© Drew Smith 2020
D. Smith, Apple macOS and iOS System Administration, https://doi.org/10.1007/978-1-4842-5820-0_11

11. Microsoft Integration

Drew Smith, Cincinnati, OH, USA

Apple has continued to update their operating systems to work better in heterogeneous environments over the past decade. In this chapter, we are going to explore the various ways that a Mac or iOS device can integrate seamlessly into a corporate network that is based primarily on technologies from Microsoft Corp. Apple provides a number of built-in solutions that help with this multi-platform integration, but there are some third-party solutions available that go even further. In this chapter, we will discuss several of the built-in solutions and related strategies to support Apple products on a corporate network with minimal reconfiguration or cost.

Introduction to Apple-Microsoft Integration

Over the last several iterations of macOS and macOS Server, Apple has chosen to demote or completely remove first-party services in favor of industry standard solutions. For example, for decades AppleTalk was the standard networking protocol for the Mac. Apple File Protocol (AFP) was the file sharing standard in the Mac operating system. However, more recently Server Message Block (SMB) file sharing has taken over as the default file sharing protocol in macOS. AFP still exists, but it has been demoted to a solution that you can use if you need it, but the preference is to use the same file sharing solution as Linux and Windows clients do.

Pro Tip

Server Message Block (SMB) is a protocol for sharing data over the network. Microsoft adopted this protocol in Windows 95. Linux and macOS clients use an SMB-compatible solution called Samba to access SMB-shared resources.

Beyond adopting SMB file sharing in macOS instead of Apple File Protocol, we can see the continued demotion of Open Directory in favor of Active Directory and the removal of a DHCP server, mail, messaging, and CalDAV server solutions in macOS Server. Many of these services have been replaced with cloud-hosted versions like iCloud, Office 365 (O365), and Google Docs. This actually works to our favor as Mac system administrators, because we can more easily integrate Apple devices into existing systems instead of having to stand up special Apple-only technologies or implementing complex and expensive middleware.

My Microsoft Environment

Before we get too deep into the details of integrating Apple platforms into our enterprise Microsoft environment, it would be a good idea to give a quick overview as to what my current network looks like. Figure 11-1 provides a visual overview of the corporate network before I begin adding Macs and iOS devices to the mix.
[Figure 11-1: My Microsoft Network, services, printers, and shares]

  • Microsoft Active Directory: On-premises Windows domain named MyCompany.local. I have several organizational units (OUs) by location with a minimal Group Policy applied for the purposes of this demonstration.

  • User Accounts and Group Membership: I have several user accounts and a couple of groups to control access to various network file shares and printers. Each user authenticates to their PC with their domain account.

  • Group Policy: For the purpose of this demonstration, I have an OU with a basic Group Policy (GPO) applied that controls the default home page in my Internet Explorer (IE) browser.

  • DNS: I am running DNS server on my Windows server providing DNS to my network of PCs.

  • DHCP Server: I’m running Microsoft’s DHCP server and providing DNS to my network of PCs via this service.

  • File Sharing: I’m running file sharing services on my Windows server to share out a couple of network drives where PC users share files with each other.

  • Print Sharing: I’m running printer sharing services on my Windows server to share out workgroup printers to various users in the office.

  • In addition to the on-premises solution, we also run Microsoft Office 365, and users have access to OneDrive and Microsoft Exchange in the cloud. Our email is delivered via Exchange on O365.

Now that we have our Microsoft environment defined, we need to plan our Apple platform integration and determine which services our Mac and iOS users will require.

Microsoft Services Required for Apple Users

We are going to add a MacBook Pro to our network for the company president. He will need access to the following services:
  • The ability to sign in on his Mac both in the office and remotely

  • Access to shared files in the main corporate office server

  • The ability to print to the shared HP LaserJet printer in his office

  • Access to Exchange email

  • Access to Microsoft OneDrive

  • The Microsoft Office suite (including Microsoft Outlook) natively on his Mac

  • Default access to the company Intranet when he opens Safari

  • Migration of his existing Internet Explorer Favorites, Outlook Personal Folders, and data from his old Windows laptop

We are going to provide an iPhone 11 to our company president as well. He will need access to these services from his iPhone:
  • Access to Microsoft OneDrive

  • Access to his Exchange email

  • Contacts from his Exchange account available in the Phone app

  • Access to open and edit Word and Excel documents on the iPhone

Finally, we are going to provide an iPad to our corporate sales manager, and she needs to be able to update a couple of reports every day on the main corporate office file server. She will need to be able to map the network drive from her iPad and update a couple of Excel files there:
  • Access to Microsoft Excel on the iPad

  • Access to shared files in the main corporate office server

Throughout this chapter, we will use these three scenarios to integrate an iPad running iPadOS, an iPhone, and a Mac into our existing corporate network.

Active Directory Integration for macOS

In this first section, we are going to focus on Active Directory authentication for macOS clients. Before getting started on this exercise, you should have a Mac with a clean OS install and a local Administrator account configured. Using the Sharing System Preference, go ahead and name this new Mac 101-2019MBP, which identifies it as a 2019 MacBook Pro in our main office 101. Open the Terminal and set the Local Hostname and hostname to match. For Active Directory integration to work properly, we need all three of the Mac’s names to be the same.

Pro Tip

You probably have some kind of corporate naming convention at your organization. While Apple devices will attempt to name themselves after the first user account that is created on the machine, you will want to name your Macs in the same fashion that you name your Windows PCs.

Our Mac is now ready to be joined to the MyCompany domain. Let’s switch over to our Domain Controller and open Active Directory Users and Computers to get started.

Prepare a Domain Controller For Mac Clients

As a best practice, I prefer to create records for my macOS clients in Active Directory prior to adding them to the domain. This serves a couple of purposes in that it guards against the Mac joining into the wrong OU and proactively avoids any odd errors where a Mac client is unable to write a new computer record in AD when it joins to the domain. In this exercise, we are going to prepare a place in Active Directory for our new MacBook Pro.

1. Open Active Directory Users and Computers. As shown in Figure 11-2, I have an OU called Main Office Computers. Inside that OU, I have a Windows 10 PCs OU that houses the computer records for all of my Windows PCs in the main office. This is also where I apply specific Windows 10 GPOs for the main office computers. Create a new OU here for our Macs and name it macOS PCs.

[Figure 11-2: Creating the macOS PCs organizational unit]

2. Now that we have our OU created, we can populate it with computer records for our Macs. With the macOS PCs OU selected, right-click anywhere in the right-side panel and choose New ➤ Computer and name it 101-2019MBP as shown in Figure 11-3. Click OK to create the record.

[Figure 11-3: Add a new computer record in Active Directory]

Now that we have created a record for our Mac client, we are ready to add it to the domain. Switch back to your MacBook Pro and open the Users & Groups System Preference to continue.

Adding a Mac to an Active Directory Domain
1. From the Users & Groups System Preference, click the padlock to authenticate as the local Administrator account and then click the Login Options button. Your dialog box should look similar to Figure 11-4.

[Figure 11-4: The Login Options pane in the Users & Groups System Preference]

2. Click the Join… button next to the Network Account Server prompt.

3. Here we are going to enter the domain name of our AD domain. I will enter MyCompany.local as shown in Figure 11-5, and it will begin to search for the domain.

[Figure 11-5: Enter the name of the domain in the Server field]

Pro Tip

If you are experiencing an issue finding the domain, check the DNS settings on your Mac to make sure that it is getting DNS from your Windows server, and make sure you can resolve the domain name and the IP address both forward and reverse. If you have multiple DNS servers, make sure that your Windows server is the primary DNS server.
4. Once it finds the domain, it will prompt you to enter a Computer Name and credentials. If we set up our Local Hostname and hostname properly, it will auto-fill the Computer Name that we want to use as shown in Figure 11-6. Enter your Domain Admin username and password into the next field and click OK.

[Figure 11-6: Confirm the Computer Name and authenticate with a Domain Admin account]

5. Next, it will prompt you to modify the directory configuration on your Mac and ask you to enter your local Mac Administrator account username and password. Enter that information and click the Modify Configuration button to continue.

6. Your Mac will now begin configuring Active Directory, and after a minute or so, you will see a green dot next to the name of your Windows domain as shown in Figure 11-7. This indicates that your Mac is now successfully joined to the MyCompany domain.

[Figure 11-7: The green dot next to the domain name confirms that our Mac has successfully joined]

Pro Tip

If you are getting errors when joining to your domain, one thing to check is the time zone, date, and time of both your Domain Controller and your Mac. Oftentimes your client or server is a few minutes off, and that will cause the domain binding to fail with various cryptic error messages.

Now that our Mac is on the domain, we should log out of the local Administrator account and log in as a Network Account user from our Windows Active Directory domain. Don President is the name of our lucky user who gets this brand-new MacBook Pro. Let’s test this login with his account as shown in Figure 11-8.
[Figure 11-8: Signing in with a Network user account]

After stepping through the Setup Assistant, we are placed into the default new user’s home directory. Browsing with the Finder to Home reveals that we are in as the dpresident user. Your screen should look similar to Figure 11-9. Excellent! Go ahead and sign out and sign back in as Administrator.
[Figure 11-9: The default new user Desktop in macOS Catalina]

Let’s try something. Go ahead and disable Wi-Fi and ensure that your MacBook Pro is no longer connected to the network. Log out and then attempt to sign in again with the Network user account. You are going to have a little problem. You won’t be able to authenticate because the domain is unreachable. There’s a red indicator button on the login screen in the top-right corner showing that we are disconnected from the network as shown in Figure 11-10.
[Figure 11-10: The red dot indicates that the Windows domain is unreachable]

One of the requirements of setting up this laptop was the ability for Don President to sign in while off of the network. To fix this issue, we need to convert the dpresident account to a Mobile account on this Mac. Log in as the local Administrator account and re-enable network access. Sign out and make sure you can sign back in as the dpresident user. Once you are logged in as Don President, go to the Users & Groups System Preference as shown in Figure 11-11. Notice how the current user listed is a Network type? We need to convert this to a Mobile account type.
[Figure 11-11: Notice the user account type designation for Don President]

Click the padlock and authenticate as the local Administrator. Then click the Don President user as shown in Figure 11-12. Click the Create… button next to the Mobile account prompt.
[Figure 11-12: Converting the Don President Network account to a Mobile account]

Place the home directory in the Macintosh HD (Startup disk) option when prompted and click the Create button to continue. It will warn you that it is about to log you off to create a local home folder as shown in Figure 11-13. Click the Create button to continue.
[Figure 11-13: Follow the prompts to log out and create the Mobile account]

Depending on the settings you have set for FileVault and others, it may ask you for the user’s Active Directory password and the local Administrator’s username and password during this process. Once it completes, you will be back to the login window.

Test this out by disconnecting from the network and waiting until the red indicator appears in the top-right corner of the screen. Now sign in as Don President and it will work. Open the Users & Groups System Preference, and you will see that this user is now a Mobile account type instead of a Network account type as shown in Figure 11-14.
[Figure 11-14: The user account is now listed as Mobile]

Pro Tip

Please note that if multiple Network users need to access this Mac while it is offline, you would need to convert each user account on this Mac from Network to Mobile. Right now, the only Active Directory user who can sign into this MacBook Pro when it’s disconnected from the network is Don President.

As we have demonstrated, adding a Mac to a Windows domain requires almost no additional configuration on the Windows server and no extensions to Active Directory to simply allow for authentication and support for cached credentials using the Mobile user account type in macOS. We have added the Mac to the domain interactively, but we can also automate this task by using a Configuration Profile or via a script.

Using a Configuration Profile to Add a Mac to Active Directory

Before you begin this exercise, you should start with a clean install macOS on a test Mac. You should name it and create a computer record in Active Directory to match. Then using the method you prefer, you should enroll it in MDM and promote it to User Approved so we have full access to all of the Configuration Profile options.

I have built a test Mac called 101-2019MPRO and named it accordingly (including the Local Hostname and hostname). I have added it to Profile Manager, and I have created a computer record in AD for it, but have not yet joined it to the domain.

1. Open Profile Manager and browse to our 101-2019MPRO Mac in the Devices section. Click the Settings tab and then click the Edit button to apply a new Configuration Profile setting.

2. Configure the General payload as we have in the past, ensuring that Automatic Push is enabled, and enter an optional profile description.

3. Scroll down to the macOS section of the available payloads and choose the Directory payload and click the Configure button.

4. Customize the payload as shown in Figure 11-15. Note that we are provided with a few new options including one to create Mobile accounts at login for all of our domain users the first time they sign into this Mac. Because we already have a computer record in AD, we will not specify the path to the specific OU.

[Figure 11-15: Configure the Directory payload for binding to our Active Directory domain]

Pro Tip

There are some optional settings under the Mappings and Administrative tabs that we will leave at the default for this exercise, but I encourage you and your Windows system administrator to look at these and determine the best settings for your particular environment. The option for how often the domain password changes (the default is every 14 days) on the client computer is particularly interesting if your machines will be off of the local area network for longer periods of time.
5. Once you have customized the payload, click the OK button to save the configuration and close out of the Configuration Profile editor. Click the Save button in Profile Manager to apply the settings to the 101-2019MPRO client as shown in Figure 11-16.

[Figure 11-16: Applying our domain payload to our test Mac using MDM]

It should complete the Push Settings task successfully, and your Mac will now be configured to sign into the domain. Note that upon signing in for the first time, it is converting Don President to a Mobile account type on the machine automatically.

Pro Tip

You may also want to configure payloads for things like Active Directory certificates or the login window to further customize the user experience or apply any required security certificates and include those along with your Directory payload.

Using a Script to Bind a Mac to Active Directory

Apple also provides a command line tool called dsconfigad for scripting the Active Directory configuration. Using this command within Apple Remote Desktop’s Send Unix task can be effective for joining multiple Macs to the domain at once and further automates the process. This is particularly useful if you are not using an MDM solution at your organization.

Before you begin this exercise, you should start with a clean install macOS on a test Mac. You should name it and create a computer record in Active Directory to match. I have built a test Mac called 101-2013MPRO and named it accordingly, but this time I have left the hostname as unset so I can share a shortcut with you during this exercise. I have created a computer record in AD for it, but have not yet joined it to the domain.

1. We are going to interactively develop this script on our test Mac using the Terminal app, but once you have perfected it, you can create a template in Apple Remote Desktop and apply it to your entire Mac fleet. Open the Terminal on your 101-2013MPRO to get started.

2. We are going to write a quick little script that captures the Mac’s Computer Name, saves it in a variable, and then sets the hostname to match using the scutil --set command. So at the command prompt in the Terminal, type

    HOSTNAME=$(networksetup -getcomputername); sudo scutil --set HostName "$HOSTNAME"

    Note that networksetup is a single word, and that the semicolon is required: it makes the assignment take effect before $HOSTNAME is expanded for scutil (on one line as a single command, scutil would receive an empty value). Press Enter, press Enter again if it prompts with the HostName [computer name] output, and then enter the local Administrator password when prompted. Once it completes that change and you are at the command prompt again, enter scutil --get HostName, and it should now match the others as 101-2013MPRO. If you use this script in Apple Remote Desktop, it will always change the hostname on the Mac client to match the Computer Name. At this point, your Terminal window should look similar to Figure 11-17.

[Figure 11-17: Using the script to copy the Computer Name to the hostname]

3. Now that our Computer Name and hostname are consistent, we are ready to join the domain using the dsconfigad command. You can look at the manual for dsconfigad to read more about what this command does and additional options, but for this exercise we will stick to the basics. We need to define four arguments:

    a. The Client ID (-c) represents the name we want to use to join the Mac to the domain.

    b. The Administrator account (-u) represents the username of a Domain Admin account.

    c. The Administrator password (-p) represents the password for that Domain Admin account.

    d. The Domain (-domain) represents the domain we are adding our Mac to.
Pro Tip

One additional option that you can also define here is the OU that you want to assign the Mac client to. However, since we already created a computer record in the location we want, we can skip this argument. If you want to manually define the OU to place this Mac, you can use the -ou argument followed by a path in the “OU=, DC=, DC=” format, for example, “OU=macOS PCs, OU=Main Office Computers, DC=MyCompany, DC=local.”
4. Let’s start entering our dsconfigad command with the Client ID argument. Because we are going to use this same script on multiple computers, instead of specifying the exact name for this computer, we will use a token: the command substitution "$(hostname -s)" (the older backtick form `hostname -s` does the same thing) automatically supplies the short hostname of this Mac as the Client ID when the script runs. This mimics the behavior of the GUI when we join a Mac to the domain using the Users & Groups System Preference.

5. Next, we will specify the username and password for the Domain Admin account for our MyCompany.local domain. Finally, we will add the argument that specifies the domain name. Your finished script with all of the arguments should look something like Figure 11-18.

[Figure 11-18: The full script that renames the computer and adds it to the domain]

    sudo dsconfigad -c "$(hostname -s)" -u Administrator -p 'noAcce$$' -domain MyCompany.local

The password is single-quoted on purpose: without the quotes, the shell would replace $$ with its own process ID before dsconfigad ever saw the password.
6. It will prompt you to enter the password of the local Administrator account. After a minute or two, it will complete successfully. Open the Users & Groups System Preference and click the Login Options button to confirm that the Windows domain is now listed with a green indicator icon next to the Network Account Server as shown in Figure 11-19.

[Figure 11-19: After the script runs, we can confirm that our Mac is on the domain in the Users & Groups System Preference]

Pro Tip

There are additional options that you can use with dsconfigad to set additional settings like -mobile enable to support the Mobile account options and -passinterval to adjust the frequency that the domain computer password changes so that systems that are off of the network for prolonged periods of time do not fall off of the domain. If you have questions about this, consult with your Windows system administrator to determine if there is a need for this or other options.
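Pulling steps 2 through 6 and this Pro Tip together, the following is an added example and not the book’s own script: a POSIX shell script in the style of the chapter’s Terminal steps that could be pasted into an Apple Remote Desktop Send Unix template. Everything it assumes beyond the chapter is marked in the comments: the Domain Admin password comes from an AD_BIND_PASSWORD environment variable rather than being typed into the script, and the script only performs the bind when invoked as “sh bind.sh run”. The flags are the ones the chapter uses (-c, -u, -p, -domain, -mobile, -passinterval), and the two helper functions can be checked without a domain at hand.

```shell
#!/bin/sh
# Added example, not code from the book: bind a Mac to Active Directory with dsconfigad.
# Assumptions not in the chapter: the Domain Admin password is read from the
# AD_BIND_PASSWORD environment variable (never hard-coded in the script), and the
# script is invoked as "sh bind.sh run" to actually perform the bind.
set -eu

DOMAIN="MyCompany.local"     # the chapter's domain
BIND_USER="Administrator"    # the chapter's Domain Admin account
PASS_INTERVAL="14"           # days between computer password changes (chapter default)

# Succeeds only when Computer Name, Local Hostname and hostname all agree,
# which the chapter requires before a Mac is joined to the domain.
names_consistent() {
    [ "$1" = "$2" ] && [ "$2" = "$3" ]
}

# Prints the dsconfigad command line with the password redacted, so the exact
# invocation can be logged or reviewed without leaking the credential.
# Arguments: computer name, bind user, domain, password interval in days.
build_bind_command() {
    printf 'dsconfigad -c %s -u %s -p <redacted> -domain %s -mobile enable -passinterval %s' \
        "$1" "$2" "$3" "$4"
}

# Performs the bind. Guarded so it only runs on macOS, where scutil and dsconfigad exist.
bind_mac() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "bind_mac: this only runs on macOS" >&2
        return 2
    fi
    : "${AD_BIND_PASSWORD:?set AD_BIND_PASSWORD in the environment before running}"

    # Step 2 of the chapter: copy the Computer Name to the hostname. networksetup is
    # one word, and the assignment must complete before the variable is used.
    computer_name="$(networksetup -getcomputername)"
    sudo scutil --set HostName "$computer_name"

    if ! names_consistent "$computer_name" "$(scutil --get LocalHostName)" "$(scutil --get HostName)"; then
        echo "bind_mac: Computer Name, Local Hostname and hostname differ; fix them in Sharing first" >&2
        return 1
    fi

    echo "bind_mac: $(build_bind_command "$computer_name" "$BIND_USER" "$DOMAIN" "$PASS_INTERVAL")"
    # The password is passed as one quoted argument, so characters such as $$ are
    # never expanded by the shell (the chapter's sample password contains them).
    sudo dsconfigad -c "$computer_name" -u "$BIND_USER" -p "$AD_BIND_PASSWORD" \
        -domain "$DOMAIN" -mobile enable -passinterval "$PASS_INTERVAL"

    # Show the resulting configuration instead of checking the green dot in the GUI.
    dsconfigad -show
}

if [ "${1:-}" = "run" ]; then
    bind_mac
fi
```

Because the password never appears on the script’s own command line or in the logged command, the Send Unix task history and any shell history on the client do not retain the Domain Admin credential; dsconfigad -show at the end gives you the same confirmation the green dot does, which is handy when the script runs on many Macs at once.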

We have successfully configured Active Directory and joined our Mac using three different methods. Now that we have our Mac on the domain, we can access other resources on our Windows server.

Using Profile Manager to Mimic Microsoft Group Policy

We are starting to check off these various integration tasks for Don President’s MacBook Pro. He can sign in with his Active Directory credentials, and he can log in while his machine is offline. However, we still need to configure his Mac to conform to our corporate standards. That could include a number of things defined in our Windows Group Policy including the default wallpaper, how long it takes for a screen saver to begin, if a screen saver requires a password, energy saver settings like when to put the computer or display to sleep, and the default home page just to name a few.

Fortunately, most of these options are available to us in Profile Manager, and we can use a Configuration Profile to provide these settings to Don’s Mac and mimic the settings we have built into our company’s GPO. For the purposes of this demonstration, we will simply set the energy saver and some custom Safari settings. To do this, open Profile Manager and browse to our 101-2019MBP computer in Devices. Click the Settings tab and then click Edit.

Let’s configure the Energy Saver payload first. Click Energy Saver and then click the Configure button to define the settings for this payload. Your settings should look similar to mine in Figure 11-20.
[Figure 11-20: Configure the Energy Saver payload]

Next, we need to do something a little more customized to configure Safari’s settings. We are going to add a new payload called Custom Settings, and we will configure it as shown in Figure 11-21. The way that this works is that we are going to override the local user’s settings with ours for a specific application—in this case, Safari. We are going to enter com.apple.Safari into the preference domain field, and then we can add items and define specific behaviors on a per-key basis as if we were creating our own custom *.plist xml file.

[Figure 11-21: Creating custom keys and values for Safari to customize the user experience]

You may wonder where I found these options that I am using to override the default behavior of Safari. This is going to vary by application, but typically I look for the corresponding *.plist file in the ~/Library/Preferences/ directory. The easiest applications to modify are those that save their settings there, and then I can simply upload the modified *.plist file into the Custom Settings payload in Profile Manager using the Upload File button. Unfortunately, some applications (like Safari) are a bit trickier.

Safari has a file called com.apple.Safari.manifest inside the Safari.app bundle at Contents ➤ Resources ➤ com.apple.Safari.manifest ➤ Contents ➤ Resources. I know, it’s buried! If you open this xml file in TextEdit, you will see various keys and their matching options as shown in Figure 11-22.

[Figure 11-22: The key and value options for overriding the Safari preferences]

I picked a few of these to add to my Custom Settings payload and manually added them by clicking the Add Item button and entering the values. As for the MyCompany home page, I used a string type to define the URL to www.msn.com. For the purposes of this demonstration, we will call that our company’s “Intranet home page.” You could put any URL in here and apply it as the new default home page in Safari.

Pro Tip

When you choose to upload a *.plist preference file for a specific application, it will allow you to adjust the Property List Values in a way that is similar to using a Group Policy Administrative Template. Creating Custom Settings payloads for applications can take a lot of time, but it is worth the effort if you have hundreds or thousands of Macs to manage.
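As an added example that is not part of the book, the following shell script writes the kind of *.plist file that the Custom Settings payload’s Upload File button accepts, for the com.apple.Safari preference domain used above, and reads values back out of it so a deployment script can verify the file before it is uploaded. The key names HomePage, NewWindowBehavior and NewTabBehavior, and the value 0 meaning “load the home page”, are assumptions taken from Safari’s manifest rather than from the chapter; confirm them against the manifest on your own Safari version.

```shell
#!/bin/sh
# Added example, not code from the book: generate a com.apple.Safari preference
# plist for the Custom Settings payload's Upload File button, then verify it.
# Assumed (not from the chapter): the keys HomePage, NewWindowBehavior and
# NewTabBehavior, and behaviour value 0 = "load the home page".
set -eu

# Escape the three characters that would break the XML if they appeared in the URL.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Write a Safari preference plist to $1 with home page $2. $3 is the behaviour code
# applied to both new windows and new tabs (default 0, assumed to mean "home page").
write_safari_prefs() {
    out="$1"
    homepage="$(xml_escape "$2")"
    behaviour="${3:-0}"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>HomePage</key>
  <string>${homepage}</string>
  <key>NewWindowBehavior</key>
  <integer>${behaviour}</integer>
  <key>NewTabBehavior</key>
  <integer>${behaviour}</integer>
</dict>
</plist>
EOF
}

# Print the value (string or integer) that follows <key>$2</key> in plist file $1,
# stripped of its tags; prints nothing when the key is absent.
plist_value() {
    awk -v key="$2" '
        found && /<(string|integer)>/ {
            sub(/^[ \t]*<(string|integer)>/, "")
            sub(/<\/(string|integer)>[ \t]*$/, "")
            print
            exit
        }
        $0 ~ "<key>" key "</key>" { found = 1 }
    ' "$1"
}

# On macOS, plutil confirms the file is a well-formed property list; elsewhere skip.
lint_plist() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$1" >/dev/null
    fi
}

# Constructed sample run using the chapter's stand-in "Intranet home page",
# with a query string added to show that the URL is escaped correctly.
write_safari_prefs /tmp/com.apple.Safari.plist "https://www.msn.com/?a=1&b=2"
lint_plist /tmp/com.apple.Safari.plist
echo "wrote /tmp/com.apple.Safari.plist with HomePage=$(plist_value /tmp/com.apple.Safari.plist HomePage)"
```

Once uploaded, Profile Manager shows the keys in the same per-key editor the chapter uses, so the file is simply a faster way to get several keys in at once; the read-back function is what you would call from a fleet script to make sure every Mac received the home page you intended.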

Click the OK button to close the Configuration Settings window and then click the Save button to apply the settings to our Mac. Switch back over to Don’s MacBook Pro and launch Safari. You will see that our new window and new tab behavior is now set to load the home page instead of favorites, and the home page that loads is www.msn.com as we defined in our Custom Settings payload. Your screen should look similar to Figure 11-23.
[Figure 11-23: Our customized settings applied to Safari on our test Mac]

Windows Printer Sharing Integration

The next item on our to-do list for Don is to map his network printer to his Mac. We have an HP LaserJet 9050 printer in the main office that is shared from our Windows server. Don has permission to print to the shared printer, and all we need to do is connect to it from his Mac. You can perform this task while signed in as Don.

Connect to a Windows Shared Printer
1. Open the Printers & Scanners System Preference and click the padlock and authenticate as the local Administrator account.

2. Click the + button on the left-side pane as shown in Figure 11-24.

[Figure 11-24: Add a new printer using the Printers & Scanners System Preference]

3. The Mac will search for available network printers in the directory domain and will list them. We will select our printer from the list, and then under the Use pop-up menu, we will choose Select Software and browse for the HP LaserJet Series PCL driver. Once your window looks like Figure 11-25, click the Add button to finish the process. Print a test page to make sure it worked.

[Figure 11-25: Find our network printer and select the proper driver]

Windows File Sharing Integration

Next up, we have some Windows file sharing to configure. Don will need access to the Executive Shared drive on his Mac, and the sales manager will need to access the same network drive on her iPad so she can update the daily sales report that Don reviews. We will start with connecting to the network share on Don’s Mac.

macOS File Sharing

While signed in as Don, we can use the Go menu ➤ Connect to Server option to manually map the Exec Shared drive that is hosted on our Windows server. As shown in Figure 11-26, enter the entire path to the share. As a best practice, you may want to use the FQDN when defining the server name and note that on the Mac, we need to use the forward-slash instead of the back-slash when defining the network path.
[Figure 11-26: The Connect to Server dialog box]

After entering the path to the network share, you can also click the + button to save it as a favorite server so Don won’t have to remember the path each time he needs to connect to it. Click the Connect button, and it should map the drive in a new window, and it should not require any additional authentication as we are already signed into the MacBook Pro with Don’s domain account.
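The slash direction and the FQDN are the two things users trip over when they carry a Windows path over to the Mac, so here is an added example (not from the book) of a small shell helper that turns a Windows UNC path into the smb:// URL the Connect to Server dialog expects, percent-encoding spaces in share names such as Exec Shared. The server name PCSERVER01.mycompany.local and the share name are the chapter’s; the mount_share function, which hands the URL to Finder with the open command, is an assumption of mine about how you would script the mount.

```shell
#!/bin/sh
# Added example, not code from the book: convert a Windows UNC path to the smb://
# URL used by Connect to Server on the Mac and by Files on the iPad, then mount it.
set -eu

# Percent-encode the characters that commonly appear in share and folder names.
url_encode_path() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/#/%23/g'
}

# \\server\share\folder  ->  smb://server/share/folder
unc_to_smb_url() {
    p="$1"
    p=$(printf '%s' "$p" | tr '\\' '/')   # back-slashes become forward-slashes
    p=${p#//}                              # drop the leading // of the UNC path
    printf 'smb://%s' "$(url_encode_path "$p")"
}

# On macOS, "open" hands the URL to Finder, which mounts the share under /Volumes
# using the signed-in domain user's credentials (no extra prompt, as in the chapter).
# Off macOS it only reports what it would do, so the helper can be exercised anywhere.
mount_share() {
    url=$(unc_to_smb_url "$1")
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "would open $url"
        return 0
    fi
    open "$url"
}

# Constructed sample: the chapter's Exec Shared drive on its Windows file server.
mount_share '\\PCSERVER01.mycompany.local\Exec Shared'
```

The same URL form works in the iPad Files app’s Connect to Server field, so a single helper keeps the path users are given consistent across both platforms.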

Pro Tip

Most likely you will want to automatically map Don’s network drives at login like we do on Windows. To do this, you can go to the Users & Groups System Preference ➤ Login Items tab; and using the + button, you can add the network volume to the list as shown in Figure 11-27. That way upon logging into the Mac, it will attempt to connect to these drives automatically.

[Figure 11-27: Adding the Exec Shared volume to the Login Items for Don President]

Pro Tip

You can also configure an MDM payload for mapping network drives automatically at login. As you can see in Figure 11-28, you can select to add an Authenticated Network Mount and then specify the file sharing protocol, the server name, and the name of the share.

[Figure 11-28: Adding a Mount Point in the Login Items payload via Profile Manager]

iPadOS File Sharing

Now that Don is all set on his Mac, let's switch over to Sally's new iPad. Since she is running iPadOS, she has an additional option in the Files app that allows her to connect to a network share. To access it, open the Files app from the Home Screen, tap the More (…) button at the top of the Browse sidebar, and select Connect to Server, as shown in Figure 11-29.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig29_HTML.jpg
Figure 11-29

Accessing the Connect to Server option in the Files App

When it prompts for a server path, enter smb://PCSERVER01.mycompany.local (or the server's IP address) into the Server field and tap the Connect button. The iPad is not bound to the domain, so unlike Don's Mac it will prompt you to authenticate; enter the username and password of someone who has access to the Windows shares. I'm using sjones in Figure 11-30, but dpresident would also work. After entering the user's credentials, tap the Next button to continue. iPadOS stores the credentials you enter so Sally won't be asked again, which makes the iPad's own passcode part of the file server's protection.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig30_HTML.jpg
Figure 11-30

Enter a username and password to authenticate to the file server

It will connect you to the server and present all of the shares that your authenticated user has permission to access. Your screen should look similar to Figure 11-31. Sally can now browse to the Exec Shared folder and then find her sales report to open and edit with Microsoft Excel on her iPad.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig31_HTML.jpg
Figure 11-31

Browsing our network file share from the iPad

We have successfully configured local Windows file sharing on both macOS and iPadOS clients. Users of Apple devices can seamlessly share data with users on Windows PCs.

Microsoft Exchange Integration

Apple provides Microsoft Exchange integration at the operating system level on both macOS and iOS. You can use a Configuration Profile to configure the Exchange account settings for Mail, Contacts, Calendars, and Tasks. For Don’s new iPhone 11, we will simply configure the Exchange settings for his device remotely using Profile Manager. For his Mac, he wants to use Microsoft Outlook, so we will need to configure that manually after we download and activate the Office 365 applications in the next section.

Configure the Microsoft Exchange Account Using a Payload Variable

Before we begin this exercise, be sure to create a new user in Profile Manager for Don President, using dpresident as the username. Enroll a test iOS device and name it Don’s iPhone so that you can modify and push new Configuration Profiles to the device. Now that we have an account created, we are going to create an Exchange payload that will use his username as a payload variable to configure the account on his device.

1. Open Profile Manager, browse the Devices section, and find Don's iPhone. Click it to select it, then click the Settings tab and edit the Configuration Profile.

2. In the Configuration Profile editor, scroll down to the iOS section and choose the Exchange payload. Click the Configure button to specify the settings.

3. Enter the Exchange server information into the various fields as required by the Exchange payload as shown in Figure 11-32. For the username, we will use %short_name% instead of dpresident. This allows us to apply the same payload to other users in our organization: when the Configuration Profile is applied, Profile Manager resolves the %short_name% variable to the username of the user the device is assigned to, in this case dpresident.

../images/492151_1_En_11_Chapter/492151_1_En_11_Fig32_HTML.jpg
Figure 11-32

Setting the Exchange settings by using a payload variable

4. Scroll down to the Enabled Services section of the payload and ensure all of them are checked as shown in Figure 11-33. This lets the built-in iOS apps, including the Phone app's address book, use data from Microsoft Exchange.

../images/492151_1_En_11_Chapter/492151_1_En_11_Fig33_HTML.jpg
Figure 11-33

Configure which services are enabled

5. Click the OK button to save the configuration payload and then click Save to apply. Because the payload carries no password, iOS will prompt the user for their Exchange password when the Profile applies, and then Exchange will be completely configured.

Pro Tip

Note that if your company is using some of the MDM features included in ActiveSync, those policies will also apply to the device. For example, a minimum passcode requirement will apply, and whichever source has the greater restriction takes precedence. If you require a minimum passcode length of four characters in Profile Manager but the ActiveSync policy requires a minimum of six, the device will prompt the user to set a new passcode of at least six characters before Exchange data begins to sync to the device.

Whether you are using BYOD or you are managing company-owned devices in Profile Manager, you can see how using a Configuration Profile to apply specific settings like Microsoft Exchange would be preferable to manually configuring every individual device.
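As an added example that is not from the book, the script below shows what the Exchange payload built above looks like as the plist Profile Manager delivers, and how the %short_name% variable is resolved for one user before the profile reaches the device. The key names (PayloadType com.apple.eas.account, Host, SSL, UserName, EmailAddress) are Apple's documented Exchange payload keys; the host name, payload identifiers, UUIDs, mail domain and helper function names are placeholders assumed for the demo. The two checks at the end are the ones worth running on any profile you intend to push: the account must be pinned to TLS, and no variable may survive rendering.

```shell
#!/bin/bash
# Added example, not from the book: the Exchange payload Profile Manager builds,
# with the %short_name% variable resolved per user. Key names are Apple's
# com.apple.eas.account payload keys; host, identifiers, UUIDs and mail domain
# are placeholders assumed for this demo.
set -euo pipefail

# The template as stored on the server. UserName and EmailAddress carry the
# %short_name% variable; SSL is pinned on so ActiveSync never goes over plain HTTP.
EAS_TEMPLATE='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>        <string>Configuration</string>
  <key>PayloadIdentifier</key>  <string>com.mycompany.profile.exchange</string>
  <key>PayloadUUID</key>        <string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key>     <integer>1</integer>
  <key>PayloadDisplayName</key> <string>Exchange (payload variable demo)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>        <string>com.apple.eas.account</string>
      <key>PayloadIdentifier</key>  <string>com.mycompany.profile.exchange.eas</string>
      <key>PayloadUUID</key>        <string>66666666-7777-8888-9999-000000000000</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadDisplayName</key> <string>Exchange ActiveSync</string>
      <key>Host</key>               <string>mail.mycompany.local</string>
      <key>SSL</key>                <true/>
      <key>UserName</key>           <string>%short_name%</string>
      <key>EmailAddress</key>       <string>%short_name%@mycompany.com</string>
    </dict>
  </array>
</dict>
</plist>'

# render_eas_payload <short_name>: resolve every %short_name% in the template
# for one user, the way Profile Manager does when it pushes the profile.
# Only a plain account name is accepted, so a bad value cannot smuggle markup
# (or the sed delimiter) into the plist.
render_eas_payload() {
  local short_name="$1"
  case "$short_name" in
    "" | *[!A-Za-z0-9._-]*)
      echo "refusing short name '$short_name'" >&2
      return 1 ;;
  esac
  printf '%s\n' "$EAS_TEMPLATE" | sed "s/%short_name%/$short_name/g"
}

# payload_requires_ssl: read a rendered profile on stdin and succeed only if
# the Exchange account is pinned to TLS (<key>SSL</key> followed by <true/>).
payload_requires_ssl() {
  tr -s '[:space:]' ' ' | grep -q '<key>SSL</key> <true/>'
}

# payload_fully_resolved: succeed only if no %variable% survived rendering,
# which would otherwise reach the device as a literal user name.
payload_fully_resolved() {
  ! grep -q '%[a-z_]*%'
}

# Demo: render Don's copy and show the lines the variable touched.
render_eas_payload dpresident | grep -E 'UserName|EmailAddress'
```

Pointing the same checks at a profile exported from Profile Manager (or any other MDM) before it is assigned to a device group catches the two mistakes that matter most here: an account that will happily sync over HTTP, and a template pushed without a user to resolve it against.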

Microsoft Office 365 Applications and OneDrive

The next step is to install the Office 365 applications to Don’s MacBook Pro. While we are at it, we can install Word and Excel on his iPhone too. Using Profile Manager, browse to the specific device and use the Apps tab to apply copies of Word, Excel, PowerPoint, Outlook, and OneDrive to his Mac as shown in Figure 11-34.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig34_HTML.jpg
Figure 11-34

Installing the Microsoft Office 365 applications on Don’s MacBook Pro

This is pretty simple and straightforward because it’s the same process we followed in Chapter 9. Set the Installation Mode to Automatic and click the Save button to push the configuration and begin the application installation process. It will take a fair amount of time to install all of these applications, and you can use the Active Tasks window to monitor the progress until they have completed.

Activating the Office 365 Applications

Once the Office applications have finished installing on Don’s MacBook Pro, we can launch one of them and use the activation wizard to authenticate with our O365 account and activate the software license as shown in Figure 11-35.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig35_HTML.jpg
Figure 11-35

Click the button to sign into an existing O365 account to activate

While we have Microsoft Outlook open, we can follow the prompts to configure the Exchange information and finish syncing with the mail server. We now have Don’s email fully configured and ready to go. We can let it sync his inbox in the background while we configure his OneDrive.

Pro Tip

If your user still has Personal Folders (*.pst) files, once you have migrated those files to the Mac, you can import them into Outlook for Mac using the Import function under the Outlook menu.

Configuring OneDrive for Business

While Outlook is busy refreshing his inbox in the background, we can open OneDrive from the /Applications folder. When prompted, enter Don’s email address and Office 365 password to continue. We will choose the /Users/dpresident/ directory for the location of our OneDrive folder as shown in Figure 11-36. Choose to Open at login to allow Don’s files to sync automatically and follow the prompts to complete the setup wizard.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig36_HTML.jpg
Figure 11-36

Select Don’s home directory as the location for his OneDrive folder

We have now finished configuring Office 365 and Microsoft OneDrive for Business on Don’s MacBook Pro.

Migrating Users from Windows to macOS

If Don was using OneDrive to store all of his data and wasn't using *.pst files on his Windows PC, there may not be much left to migrate. However, many users will still have data on their old PC that needs to be moved to their Mac. To check the last box on this PC to Mac migration for Don President, we need to migrate any remaining data over to his Mac.

Fortunately, Apple provides a pretty useful migration tool to assist in this process. To get started, make sure both his new Mac and his old PC are connected to the same network and then browse to the /Applications/Utilities/ folder on Don’s Mac and open the Migration Assistant utility.

Using the Migration Assistant

Upon launching the Migration Assistant, you will be warned that all open applications will be closed and to click Continue to begin. You will be prompted for local Administrator credentials to continue. After you authenticate, every application including the Finder will be closed, and the Migration Assistant will begin. When you are prompted to choose a computer to migrate from, you should choose From a Windows PC as shown in Figure 11-37.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig37_HTML.jpg
Figure 11-37

The Migration Assistant using the Windows PC option

On Don's old Windows PC, open a browser and go to www.apple.com/migrate-to-mac and download the Windows Migration Assistant. When prompted, run the setup.exe that downloads and step through the setup wizard to complete the installation and any additional components that are required. Once the installation is finished, open the Windows Migration Assistant application from the Start menu or the Windows Desktop. Follow the prompts until you see the name of the PC appear on your Mac as shown in Figure 11-38.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig38_HTML.jpg
Figure 11-38

Selecting the PC to migrate from

When the computer you want to migrate from appears, select it and then click Continue. Switch back to the Windows PC and ensure that the security codes match between the Mac and the Windows PC; this code is what confirms you are paired with Don's PC and not some other machine on the network, so do not proceed if the two differ. Once you confirm that they match, click the Continue button on the Windows PC. It will begin gathering data and communicating with the new Mac. This may take several minutes.

When you are prompted to select various files and user accounts, select the relevant information as shown in Figure 11-39. Once you have selected the information to migrate, click the Continue button.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig39_HTML.jpg
Figure 11-39

Select the files and settings you wish to migrate

It will prompt you to authenticate as the Administrator on the Mac. Click the Authorize button when prompted and enter the local Administrator credentials. Then click the Continue button to proceed. It will now begin transferring the data over the network from the old PC to the new Mac as shown in Figure 11-40.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig40_HTML.jpg
Figure 11-40

Transferring the data over the network

Moving the Migrated Data into Place

By default there will be some cleanup to do after the data is migrated if you use the Migration Assistant. When it completes, you'll be able to sign in with the new local user account, and all of the data will be available in the new home directory. To finish with the migration, we will need to use the Get Info settings on the migrated user's home directory and then apply read-only permissions to the entire directory for the Everyone group on this computer. You can do this using the Sharing & Permissions section of the Get Info dialog box and choosing to apply to enclosed items from the Advanced Settings pop-up menu as shown in Figure 11-41. Be aware that this makes the executive's entire migrated profile readable by every local account on the Mac; it is acceptable here only because the migrated account is deleted at the end of this section. On a Mac that other people also log into, copy the data as an administrator instead of widening the permissions.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig41_HTML.jpg
Figure 11-41

Using the Get Info ➤ Sharing & Permissions option to change permissions to the migrated folders

Now we can sign in as Don President and browse the old user folder to collect any data we may want, including the files in the migrateduser/Library/Safari/ directory, which holds our old Internet Explorer Favorites, as shown in Figure 11-42. Drag and drop that directory into the dpresident/Library/Safari folder to restore access to them.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig42_HTML.jpg
Figure 11-42

Moving Safari data from the migrated Library folder
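As an added alternative that is not from the book: rather than granting Everyone read on the migrated home so Don can browse it, copy the items you want as an administrator, hand them to dpresident, and strip group and other access from the copies. No other local account ever gets to read the executive's old profile, and the migrated account can still be deleted afterwards exactly as described. The function names are mine, the migrated account is called migrateduser as in the chapter, and the Mac invocation at the bottom assumes it is run with sudo.

```shell
#!/bin/bash
# Added example, not from the book: pull chosen items out of the account that
# Migration Assistant created into Don's home as an administrator, instead of
# granting Everyone read on the migrated home first. copy_private and mode_of
# are helper names invented here; run the Mac invocation at the bottom with sudo.
set -euo pipefail

# copy_private <src_home> <dst_home> <owner> <relative_path>
# Copies one file or directory (a directory's contents are merged into an
# existing destination, which is how the Safari folder overwrite in the chapter
# behaves), gives the result to the target user and strips group/other access,
# so afterwards only the owner and root can read it.
copy_private() {
  local src="$1/$4" dst="$2/$4" owner="$3"
  if [ ! -e "$src" ]; then
    echo "skip: $src does not exist" >&2
    return 1
  fi
  if [ -d "$src" ]; then
    mkdir -p "$dst"
    cp -Rp "$src/." "$dst/"
  else
    mkdir -p "$(dirname "$dst")"
    cp -p "$src" "$dst"
  fi
  chown -R "$owner" "$dst"
  chmod -R go-rwx "$dst"
}

# mode_of <path>: the six group/other permission characters as ls prints them
# ("------" means nobody but the owner has any access).
mode_of() {
  ls -ld "$1" | cut -c5-10
}

# On Don's Mac, as an administrator with sudo: copy the Safari folder that now
# holds the old IE Favorites, plus anything else Don wants, straight from the
# migrated home without touching that home's own permissions.
if [ -d /Users/migrateduser ] && [ -d /Users/dpresident ]; then
  copy_private /Users/migrateduser /Users/dpresident dpresident Library/Safari
  copy_private /Users/migrateduser /Users/dpresident dpresident Documents
  mode_of /Users/dpresident/Library/Safari
fi
```

The Finder route and this script end in the same place, Don's Favorites in his own Safari folder, but the script never passes through a state in which the migrated data is readable by every account on the machine, which matters if the Mac is shared or the cleanup step is forgotten.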

Once we have copied all the user data, confirm that Don can see the migrated data, as shown in Figure 11-43. Next, we can open the Users & Groups System Preference and delete the migrated user account from the Mac; this also removes the copy of his old profile that we made readable to Everyone earlier. The migration is now complete.
../images/492151_1_En_11_Chapter/492151_1_En_11_Fig43_HTML.jpg
Figure 11-43

Confirming that the migrated IE Favorites are available in Don’s Safari Bookmarks menu

Pro Tip

Unless I have a lot of data to migrate, I prefer to use OneDrive to move the user's data off of the old PC and onto the new Mac. I export the Internet Explorer Favorites using the File ➤ Export option in IE and save them to a single directory, then import them into Safari on the new Mac. This method backs up the user's data in Microsoft's cloud and speeds up the restore process, because I don't have to copy data between two home directories and then delete the user account that the Migration Assistant created.

Summary

In this chapter, we learned how to integrate Apple solutions into a corporate enterprise network comprised of Microsoft solutions. We migrated an executive user from a Windows PC to a MacBook Pro while allowing them to continue using the printers, file shares, and applications they were accustomed to without any loss of productivity. Using the same tools and strategies you learned in this chapter, you should be able to easily integrate a Mac, iPhone, or iPad into your existing Microsoft environment with minimal effort or extensive IT infrastructure changes.