Active Directory and iCloud

lyfenetworks
New Contributor

I need to set up a few Macs in a Windows ecosystem. The Macs need to be connected to Active Directory, but the AD user must also not be able to sign out of a Managed Apple ID or create a local user account to sign in with their own personal Apple ID. Has anyone done this with Jamf?


AJPinto
Honored Contributor III
  1. Do not bind Macs to Active Directory; Apple retired this workflow over a decade ago and you will only see more issues than benefits.
    1. Instead, look into solutions like Jamf Connect or Platform Single Sign-On.
  2. Managed Apple IDs are a mess.
    1. You either allow all Apple IDs or allow no Apple IDs. There is no way to force the usage of a Managed Apple ID while blocking personal Apple IDs. There is also no way to prevent signing out of an Apple ID while still allowing someone to sign in with an Apple ID.
  3. Blocking the creation of user accounts can be done with a configuration profile blocking the Users & Groups preference pane.
    1. More crafty users can create user accounts with the dscl terminal command; not giving admin access will close this gap.
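The point about dscl above is easiest to act on as a detection control: a Jamf Extension Attribute that reports local accounts with a regular-user UID (500 and above) that are not on the list of accounts your provisioning creates. The script below is an added example, not code from this thread, Jamf or Apple; the allowlist (admin, jamfmgmt) and the sample dscl output are constructed, and on a Mac the audit reads the live output of dscl instead.

```shell
#!/bin/sh
# Added example (not from the thread): report local accounts that were not created
# by the managed provisioning flow, e.g. ones added with `dscl` from a terminal.
# Assumption: the accounts below are the only ones provisioning should create.
ALLOWED_USERS="admin jamfmgmt"

# Reads `dscl . -list /Users UniqueID` style output ("name  uid" per line) on stdin
# and prints accounts with UID >= 500 that are neither allowlisted nor Apple
# service accounts (names starting with "_").
unexpected_local_users() {
    allowed="$1"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 && $2 ~ /^[0-9]+$/ && $2 >= 500 && !($1 in ok) && $1 !~ /^_/ { print $1 }
    '
}

# Constructed sample in the same format dscl prints; "shadowlocal" is the
# account a user created by hand and should be flagged.
SAMPLE_DSCL_OUTPUT='_mbsetupuser   248
admin          501
jamfmgmt       502
daemon         1
nobody         -2
shadowlocal    503
root           0'

# On a Mac, query the local directory node; elsewhere fall back to the sample
# so the script still runs offline.
audit() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users UniqueID | unexpected_local_users "$ALLOWED_USERS"
    else
        printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | unexpected_local_users "$ALLOWED_USERS"
    fi
}

# Extension Attribute output: Jamf stores whatever is between the result tags,
# so a smart group can be built on any value other than "none".
report() {
    found=$(audit | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$found" ]; then
        printf '<result>%s</result>\n' "$found"
    else
        printf '<result>none</result>\n'
    fi
}

report
```

Paste the script into an Extension Attribute of type "Script", then scope a smart group on the attribute being anything other than "none" to get a list of Macs where a local account appeared outside the managed flow.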

Agree with you there - AD is ancient and you'll end up with more issues if you try to bind a Mac to AD.

We just block access to the Apple ID preference pane so users cannot sign in at all. Until Apple sort out Managed Apple IDs it's just not worth considering. I had a meeting with Apple in November 2023 and they said improvements to Managed Apple IDs are on the 2024 roadmap (as well as the ability to integrate them with an IdP).

AJPinto
Honored Contributor III

Ya, Managed Apple IDs are basically pointless unless your organization uses iCloud services (Pages, Mail, etc.).

I'm at a loss for words that you got Apple to commit to anything that could be considered a roadmap. I'm sure it's less a commitment and more so an offhand comment, but giving a timeline is impressive lol.

Yes, I don't believe it for a second... they were at our head office and looking to get more business. I told them they were literally the only vendor left that we use who doesn't support our IdP (Okta). That's when they came out with the roadmap comment.

Pretty amazing in this day and age that critical platforms like Apple Business Manager cannot be hidden behind an IdP... but there you go.

jcarr
Release Candidate Programs Tester

Is there a chance that they used the word "federate" and not "integrate"? (Federation now supports OIDC in addition to Azure AD and Google Workspace.)

I've just spotted this and contacted our IdP about it - still in beta but definitely a step in the right direction.

Thank you for the insight. The CFO does not want Macs in an MS ecosystem unless they would be tied to Azure SSO. He also does not want end users to upload any data to iCloud while still using iMessage with a corporate Managed Apple ID. I guess all of this is just screwed.

It's possible via a Configuration Profile to restrict iCloud data (Drive, Mail, Keychain, etc.), but as mentioned before, Managed Apple IDs are just not fit for purpose and there's nothing stopping an end user from signing in with a personal Apple ID.

With regard to your CFO's requirements, it might be worth checking out Jamf Connect or, in the very near future, Platform SSO to bind your Macs to an IdP. Azure is not always the answer :-)