Problems with Joining Mac computers to AD infrastructure


Recommended Posts

Sometimes not many, sometimes countless. Really need some more information on what you're trying to achieve here because various scenarios can result in different issues.

 

Are you hoping to just use it for authentication? Are you expecting it to behave like any other computer object in AD?

 

Give us something to work with :).

  On 03/12/2018 at 16:19, GrayW said:

Sometimes not many, sometimes countless.

Expand  

I concur, it's really an afterthought for Apple, they've all but completely given up on enterprise integration.

 

Enforcing password policy would work though, that functions as expected on macOS, but you wont get any GPO benefits because it doesn't handle those, period.

 

If you want to properly manage Macs in your environment you'd be looking at some type of third party service, like JAMF and to some degree KACE can do some, there is also free software such as Munki that can do software/patch deployment, you could use it to push scripts to manage settings as well.

 

Hopefully that helps you in your quest.

  • Like 3

As @JaredFrost said, if you've got the resources then go for something like JAMF. It resolves a vast number of the issues that can appear when integrating Apple devices.

 

If you haven't and you're really looking for GPO like behaviour, then you're going to need to use Profile Manager (which quite honestly doesn't work half the damn time). To use that, you're going to need macOS Server running on a device that is the same version as the devices you are managing. Sometimes you can get away with being a version either side, but that just causes more issues. Unfortunately, they make macOS Server more and more useless with each update. This is where you enter the world of the "Golden Triangle".

 

I'll be honest, it's become so problematic and unstable these days that I'm currently planning the move away from macOS Server to Munki for the software and patching + Ansible/Chef for configuration management/quick setups and just having them bound to AD for the authentication.

 

It's a deep dark rabbit hole if you don't have the time and money to throw at it.

  • 2 weeks later...

If your only goal is to centrally set and control password policies for your Mac infrastructure I think you would be better served by an MDM solution. As others have mentioned good MDM products include JAMF, VMware AirWatch and Microsoft InTune. As it sounds like you already have the Microsoft stack deployed perhaps InTune would be a good fit.

 

One of the major drawbacks with Mac's in an active directory domain is the keychain. I've found that quite often users are prompted to change their password when using separate Microsoft apps such as OWA (Outlook Web Access) or RDS. When the password is reset outside of MacOS the keychain password is not updated. This seems to cause almost endless password prompts and authentication issues.

 

I'd roll out a good MDM and leave the Mac's with local logins.

This topic is now closed to further replies.
  • Posts

    • People yearn for the good old days of IRC and truly open Internet, yet are dismissive of modern solutions like ActivityPub (which Mastodon pioneered) and Matrix. Make it make sense.
    • AI judges learn new tricks to fact-check and code better by Paul Hill Image via Pixabay AI researchers and developers are increasingly turning to large language models (LLMs) to evaluate the responses of other LLMs in a process known as “LLM-as-a-judge”. Unfortunately, the quality of these evaluations degrades on complex tasks like long-form factual checking, advanced coding, and math problems. Now, a new research paper published by researchers from the University of Cambridge and Apple outlines a new system that augments AI judges with external validation tools to improve their judgment quality. This system aims to overcome limitations found in both human and AI annotation. Humans face challenges and biases due to time limits, fatigue, and being influenced by writing style over factual accuracy while AI struggles with the aforementioned complex tasks. The Evaluation Agent that the researchers created is agentic so it can assess the response to determine if external tools are needed and utilizes the correct tools. For each evaluation, three main steps are passed through: initial domain assessment, tool usage, and a final decision. The fact-checking tool uses web search to verify atomic facts within a response; code execution leverages OpenAI’s code interpreter to run and verify code correctness; and math checker is a specialized version of the code execution tool for validating mathematical and arithmetic operations. If none of the tools are found to be useful for making judgments, the baseline LLM annotator is used to avoid unnecessary processing and potential performance regression on simple tasks. The system delivered notable improvements in long-form factual checking, with significant increases in agreement with ground-truth annotations across various baselines. In coding tasks, the agent-based approach significantly improved performance across all baselines. For challenging math tasks, the agents improved performance over some baselines, but not all, and overall agreement remained relatively low at around 56%. Notably, the researchers found that in long-form factual responses, the agent’s agreement with ground-truth was higher than that of human annotators. This framework is extensible, so in the future, other tools could be integrated to further improve LLM evaluation systems. The code for the framework will be made open source on Apple’s GitHub, but it isn’t up yet.
    • https://www.neowin.net/news/tags/mastodon/ In short: Federated Twitter (X)
    • Keep in mind it was purchased by an advertising company. I use SearxNG.
    • I am using Waterfox Private Search now that I started using the Waterfox browser on my PC and Android. Both work great* search waterfox net with full stops in between. * I have an issue where making comments on articles on various websites is difficult with Waterfox on Android as it randomly adds spaces and doubles up on text.
  • Recent Achievements

    • Collaborator
      fernan99 earned a badge
      Collaborator
    • Collaborator
      MikeK13 earned a badge
      Collaborator
    • One Month Later
      Alexander 001 earned a badge
      One Month Later
    • One Month Later
      Antonio Barboza earned a badge
      One Month Later
    • Week One Done
      Antonio Barboza earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      588
    2. 2
      ATLien_0
      221
    3. 3
      Michael Scrip
      171
    4. 4
      Xenon
      137
    5. 5
      +FloatingFatMan
      126
  • Tell a friend

    Love Neowin? Tell a friend!