By Vince Lujan Posted May 17, 2019
What is the best directory service for Mac®?
Well, it used to be Apple® Open Directory (OD), but now admins aren’t so sure. As Apple deprecates key aspects of macOS® Server, it isn’t clear where Apple is headed with OD, which doesn’t bode well for Mac-focused shops that have come to rely on it.
As a result, forward-thinking Mac admins are looking for a new way to centralize Mac management and preferably provide enhanced control for Mac systems. So, how do you provide enhanced control for Mac systems and manage Mac passwords without OD?
Apple Open Directory Foreword
Apple Open Directory is an on-prem directory services platform for macOS® users and resources. OD is basically the Apple version of Microsoft® Active Directory® (AD). The key difference is that OD is designed for macOS, whereas AD is designed for Windows®.
There are other key differences, of course, especially that OD has never had the breadth/depth of capabilities that AD offers. AD is built for enterprise-grade system management. OD has tried to keep up with features such as Kerberos, but generally has shied away from system management.
Still, centralized password management for Mac users and systems is an important advantage of using the OD platform. Without it, IT admins must find a new way to manage macOS user credentials and control access to Mac systems.
Mac Management Strategies
There are a number of one-off Mac management strategies in use today. However, most IT organizations leverage a variation of one of the following if they don’t already have Apple Open Directory in place.
Manage Mac Independently
Mac systems have historically been managed independently in many IT organizations. The dominance of Windows and Windows-based identity management tools such as Active Directory made it easy to justify treating Mac systems and users as second-class citizens.
In practice, IT admins would leverage AD to manage Windows users and resources, then manage Mac users and resources independently, if at all.
While this approach may work for governing a small number of savvy Mac users, it quickly breaks down as more Mac systems enter the network. As a result, IT admins have had to invest significant time and effort to manage all of the Macs in their environment.
IT organizations often need a more centralized approach to Mac management.
Integrate Mac with AD
Another approach has been to integrate Mac systems with Active Directory. This can be done locally on the machine by configuring specific settings in the control panel and within AD. It’s far from an automated process and AD functionality is limited for Mac, but it can be done.
What you don’t get is the full user and system management capabilities that are available for Windows systems in AD environments, such as Group Policy Objects (GPOs). Not only that, but the integration is like fitting a square peg in a round hole—it’s just not ideal.
Of course, there are AD add-ons available that can extend AD functionality to macOS systems and resources more seamlessly. This approach is relatively painless (apart from the cost) and enables admins to integrate Mac systems with AD and provide centralized password management.
However, the trouble with this approach is that the convenience comes at a premium and adds complexity to the overall identity management infrastructure. What’s more, add-on solutions further cement the overall IT organization on-prem and reinforce Windows as the preferred OS and generally Active Directory as the preferred identity provider.
Cloud Mac Management
Ideally, there would be a single solution that could manage virtually any IT resource without anything on-prem. This would enable admins to eliminate their on-prem IdP and manage Mac users and systems with the convenience of the cloud.
More specifically, an ideal solution would provide Mac password and policy management functionality as a core feature of the overall platform, rather than a separate add-on expense. The good news is that the cloud has enabled developers to reimagine traditional approaches to Mac management beyond what was previously available with OD.
A new solution called Directory-as-a-Service® can centralize IAM for virtually any IT resource, including Windows, Mac, and Linux systems, and do so as a cloud-based service. As a result, admins can provide end users with a True Single Sign-On™ experience by leveraging one password for everything.
In other words, the best directory service for Mac would be able to manage more than just macOS users and systems, and do it all from the cloud. Thankfully, this is achievable with JumpCloud® Directory-as-a-Service.
Directory-as-a-Service even offers a custom-built Mac app that allows end users to reset their own password from their desktop. Mac password management has never been easier.
Mac Password Management and More
Sign up for a JumpCloud account to check out our Mac password management functionality and more. The full functionality of Directory-as-a-Service is free for up to ten users, and there’s no time limit to how long you can explore the comprehensive platform. If you have any questions, say hello. We’re here to help.