Topic | Binding | Not Binding |
---|---|---|
802.1x | Wi-Fi (WPA2 Enterprise EAP-TLS) can use the machine certificate generated by AD | We can also use a profile that deploys the root certificates and requests a machine certificate through SCEP |
Kerberos tickets | AD automatically provides Kerberos tickets, but only at login and when unlocking from the screensaver. On mobile computers, users don't log out as often and are mostly on Wi-Fi, which doesn't have time to connect before the screensaver is unlocked. As a result, Kerberos tickets are rarely renewed. | Enterprise Connect handles the renewal of Kerberos tickets |
AD users can log in to any bound Mac & shared use of Macs (e.g. lab computers) | As user identification and authentication reside on the server, users can log in on any bound Mac. This is especially interesting for shared environments such as labs | On mobile devices this is getting harder, as Portable Home Directories (syncing the user home from a file share) are no longer supported. The only possibility is to use network home directories, which are impractical in a mobile environment |
User identification and computer usage traceability | Binding to AD ensures that each username and uid is used only once across the bound Macs | MDM can better trace computer usage |
Users can be admins via the directory plugin | A group of users can be specified as local admins | An MDM can create a "management account" and take care of renewing its password |
Password policies | Password policies are handled in the AD account | A password policy can be deployed |
User password expiry | Password expiry is handled in the AD account | A password policy can be deployed |
Ease of setup | Computer needs to have access to AD during setup. For authenticated DEP, the computer needs access to the MDM | No particular setup is needed |
Account lock | Local account is locked at next login or unlock from the screensaver | A better way to lock the user out is to issue the wipe or lock MDM command |
Keychain | The keychain password is not synchronized with Active Directory. When the password change is not done on the Mac, the user will be prompted to enter their old and new password | Local and remote passwords are not synced. Enterprise Connect will sync the local password when it detects a change; the change will be replicated to the Keychain |
FileVault password | FileVault and remote passwords are not synced. When the AD password is reset, FileVault will keep the previous password, meaning we also need to reset FileVault using the recovery key | FileVault and remote passwords are not synced. Enterprise Connect will sync the local password when it detects a change; the change will be replicated to FileVault |
Bugs | | |
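The Kerberos row above notes that a bound Mac only gets a fresh TGT at login or screen unlock, so on mobile machines the ticket quietly expires and nothing renews it. The following is an added example, not code from the gist or from Enterprise Connect, of a check an admin can run to detect that state: it parses Heimdal-style `klist` output (the format macOS prints) and reports whether the TGT is missing, already expired, or within an hour of expiry. The `klist` column layout and its date format are assumptions, and the sample output embedded in the script is constructed, not captured from a real host.

```python
"""Check whether the macOS Kerberos TGT is missing, expired or about to expire.

Added example (not from the gist). Assumes Heimdal-style `klist` output with
columns Issued / Expires / Principal and dates like "Dec  2 13:17:42 2016";
an expired ticket shows ">>>Expired<<<" in the Expires column.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of klist output; principals and times are made up.
SAMPLE_KLIST = """\
Credentials cache: API:501:2
        Principal: jdoe@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Dec  2 13:17:42 2016  Dec  2 23:17:42 2016  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
Dec  2 13:18:03 2016  Dec  2 23:17:42 2016  cifs/fileserver.corp.example.com@CORP.EXAMPLE.COM
"""

DATE_FMT = "%b %d %H:%M:%S %Y"
# One ticket line: issued date, expiry date (or the literal >>>Expired<<<), principal.
TICKET_RE = re.compile(
    r"^(?P<issued>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<expires>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4}|>>>Expired<<<)\s+"
    r"(?P<principal>\S+)\s*$"
)


def parse_date(text):
    # Collapse the padded day ("Dec  2") so strptime accepts it.
    return datetime.strptime(" ".join(text.split()), DATE_FMT)


def tgt_expiry(klist_output):
    """Return the TGT expiry as a datetime, None when no TGT is present,
    or datetime.min when klist already reports the TGT as expired."""
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line)
        if not m or not m.group("principal").startswith("krbtgt/"):
            continue
        if m.group("expires") == ">>>Expired<<<":
            return datetime.min
        return parse_date(m.group("expires"))
    return None


def needs_renewal(klist_output, now, margin=timedelta(hours=1)):
    """True when there is no usable TGT or it expires within `margin` of `now`."""
    expiry = tgt_expiry(klist_output)
    if expiry is None:
        return True
    return expiry - now <= margin


def main():
    # On a Mac, read the live credential cache; fall back to the sample elsewhere.
    try:
        out = subprocess.run(["klist"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_KLIST
    if needs_renewal(out, datetime.now()):
        print("TGT missing, expired or expiring soon: renewal needed")
    else:
        print("TGT still valid")


if __name__ == "__main__":
    main()
```

Run it from a LaunchAgent or a monitoring script to surface Macs whose tickets have lapsed; `klist` prints local time, so the comparison uses `datetime.now()` rather than UTC.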
Created December 2, 2016 13:17