Mac Internet Explorer Site Microsoft.com
Posted By admin On 07.04.20
Jan 24, 2020 Find out which products will retire, reach end of support, or move from mainstream support to extended support in 2020.
Mar 13, 2020 If you’re running Windows 7, the latest version of Internet Explorer that you can install is Internet Explorer 11. However, Internet Explorer 11 is no longer supported on Windows 7. Instead, we recommend you install the new Microsoft Edge.
Jun 17, 2002 REDMOND, Wash., June 17, 2002 — Microsoft Corp. today announced the availability of Microsoft® Internet Explorer 5.2 for Mac OS X, the latest update to the most popular browser available for the Macintosh operating system.
Office 365 customers get the new Office for Mac first. You’ll have Office applications on your Mac or PC, apps on tablets and smartphones for when you're on the.
IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for modern sites, and it uses the Trident MSHTML engine from Internet Explorer 11 (IE11) for legacy sites. When a site loads in IE mode, the IE logo.
Applies To: Windows 10, Windows 8.1, Windows Server 2012 R2, Windows Server 2016
You can use the Remote Desktop client for Mac to work with Windows apps, resources, and desktops from your Mac computer. Use the following information to get started - and check out the FAQ if you have questions.
Note
- Curious about the new releases for the macOS client? Check out What's new for Remote Desktop on Mac?
- The Mac client runs on computers running macOS 10.10 and newer.
- The information in this article applies primarily to the full version of the Mac client - the version available in the Mac AppStore. Test-drive new features by downloading our preview app here: beta client release notes.
Get the Remote Desktop client
Follow these steps to get started with Remote Desktop on your Mac:
- Download the Microsoft Remote Desktop client from the Mac App Store.
- Set up your PC to accept remote connections. (If you skip this step, you can't connect to your PC.)
- Add a Remote Desktop connection or a remote resource. You use a connection to connect directly to a Windows PC and a remote resource to use a RemoteApp program, session-based desktop, or a virtual desktop published on-premises using RemoteApp and Desktop Connections. This feature is typically available in corporate environments.
What about the Mac beta client?
We're testing new features on our preview channel on AppCenter. Want to check it out? Go to Microsoft Remote Desktop for Mac and click Download. You don't need to create an account or sign into AppCenter to download the beta client.
If you already have the client, you can check for updates to ensure you have the latest version. In the beta client, click Microsoft Remote Desktop Beta at the top, and then click Check for updates.
Add a Remote Desktop connection
To create a remote desktop connection:
In the Connection Center, click +, and then click Desktop.
Enter the following information:
- PC name - the name of the computer.
- This can be a Windows computer name (found in the System settings), a domain name, or an IP address.
- You can also add port information to the end of this name, like MyDesktop:3389.
- User Account - Add the user account you use to access the remote PC.
- For Active Directory (AD) joined computers or local accounts, use one of these formats: user_name, domain\user_name, or user_name@domain.com.
- For Azure Active Directory (AAD) joined computers, use one of these formats: AzureAD\user_name or AzureAD\user_name@domain.com.
- You can also choose whether to require a password.
- When managing multiple user accounts with the same user name, set a friendly name to differentiate the accounts.
- Manage your saved user accounts in the preferences of the app.
You can also set these optional settings for the connection:
- Set a friendly name
- Add a Gateway
- Set the sound output
- Swap mouse buttons
- Enable Admin Mode
- Redirect local folders into a remote session
- Forward local printers
- Forward Smart Cards
Click Save.
To start the connection, just double-click it. The same is true for remote resources.
Export and import connections
You can export a remote desktop connection definition and use it on a different device. Remote desktops are saved in separate .RDP files.
- In the Connection Center, right-click the remote desktop.
- Click Export.
- Browse to the location where you want to save the remote desktop .RDP file.
- Click OK.
Use the following steps to import a remote desktop .RDP file.
- In the menu bar, click File > Import.
- Browse to the .RDP file.
- Click Open.
Add a remote resource
Remote resources are RemoteApp programs, session-based desktops, and virtual desktops published using RemoteApp and Desktop Connections.
- The URL displays the link to the RD Web Access server that gives you access to RemoteApp and Desktop Connections.
- The configured RemoteApp and Desktop Connections are listed.
To add a remote resource:
- In the Connection Center click +, and then click Add Remote Resources.
- Enter information for the remote resource:
- Feed URL - The URL of the RD Web Access server. You can also enter your corporate email account in this field – this tells the client to search for the RD Web Access Server associated with your email address.
- User name - The user name to use for the RD Web Access server you are connecting to.
- Password - The password to use for the RD Web Access server you are connecting to.
- Click Save.
The remote resources will be displayed in the Connection Center.
Connect to an RD Gateway to access internal assets
A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from anywhere on the Internet. You can create and manage your gateways in the preferences of the app or while setting up a new desktop connection.
To set up a new gateway in preferences:
- In the Connection Center, click Preferences > Gateways.
- Click the + button at the bottom of the table.
- Enter the following information:
- Server name – The name of the computer you want to use as a gateway. This can be a Windows computer name, an Internet domain name, or an IP address. You can also add port information to the server name (for example: RDGateway:443 or 10.0.0.1:443).
- User name - The user name and password to be used for the Remote Desktop gateway you are connecting to. You can also select Use connection credentials to use the same user name and password as those used for the remote desktop connection.
Manage your user accounts
When you connect to a desktop or remote resources, you can save the user accounts to select from again. You can manage your user accounts by using the Remote Desktop client.
To create a new user account:
- In the Connection Center, click Settings > Accounts.
- Click Add User Account.
- Enter the following information:
- User Name - The name of the user to save for use with a remote connection. You can enter the user name in any of the following formats: user_name, domain\user_name, or user_name@domain.com.
- Password - The password for the user you specified. Every user account that you want to save to use for remote connections needs to have a password associated with it.
- Friendly Name - If you are using the same user account with different passwords, set a friendly name to distinguish those user accounts.
- Tap Save, and then tap Settings.
Customize your display resolution
You can specify the display resolution for the remote desktop session.
- In the Connection Center, click Preferences.
- Click Resolution.
- Click +.
- Enter a resolution height and width, and then click OK.
To delete the resolution, select it, and then click -.
Displays have separate spaces
If you are running Mac OS X 10.9 and disabled Displays have separate spaces in Mavericks (System Preferences > Mission Control), you need to configure this setting in the remote desktop client using the same option.
Drive redirection for remote resources
Drive redirection is supported for remote resources, so that you can save files created with a remote application locally to your Mac. The redirected folder is always your home directory displayed as a network drive in the remote session.
Note
In order to use this feature, the administrator needs to set the appropriate settings on the server.
Use a keyboard in a remote session
Mac keyboard layouts differ from the Windows keyboard layouts.
- The Command key on the Mac keyboard equals the Windows key.
- To perform actions that use the Command button on the Mac, you will need to use the control button in Windows (e.g.: Copy = Ctrl + C).
- The function keys can be activated in the session by additionally pressing the FN key (e.g.: FN + F1).
- The Alt key to the right of the space bar on the Mac keyboard equals the Alt Gr/right Alt key in Windows.
By default, the remote session will use the same keyboard locale as the OS you're running the client on. (If your Mac is running an en-us OS, that will be used for the remote sessions as well.) If the OS keyboard locale is not used, check the keyboard setting on the remote PC and change it manually. See the Remote Desktop Client FAQ for more information about keyboards and locales.
Support for Remote Desktop gateway pluggable authentication and authorization
Windows Server 2012 R2 introduced support for a new authentication method, Remote Desktop Gateway pluggable authentication and authorization, which provides more flexibility for custom authentication routines. You can now try this authentication model with the Mac client.
Important
Custom authentication and authorization models before Windows 8.1 are not supported, although the article above discusses them.
To learn more about this feature, check out https://aka.ms/paa-sample.
Tip
Questions and comments are always welcome. However, please do NOT post a request for troubleshooting help by using the comment feature at the end of this article. Instead, go to the Remote Desktop client forum and start a new thread. Have a feature suggestion? Tell us in the client user voice forum.
Deploy Seamless Single Sign-On
Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.
To deploy Seamless SSO, follow these steps.
Step 1: Check the prerequisites
Ensure that the following prerequisites are in place:
Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:
You use version 1.1.644.0 or later of Azure AD Connect.
If your firewall or proxy allows DNS whitelisting, whitelist the connections to the *.msappproxy.net URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.
Note
Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you don't intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes to learn more.
Use a supported Azure AD Connect topology: Ensure that you are using one of Azure AD Connect's supported topologies described here.
Note
Seamless SSO supports multiple AD forests, whether there are AD trusts between them or not.
Set up domain administrator credentials: You need to have domain administrator credentials for each Active Directory forest that:
- You synchronize to Azure AD through Azure AD Connect.
- Contains users you want to enable for Seamless SSO.
Enable modern authentication: You need to enable modern authentication on your tenant for this feature to work.
Use the latest versions of Office 365 clients: To get a silent sign-on experience with Office 365 clients (Outlook, Word, Excel, and others), your users need to use versions 16.0.8730.xxxx or above.
Step 2: Enable the feature
Enable Seamless SSO through Azure AD Connect.
Note
You can also enable Seamless SSO using PowerShell if Azure AD Connect doesn't meet your requirements. Use this option if you have more than one domain per Active Directory forest, and you want to be more targeted about the domain you want to enable Seamless SSO for.
If you're doing a fresh installation of Azure AD Connect, choose the custom installation path. At the User sign-in page, select the Enable single sign on option.
Note
The option will be available for selection only if the Sign On method is Password Hash Synchronization or Pass-through Authentication.
If you already have an installation of Azure AD Connect, select the Change user sign-in page in Azure AD Connect, and then select Next. If you are using Azure AD Connect versions 1.1.880.0 or above, the Enable single sign on option will be selected by default. If you are using older versions of Azure AD Connect, select the Enable single sign on option.
Continue through the wizard until you get to the Enable single sign on page. Provide domain administrator credentials for each Active Directory forest that:
- You synchronize to Azure AD through Azure AD Connect.
- Contains users you want to enable for Seamless SSO.
After completion of the wizard, Seamless SSO is enabled on your tenant.
Note
The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They're used only to enable the feature.
Follow these instructions to verify that you have enabled Seamless SSO correctly:
- Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
- Select Azure Active Directory in the left pane.
- Select Azure AD Connect.
- Verify that the Seamless single sign-on feature appears as Enabled.
Important
Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active Directory (AD) in each AD forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain Admins have access.
Note
If you are using Pass-the-Hash and Credential Theft Mitigation architectures in your on-premises environment, make appropriate changes to ensure that the AZUREADSSOACC computer account doesn't end up in the Quarantine container.
Step 3: Roll out the feature
You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:
https://autologon.microsoftazuread-sso.com
In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.
Note
The following instructions work only for Internet Explorer and Google Chrome on Windows (if it shares a set of trusted site URLs with Internet Explorer). Read the next section for instructions on how to set up Mozilla Firefox and Google Chrome on macOS.
Why do you need to modify users' Intranet zone settings?
By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a specific URL. For example, http://contoso/ maps to the Intranet zone, whereas http://intranet.contoso.com/ maps to the Internet zone (because the URL contains a period). Browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you explicitly add the URL to the browser's Intranet zone.
There are two ways to modify users' Intranet zone settings:
Option | Admin consideration | User experience |
---|---|---|
Group policy | Admin locks down editing of Intranet zone settings | Users cannot modify their own settings |
Group policy preference | Admin allows editing on Intranet zone settings | Users can modify their own settings |
'Group policy' option - Detailed steps
Open the Group Policy Management Editor tool.
Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.
Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
Enable the policy, and then enter the following values in the dialog box:
Value name: The Azure AD URL where the Kerberos tickets are forwarded.
Value (Data): 1 indicates the Intranet zone.
The result looks like this:
Value name: https://autologon.microsoftazuread-sso.com
Value (Data): 1
Note
If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URL to the Restricted zone, and fails Seamless SSO all the time.
Select OK, and then select OK again.
Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.
Enable the policy setting, and then select OK.
'Group policy preference' option - Detailed steps
Open the Group Policy Management Editor tool.
Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.
Browse to User Configuration > Preferences > Windows Settings > Registry > New > Registry item.
Enter the following values in appropriate fields and click OK.
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon
Value name: https.
Value type: REG_DWORD.
Value data: 00000001.
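To confirm on a client that either option actually took effect, the following added example (not part of the original article) reads both registry locations for the signed-in user and reports the zone assigned to the Azure AD URL. The preference path is the one given above; the policy path (ZoneMapKey under Software\Policies) and the zone names other than 1 and 4 are assumptions based on how Internet Explorer stores the Site to Zone Assignment List, and the function names are hypothetical.

```powershell
# Added example: report which security zone the Seamless SSO URL maps to
# for the current user. Run in the user's own session (reads HKCU).

$SsoUrl    = 'https://autologon.microsoftazuread-sso.com'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# Assumed location written by the "Site to Zone Assignment List" policy.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Location written by the Group Policy preference registry item described above.
$PrefKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'

function Read-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is missing.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Get-SsoZoneAssignment {
    $sources = @(
        @{ Source = 'Group policy';            Path = $PolicyKey; Name = $SsoUrl },
        @{ Source = 'Group policy preference'; Path = $PrefKey;   Name = 'https' }
    )
    foreach ($s in $sources) {
        $raw = Read-RegValue -Path $s.Path -Name $s.Name
        if ($null -eq $raw) {
            $zone = $null; $status = 'Not configured'
        } else {
            $zone = [int]$raw   # policy stores a string, the preference a DWORD
            $status = switch ($zone) {
                1       { 'OK: Intranet zone, Seamless SSO can be attempted' }
                4       { 'Restricted zone: Seamless SSO is blocked for this user' }
                default { 'Unexpected zone: Kerberos tickets will not be sent' }
            }
        }
        [pscustomobject]@{
            Source   = $s.Source
            Zone     = $zone
            ZoneName = if ($null -ne $zone) { $ZoneNames[$zone] } else { $null }
            Status   = $status
        }
    }
}

Get-SsoZoneAssignment | Format-Table -AutoSize
```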
Browser considerations
Mozilla Firefox (all platforms)
Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:
- Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
- Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication.
- Right-click and select Modify.
- Enter https://autologon.microsoftazuread-sso.com in the field.
- Select OK and then reopen the browser.
Safari (macOS)
Ensure that the machine running macOS is joined to AD. Instructions for AD-joining your macOS device are outside the scope of this article.
Microsoft Edge based on Chromium (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or the AuthServerAllowlist policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoftazuread-sso.com) to them as well.
Microsoft Edge based on Chromium (macOS and other non-Windows platforms)
For Microsoft Edge based on Chromium on Mac OS and other non-Windows platforms, refer to the Microsoft Edge based on Chromium Policy List for information on how to add the Azure AD URL for integrated authentication to your allow-list.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoftazuread-sso.com) to them as well.
Google Chrome (macOS and other non-Windows platforms)
For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.
The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.
Known browser limitations
Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode. For the next version of Microsoft Edge based on Chromium, it will not work in InPrivate and Guest mode by design.
Step 4: Test the feature
To test the feature for a specific user, ensure that all the following conditions are in place:
- The user signs in on a corporate device.
- The device is joined to your Active Directory domain. The device doesn't need to be Azure AD Joined.
- The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
- You have rolled out the feature to this user through Group Policy.
To test the scenario where the user enters only the username, but not the password:
- Sign in to https://myapps.microsoft.com/ in a new private browser session.
To test the scenario where the user doesn't have to enter the username or the password, use one of these steps:
- Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com in a new private browser session. Replace contoso with your tenant's name.
- Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.
Step 5: Roll over keys
In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in all the Active Directory forests on which you have enabled Seamless SSO. To learn more, see Azure Active Directory Seamless Single Sign-On: Technical deep dive.
Important
The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that you periodically roll over these Kerberos decryption keys - at least once every 30 days.
For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions. We are working on a capability to introduce automated roll over of keys.
Important
You don't need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.
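The delegation requirements from Step 2 and the 30-day rollover interval above can be checked together. The following is an added example, not part of the original article: it audits the AZUREADSSOACC account in each domain of the current forest using the ActiveDirectory module. It assumes that the account's password-last-set time reflects the last key rollover, it only looks for delegating accounts within the same domain, and it does not inspect the account's ACL; the function name is hypothetical.

```powershell
# Added example: audit AZUREADSSOACC in every domain of the current forest.
# Needs the ActiveDirectory module (RSAT) and directory read access.
Import-Module ActiveDirectory

$AccountName   = 'AZUREADSSOACC'   # account name given on this page
$MaxKeyAgeDays = 30                # rollover interval from Step 5

function Get-SsoAccountFinding {
    param([Parameter(Mandatory)][string]$Domain)

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'PasswordLastSet',
             'servicePrincipalName', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity'
    # -Filter returns nothing, rather than throwing, when the account is absent.
    $acct = Get-ADComputer -Filter "Name -eq '$AccountName'" -Server $Domain -Properties $props
    if (-not $acct) { return }

    $findings = @()
    if ($acct.TrustedForDelegation)       { $findings += 'Unconstrained delegation is enabled' }
    if ($acct.TrustedToAuthForDelegation) { $findings += 'Protocol transition is enabled' }
    if ($acct.'msDS-AllowedToDelegateTo') { $findings += 'Constrained delegation targets are set' }
    if ($acct.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        $findings += 'Resource-based delegation to this account is configured'
    }

    # Other principals whose constrained-delegation list names one of this account's SPNs.
    $spns = @($acct.servicePrincipalName)
    $delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Server $Domain `
                      -Properties 'msDS-AllowedToDelegateTo' |
        Where-Object { $_.'msDS-AllowedToDelegateTo' | Where-Object { $spns -contains $_ } }
    foreach ($d in $delegators) {
        $findings += "Delegation to this account from $($d.DistinguishedName)"
    }

    # Assumption: PasswordLastSet moves forward each time the key is rolled over.
    $ageDays = if ($acct.PasswordLastSet) {
        [math]::Floor(((Get-Date) - $acct.PasswordLastSet).TotalDays)
    } else { $null }
    if ($null -eq $ageDays -or $ageDays -gt $MaxKeyAgeDays) {
        $findings += "Key not rolled over within the last $MaxKeyAgeDays days"
    }

    [pscustomobject]@{
        Domain            = $Domain
        DistinguishedName = $acct.DistinguishedName   # confirm this OU is Domain Admins only
        KeyAgeDays        = $ageDays
        Findings          = if ($findings) { $findings -join '; ' } else { 'None' }
    }
}

(Get-ADForest).Domains | ForEach-Object { Get-SsoAccountFinding -Domain $_ } | Format-List
```

Run it once per forest in which Seamless SSO is enabled, since the account exists in each AD forest.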
Next steps
- Technical deep dive: Understand how the Seamless Single Sign-On feature works.
- Frequently asked questions: Get answers to frequently asked questions about Seamless Single Sign-On.
- Troubleshoot: Learn how to resolve common problems with the Seamless Single Sign-On feature.
- UserVoice: Use the Azure Active Directory Forum to file new feature requests.