Posted on 11-26-2018 10:05 AM
So I need a compelling argument/discussion to have with the infrastructure team as to why we should no longer bind Macs to Active Directory.
Posted on 11-26-2018 10:40 AM
Off the top of my head... Keychain issues and AD Connection Drops -- having to constantly re-bind machines.
Posted on 11-26-2018 11:35 AM
Binding works pretty well for us. Here are some key configs to keep it working.
Posted on 11-26-2018 12:48 PM
Does NoMAD require just one person to login? Can a workmate borrow the laptop and log in?
Posted on 11-26-2018 01:15 PM
Our biggest issue right now is the Secure Token with machines being upgraded to 10.13.x. Seems to be a major issue with AD accounts.
Posted on 11-26-2018 02:05 PM
We use NoMAD Pro configured with both Okta and AD (but devices are not domain joined). If you holistically look at Jamf, everything that AD does with Windows (GPOs, device configs, etc.) can be done through Jamf. However, what is your use case for AD bind with macOS? Previously, our use case was Kerberos tickets generated through AD and firewall rules configured based on AD membership (we used Centrify instead of native macOS bind). Since NoMAD can generate these tickets without binding devices, we decided that there is no need for us to bind macOS to AD. Also, one more thing to remember: NoMAD [Jamf Connect] will not work with mobile accounts (at least this was the case 6 months ago). I am happy to share more details if needed.
Posted on 11-26-2018 02:12 PM
@cdenesha Sure, but NoMAD Login would need to be utilized for that scenario to work. That effectively turns it into a multiuser machine. Just using NoMAD alone with a local user created during DEP/Setup Assistant wouldn't work. In that case the machine is tied to a single user.
Posted on 11-26-2018 02:31 PM
AD and secure tokens are a bad time. I still have a lot of legacy machines with mobile users, and password syncing between the AD user and the crypto account has been an endless nightmare on those.
I'm hesitant to convert them all to local accounts via script because it seems about 30% of the time when I do that the account loses the secure token after conversion, leaving them unable to log in to FileVault.
Posted on 11-26-2018 02:58 PM
@cdenesha We don't use NoMAD Login. Users log in to their local accounts, which are synced to Okta for password replication. NoMAD only generates Kerberos tickets.
Posted on 11-26-2018 03:17 PM
The secure token problem is the main issue with NoMAD Login, and I assume Jamf Connect as well. Unless you create that user account during setup as the first user on the system created by the OS, you won't have a secure token and cannot use FV. You need DEP to do that as far as I know, but DEP is not available for every Mac and has other issues.
Apple is really mangling this secure token stuff. Since not having one prevents encryption entirely, it's making some systems far less secure than they were prior to secure tokens. They implemented it poorly without thinking any of this through.
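A pre-flight check for the conversion and first-user problems raised above, added here as an example and not code from any poster: before a script converts a mobile account to a local one, confirm the account already holds a Secure Token and is a FileVault-enabled user, and refuse to proceed otherwise. It parses the output of `sysadminctl -secureTokenStatus` and `fdesetup list` (both real macOS commands); the sample output embedded below is constructed, and the user name `jdoe` is a placeholder.

```shell
#!/bin/sh
# Added example: refuse to convert a mobile account that has no Secure Token,
# since it would be locked out of FileVault after conversion.

# Constructed sample output (not captured from a real Mac), used for offline runs.
SAMPLE_TOKEN='sysadminctl[2034:45678] Secure token is ENABLED for user jdoe'
SAMPLE_FV='jdoe,6B4F8C12-0000-4000-8000-000000000001
admin,6B4F8C12-0000-4000-8000-000000000002'

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
# Prints ENABLED, DISABLED or UNKNOWN (the command writes its status to stderr).
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Is user $1 present in `fdesetup list` output $2?  Each line is "user,GUID".
fv_enabled() {
    printf '%s\n' "$2" | cut -d, -f1 | grep -qx "$1"
}

# Safe to convert user $1 given token line $2 and fdesetup output $3?
# Returns 0 only when the token is ENABLED and the user is FileVault-enabled.
safe_to_convert() {
    [ "$(token_state "$2")" = ENABLED ] && fv_enabled "$1" "$3"
}

# Live check on a Mac.  The commands exist only on macOS; elsewhere it returns 2.
check_user() {
    if ! command -v sysadminctl >/dev/null 2>&1; then
        echo "sysadminctl not found; run this on macOS" >&2
        return 2
    fi
    st=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    fv=$(fdesetup list 2>/dev/null)
    if safe_to_convert "$1" "$st" "$fv"; then
        echo "$1: Secure Token ENABLED and FileVault-enabled; safe to convert"
    else
        echo "$1: no Secure Token or not a FileVault user; do not convert" >&2
        return 1
    fi
}

# Offline demonstration on the constructed sample.
safe_to_convert jdoe "$SAMPLE_TOKEN" "$SAMPLE_FV" && echo "jdoe: safe to convert"
```

Call `check_user <name>` from the conversion script and abort on a non-zero return; `admin` appears in the sample FileVault list but has no token line, so it would be refused.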
Posted on 11-26-2018 03:24 PM
@cdenesha probably NoMAD login is what you need. This use case was not applicable for our environment.