Posted on 11-06-2017 06:19 AM
Hi, we are in the process of taking over a primary school and already have our school linked to Jamf Pro via Active Directory (AD), and I'm wondering whether we can simply just add another AD server to our JAMF Pro for authentication. At present our server is internal, BUT we do have a DMZ server set up for outside-of-school connections/access.
Is it feasible, and has anyone done this? If so, how?
Thanks.
Posted on 11-06-2017 06:45 AM
Basically, if I add another Active Directory server here, would it overwrite our existing school one? Or would it now look at both AD servers for authenticating users when enrolling iPads?
Posted on 11-06-2017 07:07 AM
It would use both. It would start searching in the one with the lower JSS ID, as shown in the JSS URL when in the object, essentially always prioritizing the one that was created first. Some orgs use this logic if they have a really large directory and actually add the same AD multiple times: first with the main OU they plan to search, and then adding it again with the full or larger OU, so that it searches one specific OU first prior to moving on to the entire domain.
Posted on 11-06-2017 11:48 AM
Similar, but different...
An org I worked with had scoped their LDAP connection to a particular OU and I needed to add an account from another OU.
I added another LDAP connection to the other OU where the desired account resided and I was able to add it.
It took me more time to figure out why I couldn't add the desired account to begin with... I hadn't realized they had restricted the scope to that one OU.
I suspect adding two different LDAP domains will work similarly... although beware of issues that may arise if there are duplicate account names in both directories!
g=
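The search-order behaviour described in the accepted answer (the server with the lower JSS ID answers first) together with the OU-scoping and duplicate-account-name points raised in the reply above, modelled as an added Python example. This is not Jamf's code and not something either poster wrote: it does not talk to a real directory, the server IDs, search bases, domains and account names are all constructed, and the "lowest ID wins" ordering is simply the rule the answer states. The duplicate check is the pre-check an admin would want to run before adding a second directory, since a name present in both means the lower-ID server silently wins authentication.

```python
"""Model of a multi-server LDAP lookup searched in ascending server-ID order,
with an OU-scope check and a duplicate-username pre-check.

Constructed data only; this is NOT Jamf Pro code and performs no network I/O.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LdapServer:
    jss_id: int              # numeric ID shown in the server object's URL (assumed ordering key)
    name: str
    search_base: str         # the OU/DN the connection is scoped to
    # constructed directory contents: account name -> full DN
    users: dict = field(default_factory=dict)


def _normalise_dn(dn: str) -> str:
    return dn.lower().replace(", ", ",")


def _dn_under_base(dn: str, base: str) -> bool:
    """True if `dn` sits at or below `base`.  Simple suffix comparison on
    normalised DNs; a real LDAP server does this scoping itself."""
    dn_l, base_l = _normalise_dn(dn), _normalise_dn(base)
    return dn_l == base_l or dn_l.endswith("," + base_l)


def lookup_user(servers: list[LdapServer], username: str) -> Optional[tuple[int, str]]:
    """Return (jss_id, dn) from the FIRST server, in ascending ID order, whose
    scoped search base contains the account; None if no server matches."""
    for server in sorted(servers, key=lambda s: s.jss_id):
        dn = server.users.get(username.lower())
        if dn is not None and _dn_under_base(dn, server.search_base):
            return server.jss_id, dn
    return None


def find_duplicate_usernames(servers: list[LdapServer]) -> dict[str, list[int]]:
    """Account names that resolve (within scope) on more than one server,
    mapped to the sorted server IDs that would answer for them."""
    seen: dict[str, list[int]] = {}
    for server in servers:
        for username, dn in server.users.items():
            if _dn_under_base(dn, server.search_base):
                seen.setdefault(username, []).append(server.jss_id)
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) > 1}


# --- constructed sample data (hypothetical domains and accounts) -----------
STAFF = LdapServer(
    jss_id=1, name="staff-ad", search_base="ou=Staff,dc=school,dc=example",
    users={
        "jsmith": "cn=J Smith,ou=Staff,dc=school,dc=example",
        "admin1": "cn=Admin One,ou=Staff,dc=school,dc=example",
        # exists in the directory but OUTSIDE the scoped OU, so never found
        "lsmith": "cn=L Smith,ou=Contractors,dc=school,dc=example",
    },
)
STUDENTS = LdapServer(
    jss_id=2, name="student-ad", search_base="dc=primary,dc=example",
    users={
        "jsmith": "cn=Jo Smith,ou=Year6,dc=primary,dc=example",  # collides with staff
        "pupil9": "cn=Pupil Nine,ou=Year3,dc=primary,dc=example",
    },
)
SERVERS = [STUDENTS, STAFF]  # deliberately listed out of ID order


if __name__ == "__main__":
    for name in ("jsmith", "pupil9", "lsmith"):
        print(f"{name:>8} -> {lookup_user(SERVERS, name)}")
    print("duplicates:", find_duplicate_usernames(SERVERS))
```

Running it shows "jsmith" resolving to the staff server even though the student entry is also valid, "lsmith" not resolving at all because the account sits outside the scoped OU (the situation described in the reply above), and the duplicate report naming the one colliding account.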
Posted on 11-07-2017 06:05 AM
Thanks for the responses. I'm really just waiting on JAMF to say "yes, it won't break what you've got set up", but with this information I think I may try/test it out, Sterritt. As for duplicates, we have different naming conventions for the AD accounts (or will have).
Posted on 11-07-2017 08:52 AM
You can absolutely add two. We have both a staff and a student domain set up slightly differently and it's worked fine for many years.
Posted on 11-08-2017 03:00 AM
Thanks, people, for your replies. I've set it up and it's working.