Mobility and Mac
Directory services were initially conceived to support multiple users logging in to a single computer connected to the directory service via a persistent trusted network connection. Deploying a portable computer to a single user who frequently transitions between a variety of networks requires a different strategy.
A portable Mac may connect to the organization’s directory service only rarely, so changes made in the directory may not reach the device promptly. Administrators can instead use MDM to update policies and configurations remotely, even when Mac computers aren’t continuously connected to the directory service.
The same process and philosophy used to deploy configurations and policies to iOS and iPadOS apply to macOS. Through the Apple Push Notification service (APNs), an MDM solution notifies a Mac that a configuration or policy update is available. The push itself carries no policy data; it only tells the device to check in. When the Mac receives the notification, it silently checks in with the MDM solution over TLS (the successor to the now-obsolete SSL) and retrieves the updated policy or configuration data, provided it has an internet connection. The device doesn’t need to be on a VPN or an explicitly trusted network, but it does need outbound reachability to APNs and to the MDM server. Whether a Mac is enrolled in MDM can be checked locally with `profiles status -type enrollment`.
Many of the original benefits of binding to a directory service and using network accounts are provided instead by an MDM solution or a client management solution. Password and client policies, including certificate identities, can be deployed and updated wirelessly. Devices can still be bound to the directory service at the system level to provide user and group resolution for authorization to services such as network file servers, while users log in with local accounts. This eliminates the complexity of maintaining network accounts on the local Mac.
Kerberos single sign-on is still available even when users log in with local accounts: the command-line tool kinit acquires the initial ticket-granting ticket (TGT), and a short AppleScript wrapper around it can be packaged as a simple graphical app. Tickets can only be obtained or renewed while the Mac can reach the key distribution center (KDC), so the app should be run after the device joins the corporate network or VPN.
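The following is an added example, not code from Apple or from the original page, of the kinit wrapper the paragraph above describes. It assumes the Heimdal kinit and klist tools shipped with macOS, a realm supplied in KRB_REALM (EXAMPLE.COM is a placeholder), and that the user's local short name is also their Kerberos principal name; the password prompt is the AppleScript part, run through osascript.

```shell
#!/bin/sh
# Added example (not Apple's code): a minimal Kerberos SSO helper for macOS.
# Assumptions: the Heimdal kinit/klist shipped with macOS, a realm given by
# KRB_REALM (EXAMPLE.COM here is a placeholder), and the current login user's
# short name as the Kerberos principal name.
set -eu

REALM="${KRB_REALM:-EXAMPLE.COM}"   # assumption: replace with the real realm

# Inspect klist output for a usable TGT. Heimdal klist prints
# ">>>Expired<<<" in the Expires column for stale tickets, so a line that
# names the krbtgt principal and is not marked Expired counts as valid.
# Pure text function: takes klist output as $1 and the realm as $2, so the
# logic can be checked without a KDC.
has_valid_tgt() {
  printf '%s\n' "$1" | grep -F "krbtgt/$2@$2" | grep -qv 'Expired'
}

# Ask for the password with a native dialog (the AppleScript part), run
# through osascript. The dialog hides the typed answer.
prompt_password() {
  osascript \
    -e "display dialog \"Kerberos password for $REALM\" default answer \"\" with hidden answer" \
    -e 'text returned of result'
}

# Obtain a TGT. Heimdal kinit reads the password from stdin when given
# --password-file=STDIN, so the secret never appears on the command line
# (where ps could show it).
acquire_tgt() {
  user="$(id -un)@$REALM"
  pw="$(prompt_password)" || return 1        # user cancelled the dialog
  printf '%s\n' "$pw" | kinit --password-file=STDIN "$user"
}

# Entry point: reuse an existing ticket, otherwise prompt and acquire one.
sso_login() {
  if has_valid_tgt "$(klist 2>/dev/null || true)" "$REALM"; then
    return 0
  fi
  acquire_tgt
}

# Run the login only when asked, so the functions can be sourced or tested.
case "${1:-}" in
  login) sso_login ;;
esac
```

Invoke it as `sh sso.sh login` (or wrap that call in an AppleScript "do shell script" to get a double-clickable app). Reading the password from stdin rather than passing it as an argument keeps it out of the process list, and checking klist first avoids prompting users who already hold a valid ticket.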