Bring Your Macs into Azure AD with Jamf Connect
With many organisations and businesses now retiring their expensive on-premise Active Directory hardware and moving to a cloud-first Azure environment, or seriously making plans to do so in the near future, the big question we’re often asked by both customers and prospects is, “Where does this leave our growing Mac fleet?” Given that Azure Active Directory has no compatibility with Macs, and that traditionally binding them to an on-premise AD can cause major headaches of its own, IT admins and business managers across the land are now facing major problems and sleepless nights. Throw in the global challenges facing IT in 2020-21, along with the permanent rise of #WorkingFromHome, and the pressure only grows.
Thankfully, there is a neat solution to both of these significant challenges in the form of Jamf Connect - a piece of software that fully integrates your Macs with your Azure AD tenant, all without any binding. Rather than simply offering a bullet-point list of its features, we’d like to take you through how it effectively solves four real-world key problems facing organisations today:
Problem 1: Azure Active Directory + Macs
As we’ve covered, Microsoft’s Azure Active Directory by itself currently has zero support for Macs which, given their well-documented rise in both the Enterprise and Educational sectors, presents IT admins with a quite serious and immediate problem. After all, it’s the very backbone of many organisations’ digital infrastructure and security policies!
Fortunately, Jamf Connect fully supports Azure AD and allows users to simply sign in to their Mac using their existing Microsoft credentials. It even provides ongoing password sync, so if their Microsoft account password changes then it’ll immediately reflect that on their Mac, too! Having just one set of credentials to remember for both your Microsoft account and your local Mac account massively streamlines things for both IT admins and end-users, as well as decreasing user downtime from a forgotten computer password.
Problem 2: Security
With MacBook Airs and Pros being some of the most popular (and portable) laptops ever made, endpoint security has become a headline necessity over the past few years. Many IT admins need to ensure that FileVault data encryption is active immediately after setup, and multi-factor authentication (MFA) offers additional protection but isn’t available within macOS for local accounts.
Jamf Connect saves the day once again, as not only can FileVault be automatically enabled for network users but MFA can also be required for local account login (if this is set in your Azure AD). Furthermore, any password policies you’ve set within Azure AD are forcibly honoured for the local Mac account via Jamf Connect, so you can be assured that your devices are secured with IT-compliant passwords and MFA. This is, of course, in addition to the leading hardware encryption supported by T2-enabled Macs. Your IT admins won’t have had such a good night’s sleep in years!
Finally, you can even configure Jamf Connect to automatically create either Administrator or Standard local Mac accounts based on that account’s Role within your Azure AD tenant. This means that end-users cannot do things like install rogue software, set up new printers or otherwise change things that may compromise their work or your security. Another handy use-case is the ability to quickly create spontaneous Admin-level local accounts if IT ever do need to take control of a user’s Mac to fix a problem remotely, and then remove them afterwards, eliminating the chance of those credentials ever falling into the wrong hands. No organisation wants a skeleton key approach to their Admin accounts and, with Jamf Connect, avoiding that possibility is easier than ever.
Problem 3: Mobile Users + AD Bind
The past 12 months have seen sweeping workflow changes and a huge rise in working from home (did you know that #WFH was one of Twitter’s top trends of 2020?). IT admins have therefore had to thoroughly embrace zero-touch deployment methodologies, where factory-sealed Macs are shipped directly to the user and remote MDM configuration sets them up automatically. Without a complex VPN setup, binding to an on-premise AD in this scenario would be impossible and would thus prevent users from accessing the apps and resources they need for work.
As no binding takes place, Jamf Connect is fully functional wherever the user has an Internet connection (and will still allow them to log in even when they don’t), and this lends itself perfectly to the new normal of working away from the office - or indeed from anywhere! For the ultimate in slick convenience, an MDM such as Jamf Pro can even be set to bypass the local admin account creation during the Mac’s initial setup and instead have Connect simply prompt the user to sign in with their Azure AD account details. No muss, no fuss.
Problem 4: Password Resets
Keychain sync issues for mobile account users, typically triggered when they have to change an easily forgotten local account password while off-site, cause significant downtime and can cost them their saved Keychain passwords if they cannot remember their former login password (as their Keychain will still be tied to that old password). Jamf themselves conducted some global research and found that a staggering 31% of all IT support requests were for password resets! The costs, in terms of lost productivity, reduced user morale and IT maintenance, are both high and avoidable.
Using Jamf Connect, ongoing password sync with your Azure AD ensures that users will never again have to choose between accessing their Mac and waving goodbye to their stored passwords for all the websites and services they rely on day-to-day.
Our Final Thoughts
As we’ve discussed, Jamf Connect is a vital lifeline for any organisation using Azure AD. While we’ve focused on that specifically in this post, it’s also compatible with a variety of other cloud-based identity providers (IdPs) such as Okta, OneLogin, PingFederate and - to a lesser degree due to its differing architecture - Google Cloud. The latter aside, these IdPs also support the full range of Connect’s features and offer the same benefits to your organisation. The best part is that Connect is fully compatible with any MDM solution, not just Jamf’s offerings, and in fact doesn’t even require one to function. That said, an MDM should absolutely be in place for any realistic Mac fleet within an organisation.
To find out how KRCS can help take your Macs into the cloud-based world of today, give us a call and one of our friendly team will be glad to assist based on your specific needs and set-up.