For organizations using Active Directory, Apple has offered solid integration for years to bind a Mac to an Active Directory domain. The benefits include letting network users log in to the Mac without creating a local account first, and having every Mac visible as a computer object in Active Directory.

However, there are also drawbacks for organizations moving towards a hybrid setup with Azure Active Directory. In this blog, we explore the modern integrations with (Azure) Active Directory in macOS Catalina, how they help achieve a zero-touch deployment model, and how they keep the device secure without a domain bind.

Moving away from the Active Directory integration

In many cases, local accounts can be used instead of network accounts. More often than not, a MacBook Air or MacBook Pro is chosen over a desktop model, which eliminates the need for multiple users to log in to the same device.

Zero-touch Deployment

Delivering the MacBook to the end user (at home) and letting them unpack it themselves is a unique experience. With Apple Business Manager and Apple's Automated Device Enrollment, only an internet connection is needed to automatically prepare the MacBook with apps and configurations, without any involvement of the IT department.

Because setup must also work outside the corporate network, a local account is created from the user's Azure Active Directory login credentials. Thanks to Mobile Device Management, the user can start using the device immediately.

Kerberos Single Sign-On Extension

What if the user's password expires in Active Directory? Apple has built an extension into macOS Catalina called the Kerberos Single Sign-On Extension. This user-friendly tool provides the following functions:

  • Active Directory account management: Users can easily change their AD password and receive notifications when it is about to expire. The password of the local account is automatically kept in sync.
  • Kerberos support: The extension automatically retrieves a Kerberos ticket-granting ticket (TGT) for authentication to websites, apps, and file servers.
  • Password policy: The password requirements can be configured so that they match the policy in Active Directory.

The extension is visible as a key icon in the menu bar and detects whether the Mac is connected to the corporate network (for example via VPN). The user is prompted to sign in only once.

Azure AD Seamless Single Sign-On

In a hybrid environment with Active Directory and Azure Active Directory, Seamless Single Sign-On can be used. This means the user is automatically signed in to all web applications linked through Azure AD: the Kerberos ticket obtained by the extension is used to look up the user's email address, and the user is signed in without being prompted again.

Want to learn more?

Contact us! You can send an email to [email protected] or call +31 85 400 30 30.