At Peninsula IT Consulting in Sydney, our customers increasingly adopt either a Bring Your Own Device (BYOD) program or a Choose Your Own Device (CYOD) program for their end users' computer and mobile device needs. Our customers who offer high quality on-premises and cloud services to their staff can now attract dynamic employees who can get their job done securely and efficiently, from any location, using their favourite endpoint device. As a result, we are seeing far more mainstream adoption of Apple MacOS in businesses of all sizes.
Apple MacOS Devices and Active Directory
By binding an Apple MacOS device such as a MacBook to a customer's Active Directory, our digital workspace team ensures that access to the corporate network from these devices follows the usual organisational policies, such as centralised authentication and controlled access to password-protected network resources. Staff can use their normal Windows Active Directory username and password to log in to their Apple MacOS device; because the login obtains a Kerberos ticket from the domain, they can then access corporate network resources such as shared drives, intranet sites and other Active Directory aware applications without entering their credentials again.
Joining Apple MacOS High Sierra to Active Directory
On a recent consulting engagement where a customer was deploying Apple MacOS devices to groups of users, we got stuck while trying to join the devices to the Windows domain.
There are many excellent references on the internet, such as Jamf Nation and the Apple website, where this integration is discussed; however, most if not all of these sites are not clear about what to do if problems occur during the domain join process. Most troubleshooting advice for Active Directory domain join issues concerns Domain Name System (DNS) configuration or availability: the Mac must use the domain's DNS servers and be able to resolve the SRV records that locate domain controllers (for example _ldap._tcp.dc._msdcs.<domain>), and its clock must be within the Kerberos tolerance (five minutes by default) of the domain controllers. Our testing demonstrated no issues with DNS configuration or time synchronisation at this particular customer.
What we did find is that for MacOS High Sierra there appears to be an undocumented requirement for additional group membership on the account used to join the MacOS device to an Active Directory domain. In short, we needed to make sure that the binding account, even a Domain Administrator account, was also a member of the following built-in group:
- Account Operators
Once this group membership was added to the account used for binding the MacOS device to the domain, the join process worked smoothly for the rest of our customer project. One caveat: Account Operators is itself a highly privileged built-in group (its members can create and modify most user, group and computer accounts in the domain and can log on locally to domain controllers, and Microsoft recommends leaving it empty), so rather than granting it to an everyday administrator account we recommend using a dedicated bind account that is added to the group only for the duration of the rollout and removed afterwards.
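The following script is an added example, not part of the original post or of any vendor tooling. It pulls together the two checks discussed above before a Mac is bound: it verifies that the domain's DNS SRV records resolve, validates the computer name, and only then runs the bind with the prepared account (which is assumed to have already been made a member of Account Operators on the Active Directory side, for example via Active Directory Users and Computers). The domain name corp.example.com, the computer name MAC-1234, the bind account svc-macbind and the OU path are all placeholders; dsconfigad, dscl and dig are the standard macOS tools.

```shell
#!/bin/bash
# ad-bind.sh: pre-flight checks and Active Directory bind for a Mac.
# Added example; all domain, account and OU values are placeholders.
set -u

# SRV records an AD client uses to find domain controllers, Kerberos KDCs and
# global catalogs. If these do not resolve, the bind cannot succeed.
srv_records_for_domain() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.${domain}" \
        "_kerberos._tcp.dc._msdcs.${domain}" \
        "_ldap._tcp.${domain}" \
        "_kerberos._tcp.${domain}" \
        "_gc._tcp.${domain}"
}

# Resolve each SRV record with dig; returns the number of missing records.
check_dns() {
    domain="$1"; missing=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
    for rec in $(srv_records_for_domain "$domain"); do
        if dig +short SRV "$rec" | grep -q .; then
            echo "ok      $rec"
        else
            echo "MISSING $rec"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# AD computer account names are NetBIOS names: 1-15 characters, letters,
# digits and hyphens only. A longer name is a common silent cause of failure.
valid_computer_name() {
    name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Bind with dsconfigad. The bind account must already hold the group
# membership described above (Account Operators) on the AD side.
bind_to_ad() {
    domain="$1"; computer="$2"; bind_user="$3"; ou="$4"
    # Read the password from the terminal so it never lands in shell history.
    printf 'Password for %s: ' "$bind_user"
    stty -echo; read -r pw; stty echo; echo
    sudo dsconfigad -add "$domain" -computer "$computer" \
        -username "$bind_user" -password "$pw" -ou "$ou" -force
}

# Confirm the bind: show the bound domain, then resolve an AD account through
# the directory search path, which proves LDAP lookups work end to end.
verify_bind() {
    user="$1"
    dsconfigad -show
    id "$user"
    dscl /Search -read "/Users/$user" RecordName
}

# Usage (on the Mac):
#   RUN_BIND=1 ./ad-bind.sh corp.example.com MAC-1234 svc-macbind \
#       "CN=Computers,DC=corp,DC=example,DC=com"
if [ "${RUN_BIND:-0}" = "1" ]; then
    domain="$1"; computer="$2"; bind_user="$3"; ou="$4"
    valid_computer_name "$computer" || { echo "computer name must be 1-15 chars [A-Za-z0-9-]" >&2; exit 2; }
    check_dns "$domain" || { echo "fix DNS before binding" >&2; exit 3; }
    bind_to_ad "$domain" "$computer" "$bind_user" "$ou" && verify_bind "$bind_user"
fi
```

The bind only runs when RUN_BIND=1 is set, so the functions can be sourced and tried individually. If check_dns reports missing records, the Mac is not pointed at the domain's DNS servers and no change to the bind account will help; if DNS is clean and dsconfigad still refuses the join, that is the point at which the group membership of the bind account is worth checking.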