CVE-2021-42287 (AD bind) and edu lab computers

kevin5495
New Contributor III

Like many higher ed environments we have two types of users. One group is faculty and staff and the other is computers in shared classroom/labs. Our fac/staff machines are bound to AD but users authenticate with a local account. AD is only used to access Papercut print queues in System Prefs. They all have access to cloud resources through Google.

Lab machines, however, are all bound to AD and all are on the wired network. Students log in anywhere and their AD home is in the dock. Does the Kerberos SSO extension have similar functionality? I'm not so concerned with keeping access to their AD home directory, but having the "portable desktop" is essential. How are other schools handling this?

-Kevin

2 REPLIES

SeetendraPanda
New Contributor III

Kevin, we have never bound our devices to AD since it's always kind of a mess to deal with lockout issues and other compatibility issues when a Mac is bound to AD.
With Kerberos TGT Ticket we are able to get auth done for all the sites, including SSO on all the browsers. This needs to be set up in your IdP (Azure in our case) and is working perfectly.
But we use Apple Enterprise Connect to get the password sync. Getting the users to log in and retain their portable desktop can only be done by Jamf Connect, and the Jamf Pro services guys can do some magic for sure.

kevin5495
New Contributor III

I'm only concerned with public-facing (classroom) computers. Students use a different computer in each class and may use several others in open, public areas. Is Connect appropriate for this?