Bind macOS to Open Directory or Active Directory

Binding a device to a directory service makes it subject to that domain's policies, including its password requirements. Xinca version 5.3.7 and later supports binding to Open Directory, Active Directory and any other LDAP-capable directory service.

Creating a Directory profile:

  1. In ZMS navigate to Profiles and click on Create Profile. Select macOS as the platform and fill in the name, the description and assign one or more groups. Once done, click on Save.
  2. Select the Directory payload in the profile you've just created;
  3. Configure the settings as described below:
Directory Type: Choose "Active Directory" to bind to a Microsoft Active Directory domain. Choose "Open Directory / LDAP" to bind to an Open Directory or other LDAP-capable directory service.
Server Host Name or IP Address: The host name or IP address of the directory server. Required
Client ID: The identifier under which the device is registered in the directory (for Active Directory, the computer account name). Use a format the directory accepts; we recommend the %SerialNumber% replacement variable so every device gets a unique, predictable name. Required

Bind Credentials (optional)
The credentials of a privileged account used to authenticate and bind the device to the server. Do not include the domain: use "username" only, never "domain\username"! Because the password is delivered inside the profile, use a dedicated account with no more rights than it needs to join computers to the domain.
Username: The username of the account used to authenticate and bind the device to the server. Optional
Password: The password of that account. Optional


Active Directory specific settings:

Organizational Unit: The Organizational Unit (OU) in which the computer object is created when the device joins the domain. Optional

User Experience
Create Mobile Account at login: Creates a mobile account for the directory user at login. The account and its home folder are cached locally, so the user can still log in when the directory is unreachable. Optional, defaults to false
Require confirmation before creating Mobile Account: Asks the user to confirm before the mobile account is created. Optional, defaults to false
Force local home directory on Startup disk: Creates the user's home folder on the startup disk instead of using the network home. Optional, defaults to false
Use UNC path from Active Directory to derive network home location: Uses the UNC path stored in the user's Active Directory record to locate and mount the network home. Optional, defaults to true
Mount Style: The protocol used to mount network homes, AFP or SMB. Optional, defaults to AFP. Apple has deprecated AFP; choose SMB unless the file server only offers AFP.
Default User Shell: The login shell assigned to directory users. Optional, defaults to "/bin/bash". Note that macOS 10.15 and later use /bin/zsh for new local accounts, so set this explicitly if directory users should match.

Mappings tab: Specifies which directory attributes supply the user ID (UID) and the user and group IDs (GID) for directory users. By default these are derived from the domain server. Optional

Preferred Domain Server: The domain controller to use for authentication. Optional
Allow authentication from any domain in the forest: Allows users from any domain in the forest to authenticate. Optional, defaults to true
Allow Administration: All members of the listed domain groups receive administrator privileges on the device. Keep this list short: every member of these groups can install software and change security settings on every bound Mac. Optional
Namespace: The primary account naming convention, "forest" or "domain". Optional, defaults to domain
Packet Signing: Whether directory traffic is signed: allow (sign if the server supports it), disable, or require. Optional, defaults to allow. Use require where your domain controllers support it, so that directory traffic cannot be tampered with in transit.
Packet Encryption: Whether directory traffic is encrypted: allow, disable, require, or ssl. Optional, defaults to allow. Use require or ssl where your domain controllers support it, so that credentials and directory data are not readable on the network.
Restrict DDNS: Restrict Dynamic DNS updates to the specified interfaces (e.g. en0, en1, etc). Optional
Password trust interval: The number of days between automatic changes of the computer account (trust) password. Optional, defaults to 14. A value of 0 disables the automatic change.

  4. Click on Save to push the profile to all devices in scope.
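To see what the procedure above produces on the device, and to catch the mistakes the settings notes warn about before a profile is pushed, here is an added example (not Xinca/ZMS code). It builds the Active Directory variant of the Directory payload using the key names Apple documents for com.apple.DirectoryService; that the ZMS fields map onto those keys one to one is an assumption, and every host name, serial number, account and group name in it is constructed. The review function flags the settings a security reviewer would push back on: negotiated rather than required signing and encryption, AFP network homes, a bind password carried in the profile, and domain groups that get local admin on every bound Mac.

```python
"""Build and sanity-check an Active Directory bind payload for macOS.

Added example, not Xinca/ZMS code. Key names are the ones Apple documents
for the com.apple.DirectoryService payload; that the ZMS Directory payload
maps onto them one to one is an assumption. All host names, serials,
accounts and group names below are constructed.
"""
import plistlib
import uuid

SIGN_VALUES = {"allow", "disable", "require"}
ENCRYPT_VALUES = {"allow", "disable", "require", "ssl"}

# Apple only honours these settings when the matching "<Key>Flag" is true.
FLAGGED_KEYS = (
    "ADMountStyle", "ADCreateMobileAccountAtLogin", "ADWarnUserBeforeCreatingMA",
    "ADForceHomeLocal", "ADUseWindowsUNCPath", "ADDefaultUserShell",
    "ADPacketSign", "ADPacketEncrypt", "ADAllowMultiDomainAuth", "ADNamespace",
    "ADTrustChangePassInterval", "ADDomainAdminGroupList", "ADPreferredDCServer",
)


def build_ad_payload(host, client_id, username=None, password=None, ou=None,
                     mount_style="smb", packet_sign="require",
                     packet_encrypt="require", admin_groups=(),
                     trust_interval_days=14, shell="/bin/zsh"):
    """Return the Directory payload dict, rejecting the input errors the article warns about."""
    if not host or not client_id:
        raise ValueError("Server Host Name and Client ID are required")
    # The bind account is "username" only, never "domain\\username" or user@domain.
    if username and ("\\" in username or "@" in username):
        raise ValueError("bind username must not include the domain")
    if packet_sign not in SIGN_VALUES:
        raise ValueError("Packet Signing must be one of %s" % sorted(SIGN_VALUES))
    if packet_encrypt not in ENCRYPT_VALUES:
        raise ValueError("Packet Encryption must be one of %s" % sorted(ENCRYPT_VALUES))
    if mount_style not in ("afp", "smb"):
        raise ValueError("Mount Style must be afp or smb")
    payload = {
        "PayloadType": "com.apple.DirectoryService",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.directory.ad",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory bind",
        "HostName": host,
        "ClientID": client_id,                 # in ZMS: %SerialNumber%
        "ADMountStyle": mount_style,
        "ADCreateMobileAccountAtLogin": True,
        "ADWarnUserBeforeCreatingMA": False,
        "ADForceHomeLocal": True,
        "ADUseWindowsUNCPath": True,
        "ADDefaultUserShell": shell,
        "ADPacketSign": packet_sign,
        "ADPacketEncrypt": packet_encrypt,
        "ADAllowMultiDomainAuth": True,
        "ADNamespace": "domain",
        "ADTrustChangePassInterval": trust_interval_days,
    }
    if username:
        payload["UserName"] = username
        payload["Password"] = password or ""
    if ou:
        payload["ADOrganizationalUnit"] = ou
    if admin_groups:
        payload["ADDomainAdminGroupList"] = list(admin_groups)
    for key in FLAGGED_KEYS:
        if key in payload:
            payload[key + "Flag"] = True
    return payload


def review_ad_payload(payload):
    """List the settings a security reviewer would question before the profile is pushed."""
    findings = []
    if payload.get("ADPacketSign") != "require":
        findings.append("packet signing not required: directory traffic can be tampered with in transit")
    if payload.get("ADPacketEncrypt") not in ("require", "ssl"):
        findings.append("packet encryption not required: directory traffic may be readable on the wire")
    if payload.get("ADMountStyle") == "afp":
        findings.append("AFP network homes selected: AFP is deprecated, use SMB")
    if "Password" in payload:
        findings.append("bind password travels inside the profile: use a least-privilege join-only account")
    if payload.get("ADDomainAdminGroupList"):
        findings.append("groups %s get local admin on every bound Mac" % payload["ADDomainAdminGroupList"])
    return findings


def to_mobileconfig(payload):
    """Wrap one payload in a system-scoped profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.directory",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Directory",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    ad = build_ad_payload("dc01.corp.example", "C02CONSTRUCTED",
                          username="svc-macbind", password="redacted",
                          ou="OU=Macs,DC=corp,DC=example",
                          admin_groups=["CORP\\Mac Admins"])
    for finding in review_ad_payload(ad):
        print("finding:", finding)
    print(to_mobileconfig(ad).decode()[:300])
```

Run it as a script to print the review findings for the constructed profile and the start of the generated .mobileconfig. The flag keys are the usual gotcha when hand-building this payload: without them macOS ignores the corresponding setting, so the payload would bind but silently keep the defaults.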

Unbind a computer:

  1. To unbind click on the Remove button in the Directory payload;
  2. Click on Save to push the profile to all devices in scope. All devices will unbind from the directory. If other profiles also carry a Directory payload, remove those payloads as well; otherwise the device will remain bound through them.

