Decision headache: startup deploying self-hosted AD in 2017

@Eid have a look at JumpCloud. They have a cloud directory product that hooks into GSuite and can integrate with Casper as well. It may be an option for you.

Thanks @mpermann - sorry to say, but are you guys paid by JC? I am not sure but so many replies with basically one liners.

I personally tried the product and thought it was awful. Apart from the company being quite shady and not having exposure, there's little documentation about the technical aspects and it just 'works'. Personally I felt like installing such basically hidden/anonymous cloud applications which hook up to the company's server felt really untrustworthy.

I thought about what I could add to the topic, and basically - in the end, I guess our main gripe is that we would like that wherever any staff member sits, he/she can login to an environment that's always the same (desktop, files, shares, apps, desktop wallpaper! wise).

I looked at a post from SpiceWorks https://community.spiceworks.com/topic/1251024-migrate-to-azure-active-directory-from-on-premise-ad , it's the second reply from 'Gregory' - and it seems that AD / AD DS is not good for this in the first place.

So what do you guys reckon, open WAN on-premise AD?

@Eid no, I'm not paid by JumpCloud to suggest you look at their product. I've been evaluating their product for a few months now. There are some shortcomings that may keep us from being able to use their product in our environment. But for some folks/environments it's probably going to be a good solution. You know your environment better than anyone else so you will have to determine what works best for your environment. Good luck in your search.

Don't do it... binding to any directory service brings nothing but issues to the Mac...

Apple and IBM have spoke and it's Configuration Profiles to manage password requirements.

https://www.youtube.com/watch?v=fSHTzJl9BW0

Most every security group is ok using Configuration Profiles to manage the "pin/password" on an phone, so they have no "real" argument against using Profiles on macOS.

If you start reading Apple tea leaves and really thinking about the future, the most likely plan they have for macOS is to lock it down as tight as iOS.

C

Thanks C,

How do you handle Macs in your corp environment then? Only via JAMF? What about file sharing from AD environment?
Thanks for the keynote, I will take a look at that today.

For us, we're happy to use 1Password for most of the non-SSO stuff, but yeah.. having the same account across OSX&Windows for remote&local workers would be nice. To have your desktop&files accessible.

We are hopefully moving away from AD to local passwords later this month early next and will mange the passwords with profiles. We have only used Jamf for the past 9 or 10 years. : ) AD password issues are the largest group of macOS tickets our help-desk receives.

Most of our users are using UNIX shares so that really isn't an issue, Also the ones that still use windows shares can just browse to them in the finder and log in manually. I have found that the whole Kerberos really didn't work in our environment and from what I have read most environment have an issues setting it up on everywhere. We have also moved to O365 so we are trying to get our users to use OneDrive. As for desktops synced I am not sure that it's possible anymore.. Apple has dropped support for portable home directories

https://derflounder.wordpress.com/2016/09/03/portable-home-directories-will-not-work-on-macos-sierra/

If you really need the SSO check out Enterprise Connect...

https://www.jamf.com/jamf-nation/discussions/17757/about-enterprise-connect

There is two IBM the one I linked is this year but there is one from 2015 too that you should watch it's on the Jamf YouTube channel too.

C

I would look at Enterprise Connect or Nomad (https://www.nomad.menu/). Both have features that let you use local accounts but still have control over them. Here is an article that covers binding vs unbound and them the differences between EC and Nomad.

http://macadminsdoc.readthedocs.io/Integration/Active_Directory/

I am going with Enterprise Connect but we are bound to AD. It will help with keeping the kerberos tickets updated and password reminders. If we were unbound I would still look at them to help stream line maintaining user accounts.

We have also been evaluating JumpCloud and it has seemed to work very well in our test lab environment. We had a good discussion going in JamfNation about it. Like @mpermann, it does have a lot of shortcomings... but most of the stuff you can get around. We don't use their binding client, in out discussion someone posted a nice scan of something they printed off about binding via the Users & Groups, then it is not require you as the admin to push down each user from the JumpCloud admin page.

Like you, I am using Meraki until we invest in JAMF Pro. If you have any questions, I have been using/testing it for the last two years heavily.

Jared

I see you want the users apps and everything to be the same when they login... usually when binding to AD, I like to have everything local. Nothing but issues migrating everything over when the user decides to login to a new computer. I like having the users store files on a network drive.