I would really like to explore and discuss the various and creative ways in which folks are authenticating OS X devices and/or user accounts WITHOUT Active Directory binding. I’d like to completely overhaul my own thinking and approach when it comes to user authentication in the modern and very mobile world, especially when I see the great things being done by various entities from the last few JNUCs.
At present we utilize and manage AD, RADIUS, GAM and a few test SSO services via a web portal and SIS system we've developed. Our user credentials work well with the services utilized across our campus and it’s super easy for our users to manage their own credentials from any device they can use to access the internet. Yet our users' computers simply have completely local accounts. In general these are created during the imaging process via a “CreateUserPkg”.pkg or through Casper Imaging itself. Our users are highly mobile and travel all over the world, so we've been pretty happy not having to deal with login/timeout type issues. (In the distant past we used OpenLDAP mobile accounts, so I am familiar with the process and the general gotchas.)
However, there's a lot being left on the table since our users' OS X devices have nothing tying whatever computer they have to any type of service. I suppose I might be able to utilize the 802.1x wireless certificate they have, but I might be stretching a bit on that one. Heck, even my JSS has no idea what user is on which computer unless I tell it. It's the same for any service, of course.
So now it’s brainstorm time. What are you doing, trying or thinking of trying?
