macOS Active Directory Configuration

macOS Active Directory Profile Support increases security by allowing admins to give domain users full access to a FileVault-encrypted macOS device using bootstrap tokens.

New macOS Active Directory configurations can be created in the library, then applied to devices. Active Directory configurations can also be applied to one or more devices using a policy.

Create an Active Directory Configuration

  1. Select Libraries in top navigation.
  2. Click the Active Directory icon.
  3. Click Add New.
  4. Fill in required information.
  5. Click Save.

Mandatory Fields

  • Name - The name of the configuration, so that a list of possible configurations can be filtered.
  • Server Name - The name of the domain controller; for example: dc1.test.quest.com.
    • The domain name can also be used here; for example: TEST.QUEST.
  • Username - The name of the account used to join the macOS device to the domain.
  • Password - The password of the account used to join the macOS device to the domain.

IMPORTANT: Once a configuration has been applied to a device, it can still be changed, but this could result in remote devices being unable to connect to the domain.


With the release of macOS 10.15 (Catalina), bootstrap tokens will be added to all DEP devices. These tokens give all network users (e.g., Active Directory users) automatic access to FileVault.

Confirm FileVault Encryption and Bootstrap Token

To confirm successful enabling of FileVault encryption and the recording of bootstrap tokens in KACE Cloud MDM, an admin can start by checking device inventory for the macOS 10.15 update.

  1. Select the Devices section in top navigation.
  2. Filter inventory by OS Name (macOS) and OS Version (10.15).

To add an existing macOS 10.15 DEP device's bootstrap token to KACE Cloud MDM:

  1. Run an inventory on the device.
    • This ensures that the command that enables the bootstrap token is executed.
  2. Open a terminal prompt and enter the following command:
    • sudo profiles install -type bootstraptoken

To confirm that a token is working on a device:

  1. Log in to the device as an admin user.
  2. Open a terminal prompt and enter the following command:
    • sudo profiles status -type bootstraptoken

Example of command confirmation: [screenshot omitted]

To confirm successful storage in KACE Cloud MDM:

  • From the Devices section, select a device.
  • Under the General tab, scroll to the Security section.
  • Confirm Yes or No status for 'FileVault Encryption Enabled' and 'Bootstrap Token Recorded'.

Apply Active Directory Configuration To A Device

To ensure successful profile installation, be sure that the device can connect to the domain and that all settings are correct. If an error occurs, the device history keeps a record of the main errors reported from the macOS device. For troubleshooting domain joins, it is recommended that the macOS Console be open when applying the profile.

Note: If an Active Directory configuration is removed from a macOS device, it will automatically unbind from the domain.

Troubleshoot Administration Groups Issue

Since the release of macOS 10.13, the option to add administration groups to an Active Directory configuration is unavailable. If a device admin wants to grant admin rights to domain users, there are two manual options:

To grant access to groups using a terminal prompt:

  1. Open a terminal window.
  2. Enter the command:
    • sudo dsconfigad -groups "TESTDOMAIN\Test Group 1, TESTDOMAIN\Test Group 2"

Once the command is applied, domain users who are members of these groups will have admin rights the next time they log in to the device.

To grant access to groups using system preferences:

  1. Go to System Preferences.
  2. Scroll to the Users and Groups section.
  3. Check 'Allow user to administer this computer'.

IMPORTANT: When using System Preferences > Users & Groups, admin rights will be successfully granted provided the user had previously logged in to and rebooted the device.
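The three checks described above (FileVault status, bootstrap token escrow, and which domain groups have been granted admin rights with dsconfigad) are easy to script so that a technician gets one pass/fail verdict per device. The script below is an added example and is not code from KACE Cloud MDM or Apple. The parsing functions are kept separate from the commands so they can be exercised against the constructed sample output embedded in the script on any POSIX shell; the line formats in those samples (the two "Bootstrap Token ... on server: YES" lines from profiles, "FileVault is On." from fdesetup, and the "Allowed admin groups" line from dsconfigad -show) are assumptions about the tools' output. Run it with --live on the Mac itself to use the real commands.

```shell
#!/bin/sh
# Added example (not KACE Cloud MDM or Apple code). Reports whether a macOS
# 10.15 DEP device has FileVault on, has its bootstrap token escrowed to the
# MDM server, and which domain groups currently receive admin rights.

# 0 when `sudo profiles status -type bootstraptoken` output says the token is
# both supported by and escrowed to the server. Assumed output format.
bootstrap_token_escrowed() {
  printf '%s\n' "$1" | grep -q 'Bootstrap Token supported on server: YES' || return 1
  printf '%s\n' "$1" | grep -q 'Bootstrap Token escrowed to server: YES'  || return 1
  return 0
}

# 0 when `fdesetup status` output reports "FileVault is On." (assumed format).
filevault_enabled() {
  printf '%s\n' "$1" | grep -q '^FileVault is On' || return 1
  return 0
}

# Prints the value of the "Allowed admin groups" line from `dsconfigad -show`
# (assumed label), or "not set" when no such line is present.
allowed_admin_groups() {
  groups=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p')
  if [ -n "$groups" ]; then
    printf '%s\n' "$groups"
  else
    printf 'not set\n'
  fi
}

# Prints one line per check and returns 0 only if FileVault is on and the
# bootstrap token is escrowed. The admin-group list is informational.
report() {
  token_out=$1; fde_out=$2; ds_out=$3
  status=0
  if filevault_enabled "$fde_out"; then
    echo "FileVault Encryption Enabled: Yes"
  else
    echo "FileVault Encryption Enabled: No"; status=1
  fi
  if bootstrap_token_escrowed "$token_out"; then
    echo "Bootstrap Token Recorded: Yes"
  else
    echo "Bootstrap Token Recorded: No"; status=1
  fi
  echo "Allowed admin groups: $(allowed_admin_groups "$ds_out")"
  return $status
}

# Constructed sample output representing a healthy, domain-joined device.
SAMPLE_TOKEN='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_FDE='FileVault is On.'
SAMPLE_DSCONFIG='Active Directory Domain          = test.quest.com
Computer Account                 = mac-lab-01$

Advanced Options - Administrative
  Allowed admin groups           = TESTDOMAIN\Test Group 1,TESTDOMAIN\Test Group 2
  Authentication from any domain = Enabled'

if [ "${1:-}" = "--live" ]; then
  # On the Mac: query the real tools (profiles needs root, hence sudo).
  report "$(sudo profiles status -type bootstraptoken 2>&1)" \
         "$(fdesetup status 2>&1)" \
         "$(dsconfigad -show 2>&1)"
else
  # Anywhere else: demonstrate the parsers on the constructed samples.
  report "$SAMPLE_TOKEN" "$SAMPLE_FDE" "$SAMPLE_DSCONFIG"
fi
```

The output lines deliberately mirror the 'FileVault Encryption Enabled' and 'Bootstrap Token Recorded' fields shown under the device's Security section in KACE Cloud MDM, so a local result can be compared directly with what the MDM inventory reports.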