By binding a device to the directory service, the device comply with any domain policies and password security settings. You may bind a single device to multiple directories by sending multiple directory service profiles.

To create a directory profile for your devices: 

  1. Navigate to Devices > Profiles & Resources > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.
  2. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  3. Select the Directory payload. Then, choose the Directory Type, Open Directory or Active Directory.

    Note:

    If multiple profiles enforce separate policies on a single device, the most restrictive policy is enforced. If your password policy is being managed by your directory for network users logging into the devices, Workspace ONE UEM does not recommend a passcode policy.

  4. Choose Authentication settings including:
    Setting Description
    Directory Type Choose Active Directory or Open Directory or LDAP from the drop-down menu
    Server Hostname Enter the directory server name.
    Username and Password

    Enter the credentials of the administrator used to authenticate and bind the device to the server. Administrator credentials should not include the domain. Use "administrator" only, do not use "domain\administrator."

    Client ID

    Enter the identifier associated with the device in the directory. Enter the Client ID in a format that is allowed by the directory you're attempting to bind. Workspace ONE UEM recommends using {SerialNumber}. Other lookup values (device asset number, etc.) may not generate computer names that comply with Netbios Naming Conventions.

  5. Choose User Experience settings for Active Directory Accounts:
    Setting Description
    Configure a mobile account at login Select this option to create a mobile account. When this option is selected, the users' data is stored locally and they are automatically logged into a mobile account.
    Require confirmation Send a confirmation message to the end user.
    Use UNC path Select to determine the UNC specified in the Active Directory when mounting the network home.
    Mount Choose either the AFP or SMB protocols.
    Default user shell Specify the default shell for the user after logging into the computer.
  6. Select the Mappings tab to specify an attribute to be used for equivalent acronym (GID). By default these are derived from the domain server.
  7. Select Administrative tab and configure settings including:

    Setting Description
    Group Names

    Specify groups to determine who has local administrative privileges on the computer.

    Preferred domain server Enter the name of the domain server.
    Namespace Select the primary account naming convention based on forest or domain.
    Packet signing Choose how to ensure data is secure.
    Packet Encryption Choose to encrypt data.
    Password trust interval Set to determine how often the computer trust is updated.
    Restricts DDNS Add interfaces to specify updates. Use the format: en0, en1, en2 etc.
  8. Select Save & Publish to push the profile to the device.