Problems with Joining Mac computers to AD infrastructure


Recommended Posts

Sometimes not many, sometimes countless. Really need some more information on what you're trying to achieve here because various scenarios can result in different issues.

 

Are you hoping to just use it for authentication? Are you expecting it to behave like any other computer object in AD?

 

Give us something to work with :).

  On 03/12/2018 at 16:19, GrayW said:

Sometimes not many, sometimes countless.

Expand  

I concur, it's really an afterthought for Apple, they've all but completely given up on enterprise integration.

 

Enforcing password policy would work though, that functions as expected on macOS, but you wont get any GPO benefits because it doesn't handle those, period.

 

If you want to properly manage Macs in your environment you'd be looking at some type of third party service, like JAMF and to some degree KACE can do some, there is also free software such as Munki that can do software/patch deployment, you could use it to push scripts to manage settings as well.

 

Hopefully that helps you in your quest.

  • Like 3

As @JaredFrost said, if you've got the resources then go for something like JAMF. It resolves a vast number of the issues that can appear when integrating Apple devices.

 

If you haven't and you're really looking for GPO like behaviour, then you're going to need to use Profile Manager (which quite honestly doesn't work half the damn time). To use that, you're going to need macOS Server running on a device that is the same version as the devices you are managing. Sometimes you can get away with being a version either side, but that just causes more issues. Unfortunately, they make macOS Server more and more useless with each update. This is where you enter the world of the "Golden Triangle".

 

I'll be honest, it's become so problematic and unstable these days that I'm currently planning the move away from macOS Server to Munki for the software and patching + Ansible/Chef for configuration management/quick setups and just having them bound to AD for the authentication.

 

It's a deep dark rabbit hole if you don't have the time and money to throw at it.

  • 2 weeks later...

If your only goal is to centrally set and control password policies for your Mac infrastructure I think you would be better served by an MDM solution. As others have mentioned good MDM products include JAMF, VMware AirWatch and Microsoft InTune. As it sounds like you already have the Microsoft stack deployed perhaps InTune would be a good fit.

 

One of the major drawbacks with Mac's in an active directory domain is the keychain. I've found that quite often users are prompted to change their password when using separate Microsoft apps such as OWA (Outlook Web Access) or RDS. When the password is reset outside of MacOS the keychain password is not updated. This seems to cause almost endless password prompts and authentication issues.

 

I'd roll out a good MDM and leave the Mac's with local logins.

This topic is now closed to further replies.
  • Posts

    • Is there a 'recovery' settings option in Settings? The one where we can rollback to a previous restore point. I find it very useful if there is some issue and I have to rollback to the last stable point.
    • Google brings Gemini to all Workspace for Education subscribers by David Uzondu Google has announced that its Gemini app is now accessible to all Google Workspace for Education users, regardless of age. This brings the company's generative AI directly into the suite of tools used by millions of students and teachers. The Workspace for Education platform, if you did not know, already provides a massive suite of tools like Classroom, Docs, and Drive, which are designed to work together in a school setting. Naturally, the first question on any administrator's mind is what the company plans to do with student data. Google states that Gemini usage for these accounts falls under the Workspace for Education Terms of Service. This agreement includes "enterprise-grade data protections" and a promise that user data is not reviewed by anyone or used to train the company's AI models. It also maintains compliance with regulations like FERPA and COPPA, which are fundamental requirements for any technology operating in United States schools. The experience is not one-size-fits-all, particularly for younger students. Users under the age of 18 will get a more restricted version of the app, with stricter content filters to prevent inappropriate responses and a dedicated onboarding process to teach AI literacy. To reduce the likelihood of hallucinations, the first time a younger user asks a fact-based question, a double-check feature that validates the answer using Google Search runs automatically. For educators and older students, the AI can be used to brainstorm ideas, create lesson plans, and get feedback on work. The entire service is powered by what Google calls LearnLM, a family of its AI models supposedly fine-tuned for educational purposes. Access is not mandatory, as administrators can still control which users or groups can use the Gemini app through their admin console. This rollout applies to institutions using the free Education Fundamentals, the security-focused Standard, and the feature-rich Plus editions, making it widely available immediately.
    • Is it a bird? Is it a plane? No! It's a f-ing bomb!! This is why real rocket scientists don't base their designs on 1930's Flash Gordon comics...  
  • Recent Achievements

    • Contributor
      GravityDead went up a rank
      Contributor
    • Week One Done
      BlakeBringer earned a badge
      Week One Done
    • Week One Done
      Helen Shafer earned a badge
      Week One Done
    • First Post
      emptyother earned a badge
      First Post
    • Week One Done
      Crunchy6 earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      661
    2. 2
      ATLien_0
      269
    3. 3
      Michael Scrip
      236
    4. 4
      Steven P.
      164
    5. 5
      +FloatingFatMan
      151
  • Tell a friend

    Love Neowin? Tell a friend!