Macs and Active Directory

Seems like some people at work are going to be getting Mac Books for travel and to replace their Windows workstations.

I understand from a quick google it is possible to get the Macs to play nice with AD. I assume things like roaming profiles etc will all be possible to sync between OSX and AD. As well as adding them to the domain?


As one of the functions of the Mac Book will be for out of office use, I am thinking I would create a local account on the Mac which the user uses when they are out of the office. They can use it like a regular machine that way and save documents to their desktop. When they are back in the office they can then login to their domain profiles to get their regular profiles and access to the domain shares etc...

We don't currently have any sort of VPN or remote desktop setup at work.

Any other better solution?

My limited experience is that you can get Macs to access Windows file shares in a borderline acceptable manner, and you can domain join the machines for privileges and get a Windows home drive, but Macs are a giant PITA compared to Windows PC's in terms of management.

If someone wants a Mac I'd set it up standalone with user files synced to a cloud solution.

Don't bother binding Macs to a domain, it's a waste of time. As is having roaming profiles in a 1:1 deployment.

Purchase the laptops through an Apple reseller that can support DEP and pair that up with Jamf's excellent Casper suite for remote management. You're going to want to sort out file access sooner or later so now seems like a good time to look into Google Drive/OneDrive/Dropbox for Business/whatever, especially if you don't have any VPN that can act as a band-aid in the interim.

This little article makes it sound possible.

At least adding the Mac to the domain and getting access to the My Documents folders hosted on the DC.

In my previous company we had this sorted but that was a 100% Linux environment using Samba and LDAP.

It's possible but there's no benefit in doing it with a laptop since then you get to mess around with mobile accounts.

The 2016 way of managing Macs is to use MDM and DEP, don't fight it.

https://help.apple.com/deployment/osx/#/iorce42113ea

Caged said:

The 2016 way of managing Macs is to use MDM and DEP, don't fight it.

Click to expand...

Would that just be laptops or would MDM desktop/static Mac's?

It certainly is the new 'thing' but i can't say i've ever thought about it for desktop systems, rather i've always rolled out AD/LDAP.

Same for everything. Calling it MDM does make you think of relatively inflexible stuff like you'd use to manage phones - some of the Apple-specific stuff is closer to SCCM. Look at some of the presentations on https://www.youtube.com/user/JAMFMedia and head over to https://macadmins.herokuapp.com/

When you set it all up properly you can get to a point where a new Mac can be unboxed, powered up, enrolls in your management platform automatically, admin and user accounts are deployed and then a custom internal 'App Store' for letting users pick printers to connect to, Adobe software to install etc. is offered to them at first login. It's amazing how much better it is than Windows if you've not looked at it for a few years.

I'd still keep AD as a primary source of user authentication, to provide DNS, DHCP etc. but you can hook Casper into LDAP so you can keep the central management of users.

Is this the same boss who wont spend money to help you automate software installs

Why can the people not use windows laptops? From a money perspective it's a no brainer. Much cheaper laptops and much cheaper to support.

MACs can work but you will need to spend significant time looking after them!

Centrify is your friend.

If they are looking at getting mac books, for the cost I would suggest Surface Pro 4's portable, good screen, have docks for office use, windows based, cost is on par with mac books.

Probably a more costly solution, but we use Citrix desktops as both a BYOD and remote access solutions. DR too.

Have only one Macbook user, but if they want to use the domain they logon to a Citrix desktop and voila, they have a PC.