Binding a device to a directory service makes it subject to the domain's policies and password security settings. Jamf School 5.3.7 and later supports binding to Open Directory, Active Directory and any other LDAP-capable directory service.
Creating a Directory profile:
1. In Jamf School, navigate to Profiles and click Create Profile. Select macOS as the platform, fill in the name and description, and assign one or more groups. Click Save.
2. In the profile you just created, select the Directory payload.
3. Configure the settings as described below:
| Setting | Description |
|---|---|
| Directory Type | Choose "Active Directory" to bind to a Microsoft Active Directory domain, or "Open Directory / LDAP" to bind to an Open Directory or other LDAP-capable directory service. |
| Server Host Name or IP Address | The host name or IP address of the directory server. Required |
| Client ID | The name of the computer account the device will use in the directory, in a form the directory accepts (Active Directory computer names, for example, are limited to 15 characters). We recommend the %SerialNumber% replacement variable. Required. Note: when using pre-stage directory enrollment this field is not required. |
| Bind Credentials | Credentials of an account permitted to bind (join) the device to the server. Enter the username without the domain: "username", not "domain\username". Use an account whose rights are limited to joining computers to the domain rather than a domain administrator, since the username and password are delivered to every device in scope as part of the profile. Optional |
| Username | The username of the account used to authenticate and bind the device to the server. Optional |
| Password | The password of that account. Optional |
Active Directory specific settings:
| Setting | Description |
|---|---|
| Organizational Unit | The Organizational Unit (OU) in which the computer object is created when the device joins. Optional |
| Create Mobile Account at login | Creates a mobile account for directory users: the user's home directory and credentials are cached locally, and the user is logged in to that mobile account automatically. Optional, defaults to false |
| Require confirmation before creating Mobile Account | Asks the user to confirm before the mobile account is created. Optional, defaults to false |
| Bypass the Secure Token Authentication prompt when creating a Mobile Account | Suppresses the "Secure Token Authentication" prompt. Note: with this option enabled the mobile account may not receive a Secure Token and will then be unable to unlock FileVault. Available on macOS 10.13.5 or later; optional, defaults to false |
| Force local home directory on Startup disk | Creates the user's home directory on the startup disk instead of using the network home. Optional, defaults to false |
| Use UNC path from Active Directory to derive network home location | Uses the UNC path stored in the user's Active Directory account to locate and mount the network home. Optional, defaults to true |
| Mount Style | The protocol used to mount the network home: AFP or SMB. Optional, defaults to AFP |
| Default User Shell | The login shell assigned to directory users on the computer. Optional, defaults to "/bin/bash" |
| Mappings | On the Mappings tab, specify which directory attributes supply the UID, the user's primary GID and the group GID. By default these are derived from the domain server. Optional |
| Preferred Domain Server | The domain controller the computer contacts first for authentication. Optional |
| Allow authentication from any domain in the forest | Allows users from any domain in the forest to authenticate, not only users of the domain the computer is joined to. Optional, defaults to true |
| Allow Administration | Members of the listed Active Directory groups are granted administrator privileges on the computer. Optional |
| Namespace | The account naming convention: forest (usernames are qualified with their domain, so the same username may exist in several domains) or domain (plain usernames). Optional, defaults to domain |
| Packet Signing | Whether traffic to the directory must be signed: allow (negotiate), disable, or require (refuse unsigned connections). Optional, defaults to allow; require is the hardened choice |
| Packet Encryption | Whether traffic to the directory must be encrypted: allow (negotiate), disable, require, or ssl. Optional, defaults to allow; require is the hardened choice |
| Restrict DDNS | Restricts Dynamic DNS updates to the listed network interfaces (e.g. en0, en1). Optional |
| Password trust interval | How often, in days, the computer account's trust password is rotated. Optional, defaults to 14 |
4. Click on Save to push the profile to all devices in scope.
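Once the profile has applied, the bind should be verified on a device rather than assumed. The following script is an added example (not Jamf School's own code): it parses the output of `dsconfigad -show`, captured on a bound Mac with `sudo dsconfigad -show > bind.txt`, and compares the reported state with the settings the Directory payload was configured to apply, flagging a bind where Packet Signing or Packet Encryption only negotiated (allow) instead of require. The sample output, the domain ad.example.com, the group AD\mac-admins and the serial-based computer account are constructed for this example and are not from the page.

```python
"""Post-deployment check for a Directory (Active Directory bind) profile.

Added example, not Jamf School's own code. Parses `dsconfigad -show` output
and compares it with the settings the profile was meant to push, so a weak
or failed bind is caught instead of assumed. The sample output below and
the EXPECTED values are constructed for this example.
"""
import subprocess

# Constructed sample of `dsconfigad -show` output; the layout mirrors what
# the tool prints, but every value here is an assumption for the example.
SAMPLE_DSCONFIGAD_SHOW = r"""
Active Directory Forest          = ad.example.com
Active Directory Domain          = ad.example.com
Computer Account                 = c02xk1abcdef$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Disabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = AD\mac-admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain
"""

# What the Directory payload was configured to apply (assumed values).
# Packet signing/encryption are "require" here rather than the default
# "allow", so the check flags a bind that only negotiated them.
EXPECTED = {
    "Active Directory Domain": "ad.example.com",
    "Create mobile account at login": "Enabled",
    "Network protocol to be used": "smb",
    "Packet signing": "require",
    "Packet encryption": "require",
    "Password change interval": "14",
    "Namespace mode": "domain",
}


def parse_dsconfigad(text):
    """Turn `dsconfigad -show` output into a {label: value} dict.

    Section headers carry no '=' and are skipped; labels are unique across
    sections, so a flat dict is enough.
    """
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition("=")
        if sep:
            settings[label.strip()] = value.strip()
    return settings


def check_bind(settings, expected=EXPECTED):
    """Return a list of findings; an empty list means the bind matches policy."""
    findings = []
    if not settings.get("Computer Account"):
        findings.append("Computer Account: device is not bound")
    for label, want in expected.items():
        got = settings.get(label)
        if got is None:
            findings.append(f"{label}: not reported by dsconfigad")
        elif got.lower() != want.lower():
            findings.append(f"{label}: expected {want!r}, got {got!r}")
    return findings


def hardening_args(settings):
    """dsconfigad arguments that raise signing/encryption to 'require'.

    -packetsign and -packetencrypt are real dsconfigad options; running
    them needs root on the bound Mac and changes only the local client.
    """
    args = []
    if settings.get("Packet signing", "").lower() != "require":
        args += ["-packetsign", "require"]
    if settings.get("Packet encryption", "").lower() != "require":
        args += ["-packetencrypt", "require"]
    return args


def live_settings():
    """Read the real values on the Mac this runs on (macOS only)."""
    out = subprocess.run(["dsconfigad", "-show"], check=True,
                         capture_output=True, text=True).stdout
    return parse_dsconfigad(out)


if __name__ == "__main__":
    current = parse_dsconfigad(SAMPLE_DSCONFIGAD_SHOW)
    for finding in check_bind(current) or ["bind matches expected settings"]:
        print(finding)
    if hardening_args(current):
        print("suggested: dsconfigad " + " ".join(hardening_args(current)))
```

The Computer Account line is where the Client ID ends up (the %SerialNumber% value with a trailing "$"), so its absence is the quickest sign that the bind never happened. Note that fixing signing or encryption locally with dsconfigad only lasts until the next profile push; the durable fix is to change the Packet Signing and Packet Encryption fields in the profile itself.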
Unbind a computer:
- To unbind, click the Remove button in the Directory payload.
- Click Save to push the profile to all devices in scope; every device in scope unbinds from the directory. If other profiles also carry a Directory payload, remove that payload from them as well, otherwise those profiles will bind the devices again.