I'm integrating Jamf at my company and I'm looking to move to local accounts on all the Macs.
At the moment we use domain accounts for connecting users on their Macs.
I'm looking for a solution to use LOCAL accounts but keep the password synced with the AD password as MASTER.
When a user calls our hotline for a missing password (usually after holiday 🙂 ) the technical support changes the password directly in Active Directory; at the moment, if the Mac is connected in the company building, the user can connect with the new password.
The two solutions I know of are NoMAD and the Kerberos SSO Extension, but it looks like the master password is the local password. So if we need to change a user's password in our Active Directory I think the session password is not going to change.
Do you know of any solution to stop using mobile accounts while keeping the password synced with the AD password as the master password? I think the solution has to work with a closed session.
You'll want to look at products like NoMAD or Jamf Connect for this. There is/was also Enterprise Connect from Apple, but I don't really know the state of that product anymore, since Apple is beginning to integrate some pieces of what that did into the OS now.
At the time of introduction Enterprise Connect wasn't really free, as in you had to agree to have Apple engineers come on site and help with the setup and deployment, which if my memory serves, was around a $5k one time fee. Again, I have no idea what's happening with it now, especially since on site service engagements likely aren't taking place amid a pandemic.
I have experience with NoMAD specifically, which is still free to use, as long as you feel you don't need their support plan. It works well to keep local accounts and their respective AD passwords in sync. There is a little "know-how" in terms of setting it up, with the correct Config Profile deployed and so on. I would take a look at the page for it here: https://nomad.menu/products/#nomad
Also, they have a full list of the plist keys that can help manage how it operates listed here: https://nomad.menu/help/preferences-and-what-they-do/
I've just been testing Apple's Single Sign-on Kerberos extension yesterday, which is now built into 10.15.
You can find instructions for setting it up here:
Apple Kerberos SSO PDF
It replaces Enterprise Connect and is free/built into the OS.
You just need to set up a configuration profile in Jamf & deploy it to a machine for testing.
It keeps the AD account and local account passwords in sync, with the AD password being the master.
The whole point is that the user changes the password themselves. IT doesn't do it. If they have VPN access into your network, they can change their AD password from their desktop using this extension. It grants them a Kerberos ticket. The machine doesn't have to be bound to AD any more.
There's a WWDC 2020 video on it here:
WWDC 2020 Video
Using Apple's Kerberos extension:
Allows the Mac to get a Kerberos ticket-granting ticket (TGT).
Grants access to directory resources, like servers and printers.
Keeps local accounts' passwords synced with the counterpart account in the directory service and complies with the organization's password complexity rules.
Where a Mac would need to be bound:
When traversing Distributed File Systems
When using the AD Certificate Payload via MDM
Notes from the video
You'll need the plist options below to import into the Configuration Profile in Jamf.
It's at the bottom where it says "drag a file here or browse for file".

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>pwNotificationDays</key>
        <integer>15</integer>
        <key>requireUserPresence</key>
        <false/>
        <key>allowAutomaticLogin</key>
        <true/>
        <key>syncLocalPassword</key>
        <true/>
        <key>useSiteAutoDiscovery</key>
        <true/>
        <key>isDefaultRealm</key>
        <false/>
        <key>pwReqComplexity</key>
        <true/>
    </dict>
    </plist>
I don't know what will happen if you change the AD password while the user is offline. I have not tested that.
I forgot to say - the missing piece of the puzzle regarding local account creation.
If you have an LDAP server integrated with your Jamf server either directly or via a JIM instance, when your devices are going through Automated Device Enrollment in a 1 to 1 deployment, you can create a customized enrollment pane that requests the user authenticate with their LDAP credentials. This will pull their AD account info into the Jamf machine record and also prepopulate the local user account Full Name and Username with their AD details. You can lock these details (in the PreStage enrollment, account creation section) to stop them from being changed by the user. Advise the user to use their AD password as their local user account password during setup. Even if they don't comply and use a different password, the SSO Kerberos extension will sync the two to match their AD password once they get logged in to the local account and sign in to AD using the extension.
My question with all of this is: can we piggyback on the JIM to help with remote devices and password syncing using the built-in Enterprise Connect features? It seems a shame that only Jamf Connect is allowed to use the JIM for this purpose, and it's also quite unaffordable for our district (especially with the cost of our Jamf Cloud subscription).
I'd love a way to build on the JIM to leverage Kerberos authentication/password sync enforcement since we know it uses that for the automated device enrollment piece. Perhaps we can backward engineer it from how it establishes the authentication connection for Automated Device Enrollment lookups.
Princeton Public Schools
@gshackney What Apple have just done is to provide native support in their technology stack for what NoMad does. (On prem AD only, 10.15+). Unfortunately they haven't released an SSO Extension for cloud IDPs (yet). Currently enabling Jamf SSO gives you SSO into the server, self service and authentication during Automated Device enrolment.
I could be wrong but no one (including Apple) has released an SSO extension for IDP (yet).
I know Microsoft are working on an SSO extension for Company portal for the mac.
We'll just have to wait and see.
All I'm saying is the ability for authentication over a cloud IDP is already there, considering I'm already doing that for Automated Device Enrollment user sign-in and lookups using the JIM. I just want to apply the same programming logic when I'm not calling the ADE sign-in. In theory we should be able to piggyback on the JIM whenever we make a Kerberos call just like Jamf Connect does. I just want a free solution; hopefully Apple will continue to build onto it, but maybe, just maybe, someone here is smart enough to figure it out...lol. Here's to hoping...
Princeton Public Schools
It is also critical to escrow FileVault recovery keys for this workflow.
If a user cannot log into their local account or unlock FileVault, provide them with the escrowed FileVault recovery key.
They can then reset their local account password and log into the Mac. Then sign into Kerberos SSO with their AD credentials. This may have already been reset by the help desk.
At that point Kerberos SSO will resync the local password to the AD password.