Using AD when you can't use AD – Getting Jamf Pro to talk to ADAM or NoMAD

Speakers: Edward Shorrock

Level: Intermediate, Lecture

Excerpt: Have you ever wanted the benefits of AD but your security team said no? If so, this is the session for you. Come learn how to make Jamf use AD without needing to actually talk to AD. We will cover AD LDS, NoMAD and some custom Python tooling as options for getting you off the ground.

Description:

Many Mac Admins will be familiar with this scenario: I want to deploy Jamf Pro, and I want to be able to scope policies based on Active Directory groups. Or I want to take advantage of my current AD Security groups to deploy software in Self Service, but my security team won’t allow Jamf to talk to AD.

We will cover three ways to use AD when you cannot allow your Jamf servers to touch AD directly. The first is an Active Directory Lightweight Directory Services (AD LDS) instance populated with ADAMSync. This lets you stand up a replica of specific OUs from your directory, and because the sync is one-way, your core AD environment is untouched.

We will also look at ways to use NoMAD and/or a Python LDAP connector on the machines themselves to gather AD information and report it to your Jamf server. This removes the requirement for Jamf Pro to talk to AD at all while keeping much of the same functionality.

This session will cover:

* Reasons your security team said no to AD and why they are right
* Setting up an AD LDS Server
* Basic syntax of the XML config file
* Ways to get it to sync
* Mapping it to Jamf Pro and getting it to do stuff
* BONUS – Using UserProxy Objects to proxy authentication without lockout issues
* Reasons you may want to ditch AD all together for other options
* Using extension attributes to query a NoMAD Plist for AD info
* When you need AD to be a source of truth but NoMAD isn't enough because users can change its preferences, what can you do?
* Create a one-time query in bash and store it in an extension attribute
* Crafting a custom daemon to query AD attributes and post them to Jamf via API
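The last three items share one pipeline: read AD group data that NoMAD has cached on the Mac, treat it as untrusted (the user owns that preference file and can edit it), and hand it to Jamf Pro either as an extension attribute result or as a Classic API payload. The following is an added example written for this page, not code from the session or from the NoMAD or Jamf projects. It assumes, without confirmation from the page, that NoMAD stores the user's groups under a "Groups" key in com.trusourcelabs.NoMAD.plist and that the Jamf Pro Classic API accepts a PUT of an XML <computer> document to /JSSResource/computers/serialnumber/<serial>/subset/extension_attributes with basic authentication; the sample plist is constructed inline so the script runs offline.

```python
"""Added example (not from the session, NoMAD or Jamf): turn the AD group
data NoMAD caches on a Mac into a Jamf Pro extension attribute value and
into a Classic API payload that a local daemon could PUT.

Assumptions not confirmed by the page: NoMAD keeps the signed-in user's
groups under a "Groups" key in com.trusourcelabs.NoMAD.plist, and the
Classic API endpoint is
/JSSResource/computers/serialnumber/<serial>/subset/extension_attributes.
"""
import base64
import plistlib
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import List

NOMAD_GROUPS_KEY = "Groups"          # assumed NoMAD preference key
_DN_SPLIT = re.compile(r"(?<!\\),")  # split a DN on commas that are not escaped

# Constructed sample of what the user-writable NoMAD plist might contain.
# Because the user can edit this file, every value in it is untrusted input:
# the group names below include a DN, a duplicate, XML metacharacters and an
# escaped comma to exercise the parsing.
SAMPLE_PLIST = plistlib.dumps({
    "UserPrincipal": "jdoe@CORP.EXAMPLE.COM",
    NOMAD_GROUPS_KEY: [
        "CN=Mac Admins,OU=Groups,DC=corp,DC=example,DC=com",
        "Mac Admins",
        "CN=R&D <test>,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Smith\\, Jane Team,OU=Groups,DC=corp,DC=example,DC=com",
    ],
})


def groups_from_nomad_plist(plist_bytes: bytes) -> List[str]:
    """Return a sorted, de-duplicated list of group names from the plist.

    Entries may be plain names or memberOf-style distinguished names; a DN is
    reduced to its leading CN so the same group yields one stable value.
    Anything that is not a string is ignored rather than trusted.
    """
    data = plistlib.loads(plist_bytes)
    raw = data.get(NOMAD_GROUPS_KEY, [])
    if not isinstance(raw, list):
        return []
    names = set()
    for entry in raw:
        if not isinstance(entry, str):
            continue
        first = _DN_SPLIT.split(entry.strip(), maxsplit=1)[0]
        if first.upper().startswith("CN="):
            first = first[3:]
        first = first.replace("\\,", ",").strip()
        if first:
            names.add(first)
    return sorted(names)


def ea_result(groups: List[str]) -> str:
    """Format for a Jamf extension attribute script: one group per line
    inside the <result> tags that Jamf parses from script output."""
    return "<result>" + "\n".join(groups) + "</result>"


def ea_payload(ea_name: str, groups: List[str]) -> bytes:
    """Build the Classic API XML body for one extension attribute.

    ElementTree escapes <, > and & in text, so a group name such as
    'R&D <test>' cannot break out of the <value> element and alter the
    document a daemon sends to Jamf Pro.
    """
    computer = ET.Element("computer")
    eas = ET.SubElement(computer, "extension_attributes")
    ea = ET.SubElement(eas, "extension_attribute")
    ET.SubElement(ea, "name").text = ea_name
    ET.SubElement(ea, "value").text = "\n".join(groups)
    return ET.tostring(computer, encoding="utf-8", xml_declaration=True)


def payload_value(payload: bytes) -> str:
    """Parse a payload back and return the <value> text (round-trip check)."""
    root = ET.fromstring(payload)
    return root.find("extension_attributes/extension_attribute/value").text


def put_extension_attribute(jamf_url: str, username: str, password: str,
                            serial: str, payload: bytes) -> int:
    """PUT the payload for one computer over the Classic API (network call;
    basic auth as used with the 2018-era Classic API, assumed here)."""
    url = (jamf_url.rstrip("/") + "/JSSResource/computers/serialnumber/"
           + urllib.parse.quote(serial, safe="") + "/subset/extension_attributes")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=payload, method="PUT", headers={
        "Content-Type": "application/xml",
        "Authorization": "Basic " + token,
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    groups = groups_from_nomad_plist(SAMPLE_PLIST)
    print(ea_result(groups))
    print(ea_payload("AD Groups", groups).decode())
```

Run as a script it prints the extension attribute result and the API payload for the constructed plist; `put_extension_attribute` is only called from your own daemon with a real serial number and credentials. Keep the session's caveat in mind when scoping on this data: the value originates from a file the user can edit, so it is suitable for reporting and convenience scoping, not as a source of truth for access decisions.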


About the speaker

Edward Shorrock (Twitter: @thatMacAdmin) – Engineer, Apple Technologies and Innovation – Cardinal Health

I have been in and around computers my whole life. I have always loved Apple. Before moving into the enterprise space I had the pleasure of being a part of the AppleCare organization. Today I am the lone Mac wrangler for Cardinal Health. Although my Mac tenant is small (less than 400 Macs), they range over 20 countries. We have some of the most stringent security and privacy requirements around, necessitating some creative solutions to some old problems.

When I am not working, I am probably playing video games or board games with my wife!

This entry was posted in MacAdmins 2018 Sessions.