
Why Mac Users Need to Break Up with Microsoft AD

By Ben Greiner | October 12, 2021
ntiva

Your new hire is overwhelmed on day one by all the accounts and passwords you’ve thrown at them. Even your veteran team members restart their Macs so infrequently that they sometimes call the support desk because they can’t remember their Mac password. Sound familiar?

If you're looking for a simple and secure solution that will enable your employees to log in to their Macs from anywhere — using the same credentials and two-factor authentication they use for their email — read on!

Start with Identity Management 

If you’re interested in a more simplified and secure workflow for your team, look no further than identity management — a framework to ensure that authorized users in your organization have appropriate and secure access to the technology resources they need to perform their job.

Organizations that practice effective identity management, especially using single sign-on, are more productive, agile, and compliant with security standards and regulations. 

Identity management relies on a central directory of information that identifies your employees.

At a minimum, this central directory securely stores your employee names, email addresses, and passwords, and shares that information with other services you authorize.

This helps you carefully manage who has access to specific applications and company data, and is critical to simplifying and securing your employees both in the office and remote.

The Importance Of A Single Central Directory

Before remote working and cloud solutions were widely adopted, many small businesses only needed access to a single server physically located in their office, typically providing file sharing and email services.

Today, if you don't have a single central directory, then you probably have several.

Many businesses have a directory for every service they deploy — one for email and apps (Microsoft 365), one for file sharing (Box), one for human resources (BambooHR), and one for finance (QuickBooks).  

Multiple directories with multiple authentication requirements can cause confusion and frustration for your team. Onboarding and off-boarding team members can also be increasingly time-consuming or error-prone as you must touch numerous directories. 

Connecting all your web apps, mobile apps, services — and computers — to a central directory can provide your employees with an experience known as single sign-on (or SSO).

You can often combine SSO with multi-factor authentication protections like security questions, one-time PINs, tokens, or biometrics, to securely access apps and data. Identity management is a topic with many use cases and benefits. 

Breaking Up With Microsoft AD 

Mac users have long lived without — or are unaware of — a central directory service.

Microsoft Active Directory (AD) is the most common directory service in use today. Although more modern directory options are available, AD remains popular because it can also manage and secure Windows devices.

Microsoft administrators often believe they need to bind (connect) Macs to their AD service to get the same benefits. We do not recommend this practice.

Although Macs can be connected to AD, most organizations only leverage the password syncing feature on their Macs. This process produces little more than login and password (Keychain) frustrations for users and the help desk.

Stop binding your Macs to Active Directory — there is a better way!

Innovative businesses are addressing security concerns with modern identity management solutions that use the power of Apple products.

These solutions help employees work more efficiently, reduce overhead, and keep sensitive data secure.

The Most Common Practices For Identity Management Today

Before we talk about a more modern solution, let’s review common existing practices: 

  • No identity management 

    Your organization’s applications, email, and web services are managed separately.

    Without an identity management solution, organizations must rely on their employees to remain proactive and educated to mitigate security issues. Even with the best of intentions, employees may inadvertently create workflows that fail to comply with regulations and industry standards. 

Significant time may be required to set up and support employee access to the many web services required by the organization, including curated permissions within those services. When employees log in to their Macs and then into individual applications and tools, they may fail to keep up with best security practices by reusing passwords in multiple places. All of this can lead to more time-consuming help desk tickets, frustrations, and security risks. 

  • On-premises Active Directory
    Your organization has a single physical Active Directory server at your office that all devices are bound to. Applications and web services are likely not linked to this local AD server. Users must either be in the office or connected to a VPN to check in with the AD server.

    Active Directory provides inadequate support for a modern workforce of contractors, freelancers, and remote employees. Many IT departments find that on-premises Active Directory (which is not the same as cloud-based Azure Active Directory) creates more work and prevents organizations from modernizing their operations. Active Directory (AD) is a solution optimized for Windows-based applications.

Macs can technically be bound to AD to sync password changes between AD and a local Mac account. However, binding Macs to AD can also be problematic. A more intelligent and modern solution is an identity platform that helps your team do their best work using their preferred tools, linking their identity to services outside of local workstation authentication.

  • Employee BYOD (bring your own device) without identity management
    Employees at your organization use their personally owned devices to access company tools and data as if they were company-owned.

    Sensitive business data and operational software are only as secure as an organization’s least trustworthy (or informed) team member. When employees bring their own devices and use business tools on their personal devices without an identity management solution, organizations increase their risk of compromise, data leaks, and misuse of time and resources. 

Introducing Modern Solutions for Simplified Authentication and Onboarding

Interested in out-of-the-box SSO authentication on your Macs in under 5 minutes?

Addigy Identity simplifies users' authentication and onboarding at the macOS login window.

With Addigy Identity, your users will be able to use the same authentication they use across your environment on their macOS systems as well. 

Addigy Identity replaces the native macOS login window and pushes out a branded login window configured for our organization. This setup can be replicated and customized for our clients using their branding and central directory or identity provider. 

The result is that Mac users can enter the same authentication they use across their environment (Google, Okta or Microsoft) on their macOS computers.

Note: At Ntiva, we use Microsoft 365, which includes Microsoft Azure Active Directory.  Azure AD serves as our central directory, and we connect this directory to Addigy Identity to simplify our authentication and onboarding at the macOS login window.

 


Why We Recommend Addigy Identity

Here are some of the top benefits of using a single cloud identity, and simplifying your user authentication and onboarding, using Addigy Identity.


  • Employee Empowerment 
    What better way to let employees know you value them than to give them an Apple unboxing experience! Identity Management combined with solutions such as Addigy Identity enables team members to unbox, log in, and experience company-owned Macs with the same level of empowerment they feel for their own devices. 

  • Zero-touch & Just-in-time User Creation 
    Zero-touch deployment is an Apple process that allows efficient provisioning of devices for thousands of employees worldwide. New devices are drop-shipped directly to employees without IT needing to touch them. The goal is to have users online and productive within minutes, not hours, of unboxing, and to provide team members with a positive setup experience.

Zero-touch requires either an Apple School Manager or Apple Business Manager account coupled with an authorized Apple reseller or custom Apple eCommerce storefront for your organization (always feel free to reach out to us for assistance in getting these for your team).

Devices approved for Zero-touch enrollment are tied to your organization by their serial number. The first time an employee powers on and connects their new Mac to the internet, the Mac is automatically enrolled into your Apple management system.

With the addition of Addigy Identity, employees can unbox a new Mac, follow the setup prompts, and immediately authenticate at the login window using their company email address and password. This process provides a seamless out-of-the-box experience for new hires and existing employees with new Macs.

It saves time and increases efficiency by eliminating special enrollment steps, reinforces the importance of knowing your company email and password, and can be paired with two-factor authentication for an additional level of security. 

  • Company Branding 
    The Addigy Identity login window can be configured with your company branding. This customization also helps when different departments want their logo and background on the login window of their Macs to create a more tailored experience for their team members. 

  • Password Syncing 
    Addigy Identity will acknowledge password resets deployed from the central directory or identity provider (Microsoft, Google, or Okta). If your organization still requires periodic password resets (even though security best practices have abandoned that practice), password policies and required resets can be seamlessly enforced by your central directory or identity provider to help make the change easy for your users. 

  • Password Resets
    Any time you reset a user’s password in the central directory or identity provider, Addigy Identity will recognize it and prompt the user to enter a new one! 

Common Objections To Centralized Identity Management

One of the counterpoints I hear to centralized identity management is the belief that decentralized identity management is a better security solution.

However, a user experience requiring many logins for different apps and tools can create security fatigue, leading employees to fail to follow best security practices and become less productive. 

Out of frustration, users may employ weaker passwords, or use a single password with easily deducible alterations between multiple sites. Working toward a single sign-on solution can help reduce this risk within your organization. 

I also hear organizations with complex hybrid AD environments say their setup is too complex to leverage central identity management. These organizations need to consider that solutions designed for Apple products have worked for enterprise-scale customers who have large numbers of devices integrated into complex business practices.

Identity management solutions comply with stringent global security standards and are trusted by high-security organizations, including major banks and government institutions.  

Summary 

Implementing an identity management solution designed for Apple devices can help drive results within your organization by optimizing processes, creating exceptional customer experiences, and developing informed and engaged employees. 

You can easily streamline Mac authentication and identity management with modern, cloud-based solutions designed for this purpose.

We use and recommend Addigy Identity to make it easy for your team to authenticate against macOS computers, take advantage of custom designs, simplify onboarding with just-in-time account creation, and enforce security across your organization.

Why wait? Contact us to get started today! 

 
