macOS 10.15 password Sync active directory

hallfire
New Contributor II

Hello everyone.

I'm integrating Jamf at my company and I'm looking to move to local accounts on all the Macs.

At the moment we are using domain accounts to connect users on their Macs.

I'm looking for a solution to use LOCAL accounts but keep the password in sync, with the AD password as MASTER.

When a user calls our hotline about a missing password (usually after holiday :) ), technical support changes the password directly in Active Directory. At the moment, if the Mac is connected in the company building, the user can connect with the new password.

The two solutions I know are NoMAD and the Kerberos SSO Extension, but it looks like the master password is the local password. So if we need to change a user's password in our Active Directory, I think the session password is not going to change.

Do you know any solution to stop using mobile accounts but keep the password in sync, with the AD password as the master password? I think the solution has to work with a closed session.

12 REPLIES 12

mm2270
Legendary Contributor III

You'll want to look at products like NoMAD or Jamf Connect for this. There is/was also Enterprise Connect from Apple, but I don't really know the state of that product anymore, since Apple is beginning to integrate some pieces of what that did into the OS now.
At the time of introduction Enterprise Connect wasn't really free, as in you had to agree to have Apple engineers come on site and help with the setup and deployment, which if my memory serves, was around a $5k one time fee. Again, I have no idea what's happening with it now, especially since on site service engagements likely aren't taking place amid a pandemic.

I have experience with NoMAD specifically, which is still free to use, as long as you feel you don't need their support plan. It works well to keep local accounts and their respective AD passwords in sync. There is a little "know-how" in terms of setting it up, with the correct Config Profile deployed and so on. I would take a look at the page for it here: https://nomad.menu/products/#nomad
Also, they have a full list of the plist keys that can help manage how it operates listed here: https://nomad.menu/help/preferences-and-what-they-do/

hallfire
New Contributor II

Does NoMAD work when the user is not logged on to the computer if we change the password on the AD side?

snowfox
Contributor III

I've just been testing Apple's Single Sign-on Kerberos extension yesterday which is now built into 10.15
You can find instructions for setting it up here:
Apple Kerberos SSO PDF

It replaces enterprise connect and is free/built into the OS
You just need to set up a configuration profile in Jamf & deploy it to a machine for testing.

It keeps the AD account and local account passwords in sync with the AD password being the master.
The whole point is that the user changes the password themselves. IT doesn't do it. If they have VPN access into your network, they can change their AD password from their desktop using this extension. It grants them a Kerberos ticket. The machine doesn't have to be bound to AD any more.

There's a WWDC 2020 video on it here:
WWDC 2020 Video

Using Apple's Kerberos extension:

Allows Mac to get a Kerberos ticket-granting-ticket (TGT).
Grants access to directory resources, like servers and printers.
Keep local accounts' passwords synced with counterpart account in directory service and comply with organizations' password complexity rules.

Where a Mac would need to be bound:

When traversing Distributed File Systems
When using the AD Certificate Payload via MDM
Notes from the video

You'll need the below plist code options to import into the Configuration Profile in Jamf.
It's at the bottom where it says drag a file here or browse for file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>pwNotificationDays</key><integer>15</integer>
    <key>requireUserPresence</key><false/>
    <key>allowAutomaticLogin</key><true/>
    <key>syncLocalPassword</key><true/>
    <key>useSiteAutoDiscovery</key><true/>
    <key>isDefaultRealm</key><false/>
    <key>pwReqComplexity</key><true/>
</dict>
</plist>

I don't know what will happen if you change the AD password while the user is offline. I have not tested that.
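
An added example, not part of the post above and not Apple or Jamf tooling: a small Python check that parses the posted ExtensionData plist before it is uploaded to a Configuration Profile, catching wrongly typed values and reporting settings that conflict with the thread's goal. The `audit` function and its policy (AD password as master, keychain-saved password gated by user presence) are assumptions of this example.

```python
import plistlib

# ExtensionData exactly as posted in the thread, embedded so the check runs offline.
POSTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>pwNotificationDays</key><integer>15</integer>
    <key>requireUserPresence</key><false/>
    <key>allowAutomaticLogin</key><true/>
    <key>syncLocalPassword</key><true/>
    <key>useSiteAutoDiscovery</key><true/>
    <key>isDefaultRealm</key><false/>
    <key>pwReqComplexity</key><true/>
</dict>
</plist>"""

# Expected type per key; <string>true</string> instead of <true/> is an easy typo.
TYPES = {k: bool for k in ("requireUserPresence", "allowAutomaticLogin",
                           "syncLocalPassword", "useSiteAutoDiscovery",
                           "isDefaultRealm", "pwReqComplexity")}
TYPES["pwNotificationDays"] = int


def audit(plist_bytes):
    """Return a list of findings for a Kerberos SSO ExtensionData plist."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for key, value in data.items():
        expected = TYPES.get(key)
        if expected is None:
            findings.append(f"{key}: not a key from the posted plist, confirm it in Apple's documentation")
        elif type(value) is not expected:  # bool subclasses int, so compare types exactly
            findings.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    # Assumed policy: the AD password must overwrite the local account password.
    if data.get("syncLocalPassword") is not True:
        findings.append("syncLocalPassword: not true, local password will not follow AD")
    # Assumed policy: a password saved to the keychain (allowAutomaticLogin)
    # should need Touch ID or the account password before it is used.
    if data.get("allowAutomaticLogin") is True and data.get("requireUserPresence") is not True:
        findings.append("requireUserPresence: false while allowAutomaticLogin keeps the password in the keychain")
    return findings


if __name__ == "__main__":
    for line in audit(POSTED):
        print(line)
```
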

snowfox
Contributor III

Big Sur 11.0 will allow you to customize the sign in window that pops up. Currently you can't in 10.15

snowfox
Contributor III

I forgot to say - the missing piece of the puzzle regarding local account creation.

If you have an LDAP server integrated with your Jamf server either directly or via a JIM instance, when your devices are going through Automated Device Enrollment in a 1 to 1 deployment, you can create a customized enrollment pane that requests the user authenticate with their LDAP credentials. This will pull their AD account info into the Jamf machine record and also prepopulate the local user account Full Name and Username with their AD details. You can lock these details (in the prestage enrollment, account creation section) to stop them from being changed by the user. Advise the user to use their AD password as their local user account password during setup. Even if they don't comply and use a different password, the SSO Kerberos extension will sync the two to match their AD password once they get logged in to the local account and sign in to AD using the extension.

snowfox
Contributor III

It will look something like this during ADE. All aspects of the window are customizable including the image at the top.


GabeShack
Valued Contributor III

My question with all of this is, can we piggyback on the JIM to help with remote devices and password syncing using the built-in Enterprise Connect features? It seems a shame that only Jamf Connect is allowed to use the JIM for this purpose, and it's also quite unaffordable for our district (especially with the cost of our Jamf Cloud subscription).

I'd love a way to build on the JIM to leverage Kerberos authentication/password sync enforcement since we know it uses that for the automated device enrollment piece. Perhaps we can backward engineer it from how it establishes the authentication connection for Automated Device Enrollment lookups.

Gabe Shackney
Princeton Public Schools


snowfox
Contributor III

@gshackney What Apple have just done is to provide native support in their technology stack for what NoMad does. (On prem AD only, 10.15+). Unfortunately they haven't released an SSO Extension for cloud IDPs (yet). Currently enabling Jamf SSO gives you SSO into the server, self service and authentication during Automated Device enrolment.

I could be wrong but no one (including Apple) has released an SSO extension for IDP (yet).
I know Microsoft are working on an SSO extension for Company portal for the mac.

We'll just have to wait and see.

GabeShack
Valued Contributor III

All I'm saying is the ability for authentication over Cloud IDP is already there considering I'm already doing that for Automated Device Enrollment user sign in and look ups using the JIM. I just want to apply the same programming logic when I'm not calling the ADE sign in. In theory we should be able to piggyback on the JIM whenever we make a Kerberos call just like Jamf Connect does. I just want a free solution, hopefully Apple will continue to build onto it, but maybe, just maybe someone here is smart enough to figure it out...lol. Here's to hoping...

Gabe Shackney
Princeton Public Schools


ericbenfer
Contributor III

It is also critical to escrow FileVault recovery keys for this workflow.
If a user cannot log into their local account or unlock FileVault provide them with the escrowed FileVault recovery key.
They can then reset their local account password and log into the Mac. Then sign into Kerberos SSO with their AD credentials. This may have already been reset by the help desk.
At that point Kerberos SSO will resync the local password to the AD password.

maiksanftenberg
Contributor II

@snowfox you have any Info how this can be used in a DEP scenario? I'm very curious.

spotmac
New Contributor III

@maik.sanftenberg if I have time I will give you some insight into our DEP implementation with Kerberos SSO.