Input needed - best setup solution

jameson
Contributor II

We are in the project scope of Jamf and I am looking for some input from you.

What we have decided is that Macs must not be AD bound and that we want to use NoMAD.
We also use Apple DEP, and we have Azure AD and want to use conditional access.

  1. When users log in for the first time, how do we ensure that they log in with their AD account credentials, so they don't end up creating a local account that is not in sync with AD?

  2. Is it possible for this to sync up with AD when a new MacBook is off the company network, so users can set up a new MacBook from home?

  3. Our own Macs we want to use with Jamf, but what is the best way to "control" externals with their own MacBooks, who may be connecting to our company email etc.? Is conditional access set up in Intune the best way to control that?


blackholemac
Valued Contributor III

I'll try to answer, but I'll be honest: we still bind. That being said, I want to get away from that myself.

  1. I think I have some ideas to solve that one... set up NoMAD in such a way that any non-AD credential doesn't give the end user access to the full plethora of services (shares, authenticated Wi-Fi, certain software not functioning, etc.). It should be understood that only using the AD credential gives them access to everything.

  2. Unsure... I know there are AD proxies you can set up, and I've heard of some places having a secured and strictly limited external DC in the DMZ.

  3. One way to do it without Intune would again be "conditional access", but I'm using the term theoretically, not in terms of an actual control. Make it so that enrollment kicks off a policy adding what you desire to the Mac as part of an enrollmentComplete policy. Such things that come to mind are corporate antivirus clients, certificates, required software, etc. Intune may very well be what you want, but I've heard of some folks using Cisco ISE posturing.

KRIECCO
Contributor

.

jameson
Contributor II

In regards to 1, I think it would be best if users are "forced" to enter the correct AD credentials and password, so they don't even have the chance to go forward and create a lot of problems for themselves and IT support if they enter wrong information.

What about including NoMAD Login in that process? I don't know if it is possible to skip the basic startup about creating a local account and instead jump directly to the NoMAD login, where there should be some scripts available?