New Contributor

I'm a fairly new Mac system admin. We would like to properly manage identity on Apple devices, because binding Macs to AD brings some hassles, and some of them are outside our network (they can't reach AD).

So we're looking for a product that provides identity from our hybrid environment (Active Directory + Azure Active Directory). Most of our environment is Microsoft, but some VIPs and departments (Graphic Design) use Macs. We saw that one of the latest versions of Jamf Connect can manage hybrid identity.

I found some feedback, but not enough about hybrid environments. What do you think about this product? Do you know an alternative, because it's a bit pricey at $2 / month / device.


Our environment:

- Hybrid (Active Directory + Azure Active Directory)

- Office 365

- ADFS 3.0, will upgrade to 5.0 soon (may not be possible with 3)

- MFA Azure

- Active Directory is the authority for local resources (printers, file servers, Wi-Fi, ...)

- Intune

- Apple Business Manager (just a few Macs)

- A couple of Macs bound to AD, the others are "free"


I asked Jamf for a trial and will give it a try.


Thank you


Honored Contributor II

I think the first thing to understand, to be able to successfully manage a Mac, is that macOS is not Windows, and you cannot expect the same end result or the same solutions when it comes to management. The visions of a corporate environment vastly differ between Microsoft and Apple, and account management is one of the areas where the two could not be further apart.


Before going too far into the weeds of cost, keep in mind AD/AAD costs somewhere around $5-10 per user per month. JAMF Connect and JAMF Pro are a bit cheaper than that. What you are paying "extra" for is to manage Mac users like PC users and use a federated account. Apple's preferred solution is Managed Apple IDs, which are free; yes, this solution is garbage, but it shows how little Apple cares about federating authentication. macOS's Platform SSO is something to look into, but don't expect it to be useful for a couple more years. There are free solutions like NoMAD, but you get what you pay for, and don't expect support or frequent updates or patches.


We are transitioning to JAMF Connect right now. We are 99% Windows and have a similar setup to yours. We are moving from ADFS to Okta, though. JAMF Connect has fully enabled our Macs to never see our corp network for anything. So far JAMF Connect has been very worth it.

We used to have Jamf Connect, and although it does what it says on the tin, there was ultimately one specific thing it can't do that made us cancel our subscription to Jamf Connect. Jamf Connect does NOT provide a way for people to reset their own password if they forget it before logging in to their computer. Even if you manage to reset the password in AAD/AD or O365, the Mac will still be set to the last password used, and it requires at least one log-in before it can re-synchronise it. This whole reset-password-and-synchronise feature in Jamf Connect turned out to be too complex for basic users to understand, and it was giving our IT department more work than without Jamf Connect, so we cancelled.

If your fleet is on Ventura, then Apple has just released something called "Platform SSO".

This should allow any IdP to use a true SSO setup. Microsoft has it available already in preview mode.

This means that the local password can be synced over the cloud with AAD.

Essentially, this is exactly what Jamf Connect does too. The only thing now that Jamf Connect can do that is somewhat 'unique' is to 'create accounts upon login'. But you can easily get away without that by designing an efficient zero-touch enrolment mechanism.