AD Login & Smartcards

dlprentice
New Contributor III

Hey Guys,

We did our Jumpstart last week, and are really happy with things thus far. We'd like to now try and do some logins against Active Directory, but are unsure how to do this. We use on-premises Active Directory with smartcards for our Windows machines.

In summary, we're trying to accomplish the following:
1) Login to Mac using AD credentials.
2) Eventually do this with Smartcards.

Any info or direction would help. Thanks!

1 ACCEPTED SOLUTION

boberito
Valued Contributor

Welcome!

What you're wanting to do is called Attribute Mapping and is very easy to do!

In Terminal:

man SmartCardServices

https://resources.jamf.com/documents/technical-papers/macos-smart-card-overview.pdf - jamf has a document on it

https://developer.apple.com/documentation/devicemanagement/smartcard - the keys available for a configuration profile

https://support.apple.com/en-us/HT208372 - A bit of an Apple document on

https://www.jamf.com/resources/videos/dont-forget-your-badge/ - Useful JNUC Presentation on them

Also join the MacAdmins Slack; #smartcards has many, many people that'll help.

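The attribute mapping that the accepted answer points to lives in the com.apple.security.smartcard payload of a configuration profile (the keys are documented in `man SmartCardServices` and in the Apple device-management page linked above). The payload below is an added example, not code from the original post or from Jamf or Apple. It maps the NT Principal Name from the card's certificate onto the `AltSecurityIdentities` attribute of the user record, which is what an AD-bound Mac uses to match a card to a directory account; the `Kerberos:$1` format string and the realm-qualified value it produces are assumptions taken from the man page example, and the remaining keys are set to conservative values so a mapping mistake does not lock anyone out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>com.apple.security.smartcard</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.smartcard.attributemapping</string> <!-- constructed identifier -->
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>   <!-- placeholder UUID; generate a real one -->
  <key>PayloadDisplayName</key>
  <string>Smart Card Attribute Mapping (example)</string>

  <!-- Attribute mapping: take field $1 (NT Principal Name, e.g. user@EXAMPLE.COM from the
       certificate's SAN), format it as "Kerberos:user@EXAMPLE.COM", and look for a user
       record whose AltSecurityIdentities attribute carries that exact string. -->
  <key>AttributeMapping</key>
  <dict>
    <key>fields</key>
    <array>
      <string>NT Principal Name</string>
    </array>
    <key>formatString</key>
    <string>Kerberos:$1</string>
    <key>dsAttributeString</key>
    <string>dsAttrTypeStandard:AltSecurityIdentities</string>
  </dict>

  <!-- With attribute mapping in place, per-user card pairing is no longer needed; turning the
       pairing prompt off avoids users creating local public-key pairings by accident. -->
  <key>UserPairing</key>
  <false/>

  <!-- Require the certificate to chain to a trusted root (1 = check trust, no revocation). -->
  <key>checkCertificateTrust</key>
  <integer>1</integer>

  <!-- Leave password login allowed until the mapping is verified on real cards;
       set to true only after confirming every user can log in with a card. -->
  <key>enforceSmartCard</key>
  <false/>
  <key>allowSmartCard</key>
  <true/>

  <!-- 1 = start the screen saver when the card is removed. -->
  <key>tokenRemovalAction</key>
  <integer>1</integer>
</dict>
</plist>
```

Before raising `enforceSmartCard`, insert a card on a test Mac and run `sc_auth identities` to confirm the identity on the card is seen and resolves to the expected account; the AD-side `altSecurityIdentities` value must match the formatted string exactly, realm case included.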

4 REPLIES

dlprentice
New Contributor III

Thanks for such an informative first reply! After looking at some of these resources I do have some questions.

  1. Everyone has told us not to bind, but from the looks of it if we do not bind we'll need a service like Enterprise Connect PKINIT for reliable AD integration. Is this true or could we get away with NoMAD and NoMAD Login for use with Kerberos smartcard logins? We really don't want to bind :) or buy more services if possible.

  2. Just made my first Slack account today; do you have the link so I can join that MacAdmins group?

Thanks again!

boberito
Valued Contributor

  1. We bind at the organization I'm at. Plenty of others do. You can bind or not. There are problems with binding and there are problems with not binding, so neither is perfect. The single sign-on extension is the replacement for Enterprise Connect in Catalina. That'll do your PKINIT. I'd also suggest deploying it even if you bind, because macOS is finicky about getting that Kerberos ticket correctly when using a smart card. https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

  2. macadmins.slack.com

dlprentice
New Contributor III

boberito, I cannot thank you enough for the resources you've led me to thus far. The Catalina SSO extension is EXACTLY what we needed. The extension seems to work very well with smartcards too.

Also for anyone reading, this resource was very useful in configuring Kerberos using the Catalina SSO extension: https://hcsonline.com/images/PDFs/Jamf_Kerberos.pdf

I'll head over to the MacAdmins Slack and ask some questions. Thanks for your time, boberito!