Active Directory
Billi_Kid, 2020-08-19 16:58:11

macOS management: analogues of Active Directory for macOS?

There was a question about managing computers running macOS.
Windows has Active Directory and Microsoft Azure. Is there something similar for macOS? Or is full integration into AD possible?

The minimum task is to connect to a machine remotely and be able to lock it.
The maximum task is centralized machine configuration with macOS features similar to AD.


4 answer(s)
nl13, 2020-08-27
@Billi_Kid

To bind or not to bind...
With the latest update and the creation of the Kerberos Extension, Apple seems to have put an end to the issue, saying that it is superfluous (to join a Mac to a domain). This is in terms of the Mac's interaction with the domain infrastructure.
But ideologically the Mac is managed with MDM solutions by applying management profiles; all other approaches are crutches that, as usually happens, stop working with the next auto-update.
Hint 1.
Be sure to read about Profile Manager first... and learn how it works.
https://support.apple.com/ru-ru/guide/profile-mana...
Hint 2.
If the Mac fleet is small (up to 25 machines), you can use ManageEngine Desktop Central as a free solution (it has MDM, an agent, remote support and a self-service portal)....
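The "management profile" this answer refers to is a plist with a fixed structure, and the Kerberos Extension is itself deployed as one such payload. The following is an added example, not code from this thread or from Apple: it builds a .mobileconfig that enables Apple's Kerberos SSO extension and checks it for the mistakes that make macOS reject a profile or install it with the extension doing nothing. The payload keys (com.apple.extensiblesso, com.apple.AppSSOKerberos.KerberosExtension, TeamIdentifier "apple", Type "Credential") are Apple's; the realm EXAMPLE.COM, the host list and the com.example.* identifiers are placeholders assumed for the demo.

```python
"""Build and sanity-check a macOS configuration profile for the Kerberos SSO
extension. Added example; realm, hosts and identifiers are placeholders."""
import plistlib
import uuid

# Keys every payload inside a profile must carry.
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadIdentifier",
                         "PayloadUUID", "PayloadVersion")


def kerberos_sso_payload(realm, hosts, identifier="com.example.mdm.kerberos-sso"):
    """One com.apple.extensiblesso payload that loads Apple's Kerberos extension."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": identifier,          # assumed reverse-DNS name
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kerberos SSO extension",
        "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
        "TeamIdentifier": "apple",
        "Type": "Credential",
        # Kerberos realms are case-sensitive and conventionally upper-case.
        "Realm": realm.upper(),
        # Hosts the extension answers for; a leading dot matches subdomains.
        "Hosts": list(hosts),
        "ExtensionData": {
            "isDefaultRealm": True,
            "pwNotify": True,           # warn before the domain password expires
            "syncLocalPassword": True,  # keep the local account password in sync
        },
    }


def configuration_profile(payloads, display_name, identifier, scope="System"):
    """Top-level .mobileconfig wrapper around a list of payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": scope,
        "PayloadContent": list(payloads),
    }


def validate_profile(profile):
    """Return a list of problems; an empty list means the structure is sane."""
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    uuids = [profile.get("PayloadUUID")]
    for payload in profile.get("PayloadContent", []):
        for key in REQUIRED_PAYLOAD_KEYS:
            if key not in payload:
                problems.append(f"payload missing {key}")
        uuids.append(payload.get("PayloadUUID"))
        if payload.get("PayloadType") == "com.apple.extensiblesso":
            realm = payload.get("Realm", "")
            if payload.get("Type") == "Credential" and realm != realm.upper():
                problems.append(f"realm {realm!r} is not upper-case")
            if not payload.get("Hosts"):
                problems.append("Kerberos extension payload has no Hosts")
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID values")
    return problems


def build_mobileconfig(realm, hosts):
    """Return the profile as plist XML bytes, refusing to emit a broken one."""
    profile = configuration_profile(
        [kerberos_sso_payload(realm, hosts)],
        display_name="Kerberos SSO",
        identifier="com.example.mdm.kerberos",   # assumed identifier
    )
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(profile)


def load_mobileconfig(data):
    """Parse plist bytes back into a dict (for inspection and tests)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    with open("kerberos-sso.mobileconfig", "wb") as fh:
        fh.write(build_mobileconfig("example.com", ["example.com", ".example.com"]))
```

The file this writes is unsigned, so it shows as "Not Verified" when installed; sign it on a Mac with `security cms -S -N "<signing identity>" -i kerberos-sso.mobileconfig -o signed.mobileconfig` before distributing. Since macOS 11 the `profiles` command no longer installs configuration profiles, so in practice the profile is delivered by the MDM server the answer recommends, with PayloadScope System so it applies to the whole machine.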

elbrus56, 2020-08-20
@elbrus56

OK, let's look at the issue from different angles. First of all, we won't go into why such a question even arose. Maybe the company has an audit on the horizon, or the budget hasn't been spent, or the CTO is planning an achievement. And the admin takes the rap, of course.
It has already been written here that the Windows approach doesn't work, but that is not entirely true. It is possible to build a fence around a Mac, but it is no longer effective. And this is the first mistake of the inveterate Windows administrator, whose imagination, by the will of fate, turned out to be locked within the framework of what he is used to working with.
Separately, I'll add that the wording of questions on Toster today paints a sad picture of the lack of an engineering approach. Anyway.
So.
Mac Management
Everyone is used to it? gpupdate ran and everyone's happy. If AD has its own policies and mechanisms, then Apple, for its part, has made its own, which work only under the control of an MDM server, which you can implement yourself, because it is in fact a web server and a database that use APNs for delivery. MDM functionality is limited to what Apple has added to it, and every year it is updated. In some places it is cooler than AD, in others not. For example, Activation Lock was added in 10.15. As for communication with the server, you are not tied to a specific office; Internet access is enough. And since the commands "arrive" through push, you don't need to think about NAT.
But it's not just policies. On Windows we also use scripts; we like to run batch files. What about MDM? The MDM server itself does not execute scripts, but the MDM solutions sold today (Jamf, Workspace ONE, MobileIron, FileWave, Fleetsmith...) offer the ability to install an agent that performs these functions. And note that scripts do not completely cover the functionality of MDM; this is blocked at the system level for security purposes.
As for integration with AD, Azure AD and Microsoft 365, there are solutions (NoMAD, Jamf Connect), but these are add-ons to MDM.
Minimum task(s)
Connection
On Windows you don't connect through AD mechanisms (if you set aside authentication and authorization), but through a specific protocol that provides a specific service, which can be enabled manually or via AD. It's almost the same on a Mac, just the protocol is different.
Locking
This is hardwired into the MDM protocol and works like magic. But it is desirable to add a firmware password and Activation Lock to this.
Maximum task(s)
Centralized machine configuration with macOS features similar to AD
We've figured out the settings; now we need to install software. MDM cannot install PKGs (well, almost), so we use vendor solutions that essentially execute commands in the terminal. Learn to package Skype as a PKG, change settings, fight TCC, UAKEL and whatever else...
Accordingly, read:
Apple Device Management by Charles Edge and Rich Trouton
If that's difficult, you can also read Arek Dreyer's
Bash Cookbook
Python
About packaging applications as PKG
THE MOST IMPORTANT PARAGRAPH
When we (Mac admins) explain to Windows admins how modern Apple device management works, the latter experience catharsis and, at best, enlightenment.
Why? Because in today's world you don't give all the rights and then take them away bit by bit. You give the user only what he needs to work. It's not easy to understand, especially the first time.
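The answer above describes the MDM server as "a web server and a database" whose commands reach the Mac through a push, and says remote locking is hardwired into the protocol. The following is an added example, not code from this thread or from any MDM product, that models that loop end to end: the server queues a DeviceLock command, an APNs push wakes the device, the device checks in, receives the command and reports the result. The message shapes (the {"mdm": PushMagic} push payload, the CommandUUID/Command/RequestType command plist, and the UDID/Status/CommandUUID report) follow Apple's MDM protocol; the in-memory queue, the UDID, PushMagic and PIN values, and the device simulator are made up for the demo.

```python
"""Miniature MDM command loop for a DeviceLock command. Added example;
message shapes follow Apple's MDM protocol, all values are made up."""
import json
import plistlib
import uuid


def build_device_lock(pin, message=None, phone_number=None):
    """DeviceLock command. On a Mac the PIN is what unlocks the machine again.
    Apple documents a six-character PIN; insisting on digits is our assumption."""
    if len(pin) != 6 or not pin.isdigit():
        raise ValueError("DeviceLock on macOS needs a 6-digit PIN")
    command = {"RequestType": "DeviceLock", "PIN": pin}
    if message:
        command["Message"] = message          # shown on the lock screen
    if phone_number:
        command["PhoneNumber"] = phone_number
    return {"CommandUUID": str(uuid.uuid4()).upper(), "Command": command}


def apns_wakeup(push_magic):
    """Body of the APNs notification: no command, only the PushMagic the device
    handed over at enrollment. The device then pulls the command over TLS,
    which is why NAT on the client side does not matter."""
    return json.dumps({"mdm": push_magic})


def device_report(udid, status, command_uuid=None, error_code=None):
    """What the (simulated) device PUTs to the server URL."""
    report = {"UDID": udid, "Status": status}
    if command_uuid:
        report["CommandUUID"] = command_uuid
    if error_code is not None:
        report["ErrorChain"] = [{"ErrorCode": error_code}]
    return plistlib.dumps(report)


class MdmServer:
    """The 'web server and a database' from the answer, kept in memory."""

    def __init__(self):
        self.push_magic = {}  # UDID -> PushMagic from the TokenUpdate check-in
        self.pending = {}     # UDID -> commands not yet delivered
        self.in_flight = {}   # CommandUUID -> delivered command without a result
        self.results = {}     # CommandUUID -> final Status

    def enroll(self, udid, push_magic):
        self.push_magic[udid] = push_magic
        self.pending.setdefault(udid, [])

    def queue(self, udid, command):
        """Persist the command and return the push that wakes the device."""
        self.pending[udid].append(command)
        return apns_wakeup(self.push_magic[udid])

    def handle_report(self, body):
        """Handle one device check-in; return the next command as plist bytes,
        or b'' (an empty 200) when nothing is pending."""
        report = plistlib.loads(body)
        udid, status = report["UDID"], report["Status"]
        cmd_uuid = report.get("CommandUUID")
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            self.in_flight.pop(cmd_uuid, None)
            self.results[cmd_uuid] = status
        elif status == "NotNow":
            # Device cannot run it right now; put it back at the head of the queue.
            cmd = self.in_flight.pop(cmd_uuid, None)
            if cmd:
                self.pending[udid].insert(0, cmd)
            return b""
        if not self.pending[udid]:
            return b""
        command = self.pending[udid].pop(0)
        self.in_flight[command["CommandUUID"]] = command
        return plistlib.dumps(command)


def run_lock_scenario():
    """Full exchange for one DeviceLock; returns (push, delivered, result)."""
    server = MdmServer()
    server.enroll("UDID-0001", "PUSHMAGIC-demo")            # made-up values
    cmd = build_device_lock("123456", message="Property of Example Corp",
                            phone_number="+1 555 0100")
    push = server.queue("UDID-0001", cmd)
    # Device wakes on the push and checks in with Idle.
    delivered = plistlib.loads(server.handle_report(device_report("UDID-0001", "Idle")))
    # Device locks itself and acknowledges; nothing further is pending.
    more = server.handle_report(device_report("UDID-0001", "Acknowledged",
                                              delivered["CommandUUID"]))
    assert more == b""
    return push, delivered, server.results[delivered["CommandUUID"]]


if __name__ == "__main__":
    push, delivered, result = run_lock_scenario()
    print(push, delivered["Command"]["RequestType"], result)
```

In a real server the check-in endpoint is HTTPS and the device authenticates with the identity certificate it received at enrollment, the queue and results live in the database rather than in dictionaries, and the PIN must be stored, because it is what you will need to unlock the Mac again. The NotNow branch is the edge case worth keeping: a device that cannot act right away will check in again later, and the command must still be there.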

Dmitry, 2020-08-19
@q2digger

We have our own Apple macOS Server; it is a bit of a crutch, but we use it to auto-deploy software, organization profiles are put there, and it allows us (if the computer has access to the server, e.g. via the Internet) to lock it remotely, put software on it, and steer some settings.
There are also various cloud systems; search for Apple MDM.

Alexey Dmitriev, 2020-08-19
@SignFinder

Has Google been cancelled?
https://support.apple.com/ru-ru/guide/directory-ut...
