Joining Mac to domain vs OKTA device trust

Tim-PA
New Contributor

Client I have was all Windows based, they have puchased a bunch of Mac and therefore I am now here. We just got Jamf purchased and portal setup but nothing else done yet. Have my two 4hr session calls setup with Jamf to get things rolling.

Q: From what I am being told and finding, people are not joining newer Mac's to a domain. looking for any thoughts on this and if there is any big reasons not to.

 

Q: With that said on not joining to the domain, this client is looking to restrict access to their company data to only company owned devices. So we were looking at restricting so only Domain joined computers can access the VPN and other tools. But if we don't join the Mac's to a domain then looking at other options.

OKTA: I have not looked into this but I know OKTA has a device trust feature. I am wondering if anyone has worked with that and if that could help with restricting so only devices that are linked to okta's device trust can access and therefor replacing the only domain joined computer's option we were originally thinking.

 

Thanks in advance!

3 REPLIES 3

joshd
New Contributor

Okta is moving away from Device Trust to Okta Identity Engine, so you'll want to take a look at that instead. Device Trust has some issues with newer Macs (Apple doesn't have python3 installed, so its up to you to deploy it and keep it up to date). Depending on their VPN software, several providers have checks to verify compliance before allowing access.

merps
Contributor III

We don't join the Macs to the domain, but we do issue certificates from the internal domain controller via SCEP. This allows VPN connectivity as the certificate comes from a trusted source.

Jamf also offers an ADCS Connector to deliver certs. You'll want to do some research on whether SCEP proxy or ADCS is the best route for your environment.

sdamiano
Contributor II

The biggest reason to not join macs to Active Directory is that macOS doesn't speak group policy, and the password synch mechanism isn't great. 

There are tools, like jamf connect, that allow you to synch IDP credentials to a machine. However, if you are using things like SCEP proxy, you have a modern password policy (no rotations unless of compromise/breach), you have a model in place to lock a machine when necessary (like via MDM), there isn't a good argument to join a computer to AD anymore. 

The built in SSO extension in macOS which is a bit of a misleading name does help synch kerberos tokens to the machine if thats necessary for the workflow that you have. This can be done in leu of AD binding.