We are in the project scope of Jamf and I am looking for some input from you What we have decided is that Mac´s not must be AD bind and that we want to use Nomad We also Use apple DEP and we have azure AD and want to use conditional access When users first time login, how do we ensure that they login with the ad account credentials. So they don´t end up creating a local account that is not in sync with AD Is it possible for this to up sync with AD when the a new macbook is off company network ? - so users can setup a new macbook from home Our own Mac´s we want to use with Jamf, but what is the best way to "control" externals with own macbooks, who maybe are connecting to our company email etc. Conditional access is that the best way control that to set this up in Intune ? -

I'll try to answer, but I'll be honest we still bind. That being said, I want to get away from that myself.I think I have some ideas to solve that one...set up NoMAD in such a way that any non-AD credential doesn't give the end user access to the full plethora of services (shares, authenticated Wifi, certain software not functioning...etc.) It should be understood that only using the AD credential should give them access to everything.Unsure...I know there are AD proxy you can set up and I've heard to some places having a secured and strictly limited external DC in the DMZ.One way to do it without inTune would again be "conditional access" but I'm using the word theoretically, not in terms of an actual control. Make it so that enrollment would kick off a policy adding what you desire to the Mac as part of an enrollmentComplete policy. Such things that come to mind are corporate antivirus clients, certificates, required software, etc..inTune may very well be what you want, but I've heard of some folks using Cisco ISE posturing.

Question

Input needed - best setup solution

6 years ago
October 8, 2018
3 replies
0 views

+10

jameson
Contributor
194 replies

We are in the project scope of Jamf and I am looking for some input from you

What we have decided is that Mac´s not must be AD bind and that we want to use Nomad
We also Use apple DEP and we have azure AD and want to use conditional access

When users first time login, how do we ensure that they login with the ad account credentials. So they don´t end up creating a local account that is not in sync with AD
Is it possible for this to up sync with AD when the a new macbook is off company network ? - so users can setup a new macbook from home
Our own Mac´s we want to use with Jamf, but what is the best way to "control" externals with own macbooks, who maybe are connecting to our company email etc. Conditional access is that the best way control that to set this up in Intune ? -

+26

blackholemac
Valued Contributor
907 replies
6 years ago
October 8, 2018

I'll try to answer, but I'll be honest we still bind. That being said, I want to get away from that myself.

I think I have some ideas to solve that one...set up NoMAD in such a way that any non-AD credential doesn't give the end user access to the full plethora of services (shares, authenticated Wifi, certain software not functioning...etc.) It should be understood that only using the AD credential should give them access to everything.
Unsure...I know there are AD proxy you can set up and I've heard to some places having a secured and strictly limited external DC in the DMZ.
One way to do it without inTune would again be "conditional access" but I'm using the word theoretically, not in terms of an actual control. Make it so that enrollment would kick off a policy adding what you desire to the Mac as part of an enrollmentComplete policy. Such things that come to mind are corporate antivirus clients, certificates, required software, etc..inTune may very well be what you want, but I've heard of some folks using Cisco ISE posturing.

KRIECCO
Contributor
76 replies
6 years ago
October 8, 2018

+10

jameson
Author
Contributor
194 replies
6 years ago
October 8, 2018

In regards to the 1, I think it would be best if users are "forced" to enter the correct AD credentials and password, so they don´t even have the chance to go forward and create a lot of problems for them self and IT support if they enter wrong information

What about including nomad login in that process ? - Don´t know if it is possible to skip the basic startup about creating a local account but instead jump direct to the nomad login where there should be some scripts available ?

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos + marketing

Reply

Related topics

Script of login Policy keeps running from /private/tmpicon

Jamf Connect meta-package for zero touch deploymenticon

Forcing Updates for Chromeicon

Trigger policy when login window is up?icon

Remote support Self Service tool for users off of the corporate network.icon

Most helpful members this week

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings