1) Are they moving towards a non-AD environment (what are the pros and cons)?
2) If yes, how is security dealing with it?
3) How is the network (802.1x) being used in the environment? Is it a security issue if we only use user certs?
4) How is Jamf supporting this infrastructure?
Working as an MSP, we're starting to see it be of interest, but not take hold yet. We've had one mid-sized organisation stop using AD on their MacBook fleet with good success.
There's a number of emerging open source tools that are starting to provide SSO and other elements for companies not joining their Macs to AD, but it's early days.
In the non AD environments with 802.1X, the users are still authenticating with their usernames and passwords from AD to connect to wireless.
Depends on the corporate environment and its requirements. I've seen a publishing company using generic accounts, but where I am is so tightly regulated that AD authentication is utterly required.
thanks @davidacland and @franton
IBM
https://www.jamfsoftware.com/blog/mac-ibm-zero-to-30000-in-6-months/
If you're still using AD you are "not holding it correctly"... It's time to stop.
C
@gachowski I am leaving AD behind, but I need to convince our security team, so I am getting facts for them to see how I can run our Wi-Fi without AD binding.
Where I work, we are SAS, SOX, and HIPAA compliant. Needless to say, security is at the forefront.
We do bind to AD. This gives us a "chicken or the egg" scenario when trying to deploy with Apple DEP.
We did get around that hurdle though...
Here's our typical deployment workflow...
1. Apple DEP Enabled Mac - still in shrink-wrapped box
2. User powers on
3. User connects to Guest WiFi
4. User authenticates with AD/LDAP credentials
5. User creates local account - username is irrelevant
6. User gets desktop
7. JAMF deploys Self Service
8. JAMF deploys MobileConfigs
9. JAMF auto-enrolls and triggers FileVault full disk encryption
10. System reboots within 1 minute
11. User logs in
12. User enables FileVault
13. System reboots
14. User logs in
15. User gets desktop
16. JAMF triggers install of Global Protect VPN software
17. JAMF triggers install of Apple Enterprise Connect
18. User logs into Global Protect
19. JAMF triggers a Network State Change
20. JAMF installs 802.1x mobileconfig
21. JAMF initiates script to rename hostname to NetBIOS 15-character limit standards
22. JAMF binds to Active Directory
23. User logs into Apple Enterprise Connect using AD/LDAP username and password
24. User gets Kerberos Ticket Granting Ticket
25. Deployment process is complete
26. Have a nice day!
There's more minutiae that takes place behind the scenes, but you get the high level idea...
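As an added illustration of step 21 in the workflow above (not code from the thread or from Jamf), here is a small POSIX shell helper that derives a NetBIOS-safe name from a Mac's ComputerName before the AD bind runs. The naming rule (uppercase, A-Z, 0-9 and hyphen only, at most 15 characters), the optional site prefix and the "MAC" fallback are assumptions for the example; the `scutil` calls at the end are the real macOS commands but are left commented so the script runs anywhere.

```shell
#!/bin/sh
# Added example: normalise a Mac's ComputerName to a NetBIOS-style hostname
# (15 characters max) ahead of AD binding. Rule and prefix are assumptions.

# netbios_name NAME [PREFIX]
# Strips anything outside [A-Za-z0-9-], uppercases, prepends PREFIX and
# truncates to 15 characters. Prints the result on stdout.
netbios_name() {
    raw="$1"
    prefix="${2:-}"
    cleaned=$(printf '%s' "$raw" | tr -cd 'A-Za-z0-9-' | tr 'a-z' 'A-Z')
    cleaned="${prefix}${cleaned}"
    # Fallback so a name that is empty after cleaning never reaches scutil.
    [ -n "$cleaned" ] || cleaned="MAC"
    # %.15s keeps the first 15 characters and avoids cut/newline quirks.
    printf '%.15s\n' "$cleaned"
}

# netbios_ok NAME -> exit 0 if NAME already satisfies the naming rule,
# so a Jamf policy can skip the rename (and the reboot) when nothing changes.
netbios_ok() {
    [ "$1" = "$(netbios_name "$1")" ]
}

# Apply to the local machine (macOS only, needs root); uncomment to use.
# current=$(scutil --get ComputerName)
# if ! netbios_ok "$current"; then
#     new=$(netbios_name "$current")
#     scutil --set ComputerName "$new"
#     scutil --set HostName "$new"
#     scutil --set LocalHostName "$new"
# fi
```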
@cainehorr Thanks for taking time out for putting this list down. I appreciate it. What if we don't AD bind? Is there a way we can get authentication for 802.1x? We use Enterprise Connect.
There is KerbMinder. It allows you to create a Kerberos Ticket and refresh it every time you're connected to your corporate network.
https://github.com/pmbuko/KerbMinder
I have also recently heard of NoMAD - similar to Apple Enterprise Connect.
http://maclovin.org/blog-native/2016/nomad-get-ad-features-without-binding-your-mac
Cheers!
Thanks @cainehorr
If you have thousands of multi-user devices, like we have, how could we not use AD binding? Interested to hear alternatives for this scenario.
@marklamont We are using non-AD-bound machines, 1000 and growing, and that's the reason I wanted these details, but recently I found more solutions on it. Any specific questions you had?