AD or Non AD and best practices in large companies

Tigerhaven
Contributor

1) Are they moving towards a non-AD environment (what are the pros and cons)?
2) If yes, how is security dealing with it?
3) How is network 802.1x being used in the environment? Is it a security issue if we only use user certs?
4) How is Jamf supporting this infrastructure?

Kunal V

davidacland
Honored Contributor II

Working as an MSP, we're starting to see it be of interest, but not take hold yet. We've had one mid-sized organisation stop using AD on their MacBook fleet with good success.

There's a number of emerging open source tools that are starting to provide SSO and other elements for companies not joining their Macs to AD, but it's early days.

In the non AD environments with 802.1X, the users are still authenticating with their usernames and passwords from AD to connect to wireless.

franton
Valued Contributor III

Depends on the corporate environment and its requirements. I've seen a publishing company using generic accounts, but where I am is so tightly regulated that AD authentication is utterly required.

Tigerhaven
Contributor

thanks @davidacland and @franton

Kunal V

gachowski
Valued Contributor II

IBM

https://www.jamfsoftware.com/blog/mac-ibm-zero-to-30000-in-6-months/

If you're still using AD you are "not holding it correctly"...... It's time to stop.

C

Tigerhaven
Contributor

@gachowski I am leaving AD behind, but I need to convince our security team, so I am getting facts for them to see how I can run our wifi without AD binding.

Kunal V

cainehorr
Contributor III

Where I work, we are SAS, SOX, and HIPAA compliant. Needless to say, security is at the forefront.

We do bind to AD. This gives us a "chicken or the egg" scenario when trying to deploy with Apple DEP.

We did get around that hurdle though...

Here's our typical deployment workflow...

1 Apple DEP Enabled Mac - Still in shrink wrapped box
2 User powers on
3 User connects to Guest WiFi
4 User authenticates with AD/LDAP credentials
5 User creates local account - username is irrelevant
6 User gets desktop
7 JAMF deploys Self-Service
8 JAMF deploys MobileConfigs
9 JAMF auto-enrolls and triggers FileVault full disk encryption
10 System reboots within 1 minute
11 User logs in
12 User enables FileVault
13 System reboots
14 User logs in
15 User gets desktop
16 JAMF triggers install of Global Protect VPN software
17 JAMF triggers install of Apple Enterprise Connect
18 User logs into Global Protect
19 JAMF Triggers a Network State Change
20 JAMF installs 802.1x mobileconfig
21 JAMF initiates script to rename hostname to NetBIOS 15-character limit standards
22 JAMF binds to Active Directory
23 User logs into Apple Enterprise Connect using AD/LDAP username and password
24 User gets Kerberos Ticket Granting Ticket
25 Deployment process is complete
26 Have a nice day!

There's more minutiae that takes place behind the scenes, but you get the high level idea...

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
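As an added example (not code from this thread or from Jamf), the script below shows what step 21 of the workflow above looks like as a Jamf policy script: it derives a NetBIOS-compatible computer name (at most 15 characters, only A-Z, 0-9 and "-") from the Mac's current ComputerName and applies it with scutil before the AD bind in step 22. Reading the source name from ComputerName, the "--dry-run"/"--apply" switches and the "MAC-UNNAMED" fallback are assumptions made for this example; the normalisation rules are the standard NetBIOS ones.

```shell
#!/bin/bash
# Added example: NetBIOS-safe hostname normalisation for a Jamf policy.
# Not code from the thread or from Jamf. Assumptions: the name is derived from
# the current ComputerName, and "MAC-UNNAMED" is the constructed fallback.

set -u

# Normalise a raw name to NetBIOS rules. Pure text processing, no macOS calls:
# uppercase, replace anything outside A-Z/0-9/'-' with '-', squeeze repeated
# '-', cut to 15 characters, and strip leading/trailing '-'.
netbios_name() {
  local raw="$1"
  local name
  name=$(printf '%s' "$raw" \
    | tr '[:lower:]' '[:upper:]' \
    | tr -c 'A-Z0-9-' '-' \
    | tr -s '-' \
    | cut -c1-15)
  name=$(printf '%s' "$name" | sed 's/^-*//; s/-*$//')
  [ -n "$name" ] || name="MAC-UNNAMED"   # constructed fallback for empty input
  printf '%s' "$name"
}

# True when the name already satisfies the rules (lets the policy skip a
# needless rename, which would otherwise churn DNS and the AD computer object).
is_netbios_safe() {
  local n="$1"
  [ ${#n} -ge 1 ] && [ ${#n} -le 15 ] && [ "$(netbios_name "$n")" = "$n" ]
}

# Read the current ComputerName; empty string when scutil is unavailable
# (e.g. when the script is run somewhere other than macOS).
current_computer_name() {
  if command -v scutil >/dev/null 2>&1; then
    scutil --get ComputerName 2>/dev/null || true
  fi
}

# Apply all three macOS name fields so the AD bind, DNS and Bonjour agree.
apply_computer_name() {
  local name="$1"
  scutil --set ComputerName "$name"
  scutil --set LocalHostName "$name"
  scutil --set HostName "$name"
}

main() {
  local mode="${1:-}"
  local raw target
  raw=$(current_computer_name)
  target=$(netbios_name "$raw")
  if is_netbios_safe "$raw"; then
    echo "ComputerName '$raw' is already NetBIOS-safe; nothing to do"
    return 0
  fi
  echo "Renaming '$raw' -> '$target'"
  if [ "$mode" = "--dry-run" ] || ! command -v scutil >/dev/null 2>&1; then
    echo "(dry run: scutil not invoked)"
    return 0
  fi
  apply_computer_name "$target"
}

# Only act when run with --apply or --dry-run; otherwise the file just defines
# the functions (so it can be sourced or tested without touching the system).
case "${1:-}" in
  --apply|--dry-run) main "$1" ;;
esac
```

Run it once with `--dry-run` from Self Service or a test policy to confirm the derived name before letting the bind policy call it with `--apply`; a rename that collides with an existing AD computer object is the usual reason step 22 fails silently, so the dry-run output is worth keeping in the policy log.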

Tigerhaven
Contributor

@cainehorr Thanks for taking time out for putting this list down. I appreciate it. What if we don't AD bind? Is there a way we can get authentication for 802.1x? We use Enterprise Connect.

Kunal V

cainehorr
Contributor III

@Tigerhaven

There is KerbMinder. It allows you to create a Kerberos Ticket and refresh it every time you're connected to your corporate network.

https://github.com/pmbuko/KerbMinder

I have also recently heard of NoMad - similar to Apple Enterprise Connect.

http://maclovin.org/blog-native/2016/nomad-get-ad-features-without-binding-your-mac

Cheers!

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

Tigerhaven
Contributor

Thanks @cainehorr

Kunal V

marklamont
Contributor III

If you have thousands of multi user devices, like we have, how could we not use AD binding? Interested to hear alternatives for this scenario

Tigerhaven
Contributor

@marklamont We are using non-AD-bound machines, 1000 and growing, and that's the reason I wanted these details, but recently I found more solutions for it. Any specific questions you had?

Kunal V