LDAP Authentication with Apple DEP

Introduction

Using SimpleMDM, your organization can require devices enrolling via DEP to authenticate against a company directory service using LDAP. Without proper credentials, a user will not be able to enroll their device in MDM.

LDAP authentication is enabled on an individual DEP server basis. This allows for requiring LDAP authentication only for specific devices, if desired.

SimpleMDM authenticates by attempting to bind to the LDAP service with the credentials provided by the user. The administrator must configure a username DN template (schema); SimpleMDM combines this template with the user-supplied credentials to build the DN it binds with.

LDAP Availability

During the enrollment process, SimpleMDM will connect to the directory server using LDAP to authenticate the user. Because SimpleMDM needs to communicate with the directory server, it is important that the directory server is reachable from the internet and is reliably available. If the directory server cannot be contacted during the enrollment process, the device will not be permitted to enroll in MDM or complete the device setup process.

Setup Process

To enable directory service authentication, navigate to the DEP Account details screen and locate the Authentication section. The following configuration details must be provided:

  • Authentication prompt: This message is displayed at the top of the username and password message box when the user is prompted for their credentials. A good message advises users on what particular credential they should provide.
  • LDAP URI: This is the address at which your directory service can be reached.
  • LDAP username DN template: The username that SimpleMDM will use to bind against the directory. {{username}} must be included in the template. SimpleMDM will replace this token with the username provided by the user before connecting to LDAP.

Example

The company "Example Org" has an LDAP server that they would like to authenticate their users against. The LDAP server is located at directory.example.org on port 636 and supports secure LDAP.

Their user DNs take the following form:

  • uid=mjordan,ou=users,dc=example,dc=org
  • uid=spippen,ou=users,dc=example,dc=org

When configuring SimpleMDM, they will use the following settings:

  • LDAP URI: ldaps://directory.example.org:636
  • LDAP username DN template: uid={{username}},ou=users,dc=example,dc=org

When a user authenticates during enrollment, they will provide the username "mjordan" or "spippen" and their password. SimpleMDM will then transform this input according to the DN template provided before binding to LDAP.
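The following Python is an added example, not SimpleMDM's own code, showing what the setup process and the Example Org scenario above amount to: the {{username}} token is substituted into the DN template and the result is used for a simple bind against the configured LDAP URI. The template, URI and user DNs are the ones from the example; the RFC 4514 escaping of the substituted value, the rejection of empty passwords, the in-memory fake directory and the ldap3-based bind helper are assumptions of this example rather than anything the page describes.

```python
"""Render a DN template and bind with it, as an enrollment authenticator would.

Added example; not SimpleMDM code. Template and DNs follow the Example Org
scenario; escaping, empty-password handling and the ldap3 helper are assumptions.
"""
import ssl

TEMPLATE_TOKEN = "{{username}}"


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied value per RFC 4514 so it stays one attribute
    value and cannot add or alter RDNs in the rendered DN (assumption)."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if value.startswith(("#", " ")):           # leading '#' or space
        s = "\\" + s
    if len(value) > 1 and value.endswith(" "):  # trailing space
        s = s[:-1] + "\\ "
    return s


def render_bind_dn(template: str, username: str) -> str:
    """Substitute {{username}} into the configured DN template."""
    if TEMPLATE_TOKEN not in template:
        raise ValueError("DN template must contain " + TEMPLATE_TOKEN)
    if not username:
        raise ValueError("username is required")
    return template.replace(TEMPLATE_TOKEN, escape_rdn_value(username))


def authenticate(ldap_uri, template, username, password, bind):
    """Return True only when a simple bind with the rendered DN succeeds.

    bind(uri, dn, password) -> bool is injected so the logic runs without a
    directory. An empty password is refused before binding: RFC 4513 allows
    a server to treat a DN with no password as an unauthenticated bind that
    succeeds, which must never count as a valid login (assumption).
    """
    if not password:
        return False
    try:
        dn = render_bind_dn(template, username)
    except ValueError:
        return False
    return bind(ldap_uri, dn, password)


def ldap3_bind(uri, dn, password):
    """Real bind via the ldap3 library (assumed installed). The certificate
    is verified because the directory is reached over the internet; an
    unreachable directory yields False, i.e. enrollment is denied."""
    from ldap3 import Connection, Server, Tls
    from ldap3.core.exceptions import LDAPException
    tls = Tls(validate=ssl.CERT_REQUIRED)
    server = Server(uri, tls=tls)   # ldap3 reads scheme and port from the URI
    conn = Connection(server, user=dn, password=password)
    try:
        return conn.bind()
    except LDAPException:
        return False
    finally:
        conn.unbind()


def make_fake_bind(directory):
    """Build a bind() over a constructed in-memory {dn: password} map."""
    def bind(uri, dn, password):
        return directory.get(dn) == password
    return bind


EXAMPLE_URI = "ldaps://directory.example.org:636"
EXAMPLE_TEMPLATE = "uid={{username}},ou=users,dc=example,dc=org"
# Constructed sample directory mirroring the Example Org DNs; passwords are made up.
FAKE_DIRECTORY = {
    "uid=mjordan,ou=users,dc=example,dc=org": "bulls23",
    "uid=spippen,ou=users,dc=example,dc=org": "bulls33",
}

if __name__ == "__main__":
    bind = make_fake_bind(FAKE_DIRECTORY)
    print(render_bind_dn(EXAMPLE_TEMPLATE, "mjordan"))
    print(authenticate(EXAMPLE_URI, EXAMPLE_TEMPLATE, "mjordan", "bulls23", bind))
    print(authenticate(EXAMPLE_URI, EXAMPLE_TEMPLATE, "mjordan", "", bind))
```

Run as a script it prints the rendered DN for "mjordan", then True for the correct password and False for the empty one; swap make_fake_bind(...) for ldap3_bind to perform the bind against a real ldaps:// endpoint. The escaping step matters because the template is a string substitution: without it, DN metacharacters in the typed username could change which entry the bind targets, whereas with it the username is always a single uid value.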