Azure AD join Mac OS X
It would be really cool to be able to Azure AD join other devices, like Mac OS for example.
Thanks for your feedback. Azure AD Join is unique to Windows 10 as it uses Windows components to generate/store the artifacts used for subsequent logins and enable SSO to other resources. AADJ on Mac OS or any non-Windows OS is not a possibility currently.
We are working on other approaches to enable conditional access from Mac OS devices.
I think this feature is essential for a cloud-only company that relies on Office 365 and Azure.
I tried your solution, but the server is always not responding: 'Cannot connect to node ...'. In a directory browser it worked fine.
Anyone have an idea?
mark zigadlo commented
How to Configure LDAP Authentication for Mac OS and Azure AD
1. Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain
Network Account Server Setup
1. System Preferences > Users & Groups > Login Options > click the Lock icon to allow changes
2. Network Account Server > Join > Open Directory Utility > click the Lock icon to allow changes
3. LDAPv3 > Edit (pencil) > New > Server Name
• Enter the FQDN of your LDAPS endpoint, e.g. ldaps.mycompany.com
• Check Encrypt using SSL > Manual
4. Enter a Configuration Name of your choice > Edit
• Check Use custom port and enter 636
Search & Mappings Tab
1. Click the (+) button and add the Users record type
a. Enter your Search Base, e.g. dc=mycompany,dc=com
2. With Users highlighted, click (+) and add the following Attribute Types and associated values:
• NFSHomeDirectory - #/Users/$sAMAccountName$
• PrimaryGroupID - #20
• RealName - cn
• RecordName - sAMAccountName
• UniqueID - uSNCreated
• UserShell - #/bin/bash
3. Check Use authentication when connecting and enter a Distinguished Name
a. e.g. cn=username,ou=AADDC Users,dc=mycompany,dc=com
4. OK > OK when done
Search Policy Tab
1. For Authentication and Contacts, use the Search dropdown to select Custom path > (+) > Add
a. Choose the Directory Domain you just created
2. Apply and close the Directory Utility
3. You should now see the Network Account Server you just created with a green dot next to it. If you see a red dot, it either has not connected yet or something is wrong with your setup. A reboot sometimes helps.
4. Log out and log in as a valid Network user.
Create mobile account
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
After the mobile account is created you can make the network user a local admin and give them access to unlock the drive at boot time if using FileVault.
A mobile account will also be needed if the user needs to log into the Mac while not connected to the Internet.
Wireless is not available at the Mac OS login screen. First-time users will have to log in with an Ethernet connection.
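Added example, not part of the comment above: it applies the Search & Mappings attribute list from the procedure to a constructed LDAP entry and sanity-checks the macOS user record that results, so a mapping mistake (non-numeric UniqueID, a UID that collides with local system accounts, a home path outside /Users) is caught before anyone logs in. The '#'-literal and $attr$ substitution semantics, the sample entry values and the checks themselves are assumptions of this example.

```python
import re

# Directory Utility semantics assumed here: a mapping starting with '#' is a
# literal, with $ldapAttr$ placeholders substituted; anything else names the
# LDAP attribute to copy. The mappings are the ones listed in the procedure.
MAPPINGS = {
    "NFSHomeDirectory": "#/Users/$sAMAccountName$",
    "PrimaryGroupID": "#20",
    "RealName": "cn",
    "RecordName": "sAMAccountName",
    "UniqueID": "uSNCreated",
    "UserShell": "#/bin/bash",
}

# Constructed sample entry, as an LDAPS search under
# ou=AADDC Users,dc=mycompany,dc=com might return it (values are made up).
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "cn": "Jane Doe",
    "uSNCreated": "16845",
}


def apply_mappings(entry, mappings=MAPPINGS):
    """Translate one LDAP entry into the macOS user record the mapping yields."""
    record = {}
    for mac_attr, mapping in mappings.items():
        if mapping.startswith("#"):
            # Literal value; replace each $ldapAttr$ with the entry's value.
            record[mac_attr] = re.sub(
                r"\$(\w+)\$", lambda m: entry[m.group(1)], mapping[1:])
        else:
            record[mac_attr] = entry[mapping]
    return record


def check_record(record):
    """Return the problems that would break the login or clash with local users."""
    problems = []
    if not record["UniqueID"].isdigit():
        problems.append("UniqueID must be numeric; uSNCreated value is not")
    elif int(record["UniqueID"]) < 500:
        # macOS reserves UIDs below 500 for system accounts.
        problems.append("UniqueID below 500 collides with macOS system accounts")
    if not record["NFSHomeDirectory"].startswith("/Users/"):
        problems.append("home directory lies outside /Users")
    if re.search(r"[^A-Za-z0-9._-]", record["RecordName"]):
        problems.append("RecordName has characters unsafe in a home path")
    return problems
```

Run check_record(apply_mappings(entry)) over a few real entries from your search base before pointing the login screen at the server; an empty list means the mapping produces a usable record.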
Andy Saputra commented
I think that can be accomplished if Microsoft could provide something like contoso.azuread.onmicrosoft.com or adatum.azuread.onmicrosoft.com then we would be able to join any of our Macs or other devices to the Azure AD.
I'm currently managing 937 non-Windows devices, and most of them are Macs; it would be great if Microsoft made Azure AD available to non-Windows devices.
Yes, we also have a need for this.
Have a need for it (1k+ devices)
It would be really great to see Azure AD joining.
Morten Halaas / Intility AS commented
This would be perfect in combination with Apple's Device Enrollment Program (DEP).
Yes, it would!