Hi all, we currently bind our Macs mainly for password policy compliance. We are investigating unbinding and using EC or Nomad instead, as we have seen big speed increases, especially with off-network boots.
Question is, what else may be happening at boot when binding, apart from authentication? Does binding have any other advantages?
This may or may not be relevant to you at all, but for us, one thing we might lose if we moved to EC or Nomad is the ability to do easy lookups from any system into AD. For example, we may sometimes use scripts run from a Jamf Pro policy or EAs that do an AD lookup of some attribute, maybe the group membership of the account, or some other attribute. This is easy to do on AD-bound Macs with dscl. With non-AD-joined Macs, you can still do lookups, but it's more complicated, as you need to use something like ldapsearch. But ldapsearch often requires using a service account to do the lookups, meaning the script needs to include some service account information, or it needs to be passed to the script as a parameter.
This isn't a showstopper, but it's something to keep in mind, at least for us. I'm sure there are some other things that could be gotchas for us, but I would need to fully test the above products before I could know for sure. I have looked at both, but as of yet, we haven't run any explicit tests with them.
Besides those things, in the environment I'm in, I think hell would freeze over before they'd ever agree to not doing AD joins of our Macs. We're too entrenched into AD to convince management to leave it behind, even just for our Macs. It would be perceived as blasphemy to even bring it up. I wish it were not, as I think our Mac management could really be a lot smoother with no AD binds + one of the above tools to fill some of the gaps.
I'll be following this and other related threads to keep tabs on comments.
We currently bind but have been testing NoMAD (open source Apple Enterprise Connect). We have also just signed up with Okta and have been rolling it out. After watching this video I am really trying to get us to talk about dumping the whole bind/sync and just using Okta.
Still talking about it but most seem open to it and I think at some point we might start testing it.
What we see with bound Macs is very slow off-corporate-network boot times, up to 90 seconds. After unbinding the Mac, this goes back to around 23 seconds. We know why this happens, as the Mac is looking for the AD server but can't get to it.
So using Nomad or EC would get around this issue; Nomad would still not connect until the user is back on the corporate network, either directly or via VPN.
The question I'm being asked is: at boot, when a Mac is bound and on the corporate network, apart from AD authentication, is anything else happening due to binding, any certs being handed out, etc.?
We bind every Mac in our environment, and we have not seen the slow boot times that you describe. As long as the option to create a mobile account on the first login is enabled, the system should default to the cached credentials when the domain is not available.
In my previous environment, I saw something similar to what you describe that ended up being due to the fact that we were auto-mapping network shares for users. In that scenario, it wasn't the system login itself, but the script trying to authenticate and mount the share that was stalling and eventually timing out. Once I modified the script to check for the domain presence at the beginning and exit immediately if it was not there, login times returned to usual. In my current environment we do not map shares for users, so the problem has never surfaced.
But I can certainly say that I use my bound laptop off-network 90% of the time, and I do not have the delay in booting...
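As an added example (not code from anyone in this thread), here is a Jamf extension-attribute style script that combines the two points raised above: it checks that the AD node is reachable before doing anything else, as the share-mapping fix in the last reply describes, and only then reads a user's group membership with dscl, as the first reply describes. The domain name EXAMPLE, the dscl output sample and the function names are all made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes a Mac bound to the hypothetical
# domain EXAMPLE; sample dscl output below is constructed, not captured.

AD_NODE="/Active Directory/EXAMPLE/All Domains"   # hypothetical bound domain

# Exit 0 when the AD node can answer a cheap read for this user. dscl fails
# fast when the domain is unreachable, so a script can bail out here instead
# of stalling on later lookups (the off-network delay described in the thread).
ad_reachable() {
    dscl "$AD_NODE" -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Read dscl "memberOf" output on stdin and print one group CN per line.
# dscl prints the attribute key once; each DN value follows on its own line
# (or on the key line), so strip any key prefix and keep only the CN part.
member_groups() {
    sed -n 's/^\(dsAttrTypeNative:\)\{0,1\}\(memberOf:\)\{0,1\}[[:space:]]*CN=\([^,]*\),.*$/\3/p'
}

# Exit 0 if the dscl memberOf output on stdin lists the named group exactly.
in_group() {
    member_groups | grep -qxF -- "$1"
}

# Extension-attribute body: print the group list in Jamf's <result> wrapper,
# reporting an unreachable domain instead of waiting for a timeout.
ea_result() {
    user="$1"
    if ! ad_reachable "$user"; then
        echo "<result>AD unreachable</result>"
        return 0
    fi
    groups=$(dscl "$AD_NODE" -read "/Users/$user" memberOf 2>/dev/null \
             | member_groups | tr '\n' ',' | sed 's/,$//')
    echo "<result>${groups:-none}</result>"
}

# Constructed sample of what dscl prints for a user in two groups, so the
# parsing can be exercised on a machine that is not bound (or not a Mac).
SAMPLE_MEMBEROF='dsAttrTypeNative:memberOf:
 CN=Mac Admins,OU=Groups,DC=example,DC=com
 CN=VPN Users,OU=Groups,DC=example,DC=com'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MEMBEROF" | member_groups
fi
```

Group CNs containing an escaped comma (`\,`) would be cut short by the `[^,]*` match; that is rare for AD groups but worth knowing if it bites.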