Best Practice wanted for AD usage without binding (neither users nor machines)

Hi Marcus,
Just out of curiosity, why do you not want the machines bound to AD? If they are going to be using the same credentials it seems easiest to bind them and just have one account. With ADPassMon to fix any Keychain issues that arise it is a pretty reliable system.

We're in UK but have EC - if you have a US office then you might be able to sort a way around to purchase then use everywhere.

Hi,

>Just out of curiosity, why do you not want the machines bound to AD?

We had a quite long discussions about the pro and cons, but finally decided not to bind them. Main reasons where:

-) easier DEP process as our internal network is protected by 802.1x certificates and you need to connect to the internal network to reach the AD for joining.
-) different (external) service providers for AD and Mac management and therefore certain security concerns about handing out a technical account that can join domains. Also, the AD service provider has nothing about Macs in his contract (as we didn't have them at the time we outsourced that service) and is not willing to accept Macs in his managed domains without an (expensive) contract change.
-) rather complex AD structure (our tree consists of 80+ domains)
-) a lot of self written bells and whistles in our AD setup, not sure if everything works with the Apple AD plugin.
-) no intention to use GPOs for Macs
-) actually we see the future of device management more in MDM than in AD (even for Windows devices) - and the Macs should be the first step in that direction

You can look at NoMAD, a relatively new tool on the block, that has a lot of the same functionality as Apple's Enterprise Connect, but gives you the ability to actually try it out before buying it, unlike EC (though the Apple enterprise folks do do demos often enough that you can get a good idea of how it works)
With one of these 2 utilities in place, I'm pretty sure you can get pretty close to the experience of being joined without being joined.

Hi,
Well, we looked at both tools. NoMAD seems not to work with our AD domain setup (I am not the expert, but it seems to have something to do with sites and how proper DCs are discovered). We tried to contact the developer to make it work in our environment (we are willing to pay for any modifications), but were not very successful so far.
Enterprise Connect seems to be the best solution, however, it is only available in the US. If you don't have some kind of subsidery in the states you can't buy that (again, we would be willing to pay). So, are there any other tools out there that could help us solve our usecases?
any hints appreciated!
Marcus.

@merber I'd suggest you go here and sign up for the Mac Admins Slack and join the #nomad channel and you can talk directly with the person responsible for NoMAD. The person you're looking for goes by the name of mactroll. He is very active on the channel and is very helpful.

@merber Hi Merber, Having read your post I'm very interested now after some 3 years have past.
How did things progress with this idea " we see the future of device management more in MDM than in AD"
Did you manage to move away succesfully from AD ? any stories to tell of the journey ? thnks D

@Carbon_Neutral I suggest unbinding from AD as soon as possible. Apple seems to be moving away from mobile account support with macOS Big Sur; as mobile accounts are now treated as network accounts. I suggest transitioning to Jamf Connect or Apple Enterprise connect. You'll have far less headaches with password resets and keychain management.

You can also choose to simply use local accounts without a third-party identity management software.