Binding macOS to Active Directory or Open Directory

By binding a device to the directory service, the device will comply with any domain policies and password security settings. Jamf School supports binding to Open Directory, Active Directory and any other LDAP capable directory service in version 5.3.7 and up.

Creating a Directory Profile

  1. In Jamf School, navigate to Profiles and click + Create Profile.

  2. Select macOS as the platform, fill in the name and description, and assign one or more groups. Once done, click Save.

  3. Select the Directory payload in the profile you just created.

  4. Configure the settings as described in the tables below.

  5. When finished, click Save to push the profile to all devices in scope.



Directory Type

Choose "Active Directory" if you want to bind to a Microsoft Active Directory domain. Choose "Open Directory / LDAP" if you wish to bind to an Open Directory or other LDAP capable directory service.

Server Host Name or IP Address

(Required) Enter the directory server name.

Client ID

(Required) Enter the identifier associated with the device in the directory. Enter the Client ID in a format that is allowed by the directory you're attempting to bind. We recommend using the %SerialNumber% replacement variable.

Note: When using pre-stage directory enrollment, this field is not required.

Bind Credentials
(Optional) Enter the credentials of a privileged user to authenticate and bind the device to the server. The credentials should not include the domain. Use "username" only, do not use "domain\username"


(Optional) Enter the username of the user used to authenticate and bind the device to the server.


(Optional) Enter the password of the user used to authenticate and bind the device to the server.

Active Directory Settings



Organizational Unit

(Optional) The Organizational Unit (OU) where the joining computer object is added.

User Experience

Create Mobile Account at login

Select this option to create a mobile account. When this option is selected, the users' data is stored locally and they are automatically logged into a mobile account. Optional, defaults to false

Require confirmation before creating Mobile Account

(Optional, defaults to false) Send a confirmation message to the end user.

Bypass the Secure Token Authentication prompt when creating a Mobile Account

(Optional, defaults to false) Bypasses the "Secure Token Authentication" prompt. Note: Enabling this option may prevent Mobile Accounts from being able to unlock FileVault. This is available on macOS 10.13.5 or higher.

Force local home directory on Startup disk

(Optional, defaults to false) Forces the local Home Directory to be created on the Startup disk.

Use UNC path from Active Directory to derive network home location

(Optional, defaults to true) Select to determine the UNC specified in the Active Directory when mounting the network home.

Mount Style

(Optional, defaults to AFP) Choose either the AFP or SMB protocols.

Default User Shell

(Optional, defaults to "/bin/bash") Specify the default shell for the user after logging into the computer.


(Optional) Select the Mappings tab to specify an attribute to be used for equivalent acronym (GID). By default these are derived from the domain server.


Preferred Domain Server

(Optional) Enter the name of the domain server to use for authentication.

Allow authentication from any domain in the forest

(Optional, defaults to true) Allow any domain in the forest to authenticate.

Allow Administration

(Optional) All members of these groups will have Administrator privileges on this computer.


(Optional, defaults to domain) Select the primary account naming convention based on forest or domain.

Packet Signing

(Optional, defaults to allow) Choose how to ensure data is secure.

Packet Encryption

(Optional, defaults to allow) Choose to encrypt data.

Restrict DDNS

(Optional) Restrict Dynamic DNS updates to the specified interfaces (for example, en0, en1, etc).

Password trust interval

(Optional, defaults to 14) Set to determine how often the computer trust is updated.

Unbind a Computer

  1. To unbind, click on Remove in the Directory payload.

  2. Click Save to push the profile to all devices in scope. All devices will unbind from the directory. If there are more profiles with a Directory payload, you should remove them as needed.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.