
Add Active Directory payload options for Apple devices
The Directory payload for Mac computers can use some Active Directory options that may not appear in the user interface of a device management service.
The following Active Directory configuration keys can be added to the Directory payload, of type com.apple.DirectoryService.managed. Note that some settings are set only if the associated flag key is set to “true.” For example, ADPacketEncryptFlag needs to be set to “true” to set the ADPacketEncrypt key to “enable.”
| Key | Type | Description |
|---|---|---|
| HostName | string | The Active Directory domain to join. |
| User name (optional) | string | User name of the account used to join the domain. |
| Password (optional) | string | Password of the account used to join the domain. |
| PromptForCredentials | boolean | Prompt the user for credentials to authenticate. |
| Description | string | Description of the payload. |
| ADOrganizationalUnit | string | The organizational unit (OU) where the joining computer object is added. |
| ADMountStyle | string | Network home protocol to use: “smb” or “afp”. |
| ADCreateMobileAccountAtLoginFlag | boolean | Turn on or off the ADCreateMobileAccountAtLogin key. |
| ADCreateMobileAccountAtLogin | boolean | Create a mobile account at login. |
| ADWarnUserBeforeCreatingMAFlag | boolean | Turn on or off the ADWarnUserBeforeCreatingMA key. |
| ADWarnUserBeforeCreatingMA | boolean | Warn the user before creating a mobile account. |
| ADForceHomeLocalFlag | boolean | Turn on or off the ADForceHomeLocal key. |
| ADForceHomeLocal | boolean | Force a local home directory. |
| ADUseWindowsUNCPathFlag | boolean | Turn on or off the ADUseWindowsUNCPath key. |
| ADUseWindowsUNCPath | boolean | Use the UNC path from Active Directory to derive the network home location. |
| ADAllowMultiDomainAuthFlag | boolean | Turn on or off the ADAllowMultiDomainAuth key. |
| ADAllowMultiDomainAuth | boolean | Allow authentication from any domain in the forest. |
| ADDefaultUserShellFlag | boolean | Turn on or off the ADDefaultUserShell key. |
| ADDefaultUserShell | string | Default user shell; e.g. /bin/bash. |
| ADMapUIDAttributeFlag | boolean | Turn on or off the ADMapUIDAttribute key. |
| ADMapUIDAttribute | string | Map the user UID to this attribute. |
| ADMapGIDAttributeFlag | boolean | Turn on or off the ADMapGIDAttribute key. |
| ADMapGIDAttribute | string | Map the user GID to this attribute. |
| ADMapGGIDAttributeFlag | boolean | Turn on or off the ADMapGGIDAttribute key. |
| ADMapGGIDAttribute | string | Map the group GID to this attribute. |
| ADPreferredDCServerFlag | boolean | Turn on or off the ADPreferredDCServer key. |
| ADPreferredDCServer | string | Prefer this domain controller. |
| ADDomainAdminGroupListFlag | boolean | Turn on or off the ADDomainAdminGroupList key. |
| ADDomainAdminGroupList | array of strings | Allow administration by the specified Active Directory groups. |
| ADNamespaceFlag | boolean | Turn on or off the ADNamespace key. |
| ADNamespace | string | Set the primary user account naming convention: “forest” or “domain”; “domain” is the default. |
| ADPacketSignFlag | boolean | Turn on or off the ADPacketSign key. |
| ADPacketSign | string | Packet signing: “allow,” “disable,” or “require”; “allow” is the default. |
| ADPacketEncryptFlag | boolean | Turn on or off the ADPacketEncrypt key. |
| ADPacketEncrypt | string | Packet encryption: “allow,” “disable,” “require,” or “ssl”; “allow” is the default. |
| ADRestrictDDNSFlag | boolean | Turn on or off the ADRestrictDDNS key. |
| ADRestrictDDNS | array of strings | Restrict Dynamic DNS updates to the specified interfaces (e.g. en0, en1, etc.). |
| ADTrustChangePassIntervalDaysFlag | boolean | Turn on or off the ADTrustChangePassIntervalDays key. |
| ADTrustChangePassIntervalDays | number | How often, in days, to require a change of the computer trust account password; “0” can’t be used. |
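The flag-plus-key pairing described above is easy to get wrong by hand: a key whose matching Flag is absent or false is silently ignored, so a profile that looks hardened (ADPacketSign set to “require”) may apply nothing. The following Python script is an added example, not Apple code or a sample from the device management service: it builds a Directory payload with the keys from this table, wraps it in a configuration profile with plistlib, and lints it for ignored settings, weak signing/encryption choices, the forbidden interval “0”, and join credentials embedded in the profile. The profile-level keys (PayloadType “Configuration”, PayloadContent, PayloadIdentifier, PayloadUUID, PayloadVersion, PayloadDisplayName) are standard profile keys; the identifier strings, domain, OU and group names are constructed, and the assumption that the password key is literally named “Password” is the script’s own.

```python
import plistlib
import uuid

# Payload type named on the page for the Directory payload.
PAYLOAD_TYPE = "com.apple.DirectoryService.managed"

# Each Active Directory setting and the flag that must be true for it to take effect.
FLAGGED_KEYS = {
    "ADCreateMobileAccountAtLogin": "ADCreateMobileAccountAtLoginFlag",
    "ADWarnUserBeforeCreatingMA": "ADWarnUserBeforeCreatingMAFlag",
    "ADForceHomeLocal": "ADForceHomeLocalFlag",
    "ADUseWindowsUNCPath": "ADUseWindowsUNCPathFlag",
    "ADAllowMultiDomainAuth": "ADAllowMultiDomainAuthFlag",
    "ADDefaultUserShell": "ADDefaultUserShellFlag",
    "ADMapUIDAttribute": "ADMapUIDAttributeFlag",
    "ADMapGIDAttribute": "ADMapGIDAttributeFlag",
    "ADMapGGIDAttribute": "ADMapGGIDAttributeFlag",
    "ADPreferredDCServer": "ADPreferredDCServerFlag",
    "ADDomainAdminGroupList": "ADDomainAdminGroupListFlag",
    "ADNamespace": "ADNamespaceFlag",
    "ADPacketSign": "ADPacketSignFlag",
    "ADPacketEncrypt": "ADPacketEncryptFlag",
    "ADRestrictDDNS": "ADRestrictDDNSFlag",
    "ADTrustChangePassIntervalDays": "ADTrustChangePassIntervalDaysFlag",
}


def ad_setting(key, value):
    """Return the setting together with the flag that enables it."""
    return {FLAGGED_KEYS[key]: True, key: value}


def build_directory_payload(domain, ou, admin_groups, preferred_dc=None):
    """Directory payload that requires signed and encrypted traffic and
    stores no join credentials (the user is prompted instead)."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.directory.ad",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Active Directory bind",
        "HostName": domain,
        "PromptForCredentials": True,
        "ADOrganizationalUnit": ou,
        "ADMountStyle": "smb",
    }
    payload.update(ad_setting("ADPacketSign", "require"))
    payload.update(ad_setting("ADPacketEncrypt", "require"))
    payload.update(ad_setting("ADDomainAdminGroupList", admin_groups))
    payload.update(ad_setting("ADTrustChangePassIntervalDays", 14))
    payload.update(ad_setting("ADCreateMobileAccountAtLogin", False))
    if preferred_dc:
        payload.update(ad_setting("ADPreferredDCServer", preferred_dc))
    return payload


def build_profile(payload):
    """Wrap one payload in a top-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.directory.profile",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Active Directory",
        "PayloadContent": [payload],
    }


def lint_payload(payload):
    """Return a list of findings for a Directory payload (empty list when clean)."""
    findings = []
    for key, flag in FLAGGED_KEYS.items():
        if key in payload and payload.get(flag) is not True:
            findings.append(f"{key} is set but {flag} is not true, so it is ignored")
    for key in ("ADPacketSign", "ADPacketEncrypt"):
        if payload.get(FLAGGED_KEYS[key]) is True and payload.get(key) in ("allow", "disable"):
            findings.append(f"{key}={payload[key]} permits unsigned or unencrypted traffic")
    if payload.get("ADTrustChangePassIntervalDays") == 0:
        findings.append("ADTrustChangePassIntervalDays must not be 0")
    if "Password" in payload:  # assumed key name for the optional join password
        findings.append("join password embedded in profile; prefer PromptForCredentials")
    return findings


def to_mobileconfig(profile):
    """Serialize the profile as an XML plist, the .mobileconfig on-disk format."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    good = build_directory_payload(
        "ad.example.com", "OU=Macs,DC=ad,DC=example,DC=com", ["EXAMPLE\\Mac Admins"]
    )
    print(to_mobileconfig(build_profile(good)).decode())
    print("findings:", lint_payload(good))
```

Run it to print a ready-to-import .mobileconfig; feed an existing payload dictionary (for example one loaded with plistlib.load) to lint_payload to catch settings that a device will ignore because their flag is unset.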