DeployStudio 1.7.3 using configuration profiles for Active Directory binding on OS X El Capitan

As part of the release of DeployStudio 1.7.3, DeployStudio is now using an unsigned configuration profile to manage binding to an Active Directory domain for Macs running OS X 10.11.x.

This undocumented change currently appears to apply only to Macs running OS X El Capitan. Earlier versions of OS X are still being bound to AD using Apple’s dsconfigad tool. For more details, see below the jump.

The relevant changes are available via the links below:

DeployStudio AD binding script for OS X 10.11.x: https://github.com/timsutton/DeployStudioDiffs/blob/9c0f3a9366995f6371f79c76c10637397d5d1c92/Packages/Admin/DeployStudio%20Admin.app/Contents/Plugins/DSADBindingTask.bundle/Contents/Resources/Scripts/ds_active_directory_binding/ds_active_directory_binding.10.11.sh

Configuration profile header: https://github.com/timsutton/DeployStudioDiffs/blob/9c0f3a9366995f6371f79c76c10637397d5d1c92/Packages/Admin/DeployStudio%20Admin.app/Contents/Plugins/DSADBindingTask.bundle/Contents/Resources/Templates/ConfigurationProfileHeader.plist

Default configuration profile options: https://github.com/timsutton/DeployStudioDiffs/blob/9c0f3a9366995f6371f79c76c10637397d5d1c92/Packages/Admin/DeployStudio%20Admin.app/Contents/Plugins/DSADBindingTask.bundle/Contents/Resources/Templates/PayloadContent.plist

Based on observation, it appears that the configuration profile is assembled from the ConfigurationProfileHeader.plist and PayloadContent.plist files referenced in the above links, then named ds_active_directory_binding_uuid_goes_here.mobileconfig, with the UUID included in the filename to ensure that the profile’s filename is unique.

One thing to be aware of is that the .mobileconfig files generated by DeployStudio 1.7.3 do not appear to set all options for the Apple Active Directory plug-in correctly. I’ve posted about the issue in the DeployStudio forums and also notified the DeployStudio folks via Twitter:

To see what a DeployStudio 1.7.3-generated AD configuration profile looks like, please see the example below:

Hat tip to @tvsutton for discovering this change.