Posted on 04-03-2014 08:28 AM
I'm looking for opinions here, and I'd love to hear your thoughts and the reasons behind them. We have always had a small Mac population here, only about 100 Macs and 100 iPads. They're bound to AD, which they use for authentication and to point to network drives. They're also all managed by our JSS, which is used 100% for all the management (packages, scripts, settings, printers, etc.).
Now we're stepping up to an all-Mac environment, which will bring in 400 of each device in the next few months, and 1,600 of each in the coming years. We're reevaluating to see if our current setup is best, and how we might make it better.
These machines will be student computers, but owned/managed by the school. So:
1. We are definitely going to be managing them with Casper. We'll use this for VPP software, tracking who possesses each machine, etc. Normal stuff.
2. We cannot (convince me I'm wrong, though!) think of a reason to bind them to AD. They'll be logged into using local accounts (students will create their own) so they don't need AD authentication, and they won't have network drives.
3. We're completely unsure if we need to set up Open Directory and Profile Manager. We've never had it set up before, but it sort of looks like Casper can do everything that OD can.
We're working on setting up a 10.9 print server with Papercut on it, so I'm curious if OD is needed for that, or maybe even if AD is needed because of authenticating to print.
If you're willing, just share your thoughts on the best-practice here.
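Before deciding whether the new machines get bound at all, it helps to know which of the existing ones actually are. The script below is an added example, not code from this thread or from JAMF; it classifies Macs by Active Directory binding state from the text that `dsconfigad -show` prints on each machine (collected, for instance, by a JSS extension attribute or an SSH sweep). The output layout it parses is reproduced from memory and is an assumption, and the sample outputs and hostnames are constructed so the script runs offline.

```python
"""Audit a fleet of Macs for Active Directory binding state.

Added example. Parses the output of `dsconfigad -show` (layout assumed from
memory of the tool, not verified against a specific macOS release) and
buckets hosts into bound / unbound / needs-a-look. Sample outputs below are
constructed, not captured from real machines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BOUND_MARKER = "You are bound to Active Directory"
UNBOUND_MARKER = "You are not bound to Active Directory"

# "  Some Key Name   = value" lines in the dsconfigad output.
_KV = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*?)\s*$")


@dataclass
class BindingState:
    hostname: str
    bound: bool
    forest: Optional[str] = None
    domain: Optional[str] = None
    computer_account: Optional[str] = None
    mobile_accounts: Optional[bool] = None     # "Create mobile account at login"
    password_interval_days: Optional[int] = None  # computer-account password rotation
    notes: List[str] = field(default_factory=list)  # anything a human should check


def parse_dsconfigad(hostname: str, text: str) -> BindingState:
    """Turn one machine's `dsconfigad -show` output into a BindingState."""
    state = BindingState(hostname=hostname, bound=False)
    if UNBOUND_MARKER in text:
        return state
    if BOUND_MARKER not in text:
        # Neither marker: command failed, or output format changed. Flag it.
        state.notes.append("unrecognised dsconfigad output")
        return state
    state.bound = True
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Active Directory Forest":
            state.forest = val
        elif key == "Active Directory Domain":
            state.domain = val
        elif key == "Computer Account":
            state.computer_account = val
        elif key == "Create mobile account at login":
            state.mobile_accounts = (val == "Enabled")
        elif key == "Password change interval" and val.isdigit():
            state.password_interval_days = int(val)
    if not state.computer_account:
        # A bound Mac without a computer account is a broken trust relationship.
        state.notes.append("bound but no computer account reported")
    return state


def audit(outputs: Dict[str, str]) -> Dict[str, List[BindingState]]:
    """Classify every host; returns {'bound': [...], 'unbound': [...], 'check': [...]}."""
    result: Dict[str, List[BindingState]] = {"bound": [], "unbound": [], "check": []}
    for host, text in outputs.items():
        s = parse_dsconfigad(host, text)
        if s.notes:
            result["check"].append(s)
        elif s.bound:
            result["bound"].append(s)
        else:
            result["unbound"].append(s)
    return result


# Constructed sample outputs (assumed dsconfigad layout; not real machines).
SAMPLE_OUTPUTS = {
    "lab-mac-01": (
        "You are bound to Active Directory:\n"
        "  Active Directory Forest          = ad.example.edu\n"
        "  Active Directory Domain          = ad.example.edu\n"
        "  Computer Account                 = lab-mac-01$\n"
        "\n"
        "Advanced Options - User Experience\n"
        "  Create mobile account at login   = Enabled\n"
        "  Require confirmation             = Disabled\n"
        "\n"
        "Advanced Options - Administrative\n"
        "  Password change interval         = 14\n"
    ),
    "student-mb-17": "You are not bound to Active Directory.\n",
    "weird-host": "dsconfigad: unexpected error\n",
}

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_OUTPUTS).items():
        print(bucket, [h.hostname for h in hosts])
```

The "check" bucket is the one worth reading first: a Mac that reports as bound but has no computer account, or whose output the parser does not recognise, is exactly the machine that will fail a network login on the day someone needs it.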
Posted on 04-03-2014 08:37 AM
IMHO...
Honestly, I would try as hard as possible to avoid OD. Especially if you are using Casper, then there is almost no need.
(Dare I say in this forum, even to avoid Server.app as much as possible)
Only 2 issues I see:
2. We cannot (convince me I'm wrong, though!) think of a reason to bind them to AD. They'll be logged into using local accounts (students will create their own) so they don't need AD authentication, and they won't have network drives.
Is this a 1:1 solution? Otherwise the students will have to always sit at the same computer if not using a network account.
Printing... using OD with an OS X print server might make it easier to manage print authentication. However, Papercut allows you to create Papercut users, so you might be OK. Each user will have to do a separate login to Papercut, I think, though.
Edit: spelling.
Posted on 04-03-2014 08:47 AM
Thanks for the input. I've been leaning in that direction: avoid OD if at all possible.
Is this a 1:1 solution? otherwise the students will have to always sit at the same computer if not using a network account.
Every student will have their own iPad and MacBook, so yes, 1:1. If they ever need to log into a computer lab or a public computer, those ARE managed by AD, so their network credentials should work fine.
Printing....using OD with an OS X print server might make it easier to manage print authentication. However, Papercut allows you to create Papercut users so you might be OK. Each user will have to do a separate login to Papercut I think though.
I'm just beginning to play with Papercut for these Macs now, so I'm still trying to figure out how we can make the user authentication portion of it work. I feel like the server only has to be bound to AD to get the users, and then students can authenticate when printing without having to be bound (similar to connecting to wireless: the server checks AD credentials, but clients don't need to be bound). I have nothing to support that theory yet, but it'd be great if that's how it works.
Posted on 04-03-2014 01:14 PM
I don't have much to contribute here, but I have noticed that when a Mac is bound to AD the Mail program can find email addresses from AD for those that a user has never emailed before.
Posted on 04-04-2014 06:32 AM
We use JAMF with OD because we have all of our groups and classes set up in it. That allows us to manage who has access to specific policies (by user or group), and who can install, download or get specific apps, without having to change JSS groups so much. We also use Papercut and authenticate users using OD, which allows us to get quotas and some more info. Since our OD is always up to date with the correct class and group information, it saves us a lot of work managing groups in JSS.
I do agree it adds a degree of complexity, but in our scenario it makes our life a lot easier.
Posted on 04-04-2014 06:42 AM
If you have modern Macs (10.7+), AD, and Casper, I'd move completely away from OD. Have done so at a number of clients.