macOS® Catalina™ User Management

By Zach DeMeyer Posted June 29, 2019

With the recent introduction of macOS® Catalina™, many IT admins are wondering how the pending OS changes will affect the way they manage their Mac® fleets. A key question driving that curiosity is how they will manage macOS user access.

Let’s discuss some of the potential changes that may arise with macOS Catalina user management. First, however, let’s look at how IT admins have been managing macOS users as a whole before Catalina.

Managing Users in IT Organizations

User management is a critical part of the role of any IT admin or DevOps engineer. Provisioning, deprovisioning, and modifying user access to various IT resources is how IT admins help users leverage those resources to get their jobs done. User management is also a key component of identity security, that is, making sure only the right people can access critical resources so bad actors cannot slip in where they don’t belong.

Traditionally, most IT organizations have leveraged the on-prem identity provider Microsoft® Active Directory® to manage their users. Active Directory (AD) works especially well for on-prem, Windows-based systems and infrastructure. The challenge, historically, has been using AD to manage user access to macOS devices.

macOS User Management with AD

As the IT landscape has continued to shift to non-Windows resources such as macOS and Linux® systems, AD has struggled. Add in web applications, cloud infrastructure, WiFi networks, and more, and IT admins have a major challenge on their hands. 

For many organizations, macOS has become a core part of their IT infrastructure, and as such, users of the platform must be managed. Unfortunately, AD was not designed with Macs in mind, and consequently has a hard time managing Mac systems and their users. IT admins have either managed macOS user access manually or leveraged directory extensions, called identity bridges, to extend their Active Directory instance to Mac systems.

Changing macOS Management

Over the last few macOS releases, Apple has been dramatically changing its preferred model for managing access to macOS systems. With the introduction of Secure Token, Apple created a chain of trust around disk encryption: a Secure Token is a per-account attribute, granted to the first account created during setup, that allows the account to unlock FileVault® and to grant the token to other accounts. Only token holders can be enabled for FileVault, so an account that never receives one cannot unlock the disk. Unfortunately, Secure Tokens have been difficult to manage, particularly for accounts created by a directory service or a script rather than interactively, creating a great deal of overhead for IT admins who need to manage Mac user access to full disk encryption (FDE).
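The practical check behind this paragraph is finding out which local accounts actually hold a Secure Token before rolling out FileVault or onboarding a new user. The script below is an added example and not code from the original post or from JumpCloud; it uses the real `sysadminctl -secureTokenStatus` and `dscl . -list /Users UniqueID` commands on macOS 10.13 or later, and its parsing helpers are plain shell so they can be exercised against captured output anywhere. The sample `dscl` listing fed to the helper in the usage note is constructed, and the `--audit` flag is this script's own convention.

```bash
#!/bin/bash
# Added example (not JumpCloud's code): audit which local macOS accounts hold a
# Secure Token, i.e. can unlock FileVault and grant tokens to other users.
# Assumes macOS 10.13+ with sysadminctl(8) and dscl(1) for the live audit; the
# parsing helpers are pure shell so they also run elsewhere against saved output.

# Reduce one sysadminctl -secureTokenStatus result to ENABLED/DISABLED/UNKNOWN.
# The real tool writes a line like this to stderr:
#   sysadminctl[4242:98765] Secure token is ENABLED for user alice
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                      echo UNKNOWN ;;
    esac
}

# Keep only real local users from a "name uid" listing such as
# `dscl . -list /Users UniqueID` prints: UID >= 500 and not a system
# account (whose names start with an underscore).
local_users_from_listing() {
    awk '$2 >= 500 && $1 !~ /^_/ { print $1 }'
}

# Live audit: runs the real tools and prints one line per account.
# Exits non-zero if no account holds a token, because a Mac in that
# state cannot enable FileVault or grant tokens to new users later.
audit_secure_tokens() {
    holders=0
    for user in $(dscl . -list /Users UniqueID | local_users_from_listing); do
        status=$(parse_token_status "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
        printf '%-20s %s\n' "$user" "$status"
        [ "$status" = ENABLED ] && holders=$((holders + 1))
    done
    echo "Secure Token holders: $holders"
    [ "$holders" -gt 0 ]
}

# Usage on a Mac:  sudo ./secure_token_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_secure_tokens
fi
```

Run with `--audit` on the Mac itself (as an admin, so every account's status is readable). Against a constructed listing such as `printf 'root 0\n_mbsetupuser 248\nalice 501\nbob 502\n' | local_users_from_listing`, only `alice` and `bob` survive the filter; accounts created by a directory bridge or provisioning script often show up here as DISABLED even though they are valid logins, which is exactly the gap the paragraph above describes.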

With macOS Catalina, Apple is reducing some of the management overhead related to Secure Tokens: a new Bootstrap Token can be escrowed with the mobile device management (MDM) server, which lets the MDM grant a Secure Token to accounts it did not create interactively, such as directory-backed mobile accounts. Additionally, Apple announced federated authentication for Managed Apple IDs with an external identity provider (initially Microsoft Azure Active Directory, configured through Apple Business Manager), so users can sign in to Apple services with credentials from that provider. This expands the choices IT admins have for where to authenticate and manage macOS user access. Of course, federation does not create the local account on the Mac, so the challenges of local account creation and of the first user who receives the initial Secure Token still persist.

The Right Tool for the Job

Mac user management is certainly presenting IT admins with hiccups. They can either use legacy solutions like AD, complete with a set of add-on tools to connect their Macs to AD, or they can use more modern solutions like MDMs, but still need other tools, like web app single sign-on (SSO) tools, to manage access to the various other IT resources that users need to do their jobs. It’s quite the pickle indeed.

An ideal tool for macOS Catalina user management would be able to manage users and their access to virtually all of their resources from a single solution. This tool would also need to be leveraged across the wide variety of vendors, platforms, and locations that IT resources stem from. Thankfully, such a solution exists: JumpCloud® Directory-as-a-Service®.

Managing macOS users with JumpCloud

JumpCloud Directory-as-a-Service is a reimagination of AD for the modern era, extending a single set of user credentials to the various resources each user leverages. JumpCloud’s user management platform tightly manages user access to macOS (as well as Windows and Linux) systems through the creation of a local account that can then be extended to a wide range of other IT resources including G Suite™, Office 365™, web applications, networks, and more.

IT organizations can use JumpCloud’s web-based admin portal to control all of their users, regardless of where admins or users are. IT admins can also enforce settings like FileVault FDE and disable Siri, screensavers, or USB ports on macOS devices remotely using JumpCloud Policies.

Try Directory-as-a-Service for Free

JumpCloud is available absolutely free for the first ten users in your organization, forever. All you need to do is sign up for JumpCloud to start taking advantage of all Directory-as-a-Service has to offer for free. Once you try the product, you can explore our various pricing options before you buy, all the while keeping your first ten users as long as you want.

If you would like to hear more about JumpCloud macOS user management, or any other features of Directory-as-a-Service, please contact us.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
