Joining AD from outside network

ooshnoo
Valued Contributor

Yo..

Does anyone have any experience, pointers, ideas, etc. on how a Mac can join AD when the Mac is outside our network, like a home user?

We're intending to leverage DEP for external enrollment, yet each Mac will need a computer cert for VPN access, and we can't get that cert without the computer being joined to AD. Could it be as easy as a config profile?

Somebody? Anybody?

-A


davidacland
Honored Contributor II

Technically it's easy: just open up the relevant ports and use a profile, or a standard Casper AD bind.

Security is another question. To get it to work you would really need to open up your domain controller(s) to a wide range of potential Internet addresses, which would be a bad idea.

Personally, I would try to work out a different workflow / process to get to where you need. I would probably start with the VPN element and see if you can get some kind of secure, but temporary, VPN going without certs initially for the AD bind.

AD, certificates, enterprise VPN and WiFi are all areas where DEP can fall down, unfortunately. I'm still a big fan, but in a lot of cases it's not quite as straightforward to implement as it first appears.
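As an added example (not code from anyone in this thread): before attempting a bind from a remote Mac, it is worth confirming that the domain controller ports an AD bind depends on are actually reachable over whatever temporary VPN you stand up, rather than exposing them to the Internet. The port list below is an assumption based on the standard AD/Kerberos/LDAP set (check it against your own domain), and the domain controller host name is a placeholder.

```python
"""Preflight check: can this Mac reach the ports an Active Directory bind needs?

Added example for this thread, not from the original posts. Run it over the VPN
before `dsconfigad`; if anything is blocked, the bind will fail or half-succeed.
"""
import socket

# Assumed port set for a macOS AD bind and subsequent logins (TCP only; NTP/UDP
# is deliberately left out because a TCP probe cannot test it).
AD_BIND_PORTS = {
    53: "DNS (locating the domain and its DCs)",
    88: "Kerberos",
    389: "LDAP",
    445: "SMB (network home folders, sysvol)",
    464: "Kerberos password change",
    3268: "Global Catalog LDAP",
}


def port_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, DNS failure
        return False


def preflight(host, ports=None, timeout=2.0):
    """Probe every port in `ports` (default AD_BIND_PORTS); return {port: reachable}."""
    ports = AD_BIND_PORTS if ports is None else ports
    return {p: port_reachable(host, p, timeout) for p in ports}


def missing_ports(results, ports=None):
    """Return [(port, purpose)] for the ports that were not reachable, lowest first."""
    ports = AD_BIND_PORTS if ports is None else ports
    return [(p, ports[p]) for p, ok in sorted(results.items()) if not ok]


def local_listener():
    """Open a listening socket on a free loopback port (used to self-test the probe offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    dc = "dc01.corp.example.com"  # placeholder domain controller
    results = preflight(dc)
    blocked = missing_ports(results)
    for port, purpose in blocked:
        print(f"BLOCKED {port:>5}  {purpose}")
    if not blocked:
        print("All bind ports reachable; the AD bind (dsconfigad) should be able to proceed.")
```

The probe only answers "is the port open from here"; it says nothing about whether the firewall rule that made it open is scoped to the VPN pool or to the whole Internet, which is the part davidacland is warning about.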

wdpickle
Contributor

We require our users to sign into the MacBooks (school district owned) when they pick them up inside the district. If they choose to go home first we let them come back to the inside to log in. Opening our AD to the outside world is a risk we are not going to take.

mm2270
Legendary Contributor III

Yeah, as has been mentioned, other than opening up your domain controllers to the outside world, which is kind of crazy, there aren't many options.
I love the idea behind DEP, but unfortunately, it was not really designed with the enterprise in mind, or I should say, not designed for enterprises that require users to log into directory level accounts. There is no way for a user receiving a new Mac enrolled into DEP that is setting it up from home to log into an AD account on their Mac, since AD join has to happen first, and for that to happen the Mac must be in range of your domain controllers. All conditions which are extremely unlikely to happen when someone is sitting on their couch at home with a brand new Mac.
So what happens in that case? They set up a local account, which is far less than ideal. Some of our users set up local admin accounts on their Macs after the fact, since we don't block anyone from doing that, but we don't want users creating and logging into a local account from the get-go! This goes completely against everything we're trying to maintain.

We have a different and custom setup process that works around these complications, but DEP would not fit well with the process we have. For now, we aren't going to be using DEP, and frankly, we may never be able to, since a large number of users getting Macs work from home.