• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

Problems with Joining Mac computers to AD infrastructure

Recommended Posts

iampedro    1

Dear All,

 

What are the issues with joining mac's on active directory network?

Share this post


Link to post
Share on other sites
GrayW    119

Sometimes not many, sometimes countless. Really need some more information on what you're trying to achieve here because various scenarios can result in different issues.

 

Are you hoping to just use it for authentication? Are you expecting it to behave like any other computer object in AD?

 

Give us something to work with :).

Share this post


Link to post
Share on other sites
iampedro    1

I want to enforce my mac users to change there passwords ever year, plus the other GPO benefits...

Share this post


Link to post
Share on other sites
JaredFrost    303
25 minutes ago, GrayW said:

Sometimes not many, sometimes countless.

I concur, it's really an afterthought for Apple, they've all but completely given up on enterprise integration.

 

Enforcing password policy would work though, that functions as expected on macOS, but you wont get any GPO benefits because it doesn't handle those, period.

 

If you want to properly manage Macs in your environment you'd be looking at some type of third party service, like JAMF and to some degree KACE can do some, there is also free software such as Munki that can do software/patch deployment, you could use it to push scripts to manage settings as well.

 

Hopefully that helps you in your quest.

  • Like 3

Share this post


Link to post
Share on other sites
GrayW    119

As @JaredFrost said, if you've got the resources then go for something like JAMF. It resolves a vast number of the issues that can appear when integrating Apple devices.

 

If you haven't and you're really looking for GPO like behaviour, then you're going to need to use Profile Manager (which quite honestly doesn't work half the damn time). To use that, you're going to need macOS Server running on a device that is the same version as the devices you are managing. Sometimes you can get away with being a version either side, but that just causes more issues. Unfortunately, they make macOS Server more and more useless with each update. This is where you enter the world of the "Golden Triangle".

 

I'll be honest, it's become so problematic and unstable these days that I'm currently planning the move away from macOS Server to Munki for the software and patching + Ansible/Chef for configuration management/quick setups and just having them bound to AD for the authentication.

 

It's a deep dark rabbit hole if you don't have the time and money to throw at it.

Share this post


Link to post
Share on other sites
sc302    1,723

GPO does not apply to MAC unfortunately. 

 

You can utilize and MDM solution to manage macs or you can utilize an OSX server.

Share this post


Link to post
Share on other sites
CoadyTech    1

If your only goal is to centrally set and control password policies for your Mac infrastructure I think you would be better served by an MDM solution. As others have mentioned good MDM products include JAMF, VMware AirWatch and Microsoft InTune. As it sounds like you already have the Microsoft stack deployed perhaps InTune would be a good fit.

 

One of the major drawbacks with Mac's in an active directory domain is the keychain. I've found that quite often users are prompted to change their password when using separate Microsoft apps such as OWA (Outlook Web Access) or RDS. When the password is reset outside of MacOS the keychain password is not updated. This seems to cause almost endless password prompts and authentication issues.

 

I'd roll out a good MDM and leave the Mac's with local logins.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.