
Active Directory Schema Extension with OS X 10.8 Mountain Lion

Hello,


I didn't have success at all in the Mountain Lion forum, I guess it was because I didn't choose the best category, so I'll try again here. I am sorry for the cross-posting.


Can you suggest another forum, even an external one, for asking these technical questions if this isn't the best place?


-----


We are looking to integrate into Active Directory a small number of Mac computers (about two dozen for now, more later) in a big Windows computer environment (thousands).


We looked at the Apple Technical White Paper about the Best Practices for Integrating OS X Lion with Active Directory: http://training.apple.com/pdf/wp_integrating_active_directory.pdf


We use GPO on Windows, so we need Managed Preferences on OS X. We discarded the "Do Nothing" option. We want to avoid using a Mac OS X Server due to our small initial deployment. We discarded the "Profile Manager Server", "Dual Directory (or magic triangle)".


We are left with "Extend the Active Directory Schema to Handle Management" and "Use a Third-Party Solution".


Extending the Schema made sense to us, nothing to purchase, no permanent Mac OS X Server to set up, no extra software, no extra hardware, low maintenance and little training. Not to mention nothing to install on the Domain Controllers, nothing to install on the Macs, no middleware. Just extend the schema and use native Workgroup Manager on any Mac to set up the Managed Preferences for all of them at once. That's not to say that using third-party is bad, but it looked that we could avoid it. Not to mention we don't have any Mac specialists in current staff, so asking one for help just for supervising the short "extending the schema" phase made sense, after that we fall back to current staff for basic maintenance.


Problem is, we found out a new revision of the document called Best Practices for Integrating OS X with Active Directory :

http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf


This new revision is about OS X 10.8 Mountain Lion and completely avoids talking about Extending the Schema, cutting the white paper down from 28 pages to 14.


Is there a new directive from Apple to stop extending Active Directory schemas? Did Apple and/or Mountain Lion stop supporting that way of integration? If it's still supported, where can we find an updated paper about it?


Since this is a technical white paper, I expect it to grow with more and more technical information, so seeing it halved with all that great information gone made me a bit nervous.


Can you help me or direct me to the right place?


Thank you very much and have a nice day,

Kull57

MacBook Pro, OS X Mountain Lion (10.8.2)

Posted on Feb 8, 2013 8:38 AM

Question marked as Best reply

Posted on Feb 8, 2013 9:15 AM

General rule of thumb is do not extend schema. You are asking for trouble and Microsoft will likely stop talking to you.


The next challenge is that you are enforcing GPO. Have you defined which settings you want to enforce on OS X? If these settings are desktop background and other cosmetic features, then simply create a master image and make all these settings. If security specific, you can also bake most of that into an image.


In all the years of integrating OS X into Windows, I've found Apple's plugin has always been enough. It gets you authentication, authorization, single sign on, and password policy. That is what most organizations want.


Also, please note that the old magic triangle of injecting a Mac server between the clients and the Windows server is being deprecated by Apple. MCX is effectively deprecated in Mountain Lion, so many of the tools and concepts related to extended schema and third-party tools like Centrify no longer apply. Apple is moving to Profile Manager and this requires a lighter weight (depending on the angle you look) deployment model.


Before you do anything, just start by binding a Mac to your active directory. Use the Apple built in client. Use the machine. Find out what is working and what is not. You will be amazed at how many flaws in your Windows environment will be exposed by adding Macs to it.

11 replies

Feb 8, 2013 3:00 PM in response to Strontium90

Hello Strontium90,


Thank you very much for your time and for your answer.


Do you have more information about the troubles we may encounter with schema extension?


It is true that schema modifications are irreversible and must be taken seriously, but if done carefully with the proper backups, usually it's OK. I mean Exchange, SharePoint and several other Microsoft tools do extend the schema at initial installation and even when migrating from a version to another.


We also asked our Premier Field Engineer for Microsoft to look into the matter, but I want to have both sides of the coin, so I want to see the Apple point of view too, especially because it was in the 10.7 white paper and was quite well explained, but completely disappeared from 10.8.


Now about the GPO - Managed Preferences. Well, our organization likes to enforce everything, from automatic screensaver after a certain amount of time, password to unlock screensaver, disabling hardware like USB ports or DVD drives, automatic launching of applications at startup, background image, default webpage, default desktop theme, tweaking application security in several applications, mounting default network shares at startup, blocking the opening of certain software; we have hundreds of them. We do not use computer imaging software, everything is in SCCM and most settings are GPO based, so that no matter what, even an administrator messing with the computer, most settings will be reset at next startup or after a certain delay. It seems like Microsoft supports Macs in SCCM 2012 SP1, so I guess our organization will want to centralize everything there too, ideally.


We are in exploratory mode, I agree that the default OS X Mountain Lion plugin might be the final decision due to the troubles involved and after a cost to benefit analysis, but I was asked to look into everything.


I also saw that move to Profile Manager, even if Centrify and other third parties are still mentioned in the new white paper because Apple quietly released Workgroup Manager for Mountain Lion, so you are right that probably with OS X 10.9 it will be hard to do it the "old way".


Problem with that new Profile Manager is the need for a Mac OS X server in our server farm, mostly idling just to serve profiles to people. A bit hard to justify... Might be the only "good" way to do it, on the other hand.


Thank you very much again,

Kull57

Feb 8, 2013 4:44 PM in response to Kull57

Glad to help. Apple is on a march toward the eschewing of directory services (OD and AD), as seen by the success of the iPad, which essentially doesn't even have a user account. This is the "power" (or lack thereof) of profiles. Profiles are mostly device configuration, not user config. Granted, there is the ability to push e-mail settings, but without a regex feature like that in MobileIron, this is incredibly time consuming and tedious.


To your comment:


It is true that schema modifications are irreversible and must be taken seriously, but if done carefully with the proper backups, usually it's OK. I mean Exchange, SharePoint and several other Microsoft tools do extend the schema at initial installation and even when migrating from a version to another.


Yes. Anything done "carefully with proper backups" is safe 🙂 But not necessarily wise. Also note that all the other products mentioned are made by Microsoft and the expectation is that products from a like-minded company should work together. I've been integrating Macs into AD for more than a decade (yes, I was one of those idiots using the LDAP plugin back in 10.3(?) if memory serves). In all that time I have not yet once found a valid reason for modifying schema, even when Apple was hot on the topic. Also, in that time, I've seen more companies invest in Centrify only to let it stagnate as the Windows admins struggle to figure out what to manage on a Mac. Granted, in the old days, this is when Macs were mostly small departments dedicated to content creation. Recently, this trend is shifting to mass deployments of Macs as general use systems. As this continues, we are seeing a renewed interest in "managing" the Macs. If this is a strict requirement, then the only answer at this point is to look into JAMF (Disclaimer: I/we are a reseller and integrator of the Casper Suite so make sure you do your independent research before accepting the advice of a mostly anonymous contributor on a public discussion forum).


And yes, SCCM is promising to support the Macs. But even after a Microsoft briefing, I get the feeling that this is going to be another Altiris "we support Macs" moment which basically translates into "if you can actually find the software and make it work, we will inventory the device for you." In which case, you have nothing of value. Again, I can only make a judgement based on an early briefing. It is possible that with the deprecation of MCX, SCCM will be able to implement profile manager (after all, this is a publicly available structure from Apple). If this is the case, then it may be possible to use profiles to manage some of your settings. But once again, the new feature from Apple (profiles) is nowhere near as expansive as MCX was. And sadly, MCX is dead. We can only hope that Apple will expand profile manager's options. But if we are to believe the trend of blending the OS will continue with more input from iOS and less from OS X, then profile manager will never become as rich as MCX because there will be no perceived need.


This also goes along with Apple's push to thin imaging and BYOD. Apple plays well into this space due to limited product options. Companies considering BYOD see the Windows PC market and begin to tremble at the sheer volume of configurations and versions. Then they look at Apple and see the same product with different screen sizes and have a sigh of relief.


Now about the GPO - Managed Preferences. Well, our organization likes to enforce everything, from automatic screensaver after a certain amount of time, password to unlock screensaver, disabling hardware like USB ports or DVD drives, automatic launching of applications at startup, background image, default webpage, default desktop theme, tweaking application security in several applications, mounting default network shares at startup, blocking the opening of certain software; we have hundreds of them. We do not use computer imaging software, everything is in SCCM and most settings are GPO based, so that no matter what, even an administrator messing with the computer, most settings will be reset at next startup or after a certain delay. It seems like Microsoft supports Macs in SCCM 2012 SP1, so I guess our organization will want to centralize everything there too, ideally.


So this next section, I will ask this question: Do you have a mobile device management solution in place? If so, you might want to look at the vendors ability to support OS X. AirWatch is already doing it. Mobile Iron either is or is about to. JAMF started on Mac OS. This may allow you to avoid deploying a "mostly idle" server just for policy enforcement. Plus, if you are cloud hosting this and you are using mostly Apple laptops, then enforcement continues outside the LAN.


There are a lot of things to consider. As you may guess, many of us in the industry are anxious to see where Apple is going in 10.9. We know MCX will be dead which will take OS X out of many schools. We can assume that Profile Manager will once again expand to support more settings. But how much of OS X will end up in iOS 7 and how much of iOS 7 will end up in OS X remains a large unanswered question. I check my dev seed status daily for the answers.


My advice is to do everything you can to discover the benefits and needs of the organization. The AD plugin is free and already on every Mac. JAMF will give you a 30 day demo. Apple Profile Manager is built into Server.app. And it is $30 and can be installed on any Mac. You can clearly investigate these services and solutions with little to no cost.


And, a plug for the Consultants Network community and even Apple Pro Services. You are not alone on this quest. I spend my weeks in Fortune 500 companies integrating Macs into their organizations. Reach out to the Consultants in your area (or beyond, as some of us travel 🙂) by looking here: http://consultants.apple.com.consultantlocater.com Or reach out to your Apple rep and ask about a Pro Services Readiness Assessment. These are great ways of rapidly advancing the project.

Feb 8, 2013 6:04 PM in response to Strontium90

Hello again Strontium90,


Thank you very much for your time, again!


With all those wise words, I will have to reconsider, restart my search again and weigh all options.


We are looking to implement an MDM sooner rather than later, so that could be the good way to do it.


By the way, is this the best community to ask questions like the one I had? I do not know much about the "professional" Mac community.


Thanks,

Kull57

Feb 9, 2013 4:43 AM in response to Kull57

This is probably the last best place. MacEnterprise.org is not really current. Xsanity is not used much because Apple effectively killed Xsan and the surrounding products. AFP548.com is still a valid source. And JAMF Nation is a good place to troll to get an idea about what is going on with Mac integration.


Enjoy the search. Binding your Macs to the domain is one of the best things you can do to gain acceptance and enforce compliance.

Feb 12, 2013 10:01 AM in response to Kull57

Tip:

If you want to have the ability to have users log in if there is no network server available, make sure you define a Home directory in ADUC for the user(s) and turn on Mobile accounts on the Apple computers.


This is especially important if you have remote users or MacBooks that are logged into outside of the network/domain.


...it can also speed up the login process from within the network too, since you're not necessarily dependent on the "Network Accounts Unavailable" message going away before logging into the Mac.
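One way to check the tip above on a bound Mac, as an added example that is not part of the original thread: a POSIX shell audit of the user-experience options that `dsconfigad -show` reports. The two sample outputs embedded in the script are constructed to mirror that command's layout; the key names it looks for (`Create mobile account at login`, `Require confirmation`, `Packet signing`, `Packet encryption`) are assumed to match what a real bound Mac prints, so confirm them against your own `dsconfigad -show` output. The script goes slightly beyond the tip by also flagging the packet signing and encryption options, which affect how the Mac talks to the domain controller.

```shell
#!/bin/sh
# Added example (not from the thread): audit an AD-bound Mac's dsconfigad
# settings for offline (mobile) login readiness plus the LDAP packet
# signing/encryption options. The two samples below are constructed to
# mirror the layout of `dsconfigad -show`; they are not captured output.

SAMPLE_OK='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = example.com
  Computer Account                 = mac01$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Disabled
  Force home to startup disk       = Enabled
  Use Windows UNC path for home    = Enabled

Advanced Options - Administrative
  Packet signing                   = require
  Packet encryption                = require'

SAMPLE_BAD='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = example.com
  Computer Account                 = mac02$

Advanced Options - User Experience
  Create mobile account at login   = Disabled
  Require confirmation             = Enabled
  Force home to startup disk       = Enabled
  Use Windows UNC path for home    = Enabled

Advanced Options - Administrative
  Packet signing                   = allow
  Packet encryption                = allow'

# ad_setting OUTPUT KEY: print the value of the "KEY = value" line, if any.
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
          if (k == key) { print $2; exit } }'
}

# check OUTPUT KEY EXPECTED WHY: report one finding when KEY is not EXPECTED.
check() {
    actual=$(ad_setting "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FINDING: '$2' is '${actual:-<missing>}', expected '$3': $4"
        return 1
    fi
    return 0
}

# audit_binding OUTPUT: run every check; exit status 0 only when all pass.
audit_binding() {
    findings=0
    check "$1" "Create mobile account at login" "Enabled" \
        "no cached account, so users cannot log in while the domain is unreachable" \
        || findings=$((findings + 1))
    check "$1" "Require confirmation" "Disabled" \
        "users are prompted and can decline the cached account" \
        || findings=$((findings + 1))
    check "$1" "Packet signing" "require" \
        "directory traffic to the domain controller is not integrity protected" \
        || findings=$((findings + 1))
    check "$1" "Packet encryption" "require" \
        "directory traffic to the domain controller may travel in the clear" \
        || findings=$((findings + 1))
    echo "audit complete: $findings finding(s)"
    [ "$findings" -eq 0 ]
}

# On a Mac, audit the live binding; elsewhere, audit the constructed samples.
if command -v dsconfigad >/dev/null 2>&1; then
    audit_binding "$(dsconfigad -show)" || true
else
    echo "dsconfigad not available here; auditing the constructed samples"
    audit_binding "$SAMPLE_OK"  || true
    audit_binding "$SAMPLE_BAD" || true
fi
```

When a finding is reported on a real machine, the corresponding options are set with `dsconfigad` itself (`-mobile enable`, `-mobileconfirm disable`, `-packetsign require`, `-packetencrypt require`); the home directory defined in ADUC lives on the AD side and is not visible in this output, so verify that part in Active Directory Users and Computers.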

May 14, 2015 1:25 PM in response to Strontium90

Hi. I am having a problem waking my laptop from sleep. Your previous answer said that your organization could help with this type of issue. I am locked out because the password I have been using will not work since I changed my Apple ID password two days ago. I have tried using the new Apple ID password, but that doesn't work either. Apple Support page brought me to you. I don't understand a lot of the technical language that you have used. I don't know what the acronyms mean. If you can help me I'd be very grateful. Thanks!

May 14, 2015 7:10 PM in response to hellesos

So we likely could help, but I will be honest in saying that your best mode of attack is to take the unit to your nearest Apple store. I (we) tend to support businesses (particularly enterprise) and, not to denigrate your need, it sounds like you are an individual with a single Mac and an Apple ID. The Apple store will provide assistance free of charge. As a small business owner I can not compete with that.


All that being said, you can try booting the machine into the Recovery partition and resetting the local password. Search for "recovery partition password reset mac" in your favorite search engine to find the procedure.


Again, you are welcome to reach out to us for assistance, but you likely have cheaper and more localized assistance available. Now, obviously, if you are local to us, you are more than welcome to bring the unit in.


I hope this helped.

Jun 10, 2016 5:14 PM in response to Strontium90

Very late response...but there is a misstatement above:


It is true that schema modifications are irreversible and must be taken seriously,


Depending on the version of Windows Server, flexibility increased as the product matured:


  • Can not disable or delete Active Directory schema extensions.
  • Can disable but not delete Active Directory schema extensions.
  • Can disable or delete Active Directory schema extensions.


My colleagues in large environments often extend Active Directory schema extensions to accommodate the needs of special applications or platforms.


Asking whether Microsoft supports Active Directory schema extensions is like asking Apple if they support adding a field to a FileMaker database, or like asking JAMF Software if they support adding an Extension Attribute to JSS.


Seems like Apple is walking away from stuff they have no business trying to support, since another entity already supports it.


Don

Jun 13, 2016 3:40 AM in response to Kull57

I also am extremely loath to consider extending the Active Directory schema. It should be noted that in many organisations the Mac department has to work with a much bigger PC department, and the PC department, which of course will be more involved with Windows servers, will often be very unwilling to consider this.


Option 1 - Firstly, let's look at solutions to integrate Macs with AD and allow AD to manage those Macs via GPO.


Centrify - https://www.centrify.com/products/identity-service/mac-management/

ADmitMac - http://www.thursby.com/products/admitmac


I have not looked at the latter but have previously looked at Centrify. I got the very strong impression that in order for it to work, not only did you have to install a plugin which replaces Apple's own AD plugin, but Centrify also needs to populate your AD with schema extensions. Therefore, as discussed, I consider this to be a bad approach on two fronts.


Option 2 - Historically the most popular approach has been to have a Mac server running Open Directory in what you referred to as a 'Magic Triangle' configuration. The AD schema will then be untouched and the Mac OD server will be used to manage Macs using Managed Preferences, i.e. MCX. As you may be aware, Apple are encouraging people to move away from using MCX, i.e. Managed Preferences, and you yourself indicated a desire not to add a Mac server. However, this approach would still be preferable to Option 1 above.


Option 3 - Mobile Device Management, aka MDM. Despite its name, this can also be applied to desktop computers as well as mobile devices. This is a still supported and recommended method for managing Macs. With this approach you would 'enrol' your Macs to an MDM server, which could be Apple's Profile Manager or a third-party equivalent like JAMF Casper Suite.


Note: Some MDM solutions have very poor support for managing Macs and focus instead on managing iOS devices i.e. iPhones and iPads. So pick an MDM solution carefully.


An MDM solution does not require a Mac server unless you choose Apple's own Profile Manager and does not require modifying the AD schema. It is however likely going to require buying a commercial MDM solution. (Even Apple's Profile Manager is not completely free.)


As an addendum to using an MDM solution there is now DEP - Device Enrolment Program, this is a way of pre-registering brand new Macs to your MDM server so that they automatically enrol themselves when first turned on. The user then does not need to know how to enrol the Mac as this will be done automatically when they unbox the Mac. You will still be using an MDM server to do the management.



As a final and important comment I would say that in general it is best to look for a Mac specific solution to manage Macs, and a PC specific solution to manage PCs. Trying to use a PC solution to manage Macs usually results in an inferior result and as we have been discussing many additional complexities. Not only is this the widely shared opinion of Mac consultants and administrators but also of more independent and multi-platform consultancy firms.
