We did our Jumpstart last week, and we're really happy with things thus far. We'd like to now try to do some logins against Active Directory, but are unsure how to do this. We use on-premises Active Directory with smartcards for our Windows machines.
In summary, we're trying to accomplish the following: 1) Log in to Macs using AD credentials. 2) Eventually do this with smartcards.
Any info or direction would help. Thanks!
Best answer by boberito
Welcome!
What you're wanting to do is called Attribute Mapping and very easy to do!
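As an added illustration of what attribute mapping does (not code from this thread or from Apple), the block below builds the AttributeMapping dictionary that macOS reads from /etc/SmartcardLogin.plist and then simulates the lookup: the `$1` in `formatString` is replaced by the first certificate field in `fields`, and the result must appear in the directory attribute named by `dsAttributeString` for the card to unlock that account. The UPN, the directory record and the `resolve_mapping`/`account_matches` helper names are constructed assumptions.

```python
import plistlib
import re
from typing import Tuple

# Constructed example of the AttributeMapping dictionary that macOS reads
# from /etc/SmartcardLogin.plist. "$1" refers to the first entry of "fields".
ATTRIBUTE_MAPPING = {
    "AttributeMapping": {
        "fields": ["NT Principal Name"],
        "formatString": "Kerberos:$1",
        "dsAttributeString": "dsAttrTypeStandard:AltSecurityIdentities",
    }
}

def build_smartcard_login_plist(config: dict) -> bytes:
    """Serialize the mapping as the XML plist macOS expects and re-parse it
    as a sanity check before it is written to /etc/SmartcardLogin.plist."""
    mapping = config["AttributeMapping"]
    if not isinstance(mapping["fields"], list) or not mapping["fields"]:
        raise ValueError("fields must be a non-empty list of certificate fields")
    if not mapping["dsAttributeString"].startswith("dsAttrTypeStandard:"):
        raise ValueError("dsAttributeString must name a directory attribute")
    data = plistlib.dumps(config, fmt=plistlib.FMT_XML)
    assert plistlib.loads(data) == config  # round-trips cleanly
    return data

def resolve_mapping(config: dict, cert_fields: dict) -> Tuple[str, str]:
    """Apply the mapping to values read from the smart card certificate:
    each $N in formatString becomes the value of the Nth entry of fields.
    Returns (directory attribute, value that attribute must contain)."""
    mapping = config["AttributeMapping"]
    def substitute(match):
        field = mapping["fields"][int(match.group(1)) - 1]
        if field not in cert_fields:
            raise KeyError(f"certificate has no '{field}' field; login would fail")
        return cert_fields[field]
    value = re.sub(r"\$(\d+)", substitute, mapping["formatString"])
    attribute = mapping["dsAttributeString"].split(":", 1)[1]
    return attribute, value

def account_matches(config: dict, cert_fields: dict, record: dict) -> bool:
    """True when the directory record carries the value the mapping produces."""
    attribute, value = resolve_mapping(config, cert_fields)
    return value in record.get(attribute, [])

if __name__ == "__main__":
    card = {"NT Principal Name": "jdoe@CORP.EXAMPLE.COM"}            # constructed
    record = {"AltSecurityIdentities": ["Kerberos:jdoe@CORP.EXAMPLE.COM"]}  # constructed
    print(build_smartcard_login_plist(ATTRIBUTE_MAPPING).decode())
    print(account_matches(ATTRIBUTE_MAPPING, card, record))
```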
Thanks for such an informative first reply! After looking at some of these resources I do have some questions.
Everyone has told us not to bind, but from the looks of it, if we do not bind we'll need a service like Enterprise Connect PKINIT for reliable AD integration. Is this true, or could we get away with NoMAD and NoMAD Login for use with Kerberos smartcard logins? We really don't want to bind :) or buy more services if possible.
I just made my first Slack account today. Do you have the link so I can join that MacAdmins group?
We bind at the organization I'm at. Plenty of others do. You can bind or not. There are problems with binding and there are problems with not binding, so neither is perfect. The single sign-on extension is the replacement for Enterprise Connect in Catalina. That'll do your PKINIT. I'd also suggest deploying it even if you bind, because macOS is finicky about getting that Kerberos ticket correctly when using a smart card. https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf
boberito, I cannot thank you enough for the resources you've led me to thus far. The Catalina SSO extension is EXACTLY what we needed. The extension seems to work very well with smartcards too.
Also for anyone reading, this resource was very useful in configuring Kerberos using the Catalina SSO extension: https://hcsonline.com/images/PDFs/Jamf_Kerberos.pdf
I'll head over to the MacAdmins Slack and ask some questions. Thanks for your time, boberito!