Explore the full catalogue of Apple Mobile Device Management (MDM) and Declarative Device Management (DDM) policies for macOS and iOS. Use the interactive explorer to search, filter, and reference policy keys for use with Microsoft Intune, Jamf, or any standards-compliant MDM solution.
The payload that configures an Active Directory (AD) domain.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
HostName HostName The Active Directory domain to join. | string | required | — | ✓Yes | macOS (10.8+) |
UserName UserName The user name of the account for the domain. | string | optional | — | ✓Yes | macOS (10.8+) |
Password Password The password of the account for the domain. | string | optional | — | ✓Yes | macOS (10.8+) |
Client ID ClientID The client's identifier. | string | optional | — | ✓Yes | macOS (10.8+) |
Description Description The directory service description. | string | optional | — | ✓Yes | macOS (10.8+) |
ADOrganizationalUnit ADOrganizationalUnit The organizational unit to add the joining computer object to. | string | optional | — | ✓Yes | macOS (10.8+) |
ADMountStyle ADMountStyle The network home protocol to use: `afp` or `smb`. | string | optional | — | ✓Yes | macOS (10.8+) |
ADCreateMobileAccountAtLoginFlag ADCreateMobileAccountAtLoginFlag If `true`, the system enables the `ADCreateMobileAccountAtLogin` key. | boolean | optional | false | ✓Yes | macOS (10.9+) |
ADCreateMobileAccountAtLogin ADCreateMobileAccountAtLogin If `true`, the system creates a mobile account at login. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADWarnUserBeforeCreatingMAFlag ADWarnUserBeforeCreatingMAFlag If `true`, the system enables the `ADWarnUserBeforeCreatingMA` key. | boolean | optional | false | ✓Yes | macOS (10.9+) |
ADWarnUserBeforeCreatingMA ADWarnUserBeforeCreatingMA If `true`, the system enables the warning before creating the mobile account. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADForceHomeLocalFlag ADForceHomeLocalFlag If `true`, the system enables the `ADForceHomeLocal` key. | boolean | optional | false | ✓Yes | macOS (10.9+) |
ADForceHomeLocal ADForceHomeLocal If `true`, the system forces a local home directory. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADUseWindowsUNCPathFlag ADUseWindowsUNCPathFlag If `true`, the system enables the `ADUseWindowsUNCPath` key. | boolean | optional | false | ✓Yes | macOS (10.9+) |
ADUseWindowsUNCPath ADUseWindowsUNCPath If `true`, the system uses the UNC path from Active Directory to derive the network home location. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADAllowMultiDomainAuthFlag ADAllowMultiDomainAuthFlag If `true`, the system enables the `ADAllowMultiDomainAuth` key. | boolean | optional | false | ✓Yes | macOS (10.9+) |
ADAllowMultiDomainAuth ADAllowMultiDomainAuth If `true`, the system allows authentication from any domain in the namespace. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADDefaultUserShellFlag ADDefaultUserShellFlag If `true`, the system enables the `ADDefaultUserShell` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADDefaultUserShell ADDefaultUserShell The default user shell. | string | optional | — | ✓Yes | macOS (10.8+) |
ADMapUIDAttributeFlag ADMapUIDAttributeFlag If `true`, the system enables the `ADMapUIDAttribute` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADMapUIDAttribute ADMapUIDAttribute The map UID to attribute. | string | optional | — | ✓Yes | macOS (10.8+) |
ADMapGIDAttributeFlag ADMapGIDAttributeFlag If `true`, the system enables the `ADMapGIDAttribute` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADMapGIDAttribute ADMapGIDAttribute The map GID to attribute. | string | optional | — | ✓Yes | macOS (10.8+) |
ADMapGGIDAttributeFlag ADMapGGIDAttributeFlag If `true`, the system enables the `ADMapGGIDAttributeFlag` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADMapGGIDAttribute ADMapGGIDAttribute The map group GID to attribute. | string | optional | — | ✓Yes | macOS (10.8+) |
ADPreferredDCServerFlag ADPreferredDCServerFlag If `true`, the system enables the `ADPreferredDCServer` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADPreferredDCServer ADPreferredDCServer The preferred domain server. | string | optional | — | ✓Yes | macOS (10.8+) |
ADDomainAdminGroupListFlag ADDomainAdminGroupListFlag If `true`, the system enables the `ADDomainAdminGroupList` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADDomainAdminGroupList ADDomainAdminGroupList The list of Active Directory groups with admin access. 1 subkey | array | optional | — | ✓Yes | macOS (10.8+) |
└─ ADDomainAdminGroupListItem ADDomainAdminGroupListItem | string | — | ✓Yes | macOS (10.8+) | |
ADNamespaceFlag ADNamespaceFlag If `true`, the system enables the `ADNamespace` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADNamespace ADNamespace The primary user account naming convention; either `forest` or `domain`. | string | optional | — | ✓Yes | macOS (10.8+) |
ADPacketSignFlag ADPacketSignFlag If `true`, the system enables the `ADPacketSign` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADPacketSign ADPacketSign The packet signing policy. | string | optional | — | ✓Yes | macOS (10.8+) |
ADPacketEncryptFlag ADPacketEncryptFlag If `true`, the system enables the `ADPacketEncrypt` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADPacketEncrypt ADPacketEncrypt The packet encryption policy. | string | optional | — | ✓Yes | macOS (10.8+) |
ADRestrictDDNSFlag ADRestrictDDNSFlag If `true`, the system enables the `ADRestrictDDNS` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADRestrictDDNS ADRestrictDDNS An array of strings that represent the interfaces allowed for dynamic DNS updates, such as en0 and en1. 1 subkey | array | optional | — | ✓Yes | macOS (10.8+) |
└─ ADRestrictDDNSItem ADRestrictDDNSItem | string | — | ✓Yes | macOS (10.8+) | |
ADTrustChangePassIntervalDaysFlag ADTrustChangePassIntervalDaysFlag If `true`, the system enables the `ADTrustChangePassIntervalDays` key. | boolean | optional | false | ✓Yes | macOS (10.8+) |
ADTrustChangePassIntervalDays ADTrustChangePassIntervalDays The number of days before requiring a change of the computer trust account password. Set to `0` to disable the feature. | integer | optional | — | ✓Yes | macOS (10.8+) |
