
In the ol' Windows days, everything was bound to AD. Everyone did it, from 5-person companies to 5k. It was just the way of the world. But now is the time of the Mac and The Cloud. If a majority (or maybe all) of your software is SaaS, the device becomes disposable (just don't tell accounting that).

So I'm curious. Are people still binding to AD/LDAP/OD for central authentication? If not, why? Or, more interestingly, how are you handling user authentication?

Personally, I don't bind to anything. I treat the device as disposable. The users log in with a local account and JAMF keeps an admin account in play for IT to use. I'm curious if this is normal and/or if there are better options.

Can't you still just use AD credentials to log in to Macs without having to physically bind them now? We were going to bind our Macs with AD since we recently set up OKTA and that syncs with AD passwords, but we are really trying not to bind the Macs at all to an AD server.


@dubprocess For you, I prescribe NoMAD.


This is my personal opinion, and does not reflect the opinions of my current or any past employer. So please take this as my personal opinion based off my experiences in IT over the years.

There are really only a few niche reasons you should BIND to an LDAP directory anymore, and they are these:

  1. You heavily rely on Kerberos and you use Kerberos tickets as authentication to other services; AD/LDAP can do this
  2. You have multiple humans to a single computer - like a call center type environment or a lab

Really, those two reasons are the best reasons to BIND. Otherwise you can do everything else without it, and it is much less of a headache. Here are some things to consider.

  • Password compliance and rotation can be done with either a Passcode Profile or using the pwpolicy binary
  • Mapping network shares is not really a good practice, and it is a huge attack vector for most crypto-viruses. Look at migrating to a web app based file share system. Bonus: those are cross-platform since they are web-based. Box, Dropbox, Google Drive, etc.
  • Apps like Enterprise Connect and NoMAD exist, which help mitigate the need to BIND, they can also supply K-tickets
  • You won't get any management features extending the AD schema to a Mac
  • If your reason is inventory/asset management, just go get an actual asset management tool that does everything for that. AD/SCCM inventory isn't really that great, nor really that easy to set up or maintain. Plus it doesn't do anything for iOS or Android devices. To me this might be the worst reason to BIND
  • Mobile accounts, while easier to manage, can still be a pain, so why use them? Plus they are identical to local accounts but with added complexities.
  • If AD still requires unique computer names, now you have to maintain a naming convention for your Macs, which is yet another thing you have to do

I just really don't see much of a benefit sans the Kerberos ticket and the many-humans-to-a-single-device scenario. These are just my opinions.
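The reply above says password compliance and rotation can be handled by a Passcode Profile instead of AD. As an added example (not code from any poster in this thread), here is a small audit that parses a passcode configuration profile and reports where it falls short of a minimum policy. The payload keys are the ones Apple documents for the com.apple.mobiledevice.passwordpolicy payload; the two sample profiles, the PayloadIdentifier/UUID values and the threshold constants are constructed for illustration and should be replaced with your own policy.

```python
"""Audit a macOS passcode configuration profile against a minimum policy.

Added example for this thread, not code from any of the posters. Payload
keys are Apple's com.apple.mobiledevice.passwordpolicy keys; the sample
profiles, identifiers and thresholds below are constructed/assumed.
"""
import plistlib

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Minimum bar this audit enforces (assumed values; adjust to your policy).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90          # rotation: passwords must expire within this
MIN_HISTORY = 5            # reuse prevention
MAX_FAILED_ATTEMPTS = 10   # lockout after this many failures


def _profile(settings: dict) -> bytes:
    """Wrap one passcode payload in a minimal profile and serialise as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",               # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",     # placeholder
        "PayloadDisplayName": "Passcode policy",
        "PayloadContent": [{
            "PayloadType": PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.passcode.policy",    # constructed
            "PayloadUUID": "00000000-0000-0000-0000-000000000002", # placeholder
            **settings,
        }],
    }
    return plistlib.dumps(profile)


# Constructed samples: a weak profile beside a corrected one, plus one with
# no passcode payload at all.
WEAK_PROFILE = _profile({"forcePIN": True, "allowSimple": True, "minLength": 4})
HARDENED_PROFILE = _profile({
    "forcePIN": True,
    "allowSimple": False,
    "requireAlphanumeric": True,
    "minLength": 12,
    "minComplexChars": 1,
    "maxPINAgeInDays": 90,
    "pinHistory": 5,
    "maxFailedAttempts": 10,
})
EMPTY_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})


def audit_passcode_profile(profile_bytes: bytes) -> list:
    """Return a list of findings; an empty list means the profile meets the bar."""
    plist = plistlib.loads(profile_bytes)
    payloads = [p for p in plist.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode payload present"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is false: no password is required at all")
        if p.get("allowSimple", True):  # Apple's default for this key is true
            findings.append("allowSimple is true: repeating/sequential passwords allowed")
        length = p.get("minLength", 0)
        if length < MIN_LENGTH:
            findings.append(f"minLength {length} < {MIN_LENGTH}")
        age = p.get("maxPINAgeInDays")
        if age is None or age > MAX_AGE_DAYS:
            findings.append(f"maxPINAgeInDays {age}: no rotation within {MAX_AGE_DAYS} days")
        history = p.get("pinHistory", 0)
        if history < MIN_HISTORY:
            findings.append(f"pinHistory {history} < {MIN_HISTORY}: reuse not prevented")
        attempts = p.get("maxFailedAttempts")
        if attempts is None or attempts > MAX_FAILED_ATTEMPTS:
            findings.append(f"maxFailedAttempts {attempts}: no lockout within {MAX_FAILED_ATTEMPTS}")
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE),
                       ("empty", EMPTY_PROFILE)):
        print(name, audit_passcode_profile(data) or "OK")
```

Point the audit at a .mobileconfig exported from your MDM (`audit_passcode_profile(open(path, "rb").read())`) to confirm a pushed profile actually carries the rotation and lockout settings you assume it does; the weak sample above is exactly the kind of "we have a passcode profile" profile that enforces almost nothing.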