For companies using Microsoft Active Directory on-premises or via Azure (Microsoft Cloud), Apple has for years offered an excellent integration for joining the Mac to the Active Directory domain. The benefits are that network users can log in to the Mac without a local account having to be created for them, and that all Macs are visible in Active Directory. In short, you log in on your Mac with the same name and password that you use on the server or in your Microsoft Office 365 environment.
There are also drawbacks for companies that are increasingly moving toward a hybrid setup with Azure Active Directory. In this blog, we look at the Active Directory integrations and at how they help achieve the zero-touch deployment model while keeping the Mac secure.
Moving away from the Active Directory linkage
In many cases it is quite possible to use local accounts instead of network accounts. More and more people choose a MacBook Air or MacBook Pro instead of a desktop model, which eliminates the need for multiple users to log in to the same device. Yet we see that this still happens too rarely, and many devices are still shared.
Zero-touch Deployment
Delivering the MacBook to the user (home or business) and having them unpack it themselves is a unique experience. Thanks to Apple Business Manager and Apple's Automated Device Enrollment, all it takes is an Internet connection to automatically prepare the MacBook with apps and configurations without IT intervention.
To enable installation outside the corporate network, a local account is used that is created with the user's Azure Active Directory login credentials. Thanks in part to Mobile Device Management, the user can get started right away. In a subsequent blog we will go into the possibilities of such an MDM, namely JAMF (Jamf Now, Jamf Federation and Jamf Pro), referred to here simply as MDM.
Kerberos Single Sign-On Extension
But what if the user's password expires in Active Directory? For this, Apple has built an extension into macOS since version Catalina: the Kerberos Single Sign-On Extension. This easy-to-use tool provides the following functions:
- Active Directory account management: users can easily change the AD password and receive notifications when it is about to expire. The local account password is automatically updated.
- Kerberos support: the extension automatically retrieves a Kerberos ticket-granting ticket (TGT), which is then used for authentication to websites, apps and file servers, for example.
- Password policy: password requirements can be easily configured to comply with policies in Active Directory.
The extension appears as a key icon in the status bar and detects whether the Mac is connected to the corporate network (via VPN). The user is automatically prompted to log in once.
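The extension is configured through an MDM configuration profile. As an added example (not code from the original post or from Apple), the script below builds such a profile with the password sync, expiry notification and password policy settings described above, and audits a profile for the settings a defender would want to see; the realm and domain names are constructed placeholders.

```python
import plistlib
import uuid
# Constructed placeholder realm and DNS domains; substitute the real AD forest values.
REALM = "CORP.EXAMPLE.COM"
DOMAINS = ["corp.example.com", ".corp.example.com"]
# Audit baseline: password sync and expiry warnings as described above, plus TLS-only LDAP.
BASELINE = {"syncLocalPassword": True, "pwNotificationDays": 14, "requireTLSForLDAP": True}

def build_profile(realm, domains, **overrides):
    """Return .mobileconfig bytes; keyword overrides change ExtensionData keys."""
    extension_data = {
        **BASELINE,
        "useSiteAutoDiscovery": True,  # use the KDC of the client's AD site
        "pwReqLength": 12,             # mirror the AD password policy in the change dialog
        "pwReqComplexity": True,
        "pwReqHistory": 10,
    }
    extension_data.update(overrides)
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "com.example.kerberos-sso.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
        "TeamIdentifier": "apple",
        "Type": "Credential",  # credential-type extension: it holds the Kerberos TGT
        "Realm": realm,
        "Domains": domains,
        "ExtensionData": extension_data,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.kerberos-sso",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def audit_profile(mobileconfig):
    """Return a list of findings where the Kerberos payload departs from BASELINE ([] if clean)."""
    profile = plistlib.loads(mobileconfig)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("ExtensionIdentifier") == "com.apple.AppSSOKerberos.KerberosExtension"]
    if not payloads:
        return ["no Kerberos SSO extension payload in profile"]
    data = payloads[0].get("ExtensionData", {})
    return [f"{key} is {data.get(key)!r}, expected {want!r}"
            for key, want in BASELINE.items() if data.get(key) != want]
```

The output of build_profile can be written to a .mobileconfig file and deployed through the MDM; audit_profile is meant to be run over profiles exported from the MDM to catch a weakened setting.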
Azure AD Seamless Single Sign-On
In a hybrid environment with Active Directory and Azure Active Directory, Seamless Single Sign-On can be used. This means that the user is automatically logged in to all web applications linked via Azure AD. Thanks to the Kerberos ticket, the user's email address is read and the user is logged in automatically. This is especially useful when working with software such as Office 365: you are already logged in with the same account, and when you go to the Office 365 website you are logged in immediately. It is also increasingly possible to link applications and web applications with SSO (Single Sign-On).
Many of our customers do not know, or did not know, that this is also possible with the Mac, and that the Mac can certainly be a full-fledged workplace in a secure office environment. Of course we are happy to help you with this; for more information, please contact us.