Do you bind to AD/LDAP/OD? Why not?

ShakataGaNai
New Contributor III

In the ol' Windows days, everything was bound to AD. Everyone did it, from 5 person companies to 5k. It was just the way of the world. But now is the time of the Mac and The Cloud. If a majority (or maybe all) of your software is SaaS, the device becomes disposable (just don't tell accounting that).

So I'm curious. Are people still binding to AD/LDAP/OD for central authentication? If not, why? Or more interestingly how are you handling user authentication?

Personally, I don't bind to anything. I treat the device as disposable. The users log in with a local account and JAMF keeps an admin account in play for IT to use. I'm curious if this is normal and/or if there are better options.


Aziz
Valued Contributor

Active Directory.

Why? Because we're a school and need to give the students/staff/faculty personal home drives! They need to access Windows/Mac machines wherever they are on campus. Biggest problem is the dreaded Keychain.

Edit:

As @bpavlov said, one set of credentials for end users!

bpavlov
Honored Contributor

We bind, but that's for the sake of the user having to only remember one set of credentials for different company services. I suppose that can have its own set of security problems if someone got a hold of it. It's a delicate balance for sure. You also have to deal with computers not communicating with AD as well. But users have so many problems remembering passwords as it is that I can only imagine it would be exacerbated if they had to remember yet another set. As it stands some people literally leave a note or sticky with all passwords listed. I suppose it's what happens when you try to enforce security so stringently. People find ways to comply but the end goal of being secure is lost.

bentoms
Release Candidate Programs Tester

@ShakataGaNai Actually @kitzy made a similar statement on Twitter & blogged it

For us, we leverage SSO heavily with AD being the source leveraged for user credentials.

For SaaS stuff we then use ADFS/SAML to leverage the same credentials.

gachowski
Valued Contributor II

Yep, it's time to move to config profiles to manage the passwords. Binding to AD is no longer worth the hassle in most environments.

Everything is a trade off: do you want old AD issues that might be fixed, or new config profile issues that should be fixed ASAP?

Binding to AD is a dependency in most builds, and removing that dependency would simplify a lot of builds and make many, many onsite staff jobs easier and free them up to really help end users.

C

ShakataGaNai
New Contributor III

@bentoms interesting link, thanks!

@bpavlov Fair point. I wonder then if it is possible to push usernames/passwords to OSX from another service via JAMF? @gachowski mentions config profiles, which I honestly haven't used.... but it'd be an interesting experiment. If you use SaaS SSO, you could probably have those systems communicate passwords to JAMF, then pass them down to the end laptops? Not sure if that is possible, but interesting.

gachowski
Valued Contributor II

I don't think it's an experiment any more, : ) some big companies are not using AD any more.. and all managed iPhones are using config profiles... The question is, can your password requirements be enforced by the options Apple provides. :) I would guess that most everyone's can be...

I would guess that Jamf has plans for other services syncing; they sent out a survey earlier about this and there were 6 or 7 options that they gave us a choice of. (Okta was on the survey)

However my personal view is that I don't want those passwords on the Macs. I think having two passwords, one for the machine and one for your company's resources, is a good idea.

C

davidacland
Honored Contributor II

Similar for us. On any of our school deployments it's always AD, very occasionally there's an old OD server just for the Macs.

In the larger businesses I go to it's AD there too. This is partly for login window authentication but also for machine based certificates for access to corporate wifi and VPN.

Personally I'm not sure it's so useful these days to actually bind the client devices in 1:1 scenarios. Just connect all the servers to a central directory so you can get them setup quicker, and revoke service access more easily.

For shared device usage of OS X I'd still bind them to the directory service.

Look
Valued Contributor III

With 5000 PCs and 1500 Macs it's much simpler for us to have a single set of credentials in AD.
Plus we use it for a number of other services as well.

adamcodega
Valued Contributor

I'll throw my hat in the ring.

Around 100 employees and growing, we use Google for Work, and laptops are assigned 1:1. Since the company has grown from five people four years ago they never saw a reason to stand up a traditional directory infrastructure, from time to set up to availability and fault tolerance. Our wireless has built-in 802.1x authentication and Casper provides assignment of settings, apps, etc. via the computer's assignments. Now, we'll most likely be starting with an identity provider like Ping or Okta for single sign on access to a variety of services, but you can use these without a directory service in place.

rderewianko
Valued Contributor II

We bind our machines to the domain for our overall effort of removing any extra passwords.
The only issue we find is with our remote users: when they change their passwords there's no way to talk back to our AD externally (this being built as best practice), so we tell them to hop on the VPN, and things will magically start working again.

We heavily use SSO and our users expect nothing less.

One username One Password, just makes it easier for everyone.

Chris_Hafner
Valued Contributor II

We're an edu that DOES NOT BIND to AD. While we use AD, RADIUS and a number of other technologies to manage authentication, our users devices are NOT bound to AD. In my less than humble opinion AD bindings really hurt performance with completely modern mobile fleets. In the end, we teach password management to our users anyways so we don't mind the user essentially having two passwords (one for their computer and one for pretty much everything else related to our academy, SaaS included). In the end they need to manage passwords for various other personal things anyways. We teach them rather than fighting with issues related to LDAP bindings. That said, we don't have strict compliance rules to deal with.

lehmanp00
Contributor III

I would love to get away from AD logins, but we have requirements for print and web auditing that only really works well with AD/LDAP user accounts.

AVmcclint
Honored Contributor

If you have to work under HIPAA restrictions, you don't really have a choice but to bind everything to AD. Full accountability at all times on all devices. It can be a management and performance nightmare to maintain security from top to bottom.

emily
Valued Contributor III

We bind to AD and I hate it.

damienbarrett
Valued Contributor

Chiming in to say that our environment is virtually identical to @Chris_Hafner's. We have about 1300 users, virtually all of them on MacBook Airs, and do not bind the equipment to AD, even though we have AD in place and it is used for authentication to almost all of our services (email, Moodle, HelpDesk, etc.). We also teach strong password generation rules, but also teach them the distinction between a computer password and an email password. We feel it's healthier for them to understand the distinction. SSO isn't necessarily a bad thing; but it can be viewed by some as enabling users to be lazier about password management.

Chris_Hafner
Valued Contributor II

Not to mention the cost of the CALs. We can swing most things on our external connector license. In any event, yep @damienbarrett We're the lucky ones! Another reason I love working in the EDU space (Private edu that is).

AlanSmith
Contributor

With a 10-1 Windows-Mac ratio (2000+ Windows PCs, 200+ Macs), our tertiary education environment is heavily controlled by Windows. As a result, as a number here have mentioned, we bind to AD for authentication, so students & staff can log on to any machine campus-wide with the same credentials.
We used to have a 'magic triangle' set up with OD binding as well, but moved away from this when we decommissioned our Xserves and RAID array! So now it is all via AD and Windows SANs for storage.

pchang
New Contributor

We are actually looking away from AD binding now, for at least some. We are a K-12 school, but all of our Middle School and High School students buy and own their laptops. We no longer "thick image" student owned laptops, as we like to keep them pristine from Apple, with school licensed apps served a la carte via Self Service. Right now we don't really feel the need for this set of student machines to be bound. We kept them bound for printing with PaperCut, but I am now finding that we can utilize and gain the same functionality of getting and charging them based on their AD username with the PaperCut Client installed. We too will be decommissioning our OD environment as we bring our Xserves offline.

Chris_Hafner
Valued Contributor II

@pchang Nice! I'm actually going to be setting up PaperCut here in similar fashion Wednesday.

lehmanp00
Contributor III

I messed around with a non-bound Mac and Papercut a few weeks ago.

  1. The printer still needed to be installed via LPD method with the print server queues
  2. The user still had to login using the client with AD credentials to print (each time?)

Is that how you 2 are going to config it?

Chris_Hafner
Valued Contributor II

I'm a bit of a non-conformist so I have no idea. Read this as: I will fix anything I find generally stupid no matter what the manual says or I won't pay for it.

My plan is to utilize the Client and maintain as long a general auth as I can (hopefully a day?). Then I'll start using it to figure out what annoys me the most, fix that, bring my wife to the office and let her use it, figure out what annoys her the most, and fix that. In the end I'm sure our users will have to authenticate from time to time and we are 100% A-OK with that. Being an EDU we tend to like having them log into something every so often so they don't forget their passwords!

dah0041
New Contributor

@Chris_Hafner
I need your help if you have GSX access. I don't find how to repair SN complete because the old method is not working. Can you show instructions here please?

lehmanp00
Contributor III

I see. I am really tempted to remove AD binding and have users authenticate when needing to print (the PaperCut client provides a pop-up login when needed), but I also know anything more than 1 login (the AD login for OSX) will cause complaining.

pchang
New Contributor

@lehmanp00 I'm still testing actually, #2 on your list. Yes, you can set it up so that you get pop-up authentication when printing asking for AD credentials, as long as the printer in PaperCut is set for this and the Mac has the PaperCut Client installed. I actually have my testing with the printer set to this along with it being released by a release station. However there is a way for it to not get the pop-up authentication, and still print based on the username initially put into the PaperCut Client. In order for this to work there is a login script to bypass pop-up authentication. I was able to modify it based on the user logging into Self Service when the PaperCut Client gets installed via Self Service Policy. So when a user prints, the pop-up authentication does not ask for AD username and password to print. However what I'm finding is that it isn't 100% reliable. I'm still testing to see if I might have missed something.

Chris_Hafner
Valued Contributor II

@dah0041 Hey, we're a helpful bunch around here however, I don't think we're going to do much for you beyond pointing you at your Apple rep. GSX is full of all sorts of privileged info and I certainly would not be comfortable sharing too much. Additionally, you're asking questions that quite honestly, many of us might think of as 'less than trustworthy' to unethical.

I apologize ahead of time if you really are stuck trying to figure some stuff out. However, looking at your post history it certainly feels like you're trying to get privileged info on breaking activation locks. Apple, via GSX is very, very clear on their policies and instructions regarding activation lock and there are several threads here discussing it yet you are not posting to those. I can't imagine you having access to both JAMFNation and GSX and not being able to find the info you keep requesting as it's been policy for some time. Much longer than you've been "on vacation".

Now, I'd really like to keep this thread on track.

Context check - I said this all with a smile ;-)

dubprocess
New Contributor III

Can't you still just use AD credentials to log in to Macs without having to physically bind them now? We were going to bind our Macs with AD since we recently set up OKTA and that syncs with AD passwords, but we are really trying not to bind the Macs at all to an AD server.

znilsson
Contributor II

tlarkin
Honored Contributor

This is my personal opinion, and does not reflect the opinions of my current or any past employer. So please take this as my personal opinion based off my experiences in IT over the years.

There are really only a few niche reasons you should BIND to an LDAP directory anymore, and they are these:

  1. You heavily rely on Kerberos and you use Kerberos tickets as authentication to other services, AD/LDAP can do this
  2. You have multiple humans to a single computer - like a call center type environment or a lab

Really those two reasons are the best reasons to BIND. Otherwise you can do everything else without it and it is much less of a headache. Here are some things to consider.

  • Password compliance and rotation can be done with either a Passcode Profile or using the pwpolicy binary
  • Mapping network shares is not really a good practice, and it is a huge attack vector of most crypto-viruses. Look at migrating to a web app based file share system. Bonus: those are cross platform since they are web based. Box, Dropbox, Google Drive, etc.
  • Apps like Enterprise Connect and NoMAD exist, which help mitigate the need to BIND, they can also supply K-tickets
  • You won't get any management features extending the AD schema to a Mac
  • If your reason is inventory asset management, just go get an actual asset management tool that does everything for that. AD/SCCM inventory isn't really that great, nor really that easy to set up or maintain. Plus it doesn't do anything for iOS or Android devices. To me this might be the worst reason to BIND
  • Mobile accounts, while easier to manage, still can be a pain, so why use them? Plus they are identical to local accounts but with added complexities.
  • If AD still requires unique computer names, now you have to maintain a naming convention for your Macs, which is yet another thing you have to do

I just really don't see much of a benefit sans the Kerberos ticket and the many humans to a single device scenario. These are just my opinions.
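Two of the mechanics this thread keeps circling back to are "is this Mac actually bound?" (several posters say they keep AD but leave the fleet unbound) and "how do you enforce a password policy on a local account without AD?" (gachowski's config-profile answer and tlarkin's pwpolicy bullet above). The script below is an added example written for this page, not code from any poster or from Jamf. It assumes the admin has `dsconfigad` and `pwpolicy` available, as they are on any macOS build from this era, and it uses constructed sample output (the domain `corp.example.com`, the computer account `mac-0042$`, the user `alice`) so the parsing and plist generation can be exercised on any POSIX shell without a Mac. The accountPolicies keys follow the format documented in the `pwpolicy` man page; the minimum length and rotation interval are sample values you would replace with your own requirements.

```shell
#!/bin/sh
# Added example, not from the thread.
#   1. bound_domain: parse `dsconfigad -show` output and report whether the Mac
#      is bound and to which domain (useful as a Jamf extension attribute).
#   2. pwpolicy_plist: emit the accountPolicies plist that
#      `pwpolicy -u <user> -setaccountpolicies <file>` consumes, so a local
#      account gets the length/rotation rules AD used to enforce.
# All names and numbers below are constructed sample values.

# Constructed sample of what `dsconfigad -show` prints on a bound Mac.
SAMPLE_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-0042$

Advanced Options - User Experience
  Create mobile account at login = Enabled'

# On an unbound Mac `dsconfigad -show` prints nothing at all.
SAMPLE_UNBOUND=''

# bound_domain: reads dsconfigad output on stdin, prints the domain or "unbound".
bound_domain() {
    domain=$(sed -n 's/^Active Directory Domain[[:space:]]*= *//p')
    if [ -n "$domain" ]; then
        printf '%s\n' "$domain"
    else
        printf 'unbound\n'
    fi
}

# pwpolicy_plist MINLEN DAYS: prints an accountPolicies plist that requires a
# minimum password length and forces a change every DAYS days.
pwpolicy_plist() {
    minlen=$1
    days=$2
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '^.{${minlen},}\$'</string>
      <key>policyIdentifier</key>
      <string>Minimum ${minlen} characters</string>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Rotate every ${days} days</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>${days}</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Demo on the constructed samples; needs neither dsconfigad nor pwpolicy.
printf 'bound sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_BOUND"   | bound_domain)"
printf 'unbound sample -> %s\n' "$(printf '%s\n' "$SAMPLE_UNBOUND" | bound_domain)"

# On a real Mac, as root, the live equivalents would be:
#   dsconfigad -show | bound_domain
#   pwpolicy_plist 12 90 > /tmp/policy.plist
#   pwpolicy -u alice -setaccountpolicies /tmp/policy.plist
```

The bind check deliberately keys on the "Active Directory Domain" line rather than on whether `dsconfigad -show` printed anything, so a partially broken bind (plugin present, no domain) reports as unbound, which is what an inventory report should say. The pwpolicy route applies per user and lives on the machine; a passcode configuration profile pushed from Jamf enforces the same sort of rules fleet-wide and is the approach gachowski refers to, so pick one rather than layering both and confusing users with two different rejection messages.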