In the ol' Windows days, everything was bound to AD. Everyone did it, from 5 person companies to 5k. It was just the way of the world. But now is the time of the Mac and The Cloud. If a majority (or maybe all) of your software is SaaS, the device becomes disposable (just don't tell accounting that).
So I'm curious. Are people still binding to AD/LDAP/OD for central authentication? If not, why? Or more interestingly how are you handling user authentication?
Personally, I don't bind to anything. I treat the device as disposable. The users login with a local account and JAMF keeps an admin account in play for IT to use. I'm curious if this is normal and/or if there are better options.
We bind, but that's for the sake of the user having to only remember one set of credentials for different company services. I suppose that can have its own set of security problems if someone got a hold of it. It's a delicate balance for sure. You also have to deal with computers not communicating with AD as well. But users have so many problems remembering passwords as it is that I can only imagine it would be exacerbated if they had to remember yet another set. As it stands some people literally leave a note or sticky with all passwords listed. I suppose it's what happens when you try to enforce security so stringently. People find ways to comply but the end goal of being secure is lost.
Yep, it's time to move to config profiles to manage the passwords. Binding to AD is no longer worth the hassle in most environments.
Everything is a trade-off: do you want old AD issues that might be fixed, or new config profile issues that should be fixed ASAP?
Binding to AD is a dependency in most builds, and removing that dependency would simplify a lot of builds and make many, many onsite staff jobs easier and free them up to really help end users.
@bentoms interesting link, thanks!
@bpavlov Fair point. I wonder then if it is possible to push usernames/passwords to OSX from another service via JAMF? @gachowski mentions config profiles which I honestly haven't used... but it'd be an interesting experiment. If you use SaaS SSO, you could probably have those systems communicate passwords to JAMF, then pass them down to the end laptops? Not sure if that is possible, but interesting.
I don't think it's an experiment any more :) some big companies are not using AD any more, and all managed iPhones are using config profiles. The question is, can your password requirements be enforced by the options Apple provides? :) I would guess that most everyone's can be...
I would guess that Jamf has plans for other services syncing; they sent out a survey earlier about this and there were 6 or 7 options that they gave us a choice of (Okta was on the survey).
However, my personal view is that I don't want those passwords on the Macs. I think having two passwords, one for the machine and one for your company's resources, is a good idea.
Similar for us. On any of our school deployments it's always AD, very occasionally there's an old OD server just for the Macs.
In the larger businesses I go to it's AD there too. This is partly for login window authentication but also for machine based certificates for access to corporate wifi and VPN.
Personally I'm not sure it's so useful these days to actually bind the client devices in 1:1 scenarios. Just connect all the servers to a central directory so you can get them setup quicker, and revoke service access more easily.
For shared device usage of OS X I'd still bind them to the directory service.
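The split described above (bind shared devices, leave 1:1 devices unbound) is only manageable if inventory can tell you which state each Mac is actually in. The script below is an added example, not from this thread or from Jamf; it classifies a machine from the text that `dsconfigad -show` prints ("Active Directory Domain = ..." when bound, "You are not bound to Active Directory." otherwise). The parser takes the command output as an argument so it can be checked against constructed samples off a Mac; the live call at the bottom runs only where `dsconfigad` exists. Wrapping the result in `<result>` tags is the assumed Jamf extension attribute convention, so the same script could report binding state per computer.

```shell
#!/bin/sh
# Added example: report whether this Mac is bound to Active Directory.

# ad_binding_state OUTPUT
#   OUTPUT is the text printed by `dsconfigad -show`.
#   Prints "bound:<domain>" when a domain line is present, else "unbound".
ad_binding_state() {
  out="$1"
  case "$out" in
    *"Active Directory Domain"*)
      # Take the first "Active Directory Domain = X" line and keep only X.
      domain=$(printf '%s\n' "$out" | sed -n 's/.*Active Directory Domain *= *//p' | head -n 1)
      echo "bound:$domain"
      ;;
    *)
      echo "unbound"
      ;;
  esac
}

# Live check: dsconfigad exists only on macOS, so this is skipped elsewhere.
if command -v dsconfigad >/dev/null 2>&1; then
  state=$(ad_binding_state "$(dsconfigad -show 2>&1)")
  # Assumed Jamf extension attribute convention: the value goes inside <result>.
  echo "<result>$state</result>"
fi
```

Run it as an extension attribute and you can smart-group on `bound:` versus `unbound`, which is the quickest way to spot a 1:1 laptop that was bound by mistake or a shared lab machine that lost its binding.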
I'll throw my hat in the ring.
Around 100 employees and growing, we use Google for Work, and laptops are assigned 1:1. Since the company has grown from five people four years ago they never saw a reason to stand up a traditional directory infrastructure, from time to set up to availability and fault tolerance. Our wireless has built-in 802.1x authentication and Casper provides assignment of settings, apps, etc. via the computer's assignments. Now, we'll most likely be starting with an identity provider like Ping or Okta for single sign on access to a variety of services, but you can use these without a directory service in place.
We bind our machines to the domain for our overall effort of removing any extra passwords.
The only issue we find is with our remote users: when they change their passwords there's no way to talk back to our AD externally (this being built as best practice), so we tell them to hop on the VPN, and things will magically start working again.
We heavily use SSO and our users expect nothing less.
One username One Password, just makes it easier for everyone.
We're an edu that DOES NOT BIND to AD. While we use AD, RADIUS and a number of other technologies to manage authentication, our users devices are NOT bound to AD. In my less than humble opinion AD bindings really hurt performance with completely modern mobile fleets. In the end, we teach password management to our users anyways so we don't mind the user essentially having two passwords (one for their computer and one for pretty much everything else related to our academy, SaaS included). In the end they need to manage passwords for various other personal things anyways. We teach them rather than fighting with issues related to LDAP bindings. That said, we don't have strict compliance rules to deal with.
If you have to work under HIPAA restrictions, you don't really have a choice but to bind everything to AD. Full accountability at all times on all devices. It can be a management and performance nightmare to maintain security from top to bottom.
Chiming in to say that our environment is virtually identical to @Chris_Hafner's. We have about 1300 users, virtually all of them on MacBook Airs, and do not bind the equipment to AD, even though we have AD in place and it is used for authentication to almost all of our services (email, Moodle, HelpDesk, etc.). We also teach strong password generation rules, but also teach them the distinction between a computer password and an email password. We feel it's healthier for them to understand the distinction. SSO isn't necessarily a bad thing; but it can be viewed by some as enabling users to be lazier about password management.
With a 10-1 Windows-Mac ratio, (2000+ WinPC - 200+ Macs) our tertiary education environment is heavily controlled by Windows. As a result, as a number here have mentioned, we bind to AD for authentication, so students & staff can log on to any machine campus-wide with the same credentials.
We used to have a 'magic triangle' set up with OD binding as well, but moved away from this when we decommissioned our X-Serves and RAID array! So now it is all via AD and Windows SANs for storage.
We are actually looking away from AD binding now, for at least some. We are a K-12 school, but all of our Middle School and High School students buy and own their laptops. Since we no longer "thick image" student owned laptops, as we like to keep it pristine from Apple, with school licensed apps served à la carte via Self Service. Right now we don't really feel the need for this set of student machines to be bound. We kept them bound for printing with PaperCut, but I am now finding that we can utilize and gain the same functionality of getting and charging them based on their AD username with the PaperCut Client installed. We too will be decommissioning our OD environment as we bring our X-Serves offline.
I messed around with a non-bound Mac and Papercut a few weeks ago.
Is that how you 2 are going to config it?
I'm a bit of a non-conformist so I have no idea. Read this as: I will fix anything I find generally stupid no matter what the manual says or I won't pay for it.
My plan is to utilize the Client and maintain as long a general auth as I can (hopefully a day?). Then I'll start using it to figure out what annoys me the most, fix that, bring my wife to the office and let her use it, figure out what annoys her the most, and fix that. In the end I'm sure our users will have to authenticate from time to time and we are 100% A-OK with that. Being an EDU we tend to like having them log into something every so often so they don't forget their passwords!
I see. I am really tempted to remove AD binding and have users authenticate when needing to print, (the Papercut client provides a pop-up login when needed) but I also know anything more than 1 login (the AD login for OSX) will cause complaining.
@lehmanp00 I'm still testing actually, #2 on your list. Yes, you can set it up so that you get pop-up authentication when printing asking for AD credentials, as long as the printer in PaperCut is set for this and the Mac has the PaperCut Client installed. I actually have my testing with the printer set to this along with it being released by a release station. However there is a way for it to not get the pop-up authentication, and still print based on the username initially put into the PaperCut Client. In order for this to work there is a login script to bypass popup authentication. I was able to modify it based on the user logging into Self Service when the PaperCut Client gets installed via Self Service Policy. So when a user prints, the pop-up authentication does not ask for AD username and password to print. However what I'm finding is that it isn't 100% reliable. I'm still testing to see if I might have missed something.
@dah0041 Hey, we're a helpful bunch around here however, I don't think we're going to do much for you beyond pointing you at your Apple rep. GSX is full of all sorts of privileged info and I certainly would not be comfortable sharing too much. Additionally, you're asking questions that quite honestly, many of us might think of as 'less than trustworthy' to unethical.
I apologize ahead of time if you really are stuck trying to figure some stuff out. However, looking at your post history it certainly feels like you're trying to get privileged info on breaking activation locks. Apple, via GSX is very, very clear on their policies and instructions regarding activation lock and there are several threads here discussing it yet you are not posting to those. I can't imagine you having access to both JAMFNation and GSX and not being able to find the info you keep requesting as it's been policy for some time. Much longer than you've been "on vacation".
Now, I'd really like to keep this thread on track.
Context check - I said this all with a smile ;-)
Can't you still just use AD credentials to login to Macs without having to physically bind them now? We were going to bind our Macs with AD since we recently setup Okta and that syncs with AD passwords, but we are really trying not to bind the Macs at all to an AD server.
This is my personal opinion, and does not reflect the opinions of my current or any past employer. So please take this as my personal opinion based off my experiences in IT over the years.
There are really only a few niche reasons you should BIND to an LDAP directory anymore, and they are these:
Really those two reasons are the best reasons to BIND. Otherwise you can do everything else without it and it is much less of a headache. Here are some things to consider.
I just really don't see much of a benefit sans the kerberos ticket and the many humans to a single device scenario. These are just my opinions.