06 Mar
Use These 7 Steps to Create an Active Directory Login Policy for MacOS Users
Several weeks back I was on the phone with a school district that was interested in mounting network shares and making applications easily accessible to their students when they log in to any given machine on their network.
They explained to me that they already have a number of Active Directory groups built out and that they simply need to map a drive and make certain applications easily accessible to everyone who belongs to a specified group.
Their question to me was: can the LANDESK Management Suite solution help us with this?
My answer to them was, yes. With the assistance of Apple’s Profile Manager to create the configuration profile, you can build a LANDESK Agent Setting that can be delivered and enforced by LANDESK Management Suite.
Want to know how? My guess is that whether you’re a school district or a corporate entity, you’ll likely want to provide certain resources to your users based on the groups they belong to, so knowing how to do this can be very helpful. Let’s jump in and create one of these Active Directory group-specific configuration profiles.
Step 1: Bind Your Apple Profile Manager Server to the Active Directory Domain
Before we get too far into this, you need to make sure your macOS Server is installed and configured for Profile Manager (see this video if it isn’t configured) and that your macOS Server is bound to your domain. It does not matter whether your Profile Manager instance is a virtual machine or a physical box; for Profile Manager to create an Active Directory group-specific profile, it needs access to the Active Directory tree. So bind your Mac to Active Directory and move on to the next step.
Step 2: Launch the Profile Manager Editor
OK, now that your machine is bound to the domain, we need to launch Profile Manager. Open up Safari and browse to https://nameofyourmachine/profilemanager. From the Library menu tree items, select the Groups option (not Device Groups). After selecting Groups, you should be presented with a list of all of the groups you have built inside of Active Directory. Find your desired group from the list, in my example we’ll use Engineering, and select it.
Now click on the Settings tab and subsequently click on the Edit tab in the Settings for “Group Name” area.
Step 3: Build Your Login Items Group Payload
Scroll down and find the payload named Login Items in the macOS only section. Within the Login Items payload you can select the Apps that will open at login. Note: these do need to be installed on your Mac Server for them to appear in the list. I use my Mac Server as my patch source machine as well, so it works out well for me to have all of the applications I support installed on a single machine.
In the Authenticated Network Mounts area, set your specific sharing protocol, which is most likely going to be SMB, and then provide the share hostname and volume to map. Repeat for any additional authenticated mounts or standard network mounts that don’t require authentication.
Step 4: Configure Finder for Easier Network Mount Access (Optional)
I opted to configure Finder so that all Network Mounts I created with my Login Items payload automatically create a shortcut and display themselves on the desktop. This step is optional, but a nice touch to make it even easier for my users to access the resources I’m making available to them.
To make this change within your profile, scroll to the Finder payload in the macOS settings only area and select it. Once selected, all you need to check is the box for “Connected servers.”
Step 5: Save, Download and Transfer Your Configuration Profile to Your LANDESK Server
Assuming you have no further payloads to configure, click the OK button and then click the Save button on the configuration profile itself. Doing so should change the greyed-out “Download” button to an active button. Hit the Download button and go to the Downloads folder of your logged-in user within Finder.
If macOS prompts you to install the profile, go ahead and hit Cancel. At this point, you need to mount a share and copy the .mobileconfig file to your Management Suite server, or copy it to a share that your Management Suite server user has access to.
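Before the .mobileconfig from Steps 3 to 5 goes into LANDESK, it is worth reading what it actually contains, because Step 7 will push it to every Mac you target. The Python script below is an added example, not code from the original post or from LANDESK or Apple. It embeds a constructed profile laid out the way Profile Manager’s Login Items and Finder payloads are commonly structured (the key names AutoLaunchedApplicationDictionary, Path, URL, AuthenticateAsLoginUserShortName and ShowMountedServersOnDesktop, and the example host names, are assumptions to confirm against your own download) and flags payload types you did not configure, mount URLs that are not smb://, unauthenticated mounts, and login items outside /Applications.

```python
"""Review a Profile Manager .mobileconfig before importing it into LANDESK.

Added example; not from the original post, LANDESK or Apple. The embedded
profile is constructed to mirror a Login Items + Finder group profile; the
key names are assumptions, so compare them with your own downloaded file.
"""
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile (XML plist) for the tutorial's "Engineering"
# group: two login apps, one authenticated SMB mount, one unauthenticated
# legacy AFP mount, and the Finder "Connected servers" setting.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.engineering.login</string>
  <key>PayloadDisplayName</key><string>Engineering Login Policy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.loginitems.managed</string>
      <key>AutoLaunchedApplicationDictionary</key>
      <array>
        <dict><key>Hide</key><false/><key>Path</key><string>/Applications/Safari.app</string></dict>
        <dict><key>Hide</key><false/><key>Path</key><string>/Applications/Pages.app</string></dict>
        <dict><key>AuthenticateAsLoginUserShortName</key><true/>
              <key>URL</key><string>smb://files.example.internal/Engineering</string></dict>
        <dict><key>URL</key><string>afp://legacy.example.internal/Public</string></dict>
      </array>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.finder</string>
      <key>ShowMountedServersOnDesktop</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# The only payloads this tutorial configures; anything else is a surprise.
EXPECTED_PAYLOAD_TYPES = {"com.apple.loginitems.managed", "com.apple.finder"}


def review_parsed_profile(profile: dict) -> dict:
    """Inspect an already-parsed profile dict and return a findings report."""
    report = {"name": profile.get("PayloadDisplayName"),
              "apps": [], "mounts": [], "warnings": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in EXPECTED_PAYLOAD_TYPES:
            report["warnings"].append(f"unexpected payload type {ptype!r}")
            continue
        if ptype == "com.apple.finder" and not payload.get("ShowMountedServersOnDesktop"):
            report["warnings"].append("Finder payload does not enable 'Connected servers' on the desktop")
        for item in payload.get("AutoLaunchedApplicationDictionary", []):
            if "URL" in item:
                # Network mount entry: check protocol and whether it uses the
                # login user's credentials (assumed key name).
                url = item["URL"]
                scheme = urlsplit(url).scheme.lower()
                authenticated = bool(item.get("AuthenticateAsLoginUserShortName", False))
                report["mounts"].append((url, authenticated))
                if scheme != "smb":
                    report["warnings"].append(f"mount {url} uses {scheme!r}; expected smb")
                if not authenticated:
                    report["warnings"].append(f"mount {url} is unauthenticated; confirm the share ACLs allow that")
            elif "Path" in item:
                # Application entry: it should live where managed apps are installed.
                path = item["Path"]
                report["apps"].append(path)
                if not path.startswith("/Applications/"):
                    report["warnings"].append(f"login item {path} is outside /Applications")
    return report


def review_profile(raw: bytes) -> dict:
    """Parse raw .mobileconfig bytes (XML or binary plist) and review them."""
    return review_parsed_profile(plistlib.loads(raw))


if __name__ == "__main__":
    rep = review_profile(SAMPLE_PROFILE)
    print(f"Profile: {rep['name']}")
    print("Login apps:", *rep["apps"], sep="\n  ")
    print("Mounts:", *[f"{u} (authenticated={a})" for u, a in rep["mounts"]], sep="\n  ")
    print("Warnings:", *rep["warnings"], sep="\n  ")
```

Run it against a real download with `review_profile(open("Engineering.mobileconfig", "rb").read())`; plistlib reads both the XML and binary plist forms, so it does not matter which one Profile Manager produced. A non-empty warnings list is a reason to go back to Step 3 rather than on to Step 6.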
Step 6: Import Your Configuration Profile and Save as a LANDESK Agent Setting
- Launch your LANDESK Management Suite console
- Browse to Configuration > Agent Settings
- Right click on Mac Configuration Profile and select New
- Click the Import button, browse to where you copied your .mobileconfig file and provide an appropriate display name. Once you’ve done this step, you no longer need the .mobileconfig file as it is imported into the database.
- Highlight the name of your configuration you created and move it into the Select Configurations window.
- Provide a name for your entire agent setting. I used the same name as my configuration, Engineering Login Policy. But because you can add in multiple configurations to a single agent setting, you may choose a more fitting name. Hit save when finished.
Step 7: Create a Change Agent Settings Task and Deploy
- While still in the Agent Settings panel, click on the Calendar/Clock icon (the second one in the menu bar) and then select Change Settings.
- Give your task an appropriate name, I once again named mine “Engineering Login Policy.”
- Find the “Mac Configuration Profile” type from the list on the right hand side of the panel and click on the corresponding Keep agent’s current settings window area.
- Find your newly created configuration and select it.
- Now set your desired Task Settings (policy, push, policy supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
- Add in your target devices. Remember, only users who belong to the Active Directory group will pull the settings, so you could essentially target every Mac in your environment.
- Schedule your Change Settings task.