apple-device-management-mdm/mdm/profiles/com.apple.DirectoryService.managed.yaml

title: Directory Service
description: Directory Service
payload:
  payloadtype: com.apple.DirectoryService.managed
  supportedOS:
    macOS:
      introduced: '10.8'
      multiple: true
      devicechannel: true
      userchannel: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
      userenrollment:
        mode: allowed
  content: In macOS 10.9 and later, a configuration profile can be used to configure
    macOS to join an Active Directory (AD) domain. Advanced AD options available via
    Directory Utility or the dsconfigad command line tool can also be set using a
    configuration profile.
payloadkeys:
- key: HostName
  title: HostName
  type: <string>
  presence: required
  content: The Active Directory domain to join.
- key: UserName
  title: UserName
  type: <string>
  presence: optional
  content: The user name of the account for the domain.
- key: Password
  title: Password
  type: <string>
  presence: optional
  content: The password of the account for the domain.
- key: ClientID
  title: Client ID
  type: <string>
  presence: optional
  content: The client's identifier.
- key: Description
  title: Description
  type: <string>
  presence: optional
  content: The directory service description.
- key: ADOrganizationalUnit
  title: ADOrganizationalUnit
  type: <string>
  presence: optional
  content: The organizational unit where the joining computer object is added.
- key: ADMountStyle
  title: ADMountStyle
  type: <string>
  presence: optional
  content: 'The network home protocol to use: ''afp'' or ''smb''.'
- key: ADCreateMobileAccountAtLoginFlag
  title: ADCreateMobileAccountAtLoginFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADCreateMobileAccountAtLogin' key.
- key: ADCreateMobileAccountAtLogin
  title: ADCreateMobileAccountAtLogin
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', creates a mobile account at login.
- key: ADWarnUserBeforeCreatingMAFlag
  title: ADWarnUserBeforeCreatingMAFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADWarnUserBeforeCreatingMA' key.
- key: ADWarnUserBeforeCreatingMA
  title: ADWarnUserBeforeCreatingMA
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the warning before creating the mobile account.
- key: ADForceHomeLocalFlag
  title: ADForceHomeLocalFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADForceHomeLocal' key.
- key: ADForceHomeLocal
  title: ADForceHomeLocal
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', forces a local home directory.
- key: ADUseWindowsUNCPathFlag
  title: ADUseWindowsUNCPathFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADUseWindowsUNCPath' key.
- key: ADUseWindowsUNCPath
  title: ADUseWindowsUNCPath
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', uses the UNC path from Active Directory to derive the network
    home location.
- key: ADAllowMultiDomainAuthFlag
  title: ADAllowMultiDomainAuthFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADAllowMultiDomainAuth' key.
- key: ADAllowMultiDomainAuth
  title: ADAllowMultiDomainAuth
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', allows authentication from any domain in the namespace.
- key: ADDefaultUserShellFlag
  title: ADDefaultUserShellFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADDefaultUserShell' key.
- key: ADDefaultUserShell
  title: ADDefaultUserShell
  type: <string>
  presence: optional
  content: The default user shell.
- key: ADMapUIDAttributeFlag
  title: ADMapUIDAttributeFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADMapUIDAttribute' key.
- key: ADMapUIDAttribute
  title: ADMapUIDAttribute
  type: <string>
  presence: optional
  content: The map UID to attribute.
- key: ADMapGIDAttributeFlag
  title: ADMapGIDAttributeFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADMapGIDAttribute' key.
- key: ADMapGIDAttribute
  title: ADMapGIDAttribute
  type: <string>
  presence: optional
  content: The map GID to attribute.
- key: ADMapGGIDAttributeFlag
  title: ADMapGGIDAttributeFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADMapGGIDAttributeFlag' key.
- key: ADMapGGIDAttribute
  title: ADMapGGIDAttribute
  type: <string>
  presence: optional
  content: The map group GID to attribute.
- key: ADPreferredDCServerFlag
  title: ADPreferredDCServerFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADPreferredDCServer' key.
- key: ADPreferredDCServer
  title: ADPreferredDCServer
  type: <string>
  presence: optional
  content: The preferred domain server.
- key: ADDomainAdminGroupListFlag
  title: ADDomainAdminGroupListFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADDomainAdminGroupList' key.
- key: ADDomainAdminGroupList
  title: ADDomainAdminGroupList
  type: <array>
  presence: optional
  content: The list of Active Directory groups that are granted admin access.
  subkeys:
  - key: ADDomainAdminGroupListItem
    type: <string>
- key: ADNamespaceFlag
  title: ADNamespaceFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADNamespace' key.
- key: ADNamespace
  title: ADNamespace
  type: <string>
  presence: optional
  content: The primary user account naming convention; either 'forest' or 'domain'.
- key: ADPacketSignFlag
  title: ADPacketSignFlag
  supportedOS:
    macOS:
      introduced: '10.8'
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADPacketSign' key.
- key: ADPacketSign
  title: ADPacketSign
  type: <string>
  presence: optional
  content: The packet signing policy.
- key: ADPacketEncryptFlag
  title: ADPacketEncryptFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADPacketEncrypt' key.
- key: ADPacketEncrypt
  title: ADPacketEncrypt
  type: <string>
  presence: optional
  content: The packet encryption policy.
- key: ADRestrictDDNSFlag
  title: ADRestrictDDNSFlag
  type: <boolean>
  presence: optional
  default: false
  content: If 'true', enables the 'ADRestrictDDNS' key.
- key: ADRestrictDDNS
  title: ADRestrictDDNS
  supportedOS:
    macOS:
      introduced: '10.8'
  type: <array>
  presence: optional
  content: An array of strings representing the interfaces that are allowed for dynamic
    DNS updates (for example, en0, en1, and so on).
  subkeys:
  - key: ADRestrictDDNSItem
    type: <string>
- key: ADTrustChangePassIntervalDaysFlag
  title: ADTrustChangePassIntervalDaysFlag
  type: <boolean>
  presence: optional
  default: false
  content: If true, enables the 'ADTrustChangePassIntervalDays 'key.
- key: ADTrustChangePassIntervalDays
  title: ADTrustChangePassIntervalDays
  type: <integer>
  presence: optional
  content: The number of days before requiring a change of the computer trust account
    password. '0' disables the feature.