Posted on 06-07-2018 12:36 PM
Hey fellow jamf users!
I recently joined a marketing technology startup that is nearly all Mac based, has around 280 employees, and currently uses the G-Suite for productivity. As we all know, the g-suite doesn't have an LDAP component to it. I've been brought in to centralize and establish an IT department, and having already done a jamf jumpstart before, I am doing it again at this new opportunity.
I am fully aware of cloud based services, such as Jump Cloud, Better Cloud, and Okta to help bridge the gap between the G-Suite and an LDAP solution. The company I now work for creates a cloud hosted product that leverages AWS. A colleague in the department that deploys our product to AWS offered to help me spin up a windows VM and to start an instance of Active Directory.
I've received advise to avoid implementing AD unless necessary, and to use a cloud based directory if I don't need to be married to Microsoft. We also have about 4 PC's in this company that are completely unmanaged and those are users who from what I can tell handle sensitive data that needs to be protected.
I want to trial the three products I mentioned above, and ultimately, I want to explore Okta because of it's integrations with NoMAD and NoMAD Login. As I understand it, Okta prices based off of the features listed as well as for each user object. AD in AWS may be our cheapest option because we are already have a ton of space there for a VM.
What are questions I may not be considering?
Has anyone else been faced with this?
What advise do you have?
Is trusting a third party company with LDAP a good idea? Or is having our own windows server with AD the best option for scalability and the future? We wouldn't be marrying to one company that we would be paying annually in this sense. If we ever had to go from AWS to another cloud or to something on premise, having the full domain controller would help should migration, no?
TLDR; Source of truth is g-suite, I need an LDAP solution to fully leverage Jamf Pro and to introduce managed access to user accounts, and I have many options to explore.
Posted on 06-07-2018 02:00 PM
Cannot answer your question but may have some helpful insight
We have AD on prem with instances in AWS. I find this annoying as we also use Jamfcloud, gsuite, okta, many other cloud based services. Now we have to integrate an on prem system to these. 500ish macs with 30 ish Windows machines (excluding servers). I would have rather gone with a service like jumpcloud, but AD is much more mature and familiar to folks. Our AD syncs with Google using the Google Sync Tool, and Google acts as a profile master for Okta. But then passwords are a problem, AD will sync passwords TO google, not from, and Okta will set googles password but again not from.
I think if you are going to trust a cloud provider, you have to make sure the contract is firm and that they are responsible for failures/recovery/breaches
Posted on 06-07-2018 03:42 PM
I use Active Directory and just sync with our g-suite instance. Works great and we have over 18K people.
If I were you I would just leverage AD in your AWS instance and sync with gsuite.
I know nothing other than Active Directory and since I've been working in the industry I have never worked for a place / company using anything other than AD. I know many other options exist but that is just my experience after 10 years.
Posted on 09-20-2018 05:42 PM
How did you make out?
Jump start seems like a good fit IMHO.
Posted on 09-24-2018 02:40 AM
You can use self hosted GSuite to LDAP synchronizer ( g-suite-identity-sync ). As @bizzaredm said, you have to sync password from LDAP to Gsuite, but this is supported feature.
Posted on 10-04-2018 09:08 AM
Has anyone used Better Cloud as an AD connector? I am seeing lots of "it can do it" but would like to hear from someone who has done it. Hope to see tech be able to log into Jamf cloud with their AD creds and scope to AD groups.
Posted on 10-04-2018 09:17 AM
For cloud hosted AD you might also consider utilizing Azure AD. https://azure.microsoft.com/en-us/services/active-directory/