Authentication and Identity Integration options for macOS
Managing user identity on macOS can be carried out in a number of ways, with some workflows taking on a modern approach and others following more established methods. Here, we look at the pros and cons of some of these options and provide resources for Mac admins to help them get started.
Local accounts
Local accounts are the default means of accessing macOS, and the vast majority of users access macOS this way.
During Setup Assistant you are asked to create an account by providing a name and password, which are then used for all subsequent logins. By default this first account is an administrator account, so on a managed Mac it is worth pairing it with a standard account for day-to-day use.
Pros
- Simple to set up, as it is the default
- Little can go wrong with a local account
Cons
- No central management of user accounts
- Without an MDM there is no central control over password complexity; a policy can be set on each Mac with the pwpolicy command, but it then has to be applied and maintained by hand
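The pwpolicy route mentioned above, as an added example that is not part of the dataJAR page: the script builds an Apple account-policy plist (the `policyCategoryPasswordContent` / `policyAttributePassword` format and the `pwpolicy -setaccountpolicies` subcommand are Apple's), applies it machine-wide where pwpolicy exists, and includes a local pre-check so a candidate password can be tested against the same rule before the policy is pushed. The specific rule (12 characters, one digit, one uppercase letter) and the policy identifier are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example (not from the dataJAR page): set a local password-content
# policy on a Mac that has no MDM, using Apple's pwpolicy account policies.
# The plist layout and `pwpolicy -setaccountpolicies` are Apple's; the
# rule itself (min length, one digit, one uppercase) is an assumption.

# Emit an account-policy plist on stdout so it can be reviewed or saved.
password_policy_plist() {
  local min_len="${1:-12}"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '^(?=.*[0-9])(?=.*[A-Z]).{${min_len},}\$'</string>
      <key>policyIdentifier</key>
      <string>com.example.passwordcontent.minlen${min_len}</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Apply the policy globally (must run as root). Returns 2 when pwpolicy is
# not on the host (e.g. a non-macOS machine) so the script can be dry-run.
apply_password_policy() {
  local min_len="${1:-12}" tmp rc
  command -v pwpolicy >/dev/null 2>&1 || return 2
  tmp="$(mktemp /tmp/pwpolicy.XXXXXX)"
  password_policy_plist "$min_len" > "$tmp"
  pwpolicy -setaccountpolicies "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Check a candidate password against the same rule without touching the
# system. BSD grep on macOS has no -P, so the regex look-aheads are checked
# piecewise rather than with a single PCRE pattern.
password_meets_policy() {
  local pw="$1" min_len="${2:-12}"
  [ "${#pw}" -ge "$min_len" ] || return 1
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' || return 1
  return 0
}
```

Run `password_policy_plist 12` to inspect the policy, `password_meets_policy 'Candidate1Pass' 12` to preview it, and `sudo bash -c '. ./pwpolicy.sh; apply_password_policy 12'` on the Mac to apply it; `pwpolicy -getaccountpolicies` shows what is currently in force. Because this lives on one machine at a time, it is exactly the per-Mac maintenance burden that an MDM password-policy payload removes.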
There are plenty of online resources that can help Mac admins understand the structure and management capabilities for local accounts. The following articles from Jamf on MDM-enabled local user accounts and from Apple on setting up users, guests and groups on Mac and setting up a local administrator account with MDM are a good place to start.
Binding macOS to Active Directory
An option that has fallen out of favour, but is still used relatively often in education, is binding macOS to an on-premise Active Directory domain.
Once bound, any user can authenticate to that Mac with their Active Directory credentials.
In education this is still a popular workflow for managing access to lab computers. It allows any student to log in to a Mac with their directory credentials, so there is no need to create or maintain local accounts.
There are also some workflows for device-based certificates (for example, issuing machine certificates from a Windows certificate authority) that require the Mac to be bound to Active Directory.
Pros
- User accounts are centrally stored and managed in Active Directory
- If set up for network accounts, any Active Directory user can log in to a bound Mac
- Can be configured to mount the user's network home folder
- Single sign-on to other services is supported using Kerberos
Cons
- The Mac must be able to reach a domain controller to authenticate network accounts, so it cannot be used outside the local network (or a VPN) and is therefore not suited to MacBooks. Mobile accounts cache credentials for offline login, but password changes and Kerberos ticket renewal still need the domain
- Many macOS applications do not handle saving directly to network shares well, so mounting a user's network home may cause problems with certain applications
- The Active Directory plug-in for macOS has not been fully updated by Apple for many years and typically has issues when a new version of macOS ships
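A quick way to verify the points in the two lists above on a bound Mac, as an added example that is not part of the dataJAR page: the script parses the output of Apple's `dsconfigad -show` to confirm the bind and whether mobile accounts are enabled, resolves the domain's `_ldap._tcp.dc._msdcs` SRV record to show whether a domain controller is reachable (the "must be on the local network" constraint), and checks `klist` for a Kerberos TGT, which is what the single sign-on pro depends on. The parsing functions take the command output on stdin so they can be exercised offline; the sample domain and principal used in the usage note are constructed, and the output formats are Apple's.

```shell
#!/bin/bash
# Added example (not from the dataJAR page): health check for a Mac bound
# to Active Directory. Parses `dsconfigad -show` and `klist` output (Apple's
# formats) and resolves the DC SRV record. Domain names are assumptions.

# Print the bound domain from `dsconfigad -show` output on stdin.
# Prints nothing and exits 1 when no "Active Directory Domain" line exists,
# i.e. the Mac is not bound.
bound_domain() {
  awk -F' = ' '/^Active Directory Domain/ {
      sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; found = 1
    } END { exit !found }'
}

# Succeed when "Create mobile account at login" is Enabled in the stdin
# output. Mobile accounts cache credentials so the user can log in off-network.
mobile_accounts_enabled() {
  grep -q 'Create mobile account at login *= *Enabled'
}

# Succeed when klist output on stdin holds a ticket-granting ticket for REALM.
has_tgt() {
  local realm="$1"
  grep -q "krbtgt/${realm}@${realm}"
}

# Succeed when a domain-controller SRV record resolves for DOMAIN. Network
# account logins cannot be authenticated without a reachable DC.
dc_reachable() {
  local domain="$1"
  [ -n "$(dig +short "_ldap._tcp.dc._msdcs.${domain}" SRV 2>/dev/null)" ]
}

# Live check, for use on a real Mac. Returns 2 when the Apple tools are absent.
ad_health_check() {
  command -v dsconfigad >/dev/null 2>&1 || { echo "dsconfigad not found; not macOS?"; return 2; }
  local show domain realm
  show="$(dsconfigad -show)"
  domain="$(printf '%s\n' "$show" | bound_domain)" || { echo "Not bound to Active Directory"; return 1; }
  realm="$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
  echo "Bound to: $domain"
  if printf '%s\n' "$show" | mobile_accounts_enabled; then
    echo "Mobile accounts: enabled (offline login possible)"
  else
    echo "Mobile accounts: disabled (no offline login)"
  fi
  if dc_reachable "$domain"; then
    echo "DC SRV record: resolvable"
  else
    echo "DC SRV record: NOT resolvable (network logins will fail)"
  fi
  if klist 2>/dev/null | has_tgt "$realm"; then
    echo "Kerberos TGT: present (SSO ready)"
  else
    echo "Kerberos TGT: missing (run kinit or log in again)"
  fi
  return 0
}

# Only run the live check where dsconfigad exists, so the file can be sourced
# for its functions on any host.
if command -v dsconfigad >/dev/null 2>&1; then ad_health_check; fi
```

The parsers are deliberately separated from the live calls: `printf '%s\n' "$(dsconfigad -show)" | bound_domain` and `klist | has_tgt EXAMPLE.COM` can be dropped into a Jamf extension attribute or a login script unchanged, while `ad_health_check` gives a technician a one-shot readout when a lab Mac stops accepting directory logins.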
NoMAD
NoMAD is free software that gives you most of the functionality of an Active Directory bind without binding the Mac.
It is designed so that the Mac still uses local accounts, which makes it ideal for MacBooks assigned 1:1 to users, while still letting the user authenticate to an on-premise Active Directory domain and obtain Kerberos tickets.
Pros
- Synchronises your Active Directory password with your local account password
- Supports single sign-on with Kerberos
- Optionally mounts your network home folder
- Optionally mounts other network shares
- Can run custom scripts on certain triggers, such as a user logging in or the network changing
- The user can change their Active Directory password via NoMAD
- In some situations it can obtain certificates from a Windows web certificate authority; it is also common to keep the Mac bound to Active Directory purely so it can obtain the certificate, and to use NoMAD for everything else listed above
Cons
- As with binding, the Mac needs to be on the same network as the on-premise domain controllers
- NoMAD only functions once a user has logged in to the Mac with their local account
- Even though NoMAD can keep the local account password in sync with the Active Directory password, it still needs the user to enter both passwords to complete the sync
- Cannot provision local accounts
NoMAD was purchased by Jamf a few years ago and was kept on as a free product for access to on-premise Active Directory domain controllers. A new product called Jamf Connect was subsequently created.
Jamf Connect
Jamf Connect offers similar functionality to NoMAD; however, it does not work with on-premise Active Directory domains. Instead it is designed to work with cloud-based identity providers, including:
- Microsoft Azure AD
- Google Identity
- IBM Security Verify
Pros
- Replaces the standard macOS login window with Jamf Connect, allowing you to authenticate to macOS with your cloud credentials at the login window
- Supports multi-factor authentication
- Can be used to provision the local user account with the same details as the cloud credentials
- Can be set to silently enable FileVault without any user interaction
- Supports the other features offered by NoMAD
Cons
- Jamf Connect is not a free product; a yearly subscription is required
- Depending on the cloud identity provider, the user may be prompted more than once for their password to gain access to macOS, because Jamf Connect authenticates to the identity provider first and then verifies the password separately in order to keep the local account password in sync
If you are interested in getting started with Jamf Connect, you can view the product documentation as well as the admin guides on the Jamf website. You can also leverage dataJAR’s identity services integration, where our team of experts can help you trial and integrate Jamf Connect with your IDP and Mac estate.
Whichever method you employ to provide access for your users, identity management is a critical service. As the mechanism used for authentication and authorisation, identity management is also a crucial security component for any organisation and constitutes a key part of the technology strategy.
dataJAR helps organisations succeed in their adoption and management of Apple devices by providing a range of services, integrations and workflows that leverage the latest identity management practices and technologies. These range from connecting Jamf Pro to your SSO solution to integrating tools such as Jamf Connect, Okta or Azure AD multi-factor authentication into your workflow.
Get in touch with us to find out how dataJAR can simplify the management of your Apple estate.