To Bind or not To Bind

MatG
Contributor III

Hi all, we currently bind our Macs mainly for password policy compliance. We are investigating unbinding and using EC or NoMAD instead, as we have seen big speed increases, especially with off-network boots.

The question is, what else may be happening at boot when binding? Apart from authentication, does binding have any other advantages?


simonep
New Contributor III

We are also currently binding to AD but are starting to look at Enterprise Connect. Would love to hear any feedback from someone that is currently using EC.

mm2270
Legendary Contributor III

This may or may not be relevant to you at all, but for us, one thing we might lose if we moved to EC or NoMAD is the ability to do easy lookups from any system into AD. For example, we may sometimes use scripts run from a Jamf Pro policy or EAs that do an AD lookup of some attribute, maybe the group membership of the account, or some other attribute. This is easy to do on AD-bound Macs with dscl. With non-AD-joined Macs, you can still do lookups, but it's more complicated as you need to use something like ldapsearch. But ldapsearch often requires using a service account to do the lookups, meaning the script needs to include some service account information, or it needs to be passed to the script as a parameter.
This isn't a showstopper, but it's something to keep in mind, at least for us. I'm sure there are some other things that could be gotchas for us, but I would need to fully test the above products before I could know for sure. I have looked at both, but as of yet, we haven't run any explicit tests with them.

Besides those things, in the environment I'm in, I think hell would freeze over before they'd ever agree to not doing AD joins of our Macs. We're too entrenched into AD to convince management to leave it behind, even just for our Macs. It would be perceived as blasphemy to even bring it up. I wish it were not, as I think our Mac management could really be a lot smoother with no AD binds + one of the above tools to fill some of the gaps.

I'll be following this and other related threads to keep tabs on comments.
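The two lookup paths described above (dscl on a bound Mac, ldapsearch with a service account on an unbound one), written out as an added example; this is not code from the thread or from any poster. The search base, the DC host and the Jamf policy parameters $4 (bind DN) and $5 (password) are assumptions; $3 is the user name Jamf passes to every policy script. The shared parser handles both tools' output layouts, and the user name is escaped before it goes into the LDAP filter.

```shell
#!/bin/bash
# Added example, not code from the thread. Looks up a user's AD group membership
# two ways: through dscl on a bound Mac, and through ldapsearch with a service
# account on an unbound one. Assumed names: search base DC=corp,DC=example,DC=com,
# DC host dc01.corp.example.com, and Jamf policy parameters $3 (user name, filled
# in by Jamf), $4 (service account bind DN) and $5 (its password).

SEARCH_BASE="DC=corp,DC=example,DC=com"          # assumption
LDAP_URI="ldap://dc01.corp.example.com"          # assumption

# Reduce group DNs to group names (the first RDN of each DN). Accepts dscl's
# layout (one value per indented line) and ldapsearch's "memberOf: ..." lines.
group_names() {
  sed -n -e 's/^ *memberOf: *//' -e 's/^ *CN=\([^,]*\),.*/\1/p'
}

# Escape LDAP filter metacharacters (RFC 4515) so a user name coming from a
# policy parameter cannot change the shape of the query.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Bound Mac: the AD node is on the search path, so no credentials are needed.
groups_via_dscl() {
  dscl /Search -read "/Users/$1" dsAttrTypeNative:memberOf 2>/dev/null | group_names
}

# Unbound Mac: bind with the service account. The password goes to ldapsearch
# through a 0600 temp file (-y) rather than -w, which would show it in ps output.
groups_via_ldap() {
  user=$(ldap_escape "$1"); bind_dn=$2; bind_pw=$3
  pwfile=$(umask 077 && mktemp) || return 1
  printf '%s' "$bind_pw" > "$pwfile"
  ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$bind_dn" -y "$pwfile" \
    -b "$SEARCH_BASE" "(sAMAccountName=$user)" memberOf 2>/dev/null | group_names
  rm -f "$pwfile"
}

# True when the group name in $1 appears in the newline-separated list on stdin.
in_group() { grep -qxF "$1"; }

# Constructed sample output from both tools, used to exercise the parser offline.
SAMPLE_DSCL='dsAttrTypeNative:memberOf:
 CN=Mac Admins,OU=Groups,DC=corp,DC=example,DC=com
 CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com'
SAMPLE_LDIF='dn: CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com
memberOf: CN=Mac Admins,OU=Groups,DC=corp,DC=example,DC=com
memberOf: CN=Wiki Editors,CN=Users,DC=corp,DC=example,DC=com'

# Policy entry point: use dscl when bound, fall back to ldapsearch when not.
main() {
  if dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'; then
    groups=$(groups_via_dscl "$3")
  else
    groups=$(groups_via_ldap "$3" "$4" "$5")
  fi
  if printf '%s\n' "$groups" | in_group "Mac Admins"; then
    echo "$3 is a member of Mac Admins"; return 0
  fi
  echo "$3 is not a member of Mac Admins"; return 1
}

# Jamf passes at least three positional parameters; with fewer, only define functions.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The service account used for the ldapsearch path only needs read access to the users' memberOf attribute, so a dedicated read-only account keeps the credential that has to live in the policy parameter low-value.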

cmarker
Contributor

We currently bind, and I think we may start using NoMAD alongside the binding to make things smoother.

Having the device bound can be nice if you write an EA to report on the device OU, then you can scope things to the OU level as an easy target.
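An extension attribute of the kind described above, as an added example that is not code from the thread. It reads the bound computer account from dsconfigad, fetches the computer object's distinguishedName through the /Search node (assumed readable on a bound Mac) and reports the OU path in Jamf's <result> format; the DN-to-OU conversion is a plain string function so it can be checked without a domain.

```shell
#!/bin/bash
# Added example, not code from the thread: a Jamf extension attribute that reports
# the OU path of a bound Mac's computer object, so policies can be scoped by OU.
# Assumed: dsconfigad -show lists the computer account on a bound Mac, and the
# computer record's distinguishedName is readable through the /Search node.

# Turn a DN such as "CN=MAC-0042,OU=Laptops,OU=Engineering,DC=corp,DC=example,DC=com"
# into "Engineering/Laptops" (top-level OU first). CN= and DC= parts are dropped;
# RDNs containing an escaped comma (\,) are not handled.
ou_path_from_dn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *OU=//p' | sed '1!G;h;$!d' | paste -s -d / -
}

# Computer account name as bound (ends with "$"); empty when the Mac is not bound.
bound_computer_account() {
  dsconfigad -show 2>/dev/null | sed -n 's/^ *Computer Account *= *//p'
}

# DN of the computer object, read through the directory search path.
computer_dn() {
  acct=$(bound_computer_account)
  [ -n "$acct" ] || return 1
  dscl /Search -read "/Computers/$acct" dsAttrTypeNative:distinguishedName 2>/dev/null |
    sed -n 's/^dsAttrTypeNative:distinguishedName: *//p'
}

# EA body: Jamf stores whatever is inside <result></result>.
main() {
  dn=$(computer_dn) || { echo "<result>Not bound</result>"; return 0; }
  ou=$(ou_path_from_dn "$dn")
  echo "<result>${ou:-No OU}</result>"
}
main
```

Once the EA is populated, a smart group with "OU path is Engineering/Laptops" (or "like Engineering/") gives the scoping target the post mentions.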

careybell
New Contributor III

We currently bind but have been testing NoMAD (Open source Apple Enterprise Connect). We have also just signed up with Okta and have been rolling it out. After watching this video I am really trying to get us to talk about dumping the whole bind/sync and just use Okta.
https://youtu.be/sb0YUw8sx0s?t=1011

Still talking about it but most seem open to it and I think at some point we might start testing it.

hkabik
Valued Contributor

It doesn't have to be an either/or scenario. You can still bind for the benefits it offers or only as needed and also use NoMAD/EC to allow for the smoother management of local accounts.

MatG
Contributor III

What we see with bound Macs is very slow off-corporate-network boot times, up to 90 seconds. Unbinding the Mac, this goes back to around 23 seconds. We know why this happens, as the Mac is looking for the AD server but can't get to it.

So using NoMAD or EC would get around this issue; NoMAD would still not connect until the user is back on the corporate network, either directly or via VPN.

The question I'm being asked is: at boot, when a Mac is bound and on the corporate network, apart from AD authentication, is anything else happening due to binding (any certs being handed out, etc.)?

bkerns
New Contributor II

We bind every Mac in our environment, and we have not seen the slow boot times that you describe. As long as the option to create a mobile account on the first login is enabled, the system should default to the cached credentials when the domain is not available.

In my previous environment, I saw something similar to what you describe that ended up being due to the fact that we were auto-mapping network shares for users. In that scenario, it wasn't the system login itself, but the script trying to authenticate and mount the share that was stalling and eventually timing out. Once I modified the script to check for the domain presence at the beginning and exit immediately if it was not there, login times returned to usual. In my current environment we do not map shares for users, so the problem has never surfaced.

But I can certainly say that I use my bound laptop off-network 90% of the time, and I do not have the delay in booting...
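The fix described above (check for the domain at the start of the share-mapping script and bail out immediately when it is absent), as an added example rather than the poster's own script. The domain name, the share URL and the use of the DC locator SRV record as the presence test are assumptions; the script is invoked with a "run" argument so that sourcing it without one only defines the functions.

```shell
#!/bin/bash
# Added example, not code from the thread: a login-time share-mapping script that
# checks for the AD domain first and returns at once when it is absent, so an
# off-network login does not sit through an LDAP/SMB timeout. Assumed names:
# domain corp.example.com and share smb://files.corp.example.com/home.
# Invoke as "mount_home.sh run"; without the argument only the functions are defined.

DOMAIN="${AD_DOMAIN:-corp.example.com}"                       # assumption
SHARE="${AD_SHARE:-smb://files.corp.example.com/home}"         # assumption

# Domain reachable = the DC locator SRV record resolves within two seconds.
# Only real answers (lines starting with a priority number) count; dig's own
# ";; ..." diagnostics do not. When dig is missing the answer is "no", which
# is the safe side for a mount decision.
domain_reachable() {
  command -v dig >/dev/null 2>&1 || return 1
  dig +short +time=2 +tries=1 -t SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null | grep -q '^[0-9]'
}

# Volume name is the last path element of the share URL.
volume_name() { printf '%s\n' "${1##*/}"; }

# True when the volume is already mounted under /Volumes.
share_mounted() {
  mount 2>/dev/null | grep -q " on /Volumes/$(volume_name "$1") "
}

# 0 = mounted (or already mounted), 2 = skipped (domain unreachable), 1 = mount failed.
mount_share_if_domain_up() {
  domain=$1; share=$2
  if ! domain_reachable "$domain"; then
    echo "AD domain $domain not reachable; skipping share mount" >&2
    return 2
  fi
  share_mounted "$share" && return 0
  # macOS mounts with the logged-in user's Kerberos ticket or cached credentials.
  osascript -e "mount volume \"$share\"" >/dev/null 2>&1 || return 1
}

if [ "${1:-}" = "run" ]; then
  mount_share_if_domain_up "$DOMAIN" "$SHARE"
fi
```

The mount step has to run inside the user's login session (a LaunchAgent or the user-context branch of a login script), since a root-run policy would mount the volume as root; the reachability check itself works from either context.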

MatG
Contributor III

Good info. Thanks all.

mjsanders
New Contributor III

Please check out this nice overview comparing binding to AD with NoMAD and Enterprise Connect:

http://macadminsdoc.readthedocs.io/en/master/Integration/Active_Directory.html

PhilS
New Contributor III

Is there an up-to-date version of this comparison to be had, that includes Jamf Connect? I'm trying to sell the latter to upper management and to forestall having to convert a large fleet to binding.