Active Directory Schema Extension with OS X 10.8 Mountain Lion

General rule of thumb is do not extend schema. You are asking for trouble and Microsoft will likely stop talking to you.

The next challenge is that you are enforcing GPO. Have you defined which settings you want to enforce on OS X? If these settings are desktop background and other cosmetic features, then simply create a master image and make all these settings. If security specific, you can also bake most of that into an image.

In all the years of integrating OS X into Windows, I've found Apple's plugin has always been enough. It gets you authentication, authorization, single sign on, and password policy. That is what most organizations want.

Also, please note that the old magic triangle of injecting a Mac server between the clients and the windows server is being depreciated by Apple. MCX is effectively depreciated in Mountain so many of the tools and concepts related to extended schema and third party tools like Centrify no longer apply. Apple is moving to Profile Manager and this requires a lighter weight (depending on the angle you look) deployment model.

Before you do anything, just start by binding a Mac to your active directory. Use the Apple built in client. Use the machine. Find out what is working and what is not. You will be amazed at how many flaws in your Windows environment will be exposed by adding Macs to it.

Glad to help. Apple is on a march toward the eschewing of directory services (OD and AD), as seen by the success of the the iPad which essentially doesn't even have a user account. This is the "power" (or lack there of) of profiles. Profiles are mostly device configuration, not user config. Granted, there is the ability to push e-mail settings but without a regex feature like that in mobile iron, this is incredible time consuming and tedious.

To your comment:

It is true that schema modifications are irreversible and must be taken seriously, but if done carefully with the proper backups, usually it's OK. I mean Exchange, SharePoint and several other Microsoft tools do extend the schema at initial installation and even when migrating from a version to another.

Yes. Anything done "carefully with proper backups" is safe 🙂 But not necessarily wise. Also note that all the other products mentioned are made by Microsoft and the expectation is that products from a like minded company should work together. I've been integrating Macs into AD for more than a decade (yes, I was one of those idiots using the LDAP plugin back in 10.3(?) if memory serves). In all that time I have not yet once found an valid reason for modifying schema, even when Apple was hot on the topic. Also, in that time, I've seen seen more companies invest in Centrify only to let it stagnant as the Windows admins struggle to figure out what to manage on a Mac. Granted, in the old days, this is when Macs were mostly small departments dedicated to content creation. Recently, this trend is shifting to mass deployments of Macs as general use systems. As this continues, we are seeing a renewed interest in "managing" the Macs. If this is a strict requirement, then the only answer at this point is to look into JAMF (Disclaimer: I/we are a reseller and integrator of the Casper Suite so make sure you do your independent research before accepting the advice of a mostly anonymous contributor on a public discussion forum).

And yes, SCCM is promising to support the Macs. But even after a Microsoft briefing, I get the feeling that this is going to be another Altiris "we support Macs" moment which basically translates into "if you can actually find the software and make it work, we will inventory the device for you." In which case, you have nothing of value. Again, I can only make a judgement based on an early briefing. It is possible with the depreciation of MCX, SCCM will be able to implement profile manager (after all, this is a publicly available structure from Apple). If this is the case, then it may be possible to use profiles to manage some of your settings. But once again, the new feature from Apple (profiles) are nowhere near as expansive as MCX was. And sadly, MCX is dead. We can only hope that Apple will expand profile manager's options. But if we are to believe the trend of blending the OS will trend with more input from iOS and less from OS X, then profile manager will never become as rich as MCX because there will be no perceived need.

This also goes along with Apple's push to thin imaging and BYOD. Apple plays well into this space due to limited product options. Companies considering BYOD see the Windows PC market and begin to tremble as the shear volume of configurations and versions. Then they look at Apple and see the same product with different screen sizes and have a sigh of relief.

Now about the GPO - Managed Preferences. Well our organization like to enforce everything from automatic screensaver after a certain amount of time, password to unlock screensaver, disable hardware like USB ports or DVD drives, automatic lauching of applications at startup, background image, default webpage, default desktop theme, tweak application security in several applications, mounting default network shares at startup, blocking the opening of certain software, we have hundreds of them. We do not use computer imaging software, everything is in SCCM and most settings are GPO based, so that no matter what, even an administrator messing with the computer, most settings will be reset at next startup or after a certain delay. It seems like Microsoft support Macs in SCCM 2012 SP1, so I guess our organization will want to centralize everything there too, ideally.

So this next section, I will ask this question: Do you have a mobile device management solution in place? If so, you might want to look at the vendors ability to support OS X. AirWatch is already doing it. Mobile Iron either is or is about to. JAMF started on Mac OS. This may allow you to avoid deploying a "mostly idle" server just for policy enforcement. Plus, if you are cloud hosting this and you are using mostly Apple laptops, then enforcement continues outside the LAN.

There are a lot of things to consider. As you may guess, many of us in the industry are anxious to see where Apple is going in 10.9. We know MCX will be dead which will take OS X out of many schools. We can assume that Profile Manager will once again expand to support more settings. But how much of OS X will end up in iOS 7 and how much of iOS 7 will end up in OS X remains a large unanswered question. I check my dev seed status daily for the answers.

My advice is to do everything you can to discover the benefits and needs of the organization. The AD plugin is free and already on every Mac. JAMF will give you a 30 day demo. Apple Profile Manager is built into Server.app. And it is $30 and can be installed on any Mac. You can clearly investigate these services and solutions will little to no cost.

And, a plug for the Consultants Network community and even Apple Pro Services. You are not alone on this quests. I spend my weeks in fortune 500 companies integrating Macs into their organizations. Reach out to the Consultants in your area (or beyond as some of us travel 🙂) by looking here: http://consultants.apple.com.consultantlocater.com Or reach out to your Apple rep and ask about a Pro Services Readiness Assessment. These are great ways of rapidly advancing the project.

This is probably the last best place. MacEnterprise.org is not really current. Xsanity is not used much because Apple effectively killed Xsan and the surrounding products. AFP548.com is still a valid source. And JAMF Nation is a good place to troll to get an idea about what is going on with Mac integration.

Enjoy the search. Binding your Macs to the domain is one of the best things you can do to gain acceptance and enforce compliance.

Tip:

If you want to have the ability to have users log in if there is no network server available, make sure you define a Home directory in ADUC for the user(s) and turn on Mobile accounts on the Apple computers.

This is especially important if you have remote users or MacBooks that are logged into outside of the network/domain.

...it can also speed up the login process from within the network too, since you're not necessarily dependent on the "Network Accounts Unavailable" message going away before logging into the mac.

Hi. I am having a problem waking my laptop from sleep. Your previous answer said that your organization could help with this type of issue. I am locked out because the password I have been using will not work since I changed my Apple ID password two days ago. I have tried using the new Apple ID password, but that doesn't work either. Apple Support page brought me to you. I don't understand a lot of the technical language that you have used. I don't know what the acronyms mean. If you can help me I'd be very grateful. Thanks!

So we likely could help but I will be honest is saying that your best mode of attack is to take the unit to your nearest Apple store. I (we) tend to support businesses (particularly enterprise) and, not to denigrate your need, it sounds like you are an individual with a single Mac and an Apple ID. The Apple store will provide assistance free of charge. As a small business owner I can not compete with that.

All that being said, you can try booting the machine into the Recovery partition and reseting the local password. Search for "recovery partition password reset mac" in your favorite search engine to find the procedure.

Again, you are welcomed to reach out to us for assistance but you likely have cheaper and more localized assistance available. Now, obviously if you are local to us, you are more than welcome to bring the unit in.

I hope this helped.

Very late response...but there is a misstatement above:

It is true that schema modifications are irreversible and must be taken seriously,

Depending on the version of Windows Server, flexibility increased as the product matured:

• Can not disable or delete Active Directory schema extensions.
• Can disable but not delete Active Directory schema extensions.
• Can disable or delete Active Directory schema extensions.

My colleagues in large environments often extend Active Directory schema extensions to accommodate the needs of special applications or platforms.

Asking whether Microsoft supports Active Directory schema extensions is like asking Apple if they support adding a field to a FileMaker database, or like asking JAMF Software if they support adding an Extension Attribute to JSS.

Seems like Apple is walking away from stuff they have no business trying to support, since another entity already supports it.

Don

I also am extremely loathe to consider extending the Active Directory schema, it should be noted that in many organisations the Mac department has to work with a much bigger PC department and the PC department which of course will be more involved with Windows servers will be often very unwilling to consider this.

Option 1 - Firstly lets look at solutions to integrate Macs with AD and allow AD to manage those Macs via GPO.

Centrify - https://www.centrify.com/products/identity-service/mac-management/

ADmitMac - http://www.thursby.com/products/admitmac

I have not looked at the later but have previously looked at Centrify, I got the very strong impression that in order for it to work not only did you have to install a plugin which replaces Apple's own AD plugin but that Centrify also needs to populate your AD with schema extensions. Therefore as discussed I consider this to be a bad approach on two fronts.

Option 2 - Historically the most popular approach has been to have a Mac server running Open Directory in as you referred to a 'Magic Triangle' configuration. The AD schema will then be untouched and the Mac OD server will be used to manage Macs using Managed Preferences i.e. MCX. As you may be aware Apple are encouraging people to move away from using MCX i.e. Managed Preferences and you yourself indicated a desire not to add a Mac server. However this approach would still be preferable to Option 1 above.

Option 3 - Mobile Device Management aka. MDM. Despite its name this can also be applied to desktop computers as well as mobile devices. This is a still supported and recommended method for managing Macs. With this approach you would 'enrol' your Macs to a MDM server which could be Apple's Profile Manager or a third-party equivalent like JAMF Casper Suite.

Note: Some MDM solutions have very poor support for managing Macs and focus instead on managing iOS devices i.e. iPhones and iPads. So pick an MDM solution carefully.

An MDM solution does not require a Mac server unless you choose Apple's own Profile Manager and does not require modifying the AD schema. It is however likely going to require buying a commercial MDM solution. (Even Apple's Profile Manager is not completely free.)

As an addendum to using an MDM solution there is now DEP - Device Enrolment Program, this is a way of pre-registering brand new Macs to your MDM server so that they automatically enrol themselves when first turned on. The user then does not need to know how to enrol the Mac as this will be done automatically when they unbox the Mac. You will still be using an MDM server to do the management.

As a final and important comment I would say that in general it is best to look for a Mac specific solution to manage Macs, and a PC specific solution to manage PCs. Trying to use a PC solution to manage Macs usually results in an inferior result and as we have been discussing many additional complexities. Not only is this the widely shared opinion of Mac consultants and administrators but also of more independent and multi-platform consultancy firms.