Posted on 07-27-2016 06:11 AM
We have used Casper to manage our iPads for almost 1yr, and are now getting ready to add MacBooks. As we prepare for this we are weighing all options, and are curious about the experiences others have had.
Thanks
Posted on 07-27-2016 07:19 AM
Pro
- Single password for users' convenience
- Security - fired employee can't login to old account
- Password policies (change freq. and length, etc) enforced
Con
- One more thing to manage
- Password change headache (FV out of sync, off network change, keychain)
Posted on 07-27-2016 07:59 AM
I am full on the Pro side... I look at it like this
AD binding: old and busted. Config Profiles: new hotness... : )
With a change or decision like this, you are really just trading one set of issues for a different set of issues. I feel that in the long run, issues with Config Profiles are more likely to get resolved faster than AD issues...
Also Config Profiles should give your users an experience "more like" their personal Mac at home...
C
Posted on 07-27-2016 08:58 AM
If it's a laptop that is going to be used by a single user, we don't bind it to AD. (Because of all those password headaches that come later on, plus the administrative rights that do not initially come with the user logging in via an AD account. We give laptop single users admin rights.)
With computers that will be accessed by multiple users, we bind them to AD.
Posted on 07-27-2016 09:55 AM
Stay off AD and use Enterprise Connect from Apple. Many fewer headaches.
Posted on 07-27-2016 02:54 PM
At MacDeployment last month, @luisgiraldo did a presentation on Binding to AD. His first three slides:
why?
Why?
WHY?
You can see the full slide deck and notes on the 2016 Conference Resources page. He provided some nice alternatives. (Strangely enough, my employer is choosing to bind to AD.)
Posted on 07-27-2016 04:00 PM
We don't bind. The only thing you really gain is the single streamlined password. You can manage password policy via Casper + a script, and you can similarly lock a computer for a departed employee with a lock command. Essentially, if you're using Casper you can accomplish so much already without AD binding.
The advantage? Simplicity all around. Especially like how @tcandela said if it's just a single user on the computer, to me it makes much more sense to just use a local admin account.
Posted on 07-28-2016 03:15 AM
We bind our devices to AD simply for allowing access to shared drives and home directories. By enrolling in AD, rights are given to the user to access their specific folders; we then create network mounts for shared drives and run disable home sync to prevent their home directory from syncing with the device.
Other than shared drives and home folders nothing else is managed using AD.
Posted on 07-28-2016 05:51 AM
Binding is the preferred option where I am due to the use of smart cards for authentication. While it would be possible to attach smart cards to local user accounts, the process is programmatically quite painful.