Endpoint Services, Enterprise Connect, What is Apple Enterprise Connect?
This article describes Apple Enterprise Connect and how it can be used on Workspace ONE or Munki-enrolled macOS devices.
Munki Mac Endpoint Management
Workspace ONE Unified Endpoint Management (UEM)
University of Illinois IT Pros leveraging Technology Services Endpoint Service Munki Mac Endpoint Management OR Workspace ONE UEM for macOS support
- General Information
- How does Enterprise Connect work?
- Who can use Enterprise Connect?
- Why should I use Enterprise Connect?
- How do I deploy Enterprise Connect to my Macs?
- What Does the Deployment Include?
- Getting Connected
Apple's Enterprise Connect is a client-side application allowing Macs to connect to the campus Active Directory without the need for binding, greatly reducing the incidence of keychain-related issues.
Enterprise Connect is essentially a Kerberos agent with a graphical interface. Once a user has signed in, Enterprise Connect maintains an Active Directory connection, reestablishing the single sign-on trust at each campus network (re)connection (VPN included).
Currently, only EPS stakeholders using Workspace ONE or Multi-Tenant Munki (or both) are eligible. In addition, the campus contract with Apple stipulates that our Enterprise Connect purchase may only be used with the ad.uillinois.edu domain.
An unbound Mac configured with Enterprise Connect can use a campus NetID password as the login password (allowing the machine to be in compliance with university security standards), leverage single sign-on capabilities, and auto-mount network shares, without being susceptible to locked login keychains and keychain sync issues following campus password changes.
Please note that Enterprise Connect is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments, may yield undesirable results.
Also note that users will still need to change any saved passwords in their login keychain after a password change (e.g., for email clients, Skype for Business, etc.).
For Multi-Tenant Munki stakeholders:
- The Enterprise Connect client and a configuration profile containing settings for the UIUC campus are available in Multi-Tenant Munki at the UIUC repository level.
- Add "Enterprise Connect UIUC Settings" to a manifest, and it will install both the client and the configuration profile.
- The installation requires a logout.
For Workspace ONE stakeholders who are not using Munki: please contact the EPS team for client and profile access.
The deployment involves:
- The Enterprise Connect client installed in /Applications
- A profile which:
  - Pre-populates the ad.uillinois.edu domain in the Enterprise Connect connection dialogue
  - Places a menulet in the Mac menu bar
  - Syncs login and AD passwords
  - Launches the NetID Password Management page when the user selects 'Change Password'
Enterprise Connect preferences can be further configured, either manually or via additional profiles, to auto-mount kerberized network shares. (Note that auto-mounted shares enabled by a profile may not appear in Enterprise Connect's 'Shares' tab.)
After the Enterprise Connect client and profile have been installed, the primary user will sign in to finish the setup.
For Macs already bound to the AD, IT Pros may want to convert mobile accounts to local accounts. Apple has directed us to a third-party script that can be used for this conversion. EPS has not tested this script extensively, so it does carry a 'your mileage may vary' disclaimer. If you are interested in using this script, we recommend testing it in your own environment before applying it to production machines.
Removing AD binding is optional, and may depend on a unit's IT support mechanism.