Jamf Connect: replacement for AD binding

What is macOS Active Directory binding?

Before we discuss Jamf Connect, first let’s understand the complexity behind legacy macOS Active Directory binding. macOS AD binding is the expression connected by binding a macOS device to the Active Directory domain.

How the Active Directory binding process works

1. macOS executes a request for Lightweight Directory Access Protocol (LDAP), Kerberos, and Kpasswd DNS service records in the domain. If macOS is not using the DNS server that is integrated with Active Directory, then it will stop to execute.
2. macOS binds anonymously with LDAP and gathers basic Active Directory domain information.
3. Directory Service’s AD connector creates a preliminary Kerberos configuration, which may be replaced during this process.
4. macOS uses the Kerberos configuration, authenticates, and then requests the nearest domain controller.
5. The domain controller returns a list of the nearest domain controllers, based on the IP subnet of the macOS device.
6. macOS confirms that it can connect to the LDAP and Kerberos services of the domain controller list from the above step, and Directory Service and kerberosautoconfig create a final Kerberos configuration in /Library/Preferences/edu.mit.Kerberos and /var/db/dslocal/nodes/Default/config/Kerberos:REALM.plist.
7. macOS joins to what it was told was the nearest domain controller.
8. macOS searches the domain for an existing computer record, and it creates a new computer record to use if it cannot find one.
9. macOS updates its machine password and domain SID and then it updates the DNS record in Active Directory.

The high-level overview process of macOS AD binding

• The complete process begins with Apple macOS asking to join the Active Directory (AD) domain.
• After the joining request is acknowledged, the Active Directory server validates the user credentials (which is necessary in order to join the Active Directory database).
• After the credentials have been effectively confirmed, the Active Directory server/ Domain controller receives the macOS device to connect with the Active Directory database.
• After the completion of this process, Active Directory users are ready to log into macOS using the respective AD credentials, along with their data saved inside the Active Directory database.

Challenges/pain areas of macOS Active Directory binding

• When using Directory Utility, users will input their Active Directory credentials to access the macOS devices. This means that users must rely on the same AD password policies. Likewise, Windows users.
• macOS needs a lasting connection to the AD domain. This means it can’t be used outside the local network, which indicates that it’s not useful for macOS.
• Straight bind will never provide the same GPO control that we have over Windows machines. The bind also comes with the risk of breaking, and users might encounter challenges in file sharing.
• While macOS AD bind users change their passwords in AD, they’re required to input their old password at the time of login. An admin team using this method might need to educate the users to keep their keychain in sync if they change their AD password. This doesn’t report the hurdles with FileVault2 control that can also be problematic with the add-on of Secure Token.
• Active Directory plug-in for macOS has not been fully rationalized by Apple a for few years, which presents issues when a new version of macOS is sent.

What is Jamf Connect?

Jamf Connect is an app that allows administrators to manage authentication by connecting a user's local macOS account to their organization's cloud identity (network account).

Jamf Connect includes two core components:

• Login window: An authorization plug-in that modifies the default macOS login process and login window UI.
• Menu bar app: An application that helps users manage their network and local passwords.

Jamf Connect is designed to work with these cloud-based IdP (Identity Providers):

• Microsoft Entra
• Google Identity
• OneLogin
• PingFederate
• Okta

While it's possible for IdP to work properly without Jamf Connect and Jamf Pro, the two combined make it a far smoother process.

How Jamf Connect works

The best way to understand Jamf Connect is by viewing the enrollment process.

1. After a user turns on a macOS device and connects to the internet for the first time, the computer checks in with Apple. If the serial number is part of Apple Business Manager and an enrolled device, Apple will redirect it to the linked MDM server.
2. As part of the initial MDM enrollment, we can push a package to the device, using the InstallEnterpriseApplication command. We can push Jamf Connect and use the AwaitConfiguration command to ensure that it gets fully installed while the device is in setup assistant mode. That means the device will tell the user to hold on while it sets everything up, and the user can’t mess it up.
3. Then, Jamf Connect will pop up before the standard native login window. Jamf Connect can ask the user to authenticate, using modern practices like multi-factor authentication, conditional access, and cloud identity providers.
4. Now that the user is authenticated and authorized, Jamf Connect will create the local user account in macOS. Successive logins will normally take place using the native login window, but there are a few other places where Jamf Connect comes up.

For a more detailed description of the process, please see our administrators guide to Jamf Connect Integration with Jamf Pro.

Advantages of Jamf Connect

• Provisions a second layer of authentication i.e., multi-factor authentication. Also supports additional features proposed by NoMAD.
• Substitutes the standard login window for macOS with Jamf Connect, permitting authentication to macOS with the respective cloud credentials at the login window.
• It can be set to silently enable FileVault without the need for user interaction.
• It can be used to provide the local user account with the identical details as that of cloud credentials.

How do Microsoft modifications impact macOS AD binding?

Problems with fixes to security issues

In late 2021, Microsoft recognized a security bypass vulnerability in AD Domain Services that basically permitted an attacker to mimic the Domain Controllers. They fixed the issue with a patch and a few handbook changes on every Domain Controller. Read more details on the AD binding issue from Microsoft.

However, the patch, when fully enforced, prohibited macOS computers from being able to bind to Active Directory. Therefore, macOS computers that were already bound often could no longer connect with AD. Because of this, organizations trusting Kerberos authentication AD for macOS fleets were left with data loss, lockouts and other challenges with the service.

Problems with addressing MacOS-specific issues

Microsoft issued a patch update along with some workarounds that was meant to be enforced on July 12, 2022, but has been delayed until October 11 to allow for testing. It still doesn't call our macOS specifically.

This is not the first time that binding macOS devices to Active Directory have been a problem. Releases have either broken binding entirely or upended schedules when Mac administrators have had to scramble for options when devices stop talking to AD.

The solution to these AD binding problems

Basically, the long-term solution is to exchange the Active Directory bind for a cloud identity. This is possible through a few vendors; Jamf Connect can facilitate IdP, and Jamf Pro can manage this en masse.

Microsoft will be presenting obligatory domain controller authentication in the future. Still, there is no assurance that the macOS fleets will be able to connect with AD, which means macOS users could have all the macOS AD binding issues as discussed above.

This means that Jamf Connect truly is the absolute replacement for macOS Active Directory Binding.