.
Client Requirement – End-user to be able to sign-in to company-provided Mac devices using their corporate credentials.
Now JAMF solves this with JAMF Connect which allows provisioning a Mac device with a cloud identity and you can also configure if the account provisioned should have local admin rights or not. (Similar to Windows Autopilot experience)
Then there is JumpCloud, an open cloud directory platform with unified endpoint management capabilities, which has its own way of provisioning a Mac with JumpCloud managed identity.
Lastly, there is Apple Business Manager with Federated Authentication support which allows end-users to sign-in to ADE (a.k.a DEP) provisioned Mac devices using their Azure AD credentials.
What if you are not using either of the three as mentioned above?
The only option then that you are left with is to bind those Mac devices to Active Directory to let end-users sign-in using their corporate AD credentials.
But there is still one more problem left…
Microsoft Intune does not have any native configuration to bind Mac devices to Active Directory.
However, it is not entirely impossible! So let’s get started.
What is Directory Binding in Mac?
For a simpler understanding, AD Binding a Mac is essentially the same as what Domain Join is for Windows.
The immediate benefits to this are:
- Users can use their AD account to sign-in to their Mac devices
- Users can use the same AD credentials to authenticate and gain authorization to secure resources
- Users are subjected to the organization’s domain password policies
Why and When to bind Mac devices to Active Directory?
Let’s start with an analogy to Windows 10 in enterprise landscape as a reference.
Windows 10 has the ability to join to
- Active Directory (for enterprise with on-premise infrastructure), or
- Azure Active Directory (for cloud-only setups), or even do a
- Hybrid Azure AD Join during initial setup.
Windows 10 provisioning for enterprise use-case using Windows Autopilot lets you further decide if the end-user account to be provisioned on the device should be a standard user or have local admin rights.
This ensures a single identity, that is either created in
- on-premise active directory,
- on-premise active directory and synced to Azure AD, or
- cloud only created in Azure AD
is used for both accessing the device as well as corporate applications, thereby eliminating the need for multiple accounts – a local account on the device to sign-in to the device itself and then using the corporate identity to access corporate resources.
This benefits the end-user with a streamlined device login experience with a single set of credentials that conforms to the organization restriction policy and can also be easily managed.
However, unlike Windows 10, a Mac device cannot be cloud joined to Azure Active Directory.
Without the involvement of any other tools (ref: JAMF with JAMF Connect or Apple Business Manager with Federated Auth and ADE provisioning), by default, you cannot use a corporate cloud identity to provision a Mac device.
Thus without a streamlined device provisioning process in place that supports the idea of a single identity, the general provisioning of Mac involves the creation of a local administrator account for the user setting up the device for the first time (similar to Windows 10).
The local account is the one that the end-user uses to sign-in to the Mac device and then follow the company instruction to bring the device into a managed state, post which, the SSO solution as implemented takes care of the user accessing corporate resources on the device.
Here you can cearly see the involvement of the two seperate accounts
- an unmanaged local account (that’s also a local admin) on the Mac used to sign-in to the device itself, and
- a managed corporate account that is used to access corporate resources.
The above scenario is quite similar to what we have in Windows 10 in the form of Azure AD Registration [for BYOD], where the end-user signing-in to the Windows 10 device can be a local account or an online personal Microsoft account (local admin) and then the user adds a work account to get access to corporate resources on the device.
Though you do have SSO solutions available for different IDPs that can be implemented to allow end-users to have access to corporate resources from a managed Mac without requiring any additional work by the end-user (the recommended way!), it still does not addresses the actual point – having a single identity.
This is when you decide whether you would want AD Bind your Mac devices or not.
Disclaimer: AD Binding a Mac should be the last resort that you would take to achieve the idea of having a single identity to use Mac devices in the corporate landscape due to the complexities involved and the additional overhead it demands from the IT Support Team in terms of troubleshooting and fixes.
If you decide to go ahead, then read below to know how you can AD Bind Mac devices easily with Microsoft Intune.
But before we get to that, you need to know…
What are the ways to bind a Mac to Active Directory?
As a Mac administrator, you can manually AD Bind a Mac using the Directory Utility Tool (GUI) and steps for the same are already explained by Prajwal Desai in his blog post.
Or, you can use the Terminal if you prefer command line. [Ref: dsconfigad].
Sample Command Format:
dsconfigad -f -a <Computer Name> -u <Service Account> -p <Password> -domain <FQDN> -ou <OU to which this Mac will be added> -preferred <FQDN of preferred DC> -mobile enable
However, both of the above methods as shown are manual which makes it difficult to scale Mac provisioning. However, the use of a Configuration Profile with MDM Directory payload helps to automate AD Binding Macs.
The Configuration Profile can be deployed manually to configure a single Mac or can be distributed via an MDM solution like Microsoft Intune to automate AD Binding of multiple managed Mac computers at once.
The Configuration Profile (.mobileconfig) can be created using Profile Manager which is part of the MacOS Server (paid app!) available in the Apple Store.
If you are intending to leverage complete Mac management using Microsoft Intune, you can use the Profile Manager to easily create Configuration Profiles (.mobileconfig) referencing the different MDM Payload settings available and then repurpose those configurations profiles to be distributed by Microsoft Intune as custom config profiles.
This can prove to be a great workaround to overcome the limitations in terms of features and manageability when it comes to Mac management with Intune.
This is exactly what this blog post will show you today.
Don’t worry. To save you from the cost of purchasing the MacOS Server for maybe a one-time use for testing purposes, this blog post includes a sample XML profile which you can use for free!
How you can AD Bind Mac devices easily with Microsoft Intune
Let’s start by checking the pre-requisites to AD Bind Mac with Intune.
Pre-requisites to AD Bind Mac with Intune
- An Organizational Unit (OU) in your AD to store Mac computer objects.
- Service account in AD which has rights to create, rename computer objects in specified OU.
- Connectivity to Domain Controller from the Mac device(s).
- Microsoft Endpoint Manager tenant with
- MDM authority set to Microsoft Intune, and
- Apple enrollment enabled and in Active state.
- Enrolled Mac device.
Create Configuration Profile with Directory payload using Profile Manager
Open MacOS Server and select Profile Manager on the left side menu.
Click on Open in Safari button beside Profile Manager. In Safari, from the left side menu of Profile Manager select Devices. There should be only one Mac here which is the one you are using. Select the Settings tab and then click on Edit button.
You can leave the General settings as is. On the left bar, scroll and find Directory under MacOS. Click on Configure.
Select Directory Type as Active Directory and from there it’s pretty straightforward. Fill up the details as per your environment. Once done, click on OK.
You will be returned to the initial screen. Click on Save and then you would get the option to Download enabled.
Click on Download and you now have the Configuration Profile (.mobileconfig) that is required.
The next step is to test it on a standalone Mac device by installing it manually to check if it installs successfully. This is because if the configuration profile as created fails to install manually, there is no way that Microsoft Intune would be able to deploy it successfully. As such, it is always a good idea to test the profile manually before deploying it from Intune to save yourself from troubleshooting afterward.
Test the Configuration Profile as created
Transfer the COnfiguration Profile (.mobileconfig) file to a standalone Mac device, double-click on it and you would have the profile available to install from System Preferences > Profiles. Click on the Install button.
The system will prompt to provide Admin credentials to proceed with the profile installation.
The profile installation proceeds once the admin credentials are entered.
Provided that the configuration profile is good and the installation did not encounter any errors, the profile install will complete and you will have the profile installed on the Mac.
Only if the profile gets installed succesfully, we can repurpose it to be deployed to managed Mac devices using an MDM solution like Microsoft Intune.
However, if you do get an error like this, wait for my next blog on the same to help you troubleshoot!
Create an XML from the Configuration Profile (.mobileconfig)
Now this step is optional.
I have seen that one can directly upload a .mobileconfig file to Intune to be used within a Custom profile. However, I have not tasted success in doing so.
As such I prefer to convert the .mobileconfig to an XML file to be used with Microsoft Intune.
For that, you can use any online XML editor, like I have used the one available at tutorialspoint.com
Upload the Configuration Profile (.mobileconfig) file. The XML view of the Configuration profile (.mobileconfig) with Active Directory payload (com.apple.DirectoryService.managed) should look like this.
Copy the section starting from <?xml> to </plist> and use it to create an XML file which we will use to create the profile in Intune.
Create Custom Profile for Mac in Intune
In MEM Admin Center, navigate to Devices > MacOS > Configuration profiles and click on Create Profile. Choose Profile Type as Custom and click on the Create button at the bottom of the page.
- Give a Name and Description as per organization naming convention and click on Next.
- Provide Profile Name to be displayed against the configuration profile to the end-users. This is the name of the profile as displayed on the Mac when you see installed profiles from System Preferences > Profiles.
- Browse to upload the XML file which you created corresponding to the Configuration Profile (.mobileconfig file). On successful upload, click on Next.
- Lastly, you would need to make the necessary assignments for the profile.
When you are done with the above, you can review what has been configured till now and if all seems fine, click on Create. That’s all.
Monitor Profile deployment status from Intune
You can check the status of profile deployment from the monitoring section as shown below.
End-User Experience
This is tested on my M1 Mac mini running Big Sur (11.1).
You can see the profile deployed from Intune (if successful) from System Preferences > Profiles.
Further, on the Mac device, you can check in System Preferences > Users and Groups from Login Options, if Network Account Server displays the correct Domain namespace.
Check in Active Directory Users and Computers, you should see the Mac computer object created in the OU as specified in the Directory payload.
End-user can now sign-in to the Mac device using their associated AD account credentials from the login screen by choosing Others.
In the Directory payload, you can configure and customize the User Experience to enable the creation of a Mobile Account signing-in with your AD account (at login).
The benefit of using a Mobile Account is Credential Caching which allows end-users to log-in to their Mac and work using their AD credentials even when the Mac cannot reach the AD Server.
Consider taking your office Mac back to your home where you connect to the public Internet and there is no corp LAN to provide AD connectivity. For more information, check Set up mobile user accounts.
The Directory payload I configured enables the creation of a Mobile Account at login. As such, you can see the account created for my domain user sign-in is a Mobile account.
Important Consideration
Considering the current remote working scenario, you can bind Mac devices to Active Directory over a VPN connection to provide connectivity to the Domain Controller which is required. However, post completing the directory bind using the local account, when you log-off from the local account to sign-in as a domain user, you will see that it will fail.
This is because the local account log-off causes the VPN connection to drop as a result of which the Mac fails to reach out to the AD to authenticate the domain user sign-in.
The issue is only for remote working scenarios where directory bind is performed over a VPN connection. The solution to this is as below
- Pre create account of domain user
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a <LocalAdminAccount> -U <'LocalAdminPassword'> -n <DomainUserAccount>
- Query AD to cache the user and password
dscacheutil -q user -a name <DomainUserAccount>
- Perform login to the domain user account
login <DomainUserAccount>
Now you can log-off from the local admin account and you should see the Domain Account listed on the login screen which you can use to sign-in.
In the below snap, you can see I am logged in with my domain account (pre-created and pre-cached) even though my Mac now has no connectivity to the domain as you can see from the ping output in Terminal.
The End
Well that was all for today. Happy testing!
If you liked the content, you can rate it on a scale of 1 to 5 with 1 being the lowest and 5 being the best.