Proof for Unbound Macs?

jpsalamat
New Contributor II

The company I work for currently uses Centrify to bind Macs to our domain. We have experienced the login issues with mobile AD accounts over several years and are looking to move away from AD-joined Macs with hope to resolve these issues. However, our security Director is not convinced. Is there documentation out there that lays out the issues with AD-binding and why we shouldn't bind going forward? What about the root cause for the issues?

I could never find the root cause for multiple users randomly not being able to log into their MBPs when remote. The workaround is to get them into the office and hardwired to the LAN, which is only going to get more difficult going forward in 2020-21.


psliequ
Contributor III

WWDC Session on Enterprise Identity
It’s all good but they go into your concern about 33 minutes in.

wmehilos
Contributor

If I were you I'd ask your Security Director exactly what they want and exactly what they think they are getting out of a macOS AD Bind. Typically, it'll just be password sync, which Catalina can do out of the box with just a config profile, Mojave and earlier get that with NoMAD and a config profile. If you need certs and stuff there are options for that too.

Biggest loss to the security folks is usually logging for login/logout/failed events, which so far as I know there isn't one single super great replacement, but if they use a SIEM service that can forward the logs. I'm currently testing some launch daemons that copy a log stream of login/logout events from the unified logging system out to a text file that Splunk can eat.

They'll have to decide whether easy peasy logging is a greater need than keeping employees off of company property during a pandemic, and whether it's worth the constant headaches and achingly slow login times and FileVault shenanigans that mobile accounts usually bring to the table.
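The launch-daemon approach described above (stream loginwindow events out of the unified log into a text file a SIEM can pick up) as an added example; this is not code from the thread or from any poster. The daemon label, the output path under /var/log, and the sample log lines are all constructed assumptions; on a real Mac the feed comes from `/usr/bin/log stream` rather than the embedded sample.

```shell
#!/bin/sh
# Added example, not from the thread. Two pieces:
#   1. write_launchdaemon_plist: a LaunchDaemon that runs
#      `log stream --style syslog --predicate 'process == "loginwindow"'`
#      and writes its stdout to a flat file a SIEM forwarder can tail.
#   2. normalize_login_events: turns syslog-style unified-log lines into
#      one tab-separated record per login/logout/failed event, dropping noise.

# Writes the LaunchDaemon plist to the path given as $1.
# Label and output path are assumptions, not values from the thread.
write_launchdaemon_plist() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.loginwindow-log</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/log</string>
    <string>stream</string>
    <string>--style</string>
    <string>syslog</string>
    <string>--predicate</string>
    <string>process == "loginwindow"</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>KeepAlive</key>
  <true/>
  <key>StandardOutPath</key>
  <string>/var/log/loginwindow-events.log</string>
</dict>
</plist>
EOF
}

# Reads syslog-style lines on stdin ("date time host process[pid]: message").
# Keeps only loginwindow lines whose message mentions login, logout or a
# failure, and emits: "<date time>\t<host>\t<process[pid]:>\t<message>".
normalize_login_events() {
  awk '
    $4 ~ /^loginwindow\[[0-9]+\]:$/ {
      msg = ""
      for (i = 5; i <= NF; i++) msg = msg (i > 5 ? " " : "") $i
      if (tolower(msg) ~ /login|logout|fail/) {
        printf "%s %s\t%s\t%s\t%s\n", $1, $2, $3, $4, msg
      }
    }'
}

# Constructed sample input (not real loginwindow output): three events that
# should survive, one unrelated process line and one loginwindow line
# without an interesting keyword that should both be dropped.
SAMPLE_LOG='2020-06-01 09:12:03.000000-0500 mbp-01 loginwindow[141]: login succeeded for user jdoe
2020-06-01 09:12:07.000000-0500 mbp-01 syslogd[55]: ASL Sender Statistics
2020-06-01 12:40:11.000000-0500 mbp-01 loginwindow[141]: authentication failed for user jdoe
2020-06-01 12:41:00.000000-0500 mbp-01 loginwindow[141]: screen saver stopped
2020-06-01 17:02:45.000000-0500 mbp-01 loginwindow[141]: logout initiated for user jdoe'

# Number of records the normalizer produces from the sample.
count_sample_events() {
  printf '%s\n' "$SAMPLE_LOG" | normalize_login_events | awk 'END { print NR }'
}

# Stand-alone run: show the normalized sample and write the plist to a
# scratch path (install it under /Library/LaunchDaemons on a real Mac).
printf '%s\n' "$SAMPLE_LOG" | normalize_login_events
write_launchdaemon_plist "${1:-/tmp/com.example.loginwindow-log.plist}"
```

The predicate only narrows on `process == "loginwindow"`; the awk keyword filter is where the noise is cut, so tune that regex against what your own Macs actually emit before pointing Splunk at the file.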

Ke_ReM
New Contributor III

Care to elaborate on this Catalina out of the box method you mention?


I have AD-bound Macs and if there was a better way to achieve password sync with Catalina, I certainly would like to know more about it. Access to network drives is certainly also a requirement still for us although we are pushing staff to utilise cloud-based solutions such as SharePoint and OneDrive much more, but it's a slow process and instant adoption never happens. If the devices were not bound to AD, I guess once on the network via VPN they could still mount SMB drives and would just need to enter credentials, whereas AD-bound devices can auto mount via the logged-in credentials.
I would happily forfeit that small luxury in place of better password syncing if there is a method without binding to AD.

talkingmoose
Moderator

AD-bound Macs are going to get you very little in today's remote world where they won't be able to communicate with a domain controller at login. To allow users to log in while off network, they must use mobile accounts. That means changing their password in AD won't be effective to prevent them from logging in. That's the only "security" reason I can see for requiring binding.

Rather than convincing your security director that binding isn't needed, find out what he or she is expecting to accomplish with binding and see if those needs still apply today. Can you offer alternatives that would allow you to not bind?

tlarkin
Honored Contributor

What does being bound to AD get you?

  • Kerberos ticket
  • joined to a domain network

Every other thing AD offers can be done without AD on a Mac, and actually the same with Windows 10 and Intune (AAD joined is not AD joined, but that's a whole different discussion). Domain networks are also slowly going away and orgs are looking more and more toward a zero-trust type of network. You will want to separate the endpoint from the services these days. No one thinks that auto mounting file shares on a domain network is a good security practice anymore. Especially with the rise of crypto viruses. You are allowing any malicious thing direct access to a network share with this model. Whereas if you went with web/cloud-based storage, you completely mitigate this issue. You also separate the endpoint from the service. With cloud/web-based file sharing tools (Box, Dropbox, G-Drive, etc.) you can set RBAC (role-based access controls), require authentication, require 2FA or MFA as well. All of this is inherently more secure than a domain network.

So, really, what does joining to AD even get you security wise? I would say it actually harms your security posture.

Ke_ReM
New Contributor III

Current usage for AD binding                Replacement method
------------------------------------------  ---------------------------------------------------------------------------
AD mobile user account creation on device   Jamf-pushed mobile user account
SMB network drive/printer mapping           Jamf-pushed manual mapping
Password sync (when it works)               User AD password sync/reset via O365 Admin + Jamf recovery key (if needed)
Device password 90-day change enforcement   Jamf scripted / O365 enforced (?)