Whether or not to bind Macs to Active Directory is the debate today.
A couple of years ago, the general recommendation was to bind computers to Active Directory. With the shift from desktop and shared computers to 1-to-1 laptop deployments, the picture has changed dramatically.
After the Kerbminder and ADPassMon scripts, we now have two alternatives:
- Apple Enterprise Connect
- NoMAD
Arguments for binding or not binding to Active Directory
Topic | Binding | Not Binding |
---|---|---|
802.1X | Wi-Fi (WPA2 Enterprise EAP-TLS) can use the machine certificate generated by AD | We can also use a profile that deploys the root certificates and requests a machine certificate through SCEP. NoMAD can also request an 802.1X certificate |
Kerberos tickets | AD automatically provides Kerberos tickets, but only at login and when unlocking from the screensaver. On mobile computers, users don't log out as often and are mostly on Wi-Fi, which doesn't have time to connect before the screensaver is unlocked. As a result, Kerberos tickets are rarely renewed. | Enterprise Connect or NoMAD handles the renewal of Kerberos tickets |
AD users can log in to any bound Mac & shared use of Macs (e.g. lab computers) | As user identification and authentication reside on the server, users can log in on any bound Mac. This is especially interesting for shared environments such as labs | On mobile devices, this is getting harder as Portable Home Directories (syncing the user home from a file share) are no longer supported. The only remaining option is network home directories, which are impractical in a mobile environment |
User identification and computer usage traceability | Binding to AD ensures that each username and UID is used only once across the bound Macs | MDM can better trace computer usage |
Users can be admins via the directory plugin | A group of users can be specified as local admins | An MDM can create a "management account" and take care of renewing its password |
Password policies | Password policies are handled in the AD account | A Password policy can be deployed |
User Password expiry | Password expiry is handled in the AD account | A Password policy can be deployed |
Ease of setup | Computer needs to have access to AD during setup | No particular setup is needed. For authenticated DEP, the computer needs access to the MDM |
Account lock | Local account is locked at next login or unlock from screensaver | A better way to lock the user out is to issue the MDM lock or wipe command |
Keychain | The keychain password is not synchronized with Active Directory. When the password change is not done on the Mac, the user will be prompted to enter their old and new password | Local and remote passwords are not synced. Enterprise Connect or NoMAD will sync the local password when it detects a change, and the change is replicated to the Keychain |
FileVault Password | FileVault and remote passwords are not synced. When the AD password is reset, FileVault keeps the previous password, so FileVault must also be reset using the recovery key | FileVault and remote passwords are not synced. Enterprise Connect or NoMAD will sync the local password when it detects a change, and the change is replicated to FileVault |
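The "Kerberos tickets" row above is the one most admins have to verify in the field: a bound laptop that rarely sees the login window can sit for hours with an expired TGT, and the first symptom is a file share or web app that silently stops working. The following script is an added example (not from the source page, NoMAD or Enterprise Connect) that parses the three-column output of the Heimdal `klist` shipped with macOS and reports which cached tickets are expired or about to expire. The sample `klist` text, the one-hour warning threshold and the `--live` flag are constructed for this example; the column layout and timestamp format it assumes are those of Heimdal `klist`.

```python
"""Report stale or soon-expiring Kerberos tickets from `klist` output.

Added example for checking the Kerberos-ticket state on a Mac. Without
arguments it parses a constructed sample; with --live it runs the real
`klist` (Heimdal, as shipped with macOS) and parses that instead.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Constructed sample resembling Heimdal klist output. Assumption: the real
# output uses the same Issued / Expires / Principal columns and
# "%b %d %H:%M:%S %Y" timestamps.
SAMPLE_KLIST = """\
Credentials cache: API:EXAMPLE-CACHE-ID
        Principal: jdoe@CORP.EXAMPLE

  Issued                Expires               Principal
Dec 15 08:02:11 2017  Dec 15 18:02:11 2017  krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
Dec 15 08:02:12 2017  Dec 15 18:02:12 2017  cifs/fs01.corp.example@CORP.EXAMPLE
"""

TIME_FMT = "%b %d %H:%M:%S %Y"
TIME_RE = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
TICKET_RE = re.compile(
    rf"^(?P<issued>{TIME_RE})\s+(?P<expires>{TIME_RE})\s+(?P<principal>\S+)\s*$"
)


def parse_time(text):
    """Parse a klist timestamp; collapses the padding Heimdal adds to %e days."""
    return datetime.strptime(" ".join(text.split()), TIME_FMT)


def parse_klist(text):
    """Return (principal, issued, expires) tuples for every ticket line."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:  # header and cache lines never match the three-column pattern
            tickets.append((m.group("principal"),
                            parse_time(m.group("issued")),
                            parse_time(m.group("expires"))))
    return tickets


def classify(tickets, now, warn_within=timedelta(hours=1)):
    """Map each principal to 'expired', 'expiring' or 'ok' relative to `now`."""
    status = {}
    for principal, _issued, expires in tickets:
        if expires <= now:
            status[principal] = "expired"
        elif expires - now <= warn_within:
            status[principal] = "expiring"
        else:
            status[principal] = "ok"
    return status


def tgt_status(tickets, now):
    """Status of the TGT only ('missing' if no krbtgt/ ticket is cached).

    The TGT is what matters for the renewal problem described in the table:
    without a valid TGT no new service tickets can be obtained.
    """
    for ticket in tickets:
        if ticket[0].startswith("krbtgt/"):
            return classify([ticket], now)[ticket[0]]
    return "missing"


def main(argv):
    if "--live" in argv:
        # klist exits non-zero and prints nothing on stdout when the cache is
        # empty, which correctly surfaces as a 'missing' TGT below.
        text = subprocess.run(["klist"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_KLIST
    now = datetime.now()
    tickets = parse_klist(text)
    for principal, state in classify(tickets, now).items():
        print(f"{state:9} {principal}")
    print("TGT:", tgt_status(tickets, now))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--live` from a LaunchAgent or a monitoring tool to record how often a bound laptop actually holds a valid TGT during the day; the same check run against machines using Enterprise Connect or NoMAD gives a direct comparison of the renewal behaviour the table describes.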
Choosing between NoMAD and Apple Enterprise Connect
Versions used:
- Enterprise Connect 1.6.3
- NoMAD 1.0.3
- macOS 10.12
Feature | Enterprise Connect | NoMAD | (Active Directory binding) |
---|---|---|---|
Vendor | Apple | Open Source | Apple |
Support | Supported by Apple PS as included in the engagement and/or AppleCare OS Support | Support plans available | Supported by AppleCare OS Support |
OS requirement | 10.9+ | 10.10+ | 10.3+ |
Single Sign-On | Automatically | Automatically | Only at login and screensaver |
Password Expiration | via Notification Center | via Notification Center | Only at Login |
Password change | via menu item | via menu item | via System Preferences or login window |
Fine-grained password policy support | ~ (doesn't honor password expiration time) | √ | x |
Quick links to getting support and software | x | √ | x |
Support for changing passwords not using AD, e.g. a web-based password portal | x | √ | x |
Password Synchronization | Only when user is logged in | Only when user is logged in | Automatic |
Home Network Share Automount | √ | √ | x |
Network Share Automount | √ | Planned | x |
Support for SSO on DFS shares | x | Planned | x |
AD Binding required? | x | x | √ |
macOS native? | Uses Apple Frameworks | Uses Apple Frameworks | macOS Native |
Script on password change | √ | √ | x |
Script on connection completed | √ | √ | x |
Audit script | √ | x | x |
Distribution | single .pkg | single .pkg | macOS Native |
Configuration | via a Configuration Profile (and .plist) | via a Configuration Profile (and .plist) | multiple ways |
X509 Identity from CA | x | √ | Mature |
Language Support | English | English, French, German, Danish, Swedish | All macOS languages |
Maturity | Mature | 1.0.4 | x |
Installation | Two-day on-site professional services engagement | None | None |
Price | $5,500 (one-time fee) | Free, Support plans available ($399 to $2,500 per year) | Free |
Availability | Contact your local Apple Sales Rep | http://nomad.menu | macOS Native |
Source: http://macadminsdoc.readthedocs.io/en/master/Integration/Active_Directory.html