Local user accounts or mobile/AD accounts?

SQR
New Contributor

We're going to be deploying Casper in our environment in the next few months, and to prepare I'm trying to figure out a few things to get a good slate of functionality going forward.
All users on Macs currently have local user accounts and are primarily managed by Apple Remote Desktop, and sometimes we work with Composer. So most things are manual or remoting in through there.

Is there an advantage to either or? Our implementation would be mainly self-service and policies. There are Macs on multiple subnets and this is a primarily Windows organization.

Trying to find the ideal solution, and it just seems that local would be easiest/nicer.

5 REPLIES

alexjdale
Valued Contributor III

Local is easiest, but least capable. Mobile brings more functionality such as SSO (if your intranet sites support it), and of course the ability to have passwords managed by a directory can be very handy (and is required by some security policies, to enforce password complexity/expiration). Managing access to network resources through AD is also a plus.

If security is not a strong requirement and Identity Management is not important, local accounts may be the right choice. Much lower complexity.

SQR
New Contributor

There may be some Macs that need to be bound to AD for this complexity, in changing departments, and with that comes access to different servers or printers.

But most of that may be solved through self service.

Michael_Meyers
Contributor

I'm at a school district and we use all AD accounts. If needed, you can add a policy to Self Service to cache credentials locally and make the users admins, especially if they take their Macs home. You can scope what users see in Self Service by AD credentials. The real advantage to Casper is setting up scoping by subnet or location, and sending out automated updates or installs without user interaction. But, either through automation or user management, the Casper Suite will allow you to work smarter instead of harder. ;)

SQR
New Contributor

Mike - does it make a difference if they're local or AD in the sense of scoping or installs?

For example, if they take their Macs with them... connect to our VPN and access our self service options there, or we can push stuff via VPN (probably not the most ideal), but is that workable?

alexjdale
Valued Contributor III

For Self Service scoping, it has to be an AD account or an account on the JSS.

That said, they can log in with a local account and use their AD account for Self Service and that works fine; it absolutely does not matter what account is logged into the system, just who logs into Self Service.