Using Microsoft's Active Directory to manage Mac desktops

Organizations with both Mac and Windows devices can use some of their Windows-focused AD setup to address macOS management tasks.

PCs are the predominant workstations among enterprises, and despite Windows-based desktops' preeminence, many organizations still need to manage Mac devices alongside them.

Luckily for these organizations, Active Directory (AD) can account for both of these OSes, and it includes single sign-on (SSO) capabilities, Distributed File Systems shares support, packet encryption and signing, and other policies.

However, incorporating Macs into a Windows-first desktop management infrastructure is no small task. It comes down to the number of Macs that need support, what type of access they require and the tools and systems that IT administrators already have in place.

When IT administrators take the step to accommodate Macs, they have to ensure that corporate assets and control resources stay protected and the devices have the necessary management capabilities. To ensure this, IT teams can take two primary approaches to manage Macs within AD.

  1. Use existing tools to incorporate Macs into the AD domain as they would with Windows desktops.
  2. Incorporate the Macs into the AD domain but use unique tools to manage them.

Note: IT can also manage the Macs separately and treat them as mobile devices via MDM, but this method does not involve Active Directory.

Option 1. Incorporate Macs into an AD domain

Many IT administrators would prefer to seamlessly add Macs to their AD environments like they do with Windows desktops. Apple's Mac OS X makes this possible because Mac desktops and laptops include the client component necessary to join AD and other standards-based directory services, as long as the domain functional levels are 2008 or higher.

A list of the services included in Microsoft's Active Directory.

Binding a Mac to the domain is relatively simple, assuming the user has the necessary access and domain credentials. When the desktop joins the domain, Windows Server automatically creates the computer object in AD, just like a Windows desktop. The only exception would be if this desktop already exists within AD.

Still, most desktop management products are built for Windows computers. That means compatibility issues will arise. One way to mitigate these issues is to extend the AD schema to further accommodate Mac computers, which may require development resources and technical expertise beyond what many organizations are willing to commit. This is especially a concern if the organization only has a small pool of Macs to support.

To address this, administrators can augment their existing tools' capabilities with the extensive set of commands available to macOS. Admins can issue commands to set screensaver idle times, configure language and text formats, disable autocorrect and other key configurations.

Option 2. Use AD alongside third-party tools

Although AD and command support in OS X make integrating Macs into AD simpler, many administrators find it easier to bring other tools onboard to help with management. Admins can join Macs to AD domains and then use Apple Remote Desktop to push commands out to the Mac clients.

Another option is implementing macOS X Server on its system and using Apple's Profile Manager to set Mac policies based on AD groups. This requires IT to set up an Open Directory domain alongside the AD service, resulting in simpler management over the long haul. AD handles the Windows side while Open Directory and OS X Server take care of the Macs. Because the Macs are still bound to AD, there is seamless communication between the two environments. This also accounts for shared file and printer services.

Given their skill sets and resources, if this is too difficult for a group of IT admins, they might consider Centrify User Suite -- the Mac Edition. It can help IT administer Macs and use the AD identity infrastructure to centrally manage authentication, policy enforcement and SSO. Another popular option is Jamf Pro, a comprehensive endpoint management product that can integrate with AD and Open Directory.

Dig Deeper on Alternative OSes