SAP and SSO and mac

Contributor II

Does anyone have knowledge about SAP and single sign-on on a Mac running with NoMAD and not bound to AD?

Is it possible, or has anyone tried this setup?


Contributor II

I could also use info on that, if that is possible?

Contributor III

If you are using SPNEGO authentication, you must bind. You can still bind and use local accounts as long as they have the same username, in my experience with this. SAP on Mac is kinda spotty and our devs refuse to support it, so I get some awkward requests from execs... That said, once you understand the need for bind (and local accounts with the same name), it resolves a lot of headaches.
My workflow for SAP Macs is as follows:
Mac enrolls via DEP, NoMAD Login creates a local account based on AD object on first login
Machine is not bound
SAP policy available in Self Service contains a domain bind profile

This gives you the best of both worlds when using the tiny number of applications that rely on bind.

New Contributor II

I have the same setup as @hdsreid
NoMAD Login (creates local account), user logs in
Self Service policy - package that binds Mac to domain
NoMAD handles password changes and syncs domain and local account

Contributor II

OK - that sounds scary to me and probably not a way I would like to go. Binding Macs to AD - we finally got away from that setup :)

Contributor III

@jameson you don't have much option if you are using an older mechanism of Windows authentication, which a lot of companies seemingly still have because upgrading production ERP systems is even scarier than binding a Mac to AD for whatever reason.

Binding a Mac to AD does not create problems on its own, full stop. Everything you do after enabling that connection is your downfall. My bind profile has nothing other than a bind; network login is not allowed, mobile accounts are not created, home folders are not mounted, etc. In my environment, nothing is different between the bind/no bind other than a green light in the System Preferences indicating that there is indeed a connection to the domain.
For the slim portion of my userbase that even needs SAP access, and thus has this profile set up, I have not run into any issues with this setup.
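An added example, not part of any post in this thread: a shell check that a Mac's bind still matches the "bind only" baseline described above, by parsing `dsconfigad -show` style text. The function names are hypothetical and the sample output is constructed, modelled on the `label = value` layout that command prints. It covers only the mobile-account and home-mount settings, not login window network login.

```shell
#!/bin/sh
# Added example: audit a "bind only" AD configuration from `dsconfigad -show` text.

# Print the trimmed value of one "label = value" line. $1 = text, $2 = label.
ad_setting() {
    printf '%s\n' "$1" | awk -F'=' -v want="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == want { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# Return 0 only if bound AND mobile accounts and network home mounts are off.
audit_bind() {
    rc=0
    domain=$(ad_setting "$1" "Active Directory Domain")
    if [ -z "$domain" ]; then echo "FAIL: not bound to a domain"; return 1; fi
    echo "OK: bound to $domain"
    for label in "Create mobile account at login" "Mount home as sharepoint"; do
        value=$(ad_setting "$1" "$label")
        if [ "$value" = "Disabled" ]; then
            echo "OK: $label = $value"
        else
            echo "FAIL: $label = ${value:-missing}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_MINIMAL='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-0042$

Advanced Options - User Experience
  Create mobile account at login = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Disabled'

# Same machine after someone re-enabled mobile accounts (constructed).
SAMPLE_DRIFTED=$(printf '%s\n' "$SAMPLE_MINIMAL" | sed 's/\(mobile account at login = \)Disabled/\1Enabled/')

audit_bind "$SAMPLE_MINIMAL"
audit_bind "$SAMPLE_DRIFTED" || echo "drift from bind-only baseline detected"
# On a bound Mac: audit_bind "$(dsconfigad -show)"
```

The non-zero exit status on drift lets the check be reported back through whatever management tooling already runs scripts on the bound Macs.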