apple_device-management/mdm/profiles/com.apple.DirectoryService.managed.yaml

title: Directory Service
description: The payload that configures an Active Directory (AD) domain.
payload:
  payloadtype: com.apple.DirectoryService.managed
  supportedOS:
    iOS:
      introduced: n/a
    macOS:
      introduced: '10.8'
      multiple: true
      devicechannel: true
      userchannel: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
      userenrollment:
        mode: allowed
    tvOS:
      introduced: n/a
    visionOS:
      introduced: n/a
    watchOS:
      introduced: n/a
  content: In macOS 10.9 and later, a configuration profile can be used to configure
    macOS to join an Active Directory (AD) domain. Advanced AD options available via
    Directory Utility or the dsconfigad command line tool can also be set using a
    configuration profile.
payloadkeys:
- key: HostName
  title: HostName
  type: <string>
  presence: required
  content: The Active Directory domain to join.
- key: UserName
  title: UserName
  type: <string>
  presence: optional
  content: The user name of the account for the domain.
- key: Password
  title: Password
  type: <string>
  presence: optional
  content: The password of the account for the domain.
- key: ClientID
  title: Client ID
  type: <string>
  presence: optional
  content: The client's identifier.
- key: Description
  title: Description
  type: <string>
  presence: optional
  content: The directory service description.
- key: ADOrganizationalUnit
  title: ADOrganizationalUnit
  type: <string>
  presence: optional
  content: The organizational unit to add the joining computer object to.
- key: ADMountStyle
  title: ADMountStyle
  type: <string>
  presence: optional
  content: 'The network home protocol to use: `afp` or `smb`.'
- key: ADCreateMobileAccountAtLoginFlag
  title: ADCreateMobileAccountAtLoginFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADCreateMobileAccountAtLogin` key.
- key: ADCreateMobileAccountAtLogin
  title: ADCreateMobileAccountAtLogin
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system creates a mobile account at login.
- key: ADWarnUserBeforeCreatingMAFlag
  title: ADWarnUserBeforeCreatingMAFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADWarnUserBeforeCreatingMA` key.
- key: ADWarnUserBeforeCreatingMA
  title: ADWarnUserBeforeCreatingMA
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the warning before creating the mobile account.
- key: ADForceHomeLocalFlag
  title: ADForceHomeLocalFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADForceHomeLocal` key.
- key: ADForceHomeLocal
  title: ADForceHomeLocal
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system forces a local home directory.
- key: ADUseWindowsUNCPathFlag
  title: ADUseWindowsUNCPathFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADUseWindowsUNCPath` key.
- key: ADUseWindowsUNCPath
  title: ADUseWindowsUNCPath
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system uses the UNC path from Active Directory to derive
    the network home location.
- key: ADAllowMultiDomainAuthFlag
  title: ADAllowMultiDomainAuthFlag
  supportedOS:
    macOS:
      introduced: '10.9'
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADAllowMultiDomainAuth` key.
- key: ADAllowMultiDomainAuth
  title: ADAllowMultiDomainAuth
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system allows authentication from any domain in the namespace.
- key: ADDefaultUserShellFlag
  title: ADDefaultUserShellFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADDefaultUserShell` key.
- key: ADDefaultUserShell
  title: ADDefaultUserShell
  type: <string>
  presence: optional
  content: The default user shell.
- key: ADMapUIDAttributeFlag
  title: ADMapUIDAttributeFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADMapUIDAttribute` key.
- key: ADMapUIDAttribute
  title: ADMapUIDAttribute
  type: <string>
  presence: optional
  content: The map UID to attribute.
- key: ADMapGIDAttributeFlag
  title: ADMapGIDAttributeFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADMapGIDAttribute` key.
- key: ADMapGIDAttribute
  title: ADMapGIDAttribute
  type: <string>
  presence: optional
  content: The map GID to attribute.
- key: ADMapGGIDAttributeFlag
  title: ADMapGGIDAttributeFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADMapGGIDAttributeFlag` key.
- key: ADMapGGIDAttribute
  title: ADMapGGIDAttribute
  type: <string>
  presence: optional
  content: The map group GID to attribute.
- key: ADPreferredDCServerFlag
  title: ADPreferredDCServerFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADPreferredDCServer` key.
- key: ADPreferredDCServer
  title: ADPreferredDCServer
  type: <string>
  presence: optional
  content: The preferred domain server.
- key: ADDomainAdminGroupListFlag
  title: ADDomainAdminGroupListFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADDomainAdminGroupList` key.
- key: ADDomainAdminGroupList
  title: ADDomainAdminGroupList
  type: <array>
  presence: optional
  content: The list of Active Directory groups with admin access.
  subkeys:
  - key: ADDomainAdminGroupListItem
    type: <string>
- key: ADNamespaceFlag
  title: ADNamespaceFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADNamespace` key.
- key: ADNamespace
  title: ADNamespace
  type: <string>
  presence: optional
  content: The primary user account naming convention; either `forest` or `domain`.
- key: ADPacketSignFlag
  title: ADPacketSignFlag
  supportedOS:
    macOS:
      introduced: '10.8'
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADPacketSign` key.
- key: ADPacketSign
  title: ADPacketSign
  type: <string>
  presence: optional
  content: The packet signing policy.
- key: ADPacketEncryptFlag
  title: ADPacketEncryptFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADPacketEncrypt` key.
- key: ADPacketEncrypt
  title: ADPacketEncrypt
  type: <string>
  presence: optional
  content: The packet encryption policy.
- key: ADRestrictDDNSFlag
  title: ADRestrictDDNSFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADRestrictDDNS` key.
- key: ADRestrictDDNS
  title: ADRestrictDDNS
  supportedOS:
    macOS:
      introduced: '10.8'
  type: <array>
  presence: optional
  content: An array of strings that represent the interfaces allowed for dynamic DNS
    updates, such as en0 and en1.
  subkeys:
  - key: ADRestrictDDNSItem
    type: <string>
- key: ADTrustChangePassIntervalDaysFlag
  title: ADTrustChangePassIntervalDaysFlag
  type: <boolean>
  presence: optional
  default: false
  content: If `true`, the system enables the `ADTrustChangePassIntervalDays` key.
- key: ADTrustChangePassIntervalDays
  title: ADTrustChangePassIntervalDays
  type: <integer>
  presence: optional
  content: The number of days before requiring a change of the computer trust account
    password. Set to `0` to disable the feature.