
Add Active Directory payload options for Apple devices
The Directory payload for Mac computers can use some Active Directory options that may not appear in the user interface of a device management service.
The following Active Directory configuration keys can be added to a Directory payload (PayloadType com.apple.DirectoryService.managed). Note that most settings take effect only if their companion flag key is set to true; a value key whose flag is missing or false is silently ignored by the device. For example, ADPacketEncryptFlag must be true before a value such as “require” in ADPacketEncrypt is applied.
| Key | Type | Description |
|---|---|---|
| HostName | string | The Active Directory domain to join. |
| Username (optional) | string | Username of the account used to join the domain. |
| Password (optional) | string | Password of the account used to join the domain. |
| PromptForCredentials | boolean | Prompt the user for credentials to authenticate. |
| Description | string | Description of the payload. |
| ADOrganisationalUnit | string | The organisational unit (OU) where the joining computer object is added. |
| ADMountStyle | string | Network home protocol to use: “smb” or “afp”. |
| ADCreateMobileAccountAtLoginFlag | boolean | Turn the ADCreateMobileAccountAtLogin key on or off. |
| ADCreateMobileAccountAtLogin | boolean | Create a mobile account at login. |
| ADWarnUserBeforeCreatingMAFlag | boolean | Turn the ADWarnUserBeforeCreatingMA key on or off. |
| ADWarnUserBeforeCreatingMA | boolean | Warn the user before creating a mobile account. |
| ADForceHomeLocalFlag | boolean | Turn the ADForceHomeLocal key on or off. |
| ADForceHomeLocal | boolean | Force a local home directory. |
| ADUseWindowsUNCPathFlag | boolean | Turn the ADUseWindowsUNCPath key on or off. |
| ADUseWindowsUNCPath | boolean | Use the UNC path from Active Directory to derive the network home location. |
| ADAllowMultiDomainAuthFlag | boolean | Turn the ADAllowMultiDomainAuth key on or off. |
| ADAllowMultiDomainAuth | boolean | Allow authentication from any domain in the forest. |
| ADDefaultUserShellFlag | boolean | Turn the ADDefaultUserShell key on or off. |
| ADDefaultUserShell | string | Default user shell, e.g. /bin/bash. |
| ADMapUIDAttributeFlag | boolean | Turn the ADMapUIDAttribute key on or off. |
| ADMapUIDAttribute | string | Active Directory attribute to map the user UID to. |
| ADMapGIDAttributeFlag | boolean | Turn the ADMapGIDAttribute key on or off. |
| ADMapGIDAttribute | string | Active Directory attribute to map the user’s primary GID to. |
| ADMapGGIDAttributeFlag | boolean | Turn the ADMapGGIDAttribute key on or off. |
| ADMapGGIDAttribute | string | Active Directory attribute to map group GIDs to. |
| ADPreferredDCServerFlag | boolean | Turn the ADPreferredDCServer key on or off. |
| ADPreferredDCServer | string | Preferred domain controller. |
| ADDomainAdminGroupListFlag | boolean | Turn the ADDomainAdminGroupList key on or off. |
| ADDomainAdminGroupList | array of strings | Active Directory groups whose members are granted administrator rights on the Mac. |
| ADNamespaceFlag | boolean | Turn the ADNamespace key on or off. |
| ADNamespace | string | Primary user account naming convention: “forest” or “domain”; “domain” is the default. |
| ADPacketSignFlag | boolean | Turn the ADPacketSign key on or off. |
| ADPacketSign | string | Packet signing: “allow”, “disable” or “require”; “allow” is the default. |
| ADPacketEncryptFlag | boolean | Turn the ADPacketEncrypt key on or off. |
| ADPacketEncrypt | string | Packet encryption: “allow”, “disable”, “require” or “ssl”; “allow” is the default. |
| ADRestrictDDNSFlag | boolean | Turn the ADRestrictDDNS key on or off. |
| ADRestrictDDNS | array of strings | Restrict Dynamic DNS updates to the specified interfaces (e.g. en0, en1). |
| ADTrustChangePassIntervalDaysFlag | boolean | Turn the ADTrustChangePassIntervalDays key on or off. |
| ADTrustChangePassIntervalDays | number | How often, in days, to require a change of the computer trust account password; 0 disables the scheduled change. |
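The flag/value pairing above is easy to get wrong by hand: a payload can carry `ADPacketEncrypt = "require"` and still negotiate unencrypted LDAP because `ADPacketEncryptFlag` was never set. The following Python builds a Directory payload from the keys in the table, pairs every value with its flag, chooses the hardened settings a practitioner would want (signing and encryption set to “require” rather than the “allow” default, a short trust-account password interval, no embedded bind credentials), and includes a check that reports value keys that would be silently ignored. This is an added example, not Apple’s code or a profile from this page; the domain, OU, group name, payload identifiers and the 14-day interval are placeholders, and the `_Flag` key mapping is taken directly from the table.

```python
"""Build a Directory (com.apple.DirectoryService.managed) payload whose
flag/value pairs are consistent, and detect value keys that would be
silently ignored because their flag key is missing or false."""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.DirectoryService.managed"

# Value keys from the table mapped to the flag key that must be true
# for the value to take effect.
FLAGGED_KEYS = {
    "ADCreateMobileAccountAtLogin": "ADCreateMobileAccountAtLoginFlag",
    "ADWarnUserBeforeCreatingMA": "ADWarnUserBeforeCreatingMAFlag",
    "ADForceHomeLocal": "ADForceHomeLocalFlag",
    "ADUseWindowsUNCPath": "ADUseWindowsUNCPathFlag",
    "ADAllowMultiDomainAuth": "ADAllowMultiDomainAuthFlag",
    "ADDefaultUserShell": "ADDefaultUserShellFlag",
    "ADMapUIDAttribute": "ADMapUIDAttributeFlag",
    "ADMapGIDAttribute": "ADMapGIDAttributeFlag",
    "ADMapGGIDAttribute": "ADMapGGIDAttributeFlag",
    "ADPreferredDCServer": "ADPreferredDCServerFlag",
    "ADDomainAdminGroupList": "ADDomainAdminGroupListFlag",
    "ADNamespace": "ADNamespaceFlag",
    "ADPacketSign": "ADPacketSignFlag",
    "ADPacketEncrypt": "ADPacketEncryptFlag",
    "ADRestrictDDNS": "ADRestrictDDNSFlag",
    "ADTrustChangePassIntervalDays": "ADTrustChangePassIntervalDaysFlag",
}


def directory_payload(domain, ou, admin_groups, flagged_settings=None,
                      identifier="com.example.directory"):
    """Return a Directory payload that joins `domain`, places the computer
    object in `ou`, and applies hardened defaults. `domain`, `ou`,
    `admin_groups` and `identifier` are caller-supplied placeholders."""
    settings = {
        # "allow" (the default) lets the session fall back to unsigned or
        # unencrypted LDAP if the DC permits it; "require" refuses that.
        "ADPacketSign": "require",
        "ADPacketEncrypt": "require",
        "ADCreateMobileAccountAtLogin": True,
        "ADWarnUserBeforeCreatingMA": False,
        "ADDomainAdminGroupList": list(admin_groups),
        "ADTrustChangePassIntervalDays": 14,  # assumed rotation interval
    }
    settings.update(flagged_settings or {})
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory",
        "HostName": domain,
        # Prompt for join credentials instead of embedding Username/Password,
        # which would sit in cleartext in every copy of the profile.
        "PromptForCredentials": True,
        "ADOrganisationalUnit": ou,
        "ADMountStyle": "smb",
    }
    for key, value in settings.items():
        payload[FLAGGED_KEYS[key]] = True  # set the flag, or the value is ignored
        payload[key] = value
    return payload


def inert_settings(payload):
    """Value keys present in `payload` whose flag key is absent or not true.
    They look configured in the profile but have no effect on the device."""
    return sorted(key for key, flag in FLAGGED_KEYS.items()
                  if key in payload and payload.get(flag) is not True)


def build_profile(payload, identifier="com.example.profile.directory"):
    """Wrap a single payload in a top-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Directory binding",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile to the XML plist text an MDM delivers as .mobileconfig."""
    return plistlib.dumps(profile).decode("utf-8")


if __name__ == "__main__":
    payload = directory_payload("ad.example.com",
                                "OU=Macs,DC=ad,DC=example,DC=com",
                                ["EXAMPLE\\Mac Admins"])
    assert inert_settings(payload) == [], inert_settings(payload)
    print(to_mobileconfig(build_profile(payload)))
```

Run `inert_settings` over any Directory payload exported from an MDM before trusting what its console shows: the check returns an empty list only when every value key has its flag set to true, which is the condition under which the device actually honours the setting.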