Decision headache: startup deploying self-hosted AD in 2017

Eid
New Contributor II

Hey community,

I searched high and low and couldn't find anything specific, so hopefully somebody can share a bit of their time to throw this in the right way. Thank you so much for your time!

Basically - we have a small startup and at the current moment we're running GSuite for most of our needs (SSO-wise as well) along with 1Password, for where Google OAuth is not available.

We're getting more and more staff and the main problem is keeping all devices connected & secure. As far as device security goes we started using Meraki MDM, but plan to switch to JAMF PRO at some point, just for the sake of better functionality.

The main problem is remote authentication across all devices instead of having local accounts. The go-to solution for the past many, many years was AD, but I just feel like something's not right doing it from scratch in 2017. We're using GSuite Email and File Storage, so I feel like we would need to switch to MS File Sharing & Exchange for it to make more sense. One of the main issues is that the servers will probably be hosted publicly within data centers and accessible via WAN, since most of us are remote workers. So it kinda is not the standard AD setup, which - in my mind - is mostly office based.

I looked at alternatives like MS AD and AD DS, but they don't support OSX at all, which would leave our Macs with only local accounts, cutting them off from accessing resources.

What options do you think would be better suited for 2017 and onwards? We are across 2 locations in the US and Europe, running mobiles, laptops, desktops (Windows, Mac) and Linux servers (but those are a separate animal).

Thank you for any ideas.
Cheers.

9 replies

mpermann
Valued Contributor II

@Eid have a look at JumpCloud. They have a cloud directory product that hooks into GSuite and can integrate with Casper as well. It may be an option for you.

Eid
New Contributor II

Thanks @mpermann - sorry to say, but are you guys paid by JC? I am not sure, but there are so many replies with basically one-liners.

I personally tried the product and thought it was awful. Apart from the company being quite shady and not having exposure, there's little documentation about the technical aspects and it just 'works'. Personally, installing such basically hidden/anonymous cloud applications which hook up to the company's servers felt really untrustworthy.

I thought about what I could add to the topic, and basically - in the end, I guess our main gripe is that we would like that wherever any staff member sits, he/she can log in to an environment that's always the same (desktop, files, shares, apps, even desktop wallpaper-wise).

I looked at a post from SpiceWorks, https://community.spiceworks.com/topic/1251024-migrate-to-azure-active-directory-from-on-premise-ad (it's the second reply, from 'Gregory') - and it seems that AD / AD DS is not good for this in the first place.

So what do you guys reckon, open WAN on-premise AD?

mpermann
Valued Contributor II

@Eid no, I'm not paid by JumpCloud to suggest you look at their product. I've been evaluating their product for a few months now. There are some shortcomings that may keep us from being able to use their product in our environment. But for some folks/environments it's probably going to be a good solution. You know your environment better than anyone else so you will have to determine what works best for your environment. Good luck in your search.

gachowski
Valued Contributor II

Don't do it... binding to any directory service brings nothing but issues to the Mac...

Apple and IBM have spoken, and it's Configuration Profiles to manage password requirements.

https://www.youtube.com/watch?v=fSHTzJl9BW0

Most every security group is ok using Configuration Profiles to manage the "pin/password" on a phone, so they have no "real" argument against using Profiles on macOS.

If you start reading Apple tea leaves and really thinking about the future, the most likely plan they have for macOS is to lock it down as tight as iOS.

C

Eid
New Contributor II

Thanks C,

How do you handle Macs in your corp environment then? Only via JAMF? What about file sharing from an AD environment?
Thanks for the keynote, I will take a look at that today.

For us, we're happy to use 1Password for most of the non-SSO stuff, but yeah.. having the same account across OSX & Windows for remote & local workers would be nice, to have your desktop & files accessible.

gachowski
Valued Contributor II

We are hopefully moving away from AD to local passwords later this month or early next, and will manage the passwords with profiles. We have only used Jamf for the past 9 or 10 years. : ) AD password issues are the largest group of macOS tickets our help desk receives.

Most of our users are using UNIX shares, so that really isn't an issue. Also, the ones that still use Windows shares can just browse to them in the Finder and log in manually. I have found that the whole Kerberos thing really didn't work in our environment, and from what I have read most environments have issues setting it up everywhere. We have also moved to O365, so we are trying to get our users to use OneDrive. As for synced desktops, I am not sure that it's possible anymore.. Apple has dropped support for portable home directories.

https://derflounder.wordpress.com/2016/09/03/portable-home-directories-will-not-work-on-macos-sierra/

If you really need the SSO check out Enterprise Connect...

https://www.jamf.com/jamf-nation/discussions/17757/about-enterprise-connect

There are two IBM videos. The one I linked is from this year, but there is one from 2015 too that you should watch; it's on the Jamf YouTube channel too.

C

nmanager
New Contributor III

I would look at Enterprise Connect or Nomad (https://www.nomad.menu/). Both have features that let you use local accounts but still have control over them. Here is an article that covers binding vs. unbound and then the differences between EC and Nomad.

http://macadminsdoc.readthedocs.io/Integration/Active_Directory/

I am going with Enterprise Connect, but we are bound to AD. It will help with keeping the Kerberos tickets updated and password reminders. If we were unbound I would still look at them to help streamline maintaining user accounts.

jared_f
Valued Contributor

We have also been evaluating JumpCloud and it has seemed to work very well in our test lab environment. We had a good discussion going in JamfNation about it. Like @mpermann said, it does have a lot of shortcomings... but most of the stuff you can get around. We don't use their binding client; in our discussion someone posted a nice scan of something they printed off about binding via Users & Groups, and then it does not require you as the admin to push down each user from the JumpCloud admin page.

Like you, I am using Meraki until we invest in JAMF Pro. If you have any questions, I have been using/testing it for the last two years heavily.

Jared

jared_f
Valued Contributor

I see you want the users' apps and everything to be the same when they log in... usually when binding to AD, I like to have everything local. Nothing but issues migrating everything over when the user decides to log in to a new computer. I like having the users store files on a network drive.