
With the new macOS® release, Catalina, on the horizon, IT admins can’t help but wonder what changes the new operating system (OS) will bring with respect to identity management. As Mac® admins know, controlling user access to Mac systems has never been easy. Not only that, but Apple® isn’t totally forthcoming about what will change in each new OS version, which has caused some anxiety about macOS Catalina identity management. 

Over the past several releases, this anxiety has only been heightened by features such as Secure Token (introduced with APFS in macOS 10.13 High Sierra), which complicated the IT admin’s ability to centrally enable and manage FileVault® encryption on remote machines. Of course, Mac admins have come to expect nothing less than dramatic changes from Apple in their updates (which lead to big innovations too!), which is why a strong macOS-focused identity provider (IdP) is critical to managing a fleet of Mac machines in modern environments. 

Why Do You Need a macOS IdP?

The broader macOS identity management challenges have existed for a long time now. Historically, IT networks have primarily been based on the Windows® OS from Microsoft®. As such, admins generally leveraged Active Directory® (AD), another Microsoft product, as their core IdP. 

Active Directory works well to manage Windows users and their access to Windows-based IT resources. Unfortunately, the same cannot be said for non-Windows users leveraging non-Windows-based IT resources. Specifically, with respect to macOS, admins cannot manage or secure Mac users and systems at the same level as their Windows counterparts in pure AD environments. 

While a Mac can be bound to AD and authenticate users with AD credentials, the bind only gets you authentication: AD has no native mechanism for the Mac itself (Group Policy does not apply to macOS), so provisioning, modifying, and removing local user accounts and settings on the machine cannot be driven from the AD console. This process has only been complicated over the years with the introduction of new functionalities such as Secure Token. 

Secure Token Brief

In short, Secure Token is Apple’s way of marking which local accounts are permitted to unlock the encrypted APFS system volume, which is what FileVault, Apple’s at-rest disk encryption, depends on. It is built as a chain of trust starting with the original user: the first account set up on the Mac receives a token, and every account created afterwards only receives one when an existing token holder supplies their credentials to grant it. 

While effective at building a chain of trust, Secure Token severely limited the ability of traditional identity management solutions such as Active Directory to manage and secure macOS users and systems remotely: a mobile account created by an AD login does not automatically receive a token, so an existing token holder has to be present (or have their password scripted) before that user can unlock FileVault at all. To make matters worse, Secure Token is only the most recent example of the challenges created by changes to macOS, and there will almost certainly be similar challenges with Catalina.  
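The chain of trust described above is visible on the command line. The following POSIX shell script is an added example, not code from the original post or from JumpCloud; it assumes the sysadminctl and fdesetup tools that ship with macOS 10.13 and later, and the account names and the embedded sample output line are constructed placeholders. It shows the two checks a practitioner actually needs: who currently holds a token, and how a holder grants one to a new account without leaking either password onto the command line.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and grant Secure Token on macOS.
# Assumes sysadminctl(8) and fdesetup(8) from macOS 10.13+; usernames are placeholders.

# sysadminctl -secureTokenStatus prints its verdict on stderr, in a line like
# (constructed sample):
#   sysadminctl[4711:9876] Secure token is ENABLED for user alice
# This helper normalises one such line to "enabled", "disabled" or "unknown".
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Live status of a local account (macOS only). Note the 2>&1: the verdict is
# written to stderr, so a plain $(...) capture would see an empty string.
secure_token_status() {
    parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a Secure Token to account $2 using the credentials of existing holder $1.
# The trailing "-" after -adminPassword and -password makes sysadminctl prompt
# for both passwords interactively instead of exposing them to `ps` and to
# shell history. Refuses to proceed if $1 is not actually a token holder,
# because the grant would fail anyway and the error is less clear.
grant_secure_token() {
    holder=$1
    target=$2
    if [ "$(secure_token_status "$holder")" != enabled ]; then
        echo "$holder does not hold a Secure Token; choose a current holder" >&2
        return 1
    fi
    sysadminctl -adminUser "$holder" -adminPassword - -secureTokenOn "$target" -password -
    secure_token_status "$target"
}

# Accounts that can currently unlock FileVault (username,UUID per line).
# A user missing here is exactly the symptom a missing token produces.
filevault_users() {
    fdesetup list
}

case "${1:-}" in
    status) secure_token_status "$2" ;;
    grant)  grant_secure_token "$2" "$3" ;;
    fvlist) filevault_users ;;
    *)      echo "usage: $0 status <user> | grant <holder> <newuser> | fvlist" >&2 ;;
esac
```

Run it as `./secure_token.sh status alice` to see whether a given account holds a token, and `./secure_token.sh grant alice bob` (as an administrator) to extend the chain to a new account; `fvlist` confirms the result from FileVault’s side. The AD problem in the paragraph above is that nothing in a directory bind performs the `grant` step for you.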

What About the Add-on Approach?

Of course, there are plenty of third-party tools available—such as directory extensions, identity bridges, mobile device management (MDM) solutions, web application single sign-on (SSO), and others—that try to solve some of the issues with macOS identity management. The challenge with this approach is that admins have been forced to cobble together an array of add-on solutions, which are typically layered on top of AD. 

While the add-on approach can be effective, it adds significant cost and complexity to identity management for macOS. Although macOS 10.15 appears to add new features, such as central management of Secure Token through MDM, user account creation gated by an MDM, and SAML-based authentication, there are still challenges that need to be solved. 

Of course, we won’t really know what those challenges are until Catalina drops this fall. The only thing we can say for sure is that identity management for macOS systems will continue to be interesting. At any rate, this is why a macOS-focused identity provider that can adapt to Apple changes would be helpful. 

What Do We Propose?

Ultimately, IT admins need a central identity provider to manage their macOS user identities (Windows & Linux, too) across an organization. Integrating that IdP via these new features will be central to providing a holistic view and management of macOS users. 

JumpCloud® has been supporting Mac admins for a number of years now and is excited to continue to innovate in the space with these new identity management capabilities introduced in Catalina. So, if you’re anxiously waiting to find out how macOS Catalina will affect your identity management infrastructure, don’t be. Rather, check out JumpCloud Directory-as-a-Service today and see how we can enhance identity management for macOS and a lot more. 

Learn More About Directory-as-a-Service

Directory-as-a-Service is the first cross-platform, vendor-neutral, protocol-driven cloud directory services platform that can securely manage and connect users to virtually any IT resource without anything on-prem. To learn more about macOS Catalina identity management with Directory-as-a-Service, contact JumpCloud today. 

You can also sign up for a free account and check out our current functionality in preparation for Catalina. The full functionality of the DaaS platform, including macOS management, is free for up to ten users—and there’s no time limit to how long you can demo everything JumpCloud has to offer. 
