Binding Computers to Active Directory or Open Directory

By binding a computer to the directory service, the computer will comply with any domain policies and password security settings. Jamf School supports binding to Open Directory, Active Directory, and any other LDAP capable directory service.

Creating a Directory Profile

  1. In Jamf School, navigate to Profiles in the sidebar.

  2. Click +Create Profile.

  3. Select macOS as the platform.

  4. Use the Scope payload to add computers to the scope.

  5. Use the Directory payload to configure the settings.

  6. Click Save.
    The profile is distributed to all devices in the scope.

Open Directory and LDAP Settings



Directory Type

Choose "Active Directory" if you want to bind to a Microsoft Active Directory domain. Choose "Open Directory / LDAP" if you want to bind to an Open Directory or other LDAP-capable directory service.

Server Host Name or IP Address

(Required) Enter the directory server name.

Client ID

(Required) Enter the identifier associated with the device in the directory. Enter the Client ID in a format that is allowed by the directory you are attempting to bind. It is recommended you use the %SerialNumber% replacement variable.

Bind Credentials
(Optional) Enter the credentials of a privileged user to authenticate and bind the device to the server. The credentials should not include the domain. Use "username" only; do not use "domain\username"


(Optional) Enter the username of the user used to authenticate and bind the device to the server.


(Optional) Enter the password of the user used to authenticate and bind the device to the server.

Active Directory Settings



Organizational Unit

(Optional) The Organizational Unit (OU) where the joining computer object is added.

User Experience

Create Mobile Account at login

(Optional, defaults to false) Select this option to create a mobile account. When this option is selected, the user's data is stored locally and they are automatically logged into a mobile account.

Require confirmation before creating Mobile Account

(Optional, defaults to false) Sends a confirmation message to the end user.

Bypass the Secure Token Authentication prompt when creating a Mobile Account

(Optional, defaults to false) Bypasses the "Secure Token Authentication" prompt.

Note: Enabling this option may prevent Mobile Accounts from being able to unlock FileVault. This is available on macOS 10.13.5 or later.

Force local home directory on Startup disk

(Optional, defaults to false) Forces the local Home directory to be created on the Startup disk.

Use UNC path from Active Directory to derive network home location

(Optional, defaults to true) Select to determine the UNC specified in the Active Directory when mounting the network home.

Mount Style

(Optional, defaults to AFP) Choose either the AFP or SMB protocols.

Default User Shell

(Optional, defaults to "/bin/bash") Specify the default shell for the user after logging into the computer.


(Optional) Select the Mappings tab to specify an attribute to be used for equivalent acronym (GID). By default, these are derived from the domain server.


Preferred Domain Server

(Optional) Enter the name of the domain server to use for authentication.

Allow authentication from any domain in the forest

(Optional, defaults to true) Allow any domain in the forest to authenticate.

Allow Administration

(Optional) All members of these groups will have Administrator privileges on this computer.


(Optional, defaults to domain) Select the primary account naming convention based on forest or domain.

Packet Signing

(Optional, defaults to allow) Choose how to ensure data is secure.

Packet Encryption

(Optional, defaults to allow) Choose to encrypt data.

Restrict DDNS

(Optional) Restrict Dynamic DNS updates to the specified interfaces (for example: en0 and en1).

Password trust interval

(Optional, defaults to 14) Set to determine how often the computer trust is updated.

Unbinding a Computer

  1. In Jamf School, navigate to Profiles in the sidebar.

  2. Select the profile on the computers you want to unbind.

  3. Use the Directory payload to click Remove.

  4. Click Save.

The profile is redistributed to all computers in the scope. All computers will unbind from the directory. If there are more profiles with the Directory payload configured, you should remove them as needed.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.