I've been trying to figure out a way to utilize this new service across our mac devices that still require LDAP user authentication. Has anyone else successfully got this to work?
Right off the bat I cannot figure a simple solution of injecting the certificates Google requires to a client and authenticate directly. So I started digging into the idea of running open directory and using stunnel. I ran into some road blocks configuring the .conf file and getting it to communicate to google. Is this the way to go? Or is there is better solution I am not able to find online?
Solved! Go to Solution.
So I have been looking at this and you want to look at the new "Cloud Identity Providers" section. This document has details on pages 3-9. https://hcsonline.com/images/PDFs/Google_SSO.pdf If you ignore the SSO part this should get you the same functionality according to the docs as configuring an LDAP Server. The latest Admin guide has a section
"Integrating with Cloud Identity Providers, which is similar to integrating with an LDAP directory service, allows you to do the following:
Look up and populate user information from the secure LDAP service for inventory purposes.
Add Jamf Pro user accounts or groups from the secure LDAP service.
Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.
Require users to log in during mobile device setup using their LDAP directory accounts.
Base the scope of remote management tasks on users or groups from the secure LDAP service."
So the only question I have remaining is if an Enrollment Customization can be configured that uses the Identity Provider ?
I can't answer that yet as I am still waiting for my Google Admins to approve the testing. If you get there before me please let me know.
Secure LDAP requires a mobile account and deep configuration of opendirectoryd. Given 2020 and SSO, probably not worth the time investment with solutions like native catalina SSO/Kerb connectors, JAMFConnect, etc that work off normal local accounts and dont have secureToken complexity with the bootstrap token.
We want to stop binding to local AD in favor of using Google Workspace credentials. How would we configure the native catalina/bigsur SSO/Kerb connectors to use Google Workspace credentials to log into macOS?? Streamlining this into ABM enrollments to Jamf would be huge!!
So my question for this overall process is in this statement "Require users to log in during mobile device setup using their LDAP directory accounts. Does JAMF mean the mobile device such as iPad do they mean the Mobile account Google Secure LDAP creates to keep the user account on the system in the event of loss of network connection.
Another question, is once the Google Secure LDAP mobile account is created on the local box, can the user sync local/server passwords if the LDAP password is changed?
We deployed this solution last year &it is working properly with Google Secure LDAP. We are still using Mobile accounts. Once the user log in yes we set Jamf config to create mobile account locally on the computer. This account is working without syncing any user data and it is linked to the google Secure LDAP. If the users change their passwords it will be synced to the local Mobile account on the computer. This Solution is perfect as we don't need to pay any other module like Jamf connect but the question now is for how long does Apple will support directory service & when it will be discontinued? So far Monterey is supported but not sure about any changes apple will make in the future, Any ideas?
This is exactly what I'm tying to accomplish. Do you happen to have any information on how you set this up?
Following the instructions posted in a link above looks like it would require some advanced scripting. Did you get into that? Anything you could share with me to get a baseline?