Posted on 05-13-2020 10:54 AM
We are trying to plan for and get our systems ready for the new versions of the Apple OS. From what I have been reading it seems as though the new versions of the OS coming out make it increasingly problematic to simply use AD. Add in the increased number of users who are working from home and we are looking for the right way to integrate. Permissions for network storage are through AD as are several applications used in the environment so we need to keep AD. We would also like to have new computers we order for users be able to be sent directly to them and when it registers with JAMF it will load the computer with a local account using the AD credentials. We don't care at this point if the system is registered with AD, we just want them to be able to log in with the same credentials, and when they VPN in it passes the AD credentials for when they are using network resources. We are unsure how feasible this is or what exactly it would require. Any help, resources, or thoughts would be helpful. Please feel free to ask for any clarification you may need.
Posted on 05-13-2020 11:59 AM
Binding to AD is something that many sites are coming away from. I'd recommend looking at NoMAD or Jamf Connect. macOS Catalina has Single Sign On extensions built-in.
The only reason we bind to AD at the moment is because connecting to our 802.1X staff Wi-Fi network relies on Macs being domain joined, but the plan is to move to the Jamf AD-CS Connector so that we can come away from binding.
Posted on 05-13-2020 02:17 PM
We were in a similar situation to the one you are describing when we were investigating JAMF. I'll try to address all of your questions.
Binding to the AD isn't necessarily problematic unless it is (I know.) We bind because we have DFS network shares that we can't access unless we're bound. We also had issues with network printers not being discoverable while not bound to AD (we solved this with Printer Logic). With that said, we don't use Mobile Accounts as we use Enterprise Connect (similar to Jamf Connect and NoMAD); these tools will get you a Kerberos ticket and sync AD passwords to the local user account if you're not using mobile accounts. Like @mark.mahabir we set up the Jamf AD-CS Connector to handle our machine certificates so machines aren't required to be on the network when provisioning and still get a machine certificate for our internal 802.1X Wi-Fi network.
As far as the VPN part, we use user certificates to authenticate through our VPN; depending on your VPN client this may not be possible.
Posted on 07-20-2021 09:47 AM
Old discussion, but very interesting comment. I was looking at:
and was understanding that the Kerberos extension in Catalina and Big Sur was not enough and binding was still a requirement.
Does anyone have further experience with this?
Posted on 05-13-2020 02:57 PM
You are certainly not alone in your desire.
To create users that have the same user name and password as their Active Directory account, you may want to take a look at using Enrollment Customization (using authentication) and pre-populating the user information in the setup screen. You could lock the account creation screen to use that information. But, once the user logs in, you will need a way to keep the passwords in sync. You can use NoMAD, Enterprise Connect/Kerberos Extension for on-prem AD, or Jamf Connect for Azure AD and other IdPs.