Configure Group Policy Settings

When you install the Group Policy Management Console component during the AD Bridge install, the following Mac features are available in Group Policy Management Console. Use these features to manage macOS targets that are managed by AD Bridge.

  • Mac System Preferences: Offers a subset of the System Preferences available with the native Mac tools.
  • DS Plugin Settings: Offers policies that can be applied if you use Apple's directory services tools to manage users.
  • Profile Manager Settings: Allows you to upload configuration settings to deploy to macOS computers when they join the domain.

Access Mac System Preferences

Using Group Policy Management Console, you can deploy certain Mac System Preferences to target macOS systems that are managed by AD Bridge.

To access Mac System Preferences in Group Policy Management Console:

  1. Create or edit a group policy for the organizational unit you want, and then open it with the Group Policy Management Editor.
  2. Expand Computer Configuration > Policies > Unix and Linux Settings > Mac Settings.
  3. Expand Mac System Preferences, and then configure a policy.

Security

The policies in Security preferences are inherited. The policies will merge with Local policies.

  • Secure system preferences with password: Enable the policy to lock system preferences on target computers so that only administrators with the password can change the preferences.
  • Automatic logout from user inactivity: Turn on to automatically log a user off a target computer when the computer is idle. Use this policy to prevent unauthorized access to Mac computers that have been inactive for a set period of time.
    If a document with unsaved changes is open on a target computer running Mac OS X 10.5 (and possibly other versions), the application cancels logout.

Firewall

The policies in Firewall preferences are inherited. The policies will merge with Local policies.

  • Use firewall protection: Enable to turn on the built-in firewall on target computers.
  • Block all incoming connections: Turn on to set the built-in firewall on target computers to block UDP traffic. Blocking UDP traffic can help secure target computers.
  • Use firewall stealth mode: Turn on stealth mode to cloak the target computer behind its firewall. Uninvited traffic gets no response, and other computers that send traffic to the target computer get no information about it.

Bluetooth

  • Turn Bluetooth on or off: Enable or disable Bluetooth power on target computers. When Bluetooth power is off, other Bluetooth devices, such as wireless keyboards and mobile phones, cannot connect to the computer.
  • Open Bluetooth Setup Assistant at startup when no input device is present: Turn on to open the Bluetooth Setup Assistant if an input device (such as a keyboard or mouse) is not detected when the computer starts.
    This setting works with computers running Mac OS X 10.5.

Energy Saver

  • System Sleep Timer: Turn on to put a target computer to sleep after it has been idle for a set number of minutes. To set the computer to never sleep, enter 0.
  • Display Sleep Timer: Turn on to put the screen of a target computer to sleep after it has been idle for a set number of minutes. To set the computer to never sleep, enter 0.
  • Disk Sleep Timer: Turn on to put the hard disk of a target computer to sleep when it is not in use.
  • Wake on LAN: Turn on to wake up a target computer when a network administrator accesses it through a local area network Ethernet connection.
  • Sleep on Power button: Turn on to set the power button to put a target computer to sleep. When the power button is pressed, the computer goes to sleep instead of shutting down.
  • Automatic restart on power loss: Turn on to automatically restart a target Mac computer after it loses power. This policy can help recover a workstation or server after a power failure.
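The Firewall and Energy Saver policies above declare a desired state; confirming that a target actually reports that state is a separate step. The following Python script is an added example (not AD Bridge code and not from this page) that compares the expected policy values with parsed output collected from the target. The `pmset -g custom` and `socketfilterfw` replies it parses are constructed samples, and the mapping of pmset keys to the policy names is an assumption made for the example.

```python
"""Drift check for Mac System Preferences pushed by AD Bridge group policy. Added
example, not product code; the outputs below are constructed samples standing in
for `pmset -g custom` and `socketfilterfw --getglobalstate/--getstealthmode/--getblockall`."""
import re
# GPO values this check expects (assumed). pmset keys: sleep = System Sleep Timer,
# displaysleep = Display Sleep Timer, disksleep = Disk Sleep Timer, womp = Wake on LAN, autorestart = restart on power loss.
EXPECTED_PMSET = {"sleep": 0, "displaysleep": 10, "disksleep": 10, "womp": 1, "autorestart": 1}
EXPECTED_FIREWALL = {"globalstate": True, "stealthmode": True, "blockall": False}

SAMPLE_PMSET = """\
Battery Power:
 sleep                10
 displaysleep         2
AC Power:
 sleep                0
 displaysleep         15
 disksleep            10
 womp                 1
 autorestart          0
"""
# Constructed socketfilterfw replies, keyed by the query flag that produced them.
SAMPLE_FIREWALL = {"globalstate": "Firewall is enabled. (State = 1)",
                   "stealthmode": "Stealth mode disabled",
                   "blockall": "Block all DISABLED!"}

def parse_pmset(text, section="AC Power"):
    """Return {key: int} for one section of `pmset -g custom` output."""
    settings, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # section header, e.g. "AC Power:"
            current = line.rstrip(":")
        elif current == section:
            m = re.match(r"\s*(\S+)\s+(\d+)\s*$", line)
            if m:
                settings[m.group(1)] = int(m.group(2))
    return settings

def firewall_enabled(reply):
    """True if a socketfilterfw reply reports the feature as on (keyword match only)."""
    return (re.search(r"\b(enabled|on)\b", reply, re.I) is not None
            and re.search(r"\b(disabled|off)\b", reply, re.I) is None)

def drift(pmset_text=SAMPLE_PMSET, firewall=SAMPLE_FIREWALL):
    """List (setting, expected, actual) where the target differs from the GPO."""
    actual = parse_pmset(pmset_text)
    out = [(k, v, actual.get(k)) for k, v in EXPECTED_PMSET.items() if actual.get(k) != v]
    for k, v in EXPECTED_FIREWALL.items():
        got = firewall_enabled(firewall[k])
        if got != v:
            out.append((k, v, got))
    return out
```

Run it with real captures in place of the sample strings; an empty list from drift() means the target matches the policy.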

Mac DS Plugin Settings

If you are using Apple's directory services tools to manage users, you can use the DS Plugin Settings to apply policies on home directory and local administration settings.

  • Use UNC path from Active Directory to create home location: Connects the computer to the network share defined in the Active Directory user account. The UNC path is converted to SMB protocol when the target file server is running Windows or AFP protocol when the target file server is running macOS.
    If the policy for forcing the home directory on the startup disk is enabled, the UNC path is used to create a folder in the user's dock, and the home directory is set to the user's local home directory path.
    To set the path for the home directory, go to the Profile tab of the user's properties in Active Directory Users and Computers. Under the Home folder, select Connect, choose a drive (which is ignored by a macOS computer), and type the UNC path in the To box.
    Path format: \\server\share\folder
    Example: \\lwdemo01\homes\fanthony
  • Force home directory on startup disk: Sets a computer to use a local home directory path. When a user with a home folder connection defined in Active Directory logs on, the connection is created in the dock under /Network/Servers/homeFolderName. The home directory is set on the AD Bridge Cell Settings tab in Active Directory.
  • Allow administration by: Set the administrators included in the local admin group (group ID 80) on a target computer. Local entries are overwritten unless you also set the policy to Allow admins group local entries.
    Select the Active Directory users and groups to add to the list of administrators. You can select users and groups, or you can enter a comma-separated list of short domain names with Active Directory account names or group names.
    The users and groups that you select must be enabled in the AD Bridge cell containing the target computer.
  • Allow admins group local entries: Preserves members of the admin group who are defined locally but are not specified in the Allow administration by policy.

Profile Manager Settings

You can upload Profile Manager configuration settings to Group Policy Management Console and deploy the settings to your macOS computers. When a macOS computer joins the domain, the policies defined in the Profile Manager settings are deployed to that computer.

Profile Manager policies are applied on computers running Mac OS 10.7 and later. If both Profile Manager and Workgroup Manager policies are in place, the group policy agent tries to apply both types of policy. We therefore recommend that you do not use Workgroup Manager and Profile Manager in the same AD Bridge environment, because the results might not be reliable.

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Import a Policy

  1. In Group Policy Management Editor, go to the Mac Settings.
  2. Select Profile Manager Settings.
  3. Double-click the policy.
  4. Select the Define this policy check box.
  5. Click Import, and then navigate to the mobileconfig file.
  6. Click Apply.

Only one mobileconfig file is permitted per group policy.

If the policy is deployed but not applied, try restarting the computer and restarting gpagent.
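A profile that is deployed but never applied is often malformed before it reaches the policy. The following Python check is an added example (not AD Bridge code and not from this page) that validates a mobileconfig file's structure before you click Import: a top-level Configuration payload, the required Payload keys on every payload, and well-formed, unique UUIDs. The embedded firewall profile is a constructed sample with placeholder identifiers and UUIDs.

```python
"""Pre-import sanity check for a mobileconfig file destined for the Profile Manager
Settings policy. Added example, not AD Bridge code; the embedded profile is a
constructed sample with placeholder identifiers and UUIDs."""
import plistlib
import uuid

SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.adbridge.firewall</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Firewall baseline (constructed sample)</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.firewall</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>com.example.adbridge.firewall.payload</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>EnableFirewall</key><true/>
    <key>EnableStealthMode</key><true/>
    <key>BlockAllIncoming</key><false/>
  </dict></array>
</dict></plist>"""

REQUIRED = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")

def check_mobileconfig(data):
    """Return a list of problems; an empty list means the profile is ready to import."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:              # not an XML or binary plist at all
        return [f"not a valid plist: {exc}"]
    problems, seen = [], set()
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    payloads = profile.get("PayloadContent") or []
    if not payloads:
        problems.append("profile carries no payloads")
    for p in [profile, *payloads]:        # check the envelope and every inner payload
        ident = p.get("PayloadIdentifier", "?")
        problems += [f"{ident}: missing {k}" for k in REQUIRED if k not in p]
        u = str(p.get("PayloadUUID", ""))
        try:
            uuid.UUID(u)
        except ValueError:
            problems.append(f"{ident}: PayloadUUID is not a UUID")
        if u in seen:
            problems.append(f"{ident}: duplicate PayloadUUID {u}")
        seen.add(u)
    return problems
```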

Remove a Policy

  1. In Group Policy Management Editor, go to the Mac Settings.
  2. Select Profile Manager Settings.
  3. Double-click the policy.
  4. Clear the Define this policy check box.
  5. Click Apply.
  6. The next time you open the policy, the mobileconfig contents are no longer displayed. You can import a new or updated mobileconfig file if needed.