What is Apple Enterprise Connect?
This article describes Apple Enterprise Connect and how it can be used on macOS devices.
This article is for University of Illinois IT Pros who use the Technology Services Endpoint Services offerings, Munki Mac Endpoint Management or Workspace ONE Unified Endpoint Management (UEM), for macOS support.
- General Information
- How does Apple Enterprise Connect work?
- Who can use Apple Enterprise Connect?
- Why should I use Apple Enterprise Connect?
- How do I deploy Apple Enterprise Connect to my Macs?
- What Does the Deployment Include?
- Getting Connected
Apple Enterprise Connect (AEC) is a client-side application allowing Macs to connect to the campus Active Directory without the need for binding, greatly reducing the incidence of keychain-related issues.
Apple Enterprise Connect is essentially a Kerberos agent with a graphical interface. Once a user has signed in, AEC maintains the Active Directory connection, reestablishing the single sign-on trust each time the Mac (re)connects to the campus network, VPN included.
All campus IT Pros are eligible to use Apple Enterprise Connect, with the following stipulations:
- The campus contract with Apple states that our AEC purchase may only be used with the ad.uillinois.edu domain.
- The EPS team will provide AEC support to EPS stakeholders who use Workspace ONE or Multi-Tenant Munki. Non-stakeholder support inquiries will be addressed on a best-effort basis.
A Mac configured with AEC, whether domain-joined or not, can use the campus NetID password as the login password (keeping the machine in compliance with university security standards), leverage single sign-on, and auto-mount network shares, without being susceptible to locked login keychains and keychain sync issues after a campus password change.
Please note that AEC is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments, may yield undesirable results.
Also note that users will still need to update any passwords saved in their login keychain after a password change, e.g. for email clients, Skype for Business, etc.
For Multi-Tenant Munki stakeholders:
- The AEC client and a configuration profile containing settings for the UIUC campus are available in Multi-Tenant Munki at the UIUC repository level.
- Add "Enterprise Connect UIUC Settings" to a manifest, and it will install both the client and the configuration profile.
- The installation requires a logout.
For Workspace ONE stakeholders who are not using Munki, and for non-EPS stakeholders: please contact the EPS team for client and profile access.
The deployment involves:
- The Apple Enterprise Connect client installed in /Applications
- A profile which:
  - Pre-populates the ad.uillinois.edu domain in the AEC connection dialogue
  - Places a menulet in the Mac menu bar
  - Syncs login and AD passwords
  - Launches the NetID Password Management page when the user selects 'Change Password'
AEC preferences can be further configured, either manually or via additional profiles, to auto-mount kerberized network shares. (Note that auto-mounted shares enabled by a profile may not appear in Apple Enterprise Connect's 'Shares' tab.)
After the Apple Enterprise Connect client and profile have been installed, the primary user will sign in to finish the setup.
For Macs already bound to the AD, IT Pros may want to convert mobile accounts to local accounts. Apple recommends that existing mobile accounts be converted to local accounts, as password syncing works only with local accounts. Mobile accounts using AEC will therefore still encounter keychain issues following campus password changes. Apple has directed us to a third-party script that can be used to convert mobile accounts to local accounts. EPS has not tested this script extensively, so it does carry a 'your mileage may vary' disclaimer. If you are interested in using this script, we recommend testing in your own environment before applying to production machines.
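A pre-deployment inventory check an IT Pro might run before installing AEC on a previously bound Mac, added here as an example (it is not part of this article, nor the third-party conversion script mentioned above): it classifies user accounts as mobile (AD-cached) or local, since AEC's password sync only covers local accounts. It assumes the `;LocalCachedUser;` AuthenticationAuthority marker and the `OriginalNodeName` attribute that macOS sets on mobile accounts, and the sample records are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Classify a macOS user record as "mobile" (cached AD account) or "local".
# $1 is the dscl text for AuthenticationAuthority and OriginalNodeName.
# Assumption: mobile accounts carry ";LocalCachedUser;" in their
# AuthenticationAuthority and an OriginalNodeName under /Active Directory/.
classify_account() {
  case "$1" in
    *';LocalCachedUser;'*|*'OriginalNodeName: /Active Directory/'*) echo mobile ;;
    *) echo local ;;
  esac
}

# macOS only: print every real user (UID >= 500) on the local node whose
# record marks it as a mobile account. Run with sudo so dscl can read
# AuthenticationAuthority for other users.
mobile_accounts() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' |
  while read -r user; do
    record=$(dscl . -read "/Users/$user" AuthenticationAuthority OriginalNodeName 2>/dev/null)
    if [ "$(classify_account "$record")" = mobile ]; then
      printf '%s\n' "$user"
    fi
  done
}

# Constructed sample records (placeholder GUID/hash values, not real data).
SAMPLE_MOBILE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;LocalCachedUser;/Active Directory/AD/ad.uillinois.edu:jdoe:00000000-0000-0000-0000-000000000000
OriginalNodeName: /Active Directory/AD/ad.uillinois.edu'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.0000;LKDC:SHA1.0000;'

# Stand-alone demo: classify the samples, then list real mobile accounts on a Mac.
printf 'sample mobile record -> %s\n' "$(classify_account "$SAMPLE_MOBILE")"
printf 'sample local record  -> %s\n' "$(classify_account "$SAMPLE_LOCAL")"
if [ "$(uname)" = Darwin ]; then
  echo 'Mobile accounts on this Mac (convert to local before relying on AEC sync):'
  mobile_accounts
fi
```

Any user printed by `mobile_accounts` will keep hitting keychain issues after a campus password change until the account is converted to a local account.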
Removing AD binding is optional, and may depend on a unit's IT support mechanism.