How to List Active Directory Options Across All Macs
Using Kolide, you can easily view and query Mac Active Directory Options across your fleet.
Introduction
Macs that are managed by organizations can be connected to a user directory service called Active Directory (AD). Once a Mac is connected (known as "binding"), authorized users listed in the directory can sign in to the Mac with their credentials and access shared resources on protected networks.
You can learn more about Active Directory support on macOS in Apple's Directory Utility User Guide.
Macs that are bound to an Active Directory domain save their configuration locally. An Active Directory Option is a single setting in that greater configuration. Macs that are bound to Active Directory will save many options, and Macs that are not bound to Active Directory will not have any.
What Mac Active Directory Option Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Active Directory Options from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Active Directory Options Schema
Column | Type | Description |
---|---|---|
id | Primary Key | Unique identifier for the object |
device_id | Foreign Key | Device associated with the entry |
device_name | Text | Display name of the device associated with the entry |
domain | Text | Active Directory trust domain |
name | Text | Absolute and full Name.app path |
option | Text | Canonical name of option |
value | Text | Variable typed option value |
collected_at | Timestamp | Time the row of data was first collected in the database |
updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
```sql
WITH
-- One row per device, carrying the value of its 'forest' option
ad_forests AS (
    SELECT
        device_id,
        MAX(CASE WHEN option = 'forest' THEN value END) AS ad_forest
    FROM mac_active_directory_options
    GROUP BY device_id
),
-- Number of devices bound to each forest
ad_forests_count AS (
    SELECT
        ad_forest,
        COUNT(ad_forest) AS devices_in_forest
    FROM ad_forests
    GROUP BY ad_forest
),
-- Attach the total number of Macs in the fleet to every row
assemble_data AS (
    SELECT
        adfc.*,
        (SELECT COUNT(d.*) FILTER (WHERE d.type = 'Mac') FROM devices d) AS total_macs
    FROM ad_forests_count adfc
)
-- Sort in the outer query: an ORDER BY inside a CTE is not guaranteed to survive
SELECT
    ad_forest,
    total_macs,
    devices_in_forest,
    ROUND(100.0 * devices_in_forest / total_macs) AS membership_percentage
FROM assemble_data
ORDER BY devices_in_forest DESC;
```
ad_forest | total_macs | devices_in_forest | membership_percentage |
---|---|---|---|
acme.headquarters.com | 38 | 8 | 21.0 |
poldomain.com | 38 | 1 | 3.0 |
lievschreib.com | 38 | 1 | 3.0 |
kreuner.clap.com | 38 | 1 | 3.0 |
collab.matchbook.com | 38 | 1 | 3.0 |
Why Should I Collect Mac Active Directory Options?
Even when organizations do not use Active Directory, collecting this data is still useful. For example, if an organization-owned Mac is bound to an Active Directory domain unfamiliar to the organization, this could be an indicator that the Mac may have been compromised.
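The check described above can be written against the schema documented on this page. The query below is an added example, not Kolide's own query; the approved domain names are placeholders, and PostgreSQL syntax is assumed, as in the query earlier on this page.

```sql
WITH approved_domains (domain) AS (
    -- Placeholder allowlist (assumption): replace with your organization's domains.
    -- Leave a single impossible value here if you do not use Active Directory at all.
    VALUES ('corp.example.com'), ('eng.example.com')
),
bindings AS (
    -- The table stores one row per option, so collapse to one row per device and domain
    SELECT
        device_id,
        device_name,
        LOWER(domain) AS domain,
        MAX(CASE WHEN option = 'forest' THEN value END) AS ad_forest,
        MIN(collected_at) AS first_seen,
        MAX(updated_at) AS last_changed
    FROM mac_active_directory_options
    GROUP BY device_id, device_name, LOWER(domain)
)
-- Keep only bindings whose domain has no match in the allowlist.
-- Rows with a NULL domain also fall through and are listed for review.
SELECT
    b.device_id,
    b.device_name,
    b.domain,
    b.ad_forest,
    b.first_seen,
    b.last_changed
FROM bindings b
LEFT JOIN approved_domains a ON a.domain = b.domain
WHERE a.domain IS NULL
ORDER BY b.first_seen DESC;
```

An empty result means every bound Mac points at an approved domain; any returned row is a binding to investigate, newest first.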
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
When you use Kolide to list Mac Active Directory Option data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which can be accessed directly by employees.