Pros and Cons of binding to AD? Specific challenges?

mrmiller
New Contributor III

We have used Casper to manage our iPads for almost 1yr, and are now getting ready to add MacBooks. As we prepare for this we are weighing all options, and are curious about the experiences others have had.

Thanks


thoule
Valued Contributor II

Pro
- Single password, for users' convenience
- Security: a fired employee can't log in to their old account
- Password policies (change frequency, length, etc.) enforced

Con
- One more thing to manage
- Password change headaches (FV out of sync, off-network changes, keychain)
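
Since "one more thing to manage" applies to the bind itself, the following is an added example (not code from this thread) of a Jamf extension-attribute style script that reports whether a Mac is currently bound and to which domain, by parsing the output of `dsconfigad -show`. The sample output embedded at the bottom is constructed for local testing; on a real Mac the script reads the live command.

```shell
#!/bin/bash
# Added example: report AD bind state for inventory (Jamf extension-attribute style).
# Assumes macOS with dsconfigad available; falls back to "Not bound" elsewhere.

# Extract the domain from the "Active Directory Domain = ..." line of dsconfigad -show.
# $1 is the full text of the command output; prints the domain or nothing.
ad_domain_from_show() {
    printf '%s\n' "$1" | awk -F' = ' '/Active Directory Domain/ {print $2; exit}'
}

# Turn the parsed domain into a single inventory value:
# "Bound:<domain>" when a domain was found, otherwise "Not bound".
bind_status() {
    local domain
    domain=$(ad_domain_from_show "$1")
    if [ -n "$domain" ]; then
        printf 'Bound:%s\n' "$domain"
    else
        printf 'Not bound\n'
    fi
}

# Top-level entry point: query the live system and wrap the result in the
# <result> tags that a Jamf extension attribute expects.
main() {
    local show=""
    if command -v dsconfigad >/dev/null 2>&1; then
        show=$(dsconfigad -show 2>/dev/null)
    fi
    printf '<result>%s</result>\n' "$(bind_status "$show")"
}

# Constructed sample of dsconfigad -show output (domain name is a placeholder),
# kept here so the parsing functions can be exercised without a bound Mac.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-01$'

main "$@"
```

A smart group built on this attribute (for example, "Bound" laptops that the single-user policy says should not be bound) is a cheap way to catch drift without touching the Macs directly.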

gachowski
Valued Contributor II

I am full on the Pro side... I look at it like this

AD binding old and busted Config Profiles new hotness... : )

With a change or decision like this you are really just trading one set of issues for a different set of issues. I feel that in the long run Config Profile issues are more likely to get resolved faster than AD issues...

Also Config Profiles should give your users an experience "more like" their personal Mac at home...

C

tcandela
Valued Contributor II

If it's a laptop that is going to be used by a single user, we don't bind it to AD (because of all those password headaches that come later on, plus the administrative rights that do not initially come with the user logging in via an AD account. We give laptop single users admin rights.)

With computers that will be accessed by multiple users, we bind them to AD.

iJake
Valued Contributor

Stay off AD and use Enterprise Connect from Apple. Many fewer headaches.

iaml
New Contributor II

At MacDeployment last month, @luisgiraldo did a presentation on Binding to AD. His first three slides:
why?
Why?
WHY?

You can see the full slide deck and notes on the 2016 Conference Resources page. He provided some nice alternatives. (Strangely enough, my employer is choosing to bind to AD.)

jkuo
Contributor

We don't bind. The only thing you really gain is the single streamlined password. You can manage password policy via Casper + a script, and you can similarly lock a computer for a departed employee with a lock command. Essentially, if you're using Casper you can accomplish so much already without AD binding.

The advantage? Simplicity all around. Especially, like @tcandela said, if it's just a single user on the computer, to me it makes much more sense to just use a local admin account.
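
For the "password policy via Casper + a script" route mentioned above, here is an added example (not from this thread) that builds a local account-policy plist for a named user and applies it with `pwpolicy -setaccountpolicies`. The policy expressions follow the format documented in the macOS `pwpolicy` man page; the minimum length and expiry interval are parameters, and the user name used in the usage line is a placeholder.

```shell
#!/bin/bash
# Added example: enforce a local password policy (minimum length + expiry)
# on a non-AD Mac with pwpolicy. Assumes macOS; the apply step is skipped elsewhere.

# Print an account-policy plist.
# $1 = minimum password length, $2 = expiry in days.
policy_plist() {
    local min_len="$1" days="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{${min_len},}+'</string>
      <key>policyIdentifier</key>
      <string>Minimum of ${min_len} characters</string>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Change password every ${days} days</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>${days}</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Write the plist to a temp file and apply it to the given local user.
# $1 = user name, $2 = min length, $3 = expiry days. Returns 0 on success,
# 2 when pwpolicy is not available (e.g. when run off macOS).
apply_policy() {
    local user="$1" min_len="$2" days="$3" tmp
    command -v pwpolicy >/dev/null 2>&1 || return 2
    tmp=$(mktemp)
    policy_plist "$min_len" "$days" > "$tmp"
    pwpolicy -u "$user" -setaccountpolicies "$tmp"
    local rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage from a Casper/Jamf policy (user name is a placeholder):
#   apply_policy "localadmin" 12 90
```

Running it through a Jamf policy gives you the "password policies enforced" pro without the bind; the trade-off is that nothing expires or locks the account centrally, so pair it with an inventory check and the lock command for departures.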

mradams
Contributor

We bind our devices to AD simply to allow access to shared drives and home directories. By enrolling in AD, rights are given to the user to access their specific folders; we then create network mounts for shared drives and disable home sync to prevent their home directory from syncing with the device.

Other than shared drives and home folders nothing else is managed using AD.

franton
Valued Contributor III

Binding is the preferred option where I am due to the use of smart cards for authentication. While it would be possible to attach smart cards to local user accounts, the process is programmatically quite painful.