Endpoint Services, Apple Enterprise Connect, What is Apple Enterprise Connect?
Systems
Munki Mac Endpoint Management
Workspace ONE Unified Endpoint Management (UEM)
Affected Customers
University of Illinois IT Pros leveraging Technology Services Endpoint Service Munki Mac Endpoint Management OR Workspace ONE UEM for macOS support
Actions
- General Information
- How does Apple Enterprise Connect work?
- Who can use Apple Enterprise Connect?
- Why should I use Apple Enterprise Connect?
- How do I deploy Apple Enterprise Connect to my Macs?
- Getting Connected
General Information
Apple Enterprise Connect (AEC) is a client-side application allowing Macs to connect to the campus Active Directory without the need for binding, greatly reducing the incidence of keychain-related issues.
PLEASE NOTE: Apple has replaced Enterprise Connect with a native single sign-on (SSO) extension.
The SSO extension can be configured on Workspace ONE-enrolled Macs running macOS 10.15 and higher.
macOS 11 (Big Sur) is the last version of macOS on which Enterprise Connect is supported by Apple.
How does Apple Enterprise Connect work?
Apple Enterprise Connect is essentially a Kerberos agent with a GUI interface. Once a user has signed in, AEC maintains an Active Directory connection, reestablishing the single sign-on trust at each campus network (re)connection (VPN included).
Who can use Apple Enterprise Connect?
All campus IT Pros are eligible to use Apple Enterprise Connect, with the following stipulations:
- The campus contract with Apple states that our AEC purchase may only be used with the ad.uillinois.edu domain.
- The EPS team will provide AEC support to EPS stakeholders who use Workspace ONE or Multi-Tenant Munki. Non-stakeholder support inquiries will be addressed on a best-effort basis.
Why should I use Apple Enterprise Connect?
A Mac configured with AEC, whether domain-joined or not, can use a campus netid password as the login password (allowing the machine to be in compliance with university security standards), leverage single sign-on capabilities, and auto-mount network shares, but isn't susceptible to locked login keychains and keychain sync issues following campus password changes.
Please note that AEC is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments, may yield undesirable results.
Also note that users will still need to change any saved passwords in their login keychain after a password change--e.g. for email clients, Skype for Business, etc....
How do I deploy Apple Enterprise Connect to my Macs?
For Multi-Tenant Munki stakeholders:
- "Enterprise Connect" is available at the UIUC repository level.
- A configuration profile containing settings for the UIUC campus is available in Workspace ONE. The profile:
- Pre-populates the ad.uilllinois.edu domain in the AEC connection dialogue
- Places a menulet in the Mac menu bar
- Syncs login and AD passwords
- Launches the NetID Password Management page when the user selects 'Change Password'
- Once the Workspace ONE profile is in place on client machines, add "Enterprise Connect" to your unit Munki manifest(s).
For Workspace ONE stakeholders who are not using Munki, and for non-EPS stakeholders: please contact the EPS team for client and profile access.
AEC preferences can be further configured, either manually or via additional profiles, to auto-mount kerberized network shares. (Note that auto-mounted shares enabled by a profile may not appear in Apple Enterprise Connect's 'Shares' tab.)
Getting Connected
After the Apple Enterprise Connect client and profile have been installed, the primary user will sign in to finish the setup.
For Macs already bound to the AD, IT Pros may want to convert mobile accounts to local accounts. Apple recommends that existing mobile accounts be converted to local accounts, as password syncing works only with local accounts. Mobile accounts using AEC will therefore still encounter keychain issues following campus password changes. Apple has directed us to a third-party script that can be used to convert mobile accounts to local accounts. EPS has not tested this script extensively, so it does carry a 'your mileage may vary' disclaimer. If you are interested in using this script, we recommend testing in your own environment before applying to production machines.
Removing AD binding is optional, and may depend on a unit's IT support mechanism.