Active Directory Publisher - macOS
This script is the macOS version of the Active Directory Publisher script, designed to publish user certificates to the userCertificate
attribute in Active Directory (AD). It supports both domain-joined and non-domain-joined macOS systems. If the machine is domain-joined, the certificate is published silently. For non-domain-joined systems, the script prompts the user to enter their Active Directory username and password to publish the certificate.
For a general overview and for Windows version details, refer to Active Directory Publisher - Windows.
Supported operating system and application
| Operating system | Application |
|---|---|
| macOS (for specific version, refer to Prerequisites) | Active Directory (AD) on Windows Server 2022, 2025 |
Parameters
Domain: Optional. Domain name of your Active Directory domain. This is required if the macOS device is not domain-joined. It is used to authenticate users to the specified domain through a pop-up dialog, where the user enters their Active Directory username and password.
Example value: digicert.com
Prerequisite checks
Before proceeding with the certificate publishing, the script performs several checks to ensure the environment is ready:
Checks for required bash commands. Ensures that the commands klist, kinit, osascript, ldapsearch, ldapmodify, realpath, grep, awk, sed, cut, head, and dig are available; these are present by default on macOS.
Checks whether the domain's IP address can be resolved via DNS if a domain is specified as a parameter in the certificate profile.
Checks whether the Key Distribution Center (KDC, TCP port 88) host can be resolved via DNS. The following command is used:
dig +short "_kerberos._tcp.$domain" SRV
Checks whether the LDAP host (TCP port 389) can be resolved through DNS. The following command is used:
dig +short "_ldap._tcp.$domain" SRV
The user account must have the necessary permissions to write to the userCertificate attribute in Active Directory. By default, the AD user object typically has this permission. However, if you encounter any issues while executing the script, contact your administrator to ensure that the required permissions are set appropriately. For more information, refer to How to check permission for userCertificate.
Note
IP addresses for the domain controller must resolve in both directions. Ensure that you get the IP address from the domain controller's hostname, and also get the hostname from its IP address. Also, if IPv6 is enabled in your environment, make sure that IPv6 addresses can be resolved bidirectionally.
If you are using Windows Server DNS, refer to the Microsoft documentation for configuration details, or contact your DNS server administrator.
How it works
The script executes the following steps:
Ensures that all the prerequisite checks are met.
References the certificate installed during the enrollment process.
Checks whether the user is already logged into the domain using the command klist -s. If not, it opens a dialog box and prompts the user to enter their Active Directory username and password to log into the domain specified in the certificate profile.
Obtains the user's Distinguished Name (DN) using the ldapsearch command, which establishes an LDAP connection with the Domain Controller.
Publishes the certificate to the userCertificate attribute of the user's Active Directory object using the ldapmodify command.
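The following script is an added example that walks through the prerequisite SRV lookups and the publishing steps described above with the same tools the page names (dig, klist, kinit, ldapsearch, ldapmodify). It is not the DigiCert Active Directory Publisher script. It assumes the macOS LDAP tools accept -Y GSSAPI for Kerberos authentication, that the certificate file is DER-encoded, and that the Kerberos realm is the domain name in upper case; the function names are hypothetical. It also rejects usernames that could alter the LDAP search filter, a check the page does not describe but which a defender would want before interpolating user input into a filter.

```shell
#!/bin/bash
# Added example, not the DigiCert Active Directory Publisher script.
# Steps: dig (SRV lookup) -> klist/kinit (Kerberos ticket) -> ldapsearch (DN)
#        -> ldapmodify (write userCertificate).
# Assumed: ldapsearch/ldapmodify support -Y GSSAPI, the certificate is DER,
# and the Kerberos realm is the domain name in upper case.

# Choose the preferred host from `dig +short "_ldap._tcp.$domain" SRV` output.
# Each line is "priority weight port target."; the lowest priority wins and
# the trailing dot is stripped.
srv_pick_host() {
  printf '%s\n' "$1" | sort -n -k1,1 | head -n 1 \
    | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Turn "corp.example.com" into "DC=corp,DC=example,DC=com" for the search base.
base_dn_from_domain() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
  }'
}

# Extract the DN from `ldapsearch -LLL` output. LDIF encodes non-ASCII DNs
# as "dn:: <base64>", so both forms are handled.
dn_from_ldif() {
  local line
  line=$(printf '%s\n' "$1" | awk '/^dn::? /{ print; exit }')
  case $line in
    'dn:: '*) printf '%s' "${line#dn:: }" | base64 --decode ;;
    'dn: '*)  printf '%s' "${line#dn: }" ;;
  esac
}

# Reject usernames that could change the meaning of the LDAP filter.
valid_sam_account_name() {
  case $1 in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the LDIF that ldapmodify reads. userCertificate holds raw DER, so the
# value is given base64-encoded with the "::" separator. "add" appends to the
# multi-valued attribute instead of replacing certificates already present.
build_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: userCertificate\nuserCertificate:: %s\n' "$1" "$2"
}

# End-to-end publish: $1 domain, $2 sAMAccountName, $3 path to DER certificate.
publish_certificate() {
  local domain=$1 user=$2 der=$3
  local realm ldap_host base_dn dn b64
  valid_sam_account_name "$user" || { echo "invalid username: $user" >&2; return 1; }
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  ldap_host=$(srv_pick_host "$(dig +short "_ldap._tcp.$domain" SRV)")
  [ -n "$ldap_host" ] || { echo "no LDAP SRV record for $domain" >&2; return 1; }
  # Reuse an existing ticket; otherwise kinit prompts for the password in the
  # terminal (the page's script shows an osascript dialog instead).
  klist -s || kinit "$user@$realm" || return 1
  base_dn=$(base_dn_from_domain "$domain")
  dn=$(dn_from_ldif "$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$ldap_host" \
        -b "$base_dn" "(sAMAccountName=$user)" dn)")
  [ -n "$dn" ] || { echo "user $user not found under $base_dn" >&2; return 1; }
  b64=$(base64 < "$der" | tr -d '\n')
  build_ldif "$dn" "$b64" | ldapmodify -Q -Y GSSAPI -H "ldap://$ldap_host"
}

# Usage: ./publish.sh example.com jdoe /path/to/user.der
if [ "$#" -eq 3 ]; then
  publish_certificate "$1" "$2" "$3"
fi
```

The helper functions are pure text transformations, so they can be exercised offline against captured dig and ldapsearch output before the script is pointed at a real domain controller; only publish_certificate touches the network. Using changetype add keeps older certificates in userCertificate, which is usually what you want during a renewal window; switch to replace only if the policy is to keep a single certificate per user.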
As an Administrator, you can check whether the userCertificate attribute was properly populated in Active Directory. For more details, refer to How to verify a user's userCertificate attribute in Active Directory.
Troubleshooting
Refer to Common issues for more details to help you troubleshoot issues related to system post-processing scripts.
Refer to Active Directory Publisher - macOS for more details to help you troubleshoot issues related to Active Directory Publisher - macOS.