Directory

The Directory profile configuration allows you to configure directory services on your devices. You can apply multiple directory servers to your devices including Active Directory, LDAP, or Open Directory servers.

Note: If multiple profiles enforce separate policies on a single device, the most restrictive policy is enforced. If your directory already manages the password policy for network users logging into the devices, Apple does not recommend also applying a password policy.

Directory

Directory Type: Choose a directory type from the dropdown list.
  • Active Directory
  • Open Directory/LDAP
Organizational Unit: Specify the organizational unit of the Active Directory server.
Note: This option is only applicable when configuring an Active Directory server.

Security

Server Hostname: Enter the IP address or fully qualified domain name of the directory server.
Username: Enter the username of the administrator that authenticates and binds the device to the server.

Do not include the domain. Use "administrator" only, not "domain\administrator".

Note: This field is mandatory for Active Directory connections.
Password: Enter the password of the administrator used to authenticate and bind the device to the server.
Note: This field is mandatory for Active Directory connections.
Client ID: Enter the identifier associated with the device in the directory. Enter the client ID in macro format.

Supported macros are:

  • %AUTONUM%
  • %MAC%
  • %MANUFACTURER%
  • %MODEL%
  • %PERSONALIZED_DEVICE_NAME%
  • %PLATFORM%
  • %SERIALNUM%

User Experience

Note: These settings are only supported for Active Directory servers.
Configure a mobile account at login: When enabled, user data is hosted locally and device users can log into devices using Active Directory credentials even when not connected to the Active Directory server.
Require confirmation before creating mobile account: When enabled, device users must confirm creation of the mobile account.
Note: This option is only available when Configure a mobile account at login is enabled.
Force local home directory on startup disk: When enabled, the Windows network home folder of the device user is mounted as the macOS home folder when the device user logs in. The device user can copy files between this network volume and the local home folder.
Use UNC path: When enabled, you can specify a UNC path from Active Directory to derive the network home location and choose a network protocol (or mount style).
Mount Style: Choose which network protocol to use to mount the home directory from the dropdown list.
  • smb: the standard Windows protocol
  • afp: the standard Mac protocol
Default user shell: Enter a path to specify the default command-line shell that device users use when interacting with macOS in Terminal.

Mapping

Note: These settings are only supported for Active Directory servers.
Map UID to attribute: Map the unique user ID to an Active Directory attribute.
Map user GID to attribute: Map the user group ID to an Active Directory attribute.
Map group GID to attribute: Map the group ID to an Active Directory attribute.

Administrative

Note: These settings are only supported for Active Directory servers.
Preferred domain server: Enter the DNS hostname of the Active Directory server.
Allow administration: Click Configure to add Active Directory group accounts whose members will have administrator privileges.
Allow authentication through any domain in the forest: When enabled, the user is authenticated through any domain in the forest.
Namespace: Choose the primary account naming convention based on forest or domain from the dropdown list.
  • domain
  • forest
Packet Signing: Choose an option from the dropdown list to specify whether all data to and from the Active Directory domain is signed.
  • Allow
  • Disable
  • Require
Packet Encryption: Choose an option from the dropdown list to specify whether all data to and from the Active Directory domain is encrypted.
  • Allow
  • Disable
  • Require
  • SSL
Restrict DDNS: Click Configure to specify which network interface to use when updating the Dynamic Domain Name System (DDNS).
Password trust interval: Specify how often (in days) the device automatically changes the computer account password that is stored in the system keychain.
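As an added example (not the MDM vendor's or Apple's code), here is a small Python audit that reads a Directory payload out of a profile and flags the settings above that weaken the bind: packet signing or encryption not set to Require, an AFP mount style, a password trust interval outside a baseline, and bind credentials carried inside the profile. The payload key names are assumed from Apple's com.apple.DirectoryService payload (verify them against Apple's Configuration Profile Reference), and the hostname, password and 30-day threshold are constructed.

```python
import plistlib

# Added audit example, not vendor or Apple code. Key names follow Apple's
# com.apple.DirectoryService payload as I recall them (assumption: verify
# against Apple's Configuration Profile Reference before relying on them).
PAYLOAD_TYPE = "com.apple.DirectoryService"
MAX_TRUST_INTERVAL_DAYS = 30  # assumed local baseline, not a vendor default


def build_profile(**settings) -> bytes:
    """Serialise a constructed one-payload profile (plist XML) for auditing."""
    payload = {"PayloadType": PAYLOAD_TYPE,
               "HostName": "dc01.example.test",           # constructed
               "UserName": "administrator",
               "Password": "placeholder-bind-password"}   # constructed
    payload.update(settings)
    return plistlib.dumps({"PayloadContent": [payload]})


def audit_directory_payload(profile_bytes: bytes) -> list:
    """Return one finding string per weak setting in each Directory payload."""
    findings = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != PAYLOAD_TYPE:
            continue
        if p.get("ADPacketSign") != "require":
            findings.append("ADPacketSign: signing not required, directory replies can be altered in transit")
        if p.get("ADPacketEncrypt") not in ("require", "ssl"):
            findings.append("ADPacketEncrypt: encryption not required, directory traffic readable on the wire")
        if p.get("ADMountStyle") == "afp":
            findings.append("ADMountStyle: home mounted over AFP (deprecated); use smb")
        days = p.get("ADTrustChangePassInterval")
        if not days or days > MAX_TRUST_INTERVAL_DAYS:
            findings.append(f"ADTrustChangePassInterval: {days} days is outside the baseline")
        if p.get("Password"):
            findings.append("Password: bind credentials travel inside the profile; use a least-privilege join account")
    return findings


# Constructed profiles: the weak settings beside the corrected ones.
WEAK = build_profile(ADMountStyle="afp", ADPacketSign="allow",
                     ADPacketEncrypt="disable", ADTrustChangePassInterval=0)
HARDENED = build_profile(ADMountStyle="smb", ADPacketSign="require",
                         ADPacketEncrypt="ssl", ADTrustChangePassInterval=14)

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, *audit_directory_payload(profile), sep="\n  ")
```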