Jamf Nation Community

Ah shoot, we don't utilize FV because we're still binding to AD.

It's Something that I'd like to get away from eventually, but  I Haven't spent a ton of time looking at how to get Mac's talking to our on-prem AD without binding.... 

Do you know if the Lock Screen on Mac (FV-enabled) halts background OS processes as well or is does it simply lock the end-user out of getting into the OS?

@kbreed27 Are you binding to AD for mobile accounts or for something else?

Mobile accounts that login to the computers, yes. 

That is unfortunate. Used to have to do that in an edu enviroment with multiple users per Mac so much happier now with a corp environment with one user per Mac where we use Kerberos SSO to sync the user's account with our on-prem AD system and have ditched binding.

Yep, K-12 EDU environment here.... The majority of our macs are actually given to teachers and are one-to-one devices. We do have a few labs but most of our kids use Chromebooks.

I'm interested in looking into the Kerberos SSO extension for our teacher Macbooks, but my eyes glaze over reading the materials. It's a few steps ahead of my base knowledge at this point. 

HCS Technology Group created a very extensive guide for the Kerberos SSO extension when it was introduced in macOS Catalina: https://hcsonline.com/support/white-papers/a-guide-for-configuring-the-macos-catalina-kerberos-singl...

It's a bit out of date now (no need to manually create the configuration .plist because Jamf Pro now has a GUI for configuring KSSO) but it's a great overview.

And BTW, while the CrowdStrike capability to isolate network connectivity for a compromised Mac is probably your best approach it is possible to use a Configuration Profile to trigger a Mac to run  policy immediately. For details see the posts by @mm2270 in this thread: https://community.jamf.com/t5/jamf-pro/how-to-run-a-policy-job-immediately-instead-of-a-trigger/m-p/...

Ah great! Thank you so much for the information, I will look into these things. 

I see you all of these forums and your posts are always so helpful. @AJPinto as well. 

Honestly, its not that hard to setup. Apples documentation is just horrible. The only real prerequisite is you need to know your realm, which is likely the suffix at the end of your FQDNs and your domain. For example, hostname.ucla.edu and the domain is campus would be CAMPUS.UCLA.EDU (likely, not always). The rest of the configuration profile is setup to your preferences.

Note, the Kerberos SSO extension does not provide on demand account creation like domain binding does. However, the Platform SSO extension does which is setup similarly. 

Does Platform SSO require a cloud IDP like AAD? 

It's in its very early staged of adoption, but yes. Some of those IDPs like Okta are charging extra for the use of Platform SSO.

Similar pricing to JAMF Connect, which is great until you learn you need a license for every user on that tenant and not just a license for every mac user.

---

Note, the Kerberos SSO extension does not provide on demand account creation like domain binding does. However, the Platform SSO extension does which is setup similarly. 

 

---

I'm trying to wrap my head around what you mean here. Are you saying that new accounts on a machine have to walk through setup assistant to create and can't just be handled by logging in at the login screen?

We have a login screen config profile that forces all computers to a login screen with only username/password fields and a script that runs at enrollment binds the machine to our on-prem AD. I'm guessing the SSO extension wouldn't work in this sort of setup? 

Have you tried deploying the SSO extension to machines that already have Roaming Profiles , or is going to Kereberos SSO profile something you have to switch over for new enrollments? 

When you bind a Mac to the domain, the log in screen will call the domain controller to validate the user account and logs the user in building their account if necessary. Honestly, from the domain binding experience this is about all that really works. 

If you are logged in using a Mobile Account, the Kerberos SSO Extension will still install but it won't do anything.

https://hcsonline.com/support/white-papers/a-guide-for-configuring-the-macos-catalina-kerberos-singl...

https://www.apple.com/za/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

The Kerberos SSO Extension has no way to build users accounts on a Mac. It relies on the account to be built some other way like macOS Setup Assistant, or manual account creation (GUI, CLI or tools like JAMF Policy which is CLI under the hood). Once the user logs in to macOS with that account, they log in to the SSO Extension. The SSO Extension then prompts them to sync passwords and will update the local account PW to match the network password and generate Kerberos tickets. However, the Kerberos SSO Extension does not care what the user name is.

Apples Platform SSO does support on demand account creation, which was a massive oversight with Kerberos SSO Extension.

Yes, we do use CrowdStrike. 

It seems like Shutting down switches or network containing clients is going to be the better move than trying to shut everything down through MDM, but I am far from an expert and less experienced than our NetSec guy.

He's pushing to have the solution of stopping the slow of Ransomware to be through MDM shutdowns. It seems off to me but I'm still kinda new to this. 

@mschlosser has a good point, you dont really want to reboot a compromised device as you may not be able to get back in to it.

CloudStrike Falcon supports network isolation. Basically, if a device is compromised, the security agent isolates the device on the network, whatever network it happens to be on for remote users. Unlike JAMF which works on check-in's, your security agents are usually constantly connected and can act much faster.

The Device Lock MDM command allows sending a message to be displayed to the user on the lock screen. For users who aren't responsive to email notifications that their Mac requires a restart for something sending a Lock command with a message why their Mac was locked and the PIN code to unlock is not an uncommon use of the command. 

AJPinto's method to shutdown the macs would be the most straightforward way in my opinion. That said, I'd be more of an advocate of cutting off the Macs network access whether that be by pulling the cord or at the wifi controller level; I wouldn't turn the device off because sometimes ransomware is written poorly and decryption keys can often be found in memory or tmp folders. Power the device off and those may be lost forever.