Are you using Jamf + Centrify for MFA and Smart Card login?

obi-k
Valued Contributor III

Hi Jamf Nation,

Is anyone using Jamf and Centrify, particularly leveraging Centrify GPOs to enforce Smart Card login on Macs 10.11 to 10.13?

I've read that others have had their fair of issues with Centrify (UUID permissions and network login issues). Everybody seems happy to move away from Centrify to Jamf.

Our ORG is currently on 10.12 & 10.11. Until the CIS 10.13 benchmark comes out, we can't upgrade to 10.13 to enforce Smart Card login. Plus, Centrify says that Multi-Factor Authentication for Macs is still in beta. Is anyone using multi-factor login on Macs?

Ideally, I'd like to wait for the CIS 10.13 benchmark, then upgrade our ORG and force Smart Card login that way. But I've been given a quick deadline now to make it happen.

Can anybody share their experience with Jamf and Centrify? I'm a bit worried about an admin applying their GPOs and other weirdness.

To get Centrify to work, I'd have to unbind and re-bind using Centrify's tool. I saw some scripts and I know Jamf supports Centrify binding in the JSS. But the whole process and ensuing troubles worry me.

Thanks for any of your thoughts and experiences!


Taylor_Armstron
Valued Contributor

We are, although still only in "Testing" status on 10.13 for the same reasons as you are.

That being said, CIS 10.13 should be out within the week.

Not clear why Centrify would claim MFA is in beta; they've been marketing that as one of the main features of Centrify for the past 5+ years. I think they misunderstood what you were asking. I CAN say that we've had lousy luck using multiple identities on a single card (standard + admin users, for example), but for your routine smart card/PIV authentication, it works just fine. We no longer use any other GPOs beyond the smart card auth, although before going with Jamf we used them a fair bit.

Having said all of that....

CIS 10.13 will be out in days. We're seriously looking at going with native smart-card support in 10.13 just to eliminate one additional component on our systems.

obi-k
Valued Contributor III

Thanks a lot @Taylor.Armstrong for your helpful response.

Are you using MFA on your Macs now in addition to Smart Card login? The Sr. System Engineer said the "MFA login at Desktop" from our cloud tenant is only available on Windows and Linux. So not sure there.

If you guys use the native smart-card support in 10.13, will you eliminate Centrify completely?

Taylor_Armstron
Valued Contributor

My pleasure. Not using MFA beyond the smart card aspect. Not using cloud either, so that may be the wrinkle that caused them to claim it was beta. We're strictly smart card/PIN here for local logins.

The goal would be to eliminate Centrify. No issues with it, but if we can get rid of one cost, and a bit of complexity of having another agent running, I think it would be worth it. We've been satisfied overall with Centrify for our needs.

obi-k
Valued Contributor III

Final question. When you went with Centrify, did you start from Macs already bound to AD using the built-in plugin? I'm a bit concerned about unbinding all of our users then re-binding with Centrify's tool, which I'm told is required.

I've already run into some weirdness.

Taylor_Armstron
Valued Contributor

Yes, we were using AD for years first.

No major issues, although we did occasionally have to go in and fix permissions. It's one of those things where "if all goes smoothly", you should be able to script it and have it transparent to the users... but if NOT smoothly, usually just SSH in and chown their user folder will fix it.

I have the occasional wrinkle ever since, just from trying to modify tips I find here on Jamf Nation and other places when everyone assumes you're using dsconfigad, but overall it works reliably; you just have to wrap your head around a different scenario.

Again though... if your #1 reason for considering this is because you're waiting on the 10.13 CIS release... wait a week. ;)
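The "fix permissions / chown their user folder" step Taylor mentions, as an added example that is not from the thread or from Centrify: after a Mac is re-bound from the built-in AD plugin to another directory service, the UID the directory now returns for an account can differ from the UID that owns its home folder, and this script reports (dry run by default) or repairs that mismatch. It assumes home folders live under /Users and that the account's current `id -u` is the UID the folder should end up with.

```shell
#!/bin/sh
# Added example, not the thread's or Centrify's code. Compares the numeric
# owner of a home folder with the UID the directory service currently
# returns for the account (the post-rebind mismatch described above).
# Assumption: homes live under /Users and `id -u USER` is the desired owner.

# home_uid_mismatch USER HOMEDIR
#   returns 0 when ownership already matches,
#   returns 1 (and prints "USER dir_uid -> account_uid") when it does not,
#   returns 2 when the account or folder cannot be resolved.
home_uid_mismatch() {
    user=$1
    home=$2
    account_uid=$(id -u "$user" 2>/dev/null) || return 2      # unknown account
    [ -d "$home" ] || return 2                                  # missing folder
    dir_uid=$(ls -ldn "$home" | awk '{print $3}')               # numeric owner, macOS and Linux
    if [ "$dir_uid" != "$account_uid" ]; then
        echo "$user $dir_uid -> $account_uid"
        return 1
    fi
    return 0
}

# repair_home USER HOMEDIR [--apply]
#   Dry run unless --apply is given; with --apply it chowns the tree to the
#   account's current UID, leaving the existing group untouched.
repair_home() {
    user=$1
    home=$2
    mode=${3:---dry-run}
    if home_uid_mismatch "$user" "$home"; then
        return 0                                                # nothing to do
    fi
    [ "$mode" = "--apply" ] || return 1                         # report only
    chown -R "$(id -u "$user")" "$home"
}

# audit_all_homes: the loop an admin would run over SSH after a rebind.
# Skips /Users/Shared and dot-directories; prints one line per mismatch.
audit_all_homes() {
    for d in /Users/*; do
        name=$(basename "$d")
        case "$name" in Shared|.*) continue ;; esac
        home_uid_mismatch "$name" "$d"
    done
    return 0
}
```

Run `audit_all_homes` first, then `repair_home NAME /Users/NAME --apply` only for the accounts it lists.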

obi-k
Valued Contributor III

They put a deadline to get this all working by the end of the month, though I was only notified about it a week ago. So I'm scrambling and I haven't tested this with a group yet.

I'm going to push back with the CIS 10.13 coming out in a week (thanks for the tip).

Hopefully, with Centrify MFA in beta, that won't require an agent installation down the road. He said it could be an agent or config profile.

Again, thanks a lot sir!

Taylor_Armstron
Valued Contributor

My pleasure, and thanks for the info on the config profile! I hadn't seen that, good nugget of info to keep in the back of my mind right now...