@ftiff
Created December 2, 2016 13:17
| Topic | Binding | Not Binding |
|---|---|---|
| 802.1x Wi-Fi (WPA2 Enterprise EAP-TLS) | Can use the machine certificate generated by AD. | We can also use a profile that deploys the root certificates and requests a machine certificate through SCEP. |
| Kerberos tickets | AD automatically provides Kerberos tickets, but only at login and when unlocking from the screensaver. On mobile computers, users don't log out as often and are mostly on Wi-Fi, which doesn't have time to connect before the screensaver is unlocked. As a result, Kerberos tickets are rarely renewed. | Enterprise Connect handles the renewal of Kerberos tickets. |
| AD users can log in to any bound Mac & shared use of Macs (e.g. lab computers) | As user identification and authentication reside on the server, users can log in on any bound Mac. This is especially interesting for shared environments such as labs. | On mobile devices this is getting harder, as Portable Home Directories (syncing the user home from a file share) are no longer supported. The only possibility is to use network directories, which are impractical in a mobile environment. |
| User identification and computer usage traceability | Binding to AD ensures that each username and uid is used only once across the bound Mac computers. | MDM can better trace computer usage. |
| Users can be admins via the directory plugin | A group of users can be specified as local admins. | An MDM can create a "management account" and take care of renewing its password. |
| Password policies | Password policies are handled in the AD account. | A password policy can be deployed. |
| User password expiry | Password expiry is handled in the AD account. | A password policy can be deployed. |
| Ease of setup | The computer needs to have access to AD during setup. | No particular setup is needed. For authenticated DEP, the computer needs access to the MDM. |
| Account lock | The local account is locked at the next login or unlock from the screensaver. | A better way to lock the user is to issue the wipe or lock MDM command. |
| Keychain | The keychain password is not synchronized with Active Directory. When the password change is not done on the Mac, the user will be prompted to enter their old and new password. | Local and remote passwords are not synced. Enterprise Connect will sync the local password when it detects a change; the change will be replicated to the keychain. |
| FileVault password | FileVault and remote passwords are not synced. When the AD password is reset, FileVault keeps the previous password, meaning we also need to reset FileVault using the recovery key. | FileVault and remote passwords are not synced. Enterprise Connect will sync the local password when it detects a change; the change will be replicated to FileVault. |
Bugs