We’ve been using Apple’s Enterprise Connect here instead of the popular NoMAD app as part of our Active Directory integration. It’s about time we used a proper configuration profile for it instead of manually making changes to the plist at com.apple.Enterprise-Connect.
Specifically, we’d like to make sure that users are not able to just quit the app whenever they want. We’ll build our config profile to target the com.apple.Enterprise-Connect payload with the following mcx preferences:
<key>mcx_preference_settings</key>
<dict>
    <key>adRealm</key>
    <string>FQDN</string>
    <key>disableQuitMenu</key>
    <true/>
    <key>launchAtLogin</key>
    <true/>
    <key>passwordExpireOverride</key>
    <integer>90</integer>
    <key>pwReqComplexity</key>
    <true/>
    <key>pwReqLength</key>
    <integer>12</integer>
    <key>pwReqText</key>
    <string>/usr/local/wba/passwd_req_text.rtf</string>
    <key>syncLocalPassword</key>
    <true/>
</dict>
The pwReqText key above will display a friendly message to the user with the password requirement rules whenever they initiate a password change.
The syncLocalPassword key will allow local users to sync the AD password to their login keychain.
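The fragment above is only the inner settings dictionary. As an added example (not part of the original post and not Apple's tooling), this Python script wraps those settings in a complete managed-preferences profile and reads them back so the forced values can be checked before the profile goes into the pkg; the `com.example` identifiers and display names are assumptions.

```python
import plistlib
import uuid

DOMAIN = "com.apple.Enterprise-Connect"
# Values copied from the fragment above; "FQDN" is the page's own placeholder.
SETTINGS = {
    "adRealm": "FQDN",
    "disableQuitMenu": True,
    "launchAtLogin": True,
    "passwordExpireOverride": 90,
    "pwReqComplexity": True,
    "pwReqLength": 12,
    "pwReqText": "/usr/local/wba/passwd_req_text.rtf",
    "syncLocalPassword": True,
}

def build_profile(settings, org_id="com.example"):  # org_id: placeholder
    """Wrap settings in a managed-preferences payload; "Forced" makes them always-managed."""
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.enterpriseconnect.settings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise Connect settings",
        "PayloadContent": {DOMAIN: {"Forced": [{"mcx_preference_settings": settings}]}},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.enterpriseconnect",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise Connect",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def forced_settings(mobileconfig_bytes, domain=DOMAIN):
    """Parse a profile and return the forced settings for one preference domain."""
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.ManagedClient.preferences":
            forced = payload["PayloadContent"].get(domain, {}).get("Forced")
            if forced:
                return forced[0]["mcx_preference_settings"]
    return None

if __name__ == "__main__":
    with open("EnterpriseConnect.mobileconfig", "wb") as fh:
        fh.write(build_profile(SETTINGS))
```

Running `forced_settings` against the generated file and checking that `disableQuitMenu` is true is a quick pre-deployment test that the quit restriction actually made it into the profile.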
We’ll leverage Apple’s own installer package to push out the latest version of Enterprise Connect along with our custom config profile. To do so, we’ll break apart their installer with pkgutil --expand. Within the expanded pkg, there’s a postinstall script inside a postinstall_actions folder. We’ll make changes at the end of this file to add our config profile.
Our install action can look like this:
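# check os version and install config profile
# productVersion is major.minor[.patch]; compare both fields so that
# macOS 11 and later is not mistaken for a pre-10.13 release
os_major=$(sw_vers -productVersion | cut -d '.' -f1)
os_minor=$(sw_vers -productVersion | cut -d '.' -f2)
if [ "$os_major" -gt 10 ] || [ "$os_minor" -ge 13 ]; then
    profiles install -path /tmp/EnterpriseConnect.mobileconfig
else
    profiles -I -F /tmp/EnterpriseConnect.mobileconfig
fi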
Once everything is in place, we’ll finalize the pkg with pkgutil --flatten to create the updated pkg. The deployed app will have all our custom settings: