The keychain password is not synchronized with Active Directory. Local account is locked at next login or unlock from screensaverĪ better way to lock the user is to issue the wipe or lock MDM command No particular setup is needed For authenticated DEP, computer needs access to the MDM Password expiry is handled in the AD accountĬomputer needs to have access to AD during setup Password policies are handled in the AD account Users can be admins via the directory pluginĪ group of users can be specified as a local adminsĪ MDM can create a “management account” and take care of renewing the password User identification and computer usage traceabilityīinding to AD ensures that each username and uid is used only once across the bound Mac computers The only possibility is to use network directories which are impractical in a mobile environment
#MAC OS ACTIVE DIRECTORY LOGIN PORTABLE#
On mobile devices, this is getting harder as Portable Home Directories (syncing user home from file share) is no longer supported. This is especially interesting for shared environments such as Labs Lab computers)Īs user identification and authentication resides on server, users can log in on any bound Mac. As a result, kerberos tickets are rarely renewed.Įnterprise Connect or NoMAD handles the renewal of Kerberos ticketsĪD users can log in to any bound Mac & Shared use of Mac (eg.
On mobile computers, users don’t logout as often and are mostly on Wi-Fi which doesn’t have time to connect before unlocking the screensaver.
We can also use a profile that will deploy the root certificates and request a machine certificate through SCEP NoMAD can request a 802.1x certificateĪD automatically provides Kerberos tickets, but only at login and when unlocking from screensaver. Wi-Fi (WPA2 Enterprise EAP-TLS) can use the machine certificate generated by AD
0 kommentar(er)
