
Active Directory Schema Extension with OS X 10.8 Mountain Lion

Hello,


We are looking to integrate a small number of Mac computers (about two dozen for now, will climb later) into Active Directory in a big Windows computer environment (thousands).


We looked at the Apple Technical White Paper about the Best Practices for Integrating OS X Lion with Active Directory: http://training.apple.com/pdf/wp_integrating_active_directory.pdf


We use GPO on Windows, so we need Managed Preferences on OS X. We discarded the "Do Nothing" option. We want to avoid using a Mac OS X Server due to our small initial deployment. We discarded the "Profile Manager Server", "Dual Directory (or magic triangle)".


We are left with "Extend the Active Directory Schema to Handle Management" and "Use a Third-Party Solution".


Extending the Schema made sense to us, nothing to purchase, no permanent Mac OS X Server to set up, no extra software, no extra hardware, low maintenance and little training. Not to mention nothing to install on the Domain Controllers, nothing to install on the Macs, no middleware. Just extend the schema and use native Workgroup Manager on any Mac to set up the Managed Preferences for all of them at once. That's not to say that using third-party is bad, but it looked like we could avoid it. Not to mention we don't have any Mac specialists in current staff, so asking one for help just for supervising the short "extending the schema" phase made sense, after that we fall back to current staff for basic maintenance.


Problem is, we found a new revision of the document, called Best Practices for Integrating OS X with Active Directory:

http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf


This new revision is about OS X 10.8 Mountain Lion and completely avoids talking about Extending the Schema, cutting down the White paper from 28 pages to 14.


Is there a new directive from Apple to stop Extending Active Directory Schemas? Has Apple and/or Mountain Lion stopped supporting that way of integration? If it's still supported, where can we find an updated paper about it?


Since this is a technical white paper, I expect it to grow with more and more technical information, so seeing it halved with all that great information gone made me a bit nervous.


Can you help me or direct me to the right place?


Thank you very much and have a nice day,

Kull57

MacBook Pro, OS X Mountain Lion (10.8.2)

Posted on Feb 5, 2013 2:23 PM

6 replies

Aug 23, 2013 11:13 AM in response to gleep52

Hello gleep52,


I used the business I was working for to climb Apple Support up to someone who cares. It wasn't easy.


When I was with the proper level of support, I was told that Apple is completely discontinuing Schema Extension from OS X 10.8 Mountain Lion and up. I was told that this whitepaper will never be updated anymore. It's not supported anymore, at all. Even then, I had to read between the lines, because Apple doesn't discuss anything with anyone, especially business decisions about the future. You can try; if you get a better answer than mine, I would like to know! :-)


You can still do it, it will still work, but you are on your own.


I also did the opposite and contacted Microsoft. Our PFE and our TAM contacted multiple colleagues, and no one knew of a documented success story with Schema Extension. They were a bit against it; well, that's not unexpected from Microsoft. It's maybe because I'm from a foreign country too, maybe in the US you would have more success than me. Still, they contacted several businesses with several thousand users, all over our region.


Apple decided that MacBook Pro and Mac Pro are just another "mobile device" and they will be treated as such. You will have to manage them just like you manage your mobile phones.


What I suggest: do not extend your schema, just do the basic integration already built in. Play with it a bit. If you want to go further then... MDM!


You now need an MDM (mobile device management) to take care of them. I suggest AirWatch, that's what we will be doing to support Android phones and we will maybe someday include the Macintosh computers in it, if we have time and money left.


That decision is really a PITA, but what can we do, this is the Apple I'm used to! :-)


They don't seem to care about the computer business anymore, they discontinued the server line, they will only keep the pro computer business niche and spend all their money in mobile devices instead. It's a business decision, not really a bad one, but it's one that makes my life harder! :-)


Thank you very much and have fun,

Kull57

Aug 23, 2013 11:42 AM in response to gleep52

You could still try the basic integration following the updated guide. At least you will be able to manage passwords, home directory and have the SSO working.


Holding off is not a bad strategy either, that's what we are currently doing...


Don't forget to check the other thread. Strontium90 was really nice with me.

Active Directory Schema Extension with OS X 10.8 Mountain Lion
