
Magic Triangle (AD OSX Server implementation)

Hey Apple Community,


does anyone have experience with the 'Magic Triangle'?

Magic Triangle: In a mixed environment (macOS, Windows, Linux), we are using an AD for authentication. The goal is that the users get authorized by the AD and get the policies from the OS X Server.

We created an Open Directory domain with OS X Server, and the Mac is in the AD and OD domains.

The test user doesn't get any policy from the OD and I can't imagine why. Does anyone have experience with that?



Posted on Nov 24, 2015 8:56 AM

Question marked as Best reply

Posted on Nov 24, 2015 1:49 PM

Which technology are you using for management? I assume Profile Manager at this point. But since you did not define the OS X version, you might still be trying to use MCX. The management solution impacts how to implement and what works with different versions of the OS.


So, the "magic triangle" still works. As you detailed, you must bind your Mac server to AD, then promote it to an OD Master. You should NOT create users in OD, as that decentralizes the management of the user list. DNS is vitally important to make all this work, as your Kerberos principals are all tied together based on naming. Once the server is set up, then you can focus on the workstations.


Now, if you are using MCX, bind to both domains. Always bind to the master domain first. This is AD. Then bind to OD. In OD you can create OD proxy groups and add AD users. You cannot manage at the user level.


If you are using Profile Manager, you need to bind to AD for authentication and then enroll into Profile Manager. If you are using Profile Manager, you must be able to support push notification on your network. If you are corporate and have a proxy, you are in trouble. Check out Push Diagnostics from Twocanoes for a simple tool to test your environment.


Hope this helps get you started.


Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books

11 replies

Nov 25, 2015 8:52 AM in response to Jan Growe

Profile Manager is generally where you want to be. MCX is deprecated. There remains some need for it, but overall it is the past and likely should be avoided.


Start with something simple. Create a Device Group in Profile Manager. Add a single enrolled device into the device group. Then apply only the Login Window policy, setting a Login Window message. This is a nice simple policy and one that has an immediate visual result. When you save the profile, look to the sidebar. You should briefly see the payload show in the active tasks. Click on Active Tasks to watch it be delivered. If the task is not being delivered, try rebooting the client system. If it is still not being delivered, check to ensure your network can support push notification. If you have a lot of pending active tasks, you may have networking issues.


If the task completes, go back to the client and log out (or log in and log out to refresh the loginwindow process). You should see the customization of the login window.


Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books

Dec 2, 2015 4:18 PM in response to Jan Growe

I think we are getting mixed up on our terminology. The magic triangle is a term that came from the need to dual bind to both AD (the parent domain) and OD (the subordinate domain). The reasons for this back in the day were to provide management via MCX, as the OD server provided a location to store MCX attributes without schema modification to AD. It was possible to manage OS X systems without the magic triangle by extending the AD schema or by using tools like Centrify. But in most cases the prospect of schema extension was filled with dread and generally frowned upon by AD admins. And Centrify added significant cost to a deployment where OS X Server, even with the hardware, was a bargain.


Now MCX is dead. So the concept of the magic triangle may not make much sense, or at the very least the term probably needs updating. However, there remains a need to store and manage settings. The settings are now configuration profiles, and they are created on OS X Server (Profile Manager) or other MDM solutions. To make this work, the device must be enrolled into the MDM (Profile Manager, JAMF, AirWatch, etc.) and your network must support Apple's push notification (or you can manually distribute the configuration profiles).


In your case you want to do the following:

• Keep users, groups, and passwords in AD

• Manage devices through Profile Manager (or another MDM)


Now, we get caught on semantics when talking about the magic triangle and binding. In reality, unless you need to create and use proxy groups in OD, there is no need to bind clients to an OD server. Instead, you would bind them to AD (for authentication and authorization) and then enroll the devices into your MDM to allow for device-level management. Now, with Profile Manager you can go right to enrollment if you have a binding profile created.


Start with a manual method. First, bind a machine to AD and make sure you can log in. Next, get your server bound to AD and then promote it to an OD Master so you can fire up Profile Manager. Enroll the workstation and then manage the device, or create a device group and add the device to the group.


I hope that makes more sense. The concept of the magic triangle is a little dated due to its association with MCX.


Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books
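As an added example (not from the thread, and not Apple's tooling), a small POSIX shell script that checks the prerequisites Reid lists on a workstation: bound to AD, forward/reverse DNS naming consistent for the Kerberos principals, and the OD node and search order (AD before OD). The helper names `adshow_field`, `dns_roundtrip_ok` and `account_matches_host` are mine, and the "Key = value" layout of `dsconfigad -show` output that the parser relies on is an assumption.

```shell
#!/bin/sh
# Added example: magic-triangle sanity checks for a dual-bound Mac.
# Helpers take text as arguments so they can be exercised anywhere; the
# live section runs only where dsconfigad/dscl/dig exist (on the Mac).

# Pull one "Key   = value" field out of captured `dsconfigad -show` output
# (assumed layout: key, spaces, '=', value).
adshow_field() {                    # $1 = captured output, $2 = key name
  printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
}

# Forward/reverse DNS must agree: the PTR of the host's A record should give
# back the FQDN the host calls itself (case and trailing dot ignored).
dns_roundtrip_ok() {                # $1 = fqdn, $2 = resolved IP, $3 = PTR name
  f=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  p=$(printf '%s' "$3" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$2" ] && [ -n "$f" ] && [ "$f" = "$p" ]
}

# The AD computer account ("mac01$") should match the host's short name;
# a mismatch is a common source of Kerberos naming trouble.
account_matches_host() {            # $1 = fqdn, $2 = Computer Account value
  short=$(printf '%s' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z')
  acct=$(printf '%s' "$2" | sed 's/\$$//' | tr 'A-Z' 'a-z')
  [ -n "$short" ] && [ "$short" = "$acct" ]
}

# Live checks; only meaningful on the bound Mac itself.
if command -v dsconfigad >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
  fqdn=$(hostname -f)
  show=$(dsconfigad -show 2>/dev/null)
  domain=$(adshow_field "$show" "Active Directory Domain")
  acct=$(adshow_field "$show" "Computer Account")
  ip=$(dig +short A "$fqdn" | head -n1)
  ptr=$(dig +short -x "$ip" 2>/dev/null | head -n1)
  echo "AD domain: ${domain:-NOT BOUND}  computer account: ${acct:--}"
  dns_roundtrip_ok "$fqdn" "$ip" "$ptr" && echo "DNS: forward/reverse OK" \
    || echo "DNS: forward/reverse MISMATCH ($fqdn -> $ip -> $ptr)"
  account_matches_host "$fqdn" "$acct" && echo "AD: account matches host" \
    || echo "AD: computer account does not match host name"
  echo "OD/LDAP nodes bound:"; dscl localhost -list /LDAPv3
  echo "Search path (AD should precede OD):"; dscl /Search -read / CSPSearchPath
fi
```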

Dec 15, 2015 4:50 AM in response to Strontium90

The Magic Triangle is working now with manual configuration profiles.


The enrollment is not working. The server is reachable, but if I try to install the enrollment profile, I get the error:

"Profile installation failed. Could not authenticate to the MDM server. The credentials within the enrollment profile may have expired."


I renewed every certificate, but the error is still there.


Does anybody have an idea, or a solution?

Dec 15, 2015 10:05 AM in response to Jan Growe

For solving some of the resulting problems, these procedures have proven results in the past:


Bind OS X to an Active Directory domain


Troubleshoot any issues binding OS X to Active Directory


I could only advise you to also have a look at OS X Server to deploy settings to OS X clients and subsequently at Mobile Device Management (MDM) functions for iOS-based devices.


Have fun

Leo


PS. With Strontium90, you are in one of the best hands possible.

Dec 16, 2015 3:38 AM in response to Jan Growe

Jan Growe wrote:


Thanks for the fast response...

My problem is exactly this, I can't install the enrollment profile, because of the authority error.

Everything else is working.

The three ways to install certificates on (i)OS(X) system devices are:


  • Make the certificate file(s) available to the iOS device, e.g. via email attachment or web URL; when the (i)OS device opens the certificate it will offer to install it and, if needed, allow you to trust it
  • Use Apple Configurator via a suitable connection to the (i)OS(X) device to install the certificate(s)
  • Use Profile Manager or other similar MDM solution to push a profile containing the certificate(s)


Leo
