Yesterday, I tweeted about the idea of not binding Macs to Active Directory.
I really don’t see the point in binding Macs to AD aside from “that’s what we do with Windows.”
— John Kitzmiller (@JohnKitzmiller) January 29, 2015
Quite a few people had opinions, and it sparked a pretty lengthy (for twitter) discussion on the subject. Some were pretty opposed to the idea of not binding.
@JohnKitzmiller Enforcing password policies.
— Patrick Gallagher Jr (@patgmac) January 29, 2015
— Eric Holtam (@eholtam) January 29, 2015
— FredCox3 (@FredCox3) January 30, 2015
@JohnKitzmiller 1:1s maybe. But it's still easier for the user to have one uname and password to manage
— Calum Hunter (@hunty1er) January 30, 2015
Others seemed open to the idea.
— Tom Anderson (@tomfanderson) January 30, 2015
— Adam Codega (@adamcodega) January 30, 2015
@JohnKitzmiller 1:1 fully agree. Should be no real need. Most things can be worked around with minimal impact.
— Gerard Allen (@zvordauk) January 30, 2015
@JohnKitzmiller Been there done that. Don’t bring up the fact that iOS doesn’t bind to AD. Heads explode.
— Joseph Chilcote (@chilcote) January 30, 2015
— Nick McSpadden (@MrNickMcSpadden) January 30, 2015
I want to start off by saying that I’m really only talking about one to one deployments here. Obviously if you have a lab or other shared environment where people need to be able to log in to many different computers, binding makes sense. I won’t argue that.
Now, I’m not suggesting everyone decommission their Active Directory servers tomorrow. Far from it. I actually think having Active Directory (or some other centralised directory service) is a good thing. Having one username and password across services makes sense.
What doesn’t make sense to me is binding Macs to Active Directory. Let me explain why.
Traditionally, Windows machines are bound to Active Directory so that they can be managed via group policy. In the past, Macs would be bound to Open Directory for MCX, and Active Directory for authentication, a configuration known as the “magic triangle.” This led to a headache of maintaining two types of directory services and making sure each Mac was bound to both. This was not a good solution.
Most Mac admins have moved away from Open Directory for machine management in favor of a management tool like Casper or Munki. But still we’re binding Macs to Active Directory. Why? You can’t manage Macs via group policy, so all that’s left is managing authentication. But is binding to Active Directory really solving a problem?
In the tweets above, you’ll notice a theme: passwords. I’d like to address a few points.
We need to enforce a password policy
Password policies are a good thing when done correctly, and I’m certainly not suggesting the abandonment of them. Password policies can easily be set on any Mac running 10.7 or later with a configuration profile. This provides the same level of protection as an Active Directory password policy, without the hassle of binding the Mac.
Our users need to have the same password for their Mac and their e-mail, etc.
Do they really? Consider this: at home, a user logs in to their computer with one password, and uses a different (hopefully) password for their email. This should not be a new or confusing concept for users. This is part of a bigger problem of not treating users like adults. I’m not going to get into it now (it’s a whole other blog post), but there’s a good article on UX Booth that touches on it.
Change is coming
Consider this: iPhones and iPads can’t be bound to Active Directory. They have a different password to unlock than all of the other services we use, and our users manage to function with this arrangement. Why should the Mac be any different? We need to stop thinking about the Mac as something that needs to be locked down and managed, but rather another device used as a portal to access company resources, just like an iPhone or an iPad. There is no reason these devices should be treated any differently.
Do you have an opinion on binding Macs to Active Directory? Sound off in the comments.