Active Directory Best Practices?

ChickenDenders
New Contributor III

Hey Friends -

We are replacing all our old Trashcans with new Mac Pros with handles, running Catalina 10.15.7.

In the past, we've just directly bound our machines to Active Directory. I get the impression this is not the best way to do this, and that people use Nomad now? At least, that's what I was seeing a few years ago - I don't know what's standard practice now.


sdagley
Honored Contributor II

@ChickenDenders NoMAD to sync a local account password with AD is definitely preferred over AD binding for logins these days. An exception to that would be if your environment uses ADFS file shares, in which case AD binding does make that experience better (or so it's rumored).

ChickenDenders
New Contributor III

@sdagley Thank you!

And I hear that it's now integrated into JAMF, with JAMF Connect? Does that make integration any easier?

Are you pretty much just... prepopulating your AD details somewhere, and then hitting deploy? Or is it a pretty involved process?

sdagley
Honored Contributor II

@ChickenDenders Jamf Connect is an evolution of NoMAD that supports Cloud based IdP. NoMAD is still an option for on-prem AD authentication, but I don't have any direct experience with it.

My org currently uses Apple's Enterprise Connect tool for synchronizing a local account with a user's AD credentials. I don't know if it's still an option as support was supposed to end last year, but Apple announced it had been extended at least through macOS Big Sur.

One reason it's being retired is macOS Catalina and later include a Kerberos Single Sign-on Extension (that's the link to the Apple guide for it) which will handle the local account sync with on-prem AD. Since your new Mac Pros came with Catalina you might want to try the Kerberos SSO first. In addition to the Apple guide, you might find this useful as well: A Guide for Configuring the macOS Catalina Kerberos Single Sign-On Extension

Tribruin
Contributor III

@ChickenDenders Why were you previously binding your Macs to AD? Was it just to use AD accounts on the Mac? If so, then you probably want to look at NoMAD or the Kerberos SSO extension as a replacement.

However, there are still a couple of use cases for binding; probably the most common is if you use machine certificates for authentication.

dstranathan
Valued Contributor II

AD may be a factor for some establishments with 802.1x too.

gabester
Contributor III

Certainly a best practice is to follow Apple's guidelines, but in the span of almost two decades those guidelines seem to change every couple of years, and Apple's support for AD connectivity/functionality is more often miss than hit. My organization recently migrated from a third-party AD integration kit with mobile user accounts, which have caused no end of pain for our support team with password changes, especially propagating to Keychain and FileVault et cetera, to just using local accounts with the SSO extension in Catalina, which seems to just work, except when there are DNS/AD issues in our environment. You'll have to figure out what's best for your environment, but our users are really happy about being able to change their password just about any way the Windows users have always been able to, without getting locked out of their Mac in various weird ways. We still use a Jamf config profile for AD bind, too, as we have some automation that relies on certain directory services. Interestingly, even if we name the local account to match the domain account, macOS doesn't seem to have any issues consistently preferring the local account.

Good luck!