Active Directory Binding in the world of COVID-19

GabeShack
Valued Contributor III

Hey all,
So I'm sure there are bunch of ways to do this, however I've not explored this until now (and we are all working remotely).

With new machines we get purchased we are thinking of sending them to the staff directly and having them set it up, but currently I'm using DEP Notify to run a script at login after a local admin account is created.

We used to run this from our network so that the unit could bind to AD and get the right permissions and then we would help new users login before leaving our network to create their mobile accounts.

Is there a good way to continue to do this remotely or would I have to switch to a whole new method of imaging to remove the bind (which would not be great for when we get back due to wireless authentication and such requiring a bind)?

How is everyone doing binds these days? I assume NoMAD and JAMF connect are being used, but what alternatives are there?

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools
1 ACCEPTED SOLUTION

kevin_v
Contributor

So... we're back to NoMAD and/or NoLoAD...or Jamf Connect

View solution in original post

8 REPLIES 8

kburns
New Contributor III

We're currently in the process of moving from on-prem Jamf Pro + AD Bind to Jamf Cloud with no AD Bind. As it stands right now, we have no way to bind to AD without the device being on site in one of our offices, as our VPN requires a machine certificate deployed via MS AD CS.

My recommendation would be to set up Jamf's AD CS Connector to deal with deploying WIFI certificates to machines not bound to AD. It may take some work to get your security team to approve deploying certs over the internet (securely) to machines not bound to AD, but that's your best bet.

https://docs.jamf.com/ad-cs-connector/1.0.0/Jamf_AD_CS_Connector_Overview.html

*This is all assuming you have either Jamf Cloud or a Jamf instance in your DMZ.

GabeShack
Valued Contributor III

@kburns Thanks, we have both a cloud instance and a box in the DMZ (since we have stalled on migrating to the cloud).

But using the AD-CS connector only allows the wifi certs to work without binding...it does nothing for an actual bind correct?
I guess I'm ok to move away from binding if that is where the major shift is to, I just want to be sure thats what the future holds since we do control everything through AD.

I'm also wondering though if Azure has cloud binding as a feature.
Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

mm2270
Legendary Contributor III

Binding can still happen remotely, but the machine would need to connect over VPN to make it happen. A long long time ago, in another organization that I worked with, they developed a process where newly "imaged" Macs shipped to clients would boot up and run a script that would check to see if the Mac was on the company's internal network. If it was not, it would pop up the orgs VPN application and the user would connect with their credentials, and then the Mac would be joined to AD (among a lot of other steps in there).

It was an involved and complex process that I wouldn't even recommend trying to recreate these days. But if you are installing a VPN client and getting it setup as part of your DEPNotify workflow, then you may be able to do something at the end that would prompt the end user to connect to VPN and in the background, bind the Mac to AD.

Of course, this would require that they are logging in first with some local (non AD based) account on the Mac. I assume they are already doing this anyway though, since DEPNotify won't run until after logging in.

GabeShack
Valued Contributor III

@mm2270 Thanks, Yes my DEP Notify script creates a local admin login, but until now we had our tech assistances at each building setting the machines up and logging in as that admin user to trigger the workflow. I will have to rework it to have maybe another user that gets deleted after the setup, but our vpn is very limited (25 concurrent users at the moment).

I had thought there might be a way to patch into my DMZ jss to bind and pass Kerberos info, but I would suppose that would be quite a security issue. I keep hearing about Azure and machines being setup with intune much like Jamf Pro, but it seems to allow them to login with their full domain addresses(email), which would be different than our internal AD which just uses the usernames.

I guess I could run a process that had them log in with VPN (after it installs the app) then do the bind and all the commands and then right before the restart have it delete the vpn completely.

My problem right now is testing this since I dont have spare devices at home and we are now in remote learning world.
So much fun. Well thanks for the idea though!

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

sdagley
Honored Contributor III

@gshackney VMware Fusion Pro and vfuse are your friends. You can test your DEP workflow by creating a VM that has the same Model ID and serial number as a device enrolled in your ASM account (preferably one not already deployed).

kevin_v
Contributor

So... we're back to NoMAD and/or NoLoAD...or Jamf Connect

GabeShack
Valued Contributor III

Yea @kevin_v thats truly the only 3 answers that make sense.  Guess its time to start playing with those.

Gabe Shackney
Princeton Public Schools

kevin_v
Contributor

Alternatively - we are using Jamf Infrastructure Manager to connect Jamf Pro to LDAP. This allows us to enable PreStage authentication with LDAP credentials. Setting the account settings to Lock the primary account information ensures their org credentials are forced. The next step for us is to explore Kerberos SSO to maintain password sync. This allows for local accounts AND password sync - eliminating the need for NoMad or Jamf Connect (at least in our case)