Active Directory

Whether or not to bind to Active Directory is the debate today. A couple of years ago, the general recommendation was to bind computers to Active Directory. With the change from desktop and shared computers to 1-to-1 laptop deployments, the picture has dramatically changed.

After the Kerbminder and ADPassMon scripts, we now have two alternatives:

  • Apple Enterprise Connect
  • Orchard & Grove - NoMAD

Arguments for binding or not binding to Active Directory

| Topic | Binding | Not binding |
| --- | --- | --- |
| 802.1x Wi-Fi (WPA2 Enterprise EAP-TLS) | Can use the machine certificate generated by AD | We can also use a profile that deploys the root certificates and requests a machine certificate through SCEP. NoMAD can request an 802.1x certificate |
| Kerberos tickets | AD automatically provides Kerberos tickets, but only at login and when unlocking from the screensaver. On mobile computers, users don't log out as often and are mostly on Wi-Fi, which doesn't have time to connect before the screensaver is unlocked. As a result, Kerberos tickets are rarely renewed | Enterprise Connect or NoMAD handles the renewal of Kerberos tickets |
| AD users can log in to any bound Mac; shared use of Macs (e.g. lab computers) | As user identification and authentication reside on the server, users can log in on any bound Mac. This is especially interesting for shared environments such as labs | On mobile devices this is getting harder, as Portable Home Directories (syncing the user home from a file share) are no longer supported. The only possibility is to use network home directories, which are impractical in a mobile environment |
| User identification and computer usage traceability | Binding to AD ensures that each username and uid is used only once across the bound Mac computers | An MDM can better trace computer usage |
| Users can be admins via the directory plugin | A group of users can be specified as local admins | An MDM can create a "management account" and take care of renewing its password |
| Password policies | Password policies are handled in the AD account | A password policy can be deployed |
| User password expiry | Password expiry is handled in the AD account | A password policy can be deployed |
| Ease of setup | The computer needs to have access to AD during setup | No particular setup is needed. For authenticated DEP, the computer needs access to the MDM |
| Account lock | The local account is locked at the next login or unlock from the screensaver | A better way to lock the user out is to issue the MDM lock or wipe command |
| Keychain | The keychain password is not synchronized with Active Directory. When the password change is not done on the Mac, the user will be prompted to enter their old and new password | Local and remote passwords are not synced. Enterprise Connect or NoMAD will sync the local password when it detects a change, and the change will be replicated to the keychain |
| FileVault password | FileVault and remote passwords are not synced. When the AD password is reset, FileVault keeps the previous password, meaning we also need to reset FileVault using the recovery key | FileVault and remote passwords are not synced. Enterprise Connect or NoMAD will sync the local password when it detects a change, and the change will be replicated to FileVault |
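The Kerberos row above describes tickets that are issued at login but rarely renewed on laptops. The script below is an added example (not code from the page, NoMAD or Enterprise Connect) that an admin could run from a login script or MDM extension attribute to flag that condition: it parses the output of `klist` (the Heimdal layout assumed for macOS; `SAMPLE_KLIST` is a constructed imitation of it) and reports whether the TGT is missing, expired or about to expire.

```python
# Added example: audit the Kerberos TGT on a Mac. Assumes the Heimdal `klist`
# output layout used by macOS; SAMPLE_KLIST is a constructed imitation of it.
import re
import subprocess
from datetime import datetime, timedelta

SAMPLE_KLIST = """\
Credentials cache: API:9F2A1C0E-0000-4000-8000-000000000001
        Principal: jdoe@CORP.EXAMPLE

  Issued                Expires               Principal
Mar 14 08:02:11 2017  Mar 14 18:02:11 2017  krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
"""

TIMESTAMP = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
TGT_LINE = re.compile(
    rf"^(?P<issued>{TIMESTAMP})\s+(?P<expires>{TIMESTAMP})\s+krbtgt/\S+", re.MULTILINE
)

def _parse_stamp(text):
    # klist pads single-digit days with two spaces ("Jan  5"); normalise first.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")

def parse_tgt(klist_output):
    """Return (principal, issued, expires) for the krbtgt entry, or None if absent."""
    principal = re.search(r"^\s*Principal:\s*(\S+)", klist_output, re.MULTILINE)
    tgt = TGT_LINE.search(klist_output)
    if not (principal and tgt):
        return None
    return principal.group(1), _parse_stamp(tgt["issued"]), _parse_stamp(tgt["expires"])

def ticket_state(klist_output, now_iso=None, warn_hours=2):
    """Classify the TGT as 'none', 'expired', 'expiring' (< warn_hours left) or 'ok'."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "none"
    remaining = tgt[2] - now
    if remaining <= timedelta(0):
        return "expired"
    return "expiring" if remaining < timedelta(hours=warn_hours) else "ok"

if __name__ == "__main__":
    # With no credential cache, klist exits non-zero and leaves stdout empty.
    result = subprocess.run(["klist"], capture_output=True, text=True)
    state = ticket_state(result.stdout)
    print(f"kerberos_tgt={state}")
    raise SystemExit(0 if state == "ok" else 1)
```

A non-zero exit from the script is the signal that the Mac has been running without a usable ticket, which is exactly the gap NoMAD or Enterprise Connect is meant to close by renewing on its own schedule.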

Choosing between NoMAD and Apple Enterprise Connect

Versions used:

  • Enterprise Connect 1.8.0
  • NoMAD 1.0.5
  • macOS 10.12

| | Enterprise Connect | NoMAD | Active Directory binding |
| --- | --- | --- | --- |
| Vendor | Apple | Orchard & Grove Inc. | Apple |
| Open source | x | x | |
| Support | Supported by Apple PS as included in the engagement and/or AppleCare OS Support | Support plans available | Supported by AppleCare OS Support |
| OS requirement | 10.10+ | 10.10+ | 10.3+ |
| Single sign-on | Automatically | Automatically | Only at login and screensaver |
| Password expiration | via Notification Center | via Notification Center | Only at login |
| Password change | via menu item | via menu item | via System Preferences or login window |
| Fine-grained password policy support | ~ (doesn't honor password expiration time) | x | |
| Quick links to getting support and software | x | x | |
| Support for changing passwords not using AD, e.g. a web-based password portal | x | | |
| Password synchronization | Only when user is logged in | Only when user is logged in | Automatic |
| Home network share automount | x | | |
| Network share automount | x | | |
| Change keychain items on AD password change | x | x | |
| AD binding required? | x | x | |
| macOS native? | Uses Apple frameworks | Uses Apple frameworks | macOS native |
| Script on password change | x | | |
| Script on connection completed | x | | |
| Audit script | x | x | |
| Distribution | single .pkg | single .pkg | macOS native |
| Configuration | via a Configuration Profile (and .plist) | via a Configuration Profile (and .plist) | multiple ways |
| X509 identity from CA | Script provided to request it | via an AD Certificate profile payload | Mature |
| Language support | All macOS languages | English, French, German, Spanish and others | All macOS languages |
| Maturity | Mature | 1.1.0 | x |
| Installation | Two-day on-site professional services engagement | None | None |
| Price | $5,500 (one-time fee) | Free, support plans available ($399 to $2,500 per year) | Free |
| Availability | Contact your local Apple Sales Rep | http://nomad.menu | macOS native |