Apple Device Management and Security

Why now is the time to cut ties with Mac OS active directory binding

By Anthony McCarty
Senior Systems Engineer

At DARE we work with many organisations who have a blend of Windows and macOS devices within their fleet. In most cases we see, organisations who have a Microsoft infrastructure at their core naturally opt for binding their macOS devices to Active Directory to achieve central user account management for both estates.

At DARE we have always actively encouraged organisations who adopt this approach to explore a future without the AD bind whilst preserving the same functionality. Since some recent changes implemented by Microsoft, this has become a much more pressing requirement which we encourage any organisation still utilising macOS AD binding to address immediately. Read on to find out why.

What have Microsoft changed and what is affected?

In Autumn 2021, Microsoft identified a security bypass vulnerability in Active Directory Domain Services which would essentially allow an attacker to impersonate domain controllers.

Microsoft addressed the issue by releasing remediation instructions which included installing security updates and making some manual changes on all domain controllers.

It quickly became apparent that these remediation steps had directly prevented macOS computers from being able to bind to Active Directory and any macOS computers already bound could no longer communicate with AD. As a result, organisations relying on AD for their macOS estate were left with user lockouts, data loss and issues with services relying on Kerberos authentication.

If you have followed the steps outlined by Microsoft and your macOS devices are unable to communicate with AD, you can submit feedback to Apple outlining the issue and the impact on your organisation.

The fix: Swap the AD Bind for Cloud Identity

On October 11th 2022, Microsoft will be introducing enforced domain controller validation. After this point there is no guarantee that your macOS devices will be able to communicate with Active Directory and you may be left with your Mac users facing the issues outlined above.

So, what is the alternative to Active Directory binding for macOS? The answer is utilising cloud identity with Jamf’s cloud identity integration application for macOS, Jamf Connect.

With the increasing adoption of remote and hybrid working, organisations are looking to move away from on-premises services such as Active Directory, where functionality is limited, in favour of cloud-based services.

Jamf Connect

Jamf Connect lets you manage your user accounts through one centralised service whilst offering a whole host of additional benefits.

Jamf Connect ties into your cloud identity provider (IDP), whether that be Microsoft Azure, Okta or Google Workspace to name only a few, and provides an alternative macOS login window that authenticates directly against your IDP.

Whether the user is remote or in the office, they can authenticate on this login window securely with multifactor authentication if required, and Jamf Connect will provision a local macOS account with a password that matches the cloud account password. Additionally, the local and cloud passwords will be kept in sync going forward regardless of where the user is based and with no AD bind requirement.

This drastically reduces the number of forgotten-password tickets your helpdesk faces, whilst allowing users to authenticate on their Mac with their institutional password: the single password they are familiar with and use for all services.

You can also define centrally in your cloud identity provider which users should be local administrators and which should be standard users. When Jamf Connect creates the account, and on every subsequent login to the Mac, it ensures the user has the right privileges locally.

Kerberos Tickets

When your users are working in the office or connected to a company VPN, Jamf Connect can also connect to your on-premises Active Directory environment and obtain a Kerberos ticket, again without any need for the device to be bound to AD. That Kerberos ticket then seamlessly gives the user access to any shared onsite resources, such as network shares, printers, etc., that require Active Directory authentication.

Another huge benefit of Jamf Connect is its ability to facilitate a seamless zero-touch onboarding workflow when paired with a Mobile Device Management platform such as Jamf Pro. Onboarding Active Directory bound Macs is usually a very cumbersome experience for both the IT administrator and the end user, but with Jamf Connect the user can be automatically onboarded, have Jamf Connect provision their account, and have any software they require installed by the time they land on their desktop for the first time, all through a simple "next, next, finish" type of setup.

Where to start

If you’re among the many organisations looking to move away from macOS AD binding and ensure you aren’t affected by the enforced changes by Microsoft in October of this year, please feel free to get in touch with us here at DARE and take the first step towards a future without binding.

At DARE we can provide a full in-depth technical demonstration of Jamf Connect, as well as arranging a 14-day trial of the product.
