This article describes Apple Enterprise Connect and how it can be used on macOS devices.
Applies to: Munki Mac Endpoint Management; Workspace ONE Unified Endpoint Management (UEM); University of Illinois IT Pros leveraging Technology Services Endpoint Service (EPS) Munki Mac Endpoint Management or Workspace ONE UEM for macOS support.
Apple Enterprise Connect (AEC) is a client-side application allowing Macs to connect to the campus Active Directory without the need for binding, greatly reducing the incidence of keychain-related issues.
Apple Enterprise Connect is essentially a Kerberos agent with a graphical interface. Once a user has signed in, AEC maintains an Active Directory connection, re-establishing the single sign-on trust at each campus network (re)connection (VPN included).
A Mac configured with AEC, whether domain-joined or not, can use a campus NetID password as the login password (allowing the machine to comply with university security standards), leverage single sign-on capabilities, and auto-mount network shares, but is not susceptible to locked login keychains and keychain sync issues following campus password changes.
All campus IT Pros are eligible to use Apple Enterprise Connect, with the following stipulations:
Please note that AEC is only supported for one-to-one Mac deployments with a single primary user. It is not intended for shared or lab machines, and if deployed in such environments it may yield undesirable results.
Also note that users will still need to change any saved passwords in their login keychain after a password change, e.g. for email clients, Skype for Business, etc.
For Multi-Tenant Munki stakeholders:
For Workspace ONE stakeholders who are not using Munki, and for non-EPS stakeholders: please contact the EPS team for client and profile access.
AEC preferences can be further configured, either manually or via additional profiles, to auto-mount Kerberized network shares. (Note that auto-mounted shares enabled by a profile may not appear in Apple Enterprise Connect's 'Shares' tab.)
After the Apple Enterprise Connect client and profile have been installed, the primary user will sign in to finish the setup.
For Macs already bound to the AD, IT Pros may want to convert mobile accounts to local accounts. Apple recommends that existing mobile accounts be converted to local accounts, as password syncing works only with local accounts. Mobile accounts using AEC will therefore still encounter keychain issues following campus password changes. Apple has directed us to a third-party script that can be used to convert mobile accounts to local accounts. EPS has not tested this script extensively, so it does carry a 'your mileage may vary' disclaimer. If you are interested in using this script, we recommend testing in your own environment before applying to production machines.
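Before deciding whether to run a conversion script, an IT Pro first needs to know which accounts on a bound Mac are actually mobile (cached Active Directory) accounts. The following shell script is an added example written for this article, not the third-party script Apple referenced and not EPS tooling. It relies only on the standard macOS `dscl` directory tool: a mobile account's `AuthenticationAuthority` attribute carries the `;LocalCachedUser;` tag and its record has an `OriginalNodeName` pointing at the AD node, which is what the script keys on. The classification logic is kept in its own function so it can be exercised offline with constructed attribute strings; the enumeration wrapper only does anything where `dscl` exists.

```shell
#!/bin/sh
# Added example (not part of the article): inventory which local user records on a
# Mac are AD mobile accounts, i.e. the ones Apple recommends converting to local
# accounts before relying on AEC password sync. Assumes macOS with dscl(1).

# Returns 0 when an AuthenticationAuthority value marks a mobile (cached) account.
# $1: the AuthenticationAuthority attribute value for one user record.
is_mobile_authority() {
    case "$1" in
        *';LocalCachedUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "mobile" or "local" for a given AuthenticationAuthority value.
classify_account() {
    if is_mobile_authority "$1"; then
        printf 'mobile\n'
    else
        printf 'local\n'
    fi
}

# Enumerates real user accounts (UID >= 500) and prints one tab-separated line per
# mobile account: name, "mobile", and the originating directory node.
# Where dscl is absent (not macOS) it prints a note on stderr and returns 0.
list_mobile_accounts() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not available; run this on macOS" >&2; return 0; }
    dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r user; do
        auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
        if is_mobile_authority "$auth"; then
            node=$(dscl . -read "/Users/$user" OriginalNodeName 2>/dev/null | awk -F': ' '{print $2}')
            printf '%s\tmobile\t%s\n' "$user" "${node:-unknown}"
        fi
    done
}

# Stand-alone usage on a Mac: run the script, or source it and call
# list_mobile_accounts to get the inventory before any conversion work.
```

Run this on a bound Mac before converting anything: any account it reports as `mobile` is one that would still hit the keychain issues described above after a campus password change, because AEC's password sync only applies to local accounts.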
Removing AD binding is optional, and may depend on a unit's IT support mechanism.