Posted on 08-16-2016 08:16 PM
1) Are they moving towards a non-AD environment (what are the pros and cons)?
2) If yes, how is security dealing with it?
3) How is the network (802.1X) being used in the environment? Is it a security issue if we only use user certs?
4) How is Jamf supporting this infrastructure?
Posted on 08-17-2016 12:13 AM
Working as an MSP, we're starting to see it be of interest, but not take hold yet. We've had one mid-sized organisation stop using AD on their MacBook fleet with good success.
There's a number of emerging open source tools that are starting to provide SSO and other elements for companies not joining their Macs to AD, but it's early days.
In the non AD environments with 802.1X, the users are still authenticating with their usernames and passwords from AD to connect to wireless.
Posted on 08-17-2016 02:16 AM
Depends on the corporate environment and its requirements. I've seen a publishing company using generic accounts, but where I am is so tightly regulated that AD authentication is utterly required.
Posted on 08-17-2016 07:05 AM
Thanks @davidacland and @franton
Posted on 08-17-2016 12:00 PM
IBM
https://www.jamfsoftware.com/blog/mac-ibm-zero-to-30000-in-6-months/
If you're still using AD you are "not holding it correctly"... It's time to stop.
C
Posted on 08-17-2016 01:06 PM
@gachowski I am leaving AD behind, but I need to convince our security team, so I am getting facts for them to see how I can run our Wi-Fi without AD binding.
Posted on 08-17-2016 01:32 PM
Where I work, we are SAS, SOX, and HIPAA compliant. Needless to say, security is at the forefront.
We do bind to AD. This gives us a "chicken or the egg" scenario when trying to deploy with Apple DEP.
We did get around that hurdle though...
Here's our typical deployment workflow...
1 Apple DEP Enabled Mac - Still in shrink wrapped box
2 User powers on
3 User connects to Guest WiFi
4 User authenticates with AD/LDAP credentials
5 User creates local account - username is irrelevant
6 User gets desktop
7 JAMF deploys Self-Service
8 JAMF deploys MobileConfigs
9 JAMF auto-enrolls and triggers FileVault full disk encryption
10 System reboots within 1 minute
11 User logs in
12 User enables FileVault
13 System reboots
14 User logs in
15 User gets desktop
16 JAMF triggers install of Global Protect VPN software
17 JAMF triggers install of Apple Enterprise Connect
18 User logs into Global Protect
19 JAMF Triggers a Network State Change
20 JAMF installs 802.1x mobileconfig
21 JAMF initiates script to rename hostname to NetBIOS 15-character limit standards
22 JAMF binds to Active Directory
23 User logs into Apple Enterprise Connect using AD/LDAP username and password
24 User gets Kerberos Ticket Granting Ticket
25 Deployment process is complete
26 Have a nice day!
There's more minutiae that takes place behind the scenes, but you get the high level idea...
Caine Hörr
A reboot a day keeps the admin away!
Posted on 08-17-2016 11:39 PM
@cainehorr Thanks for taking time out to put this list down. I appreciate it. What if we don't AD bind, is there a way we can get authentication for 802.1x? We use Enterprise Connect.
Posted on 08-18-2016 07:20 AM
There is KerbMinder. It allows you to create a Kerberos Ticket and refresh it every time you're connected to your corporate network.
https://github.com/pmbuko/KerbMinder
I have also recently heard of NoMAD - similar to Apple Enterprise Connect.
http://maclovin.org/blog-native/2016/nomad-get-ad-features-without-binding-your-mac
Cheers!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 08-18-2016 11:29 AM
Thanks @cainehorr
Posted on 08-21-2016 09:20 AM
If you have thousands of multi-user devices, like we have, how could we not use AD binding? Interested to hear alternatives for this scenario.
Posted on 08-31-2016 11:45 AM
@marklamont We are using non-AD-bound machines, 1000 and growing, and that's the reason I wanted these details, but recently I found more solutions on it. Any specific questions you had?