On October 11, 2022, some security patches for Microsoft Windows Domain Controllers went from being optional to being enforced. With this change, we may see some issues and changes with our Apple/Mac systems binding to Active Directory. We wanted to share with all of you what we know, what we don’t know, and what we’ve tried so far as alternatives.
What we know:
This security patch has been on the books for a long time and delayed several times. It is CVE-2021-42287. I’ll put a link to this and a few other things at the bottom here for you all to review if you like.
The short version is this: Microsoft is putting important security enhancements into on-prem Domain Controllers. Unfortunately, Apple has decided it will not patch macOS to support these changes, so once they are enforced it will most likely be impossible for Apple devices to bind to AD at all, and some user accounts (network accounts; mobile accounts should still be OK) may be unable to log in.
What we don’t know:
There was a mention that Microsoft had included changes in this patch that would correct the issue, but most folks online in smaller setups who have tested it have had to back out of the changes after their Macs stopped binding. There is a small chance this is a false alarm, but most likely we’re about to see a very real, seismic change in how we deploy and manage our Apple systems. I wish we could give you a hard list of things that will and will not work, but in this case that just hasn’t been possible. Because testing this would require Duke to patch ALL of its production Domain Controllers, this is not something we, nor any other large enterprise, have been able to experiment with much prior to enforcement.
What we’ve tried:
Because over half of our Duke systems are bound to our on-prem AD, we’ve been looking at various alternatives that would not only replace the features binding gives us but also add some much-needed bonus features and enhancements. Many of these products didn’t work because of Duke’s infrastructure. We are working with IdM to see whether it’s possible to tweak them so we have a more robust and unified response, but that work is still ongoing and we have no guarantees at present.
- Apple Kerberos Extension (TL;DR: doesn’t work): When Apple sunset the “Enterprise Connect” package you could buy, they very quietly moved all of its features into macOS itself, starting with Catalina. The way the Apple documents were written, we thought this could at least provide a partial fix, and we were able to get it set up and partially working, but the features we would need, like password synchronization and just-in-time account creation, were either missing or not supported because of Shibboleth.
- Jamf Connect (TL;DR: doesn’t work): Jamf Connect is a paid product that we got a trial of for testing. It integrates with Azure and would handle account creation and password syncing from that. All-in-all, a magic bullet solution…or so we thought. Shibboleth was again an issue getting this to work.
- Xcreds by TwoCanoes Software (TL;DR: doesn’t work): exact same issue as Jamf Connect. Very easy to set up and seems a valid solution, but it doesn’t integrate with Shibboleth.
- NoMAD (TL;DR: it works…for now): NoMAD was a standalone product made by a company called Orange Grove. Jamf bought them back in 2018 and turned the NoMAD product into Jamf Connect. The freeware versions available up until the time of purchase are still available for download. As an emergency stopgap to keep the computer labs going, we rolled out NoMAD in the OIT and Trinity computer labs this past summer in lieu of binding. So far it has worked very well, but with two big caveats: A. It only works with on-prem AD Domain Controllers, so there is no hope of using it for Zero Touch for off-campus faculty/staff. B. The freeware version we are using hasn’t been updated since 2018, when Jamf bought them. It is possible a future macOS update will kill this product, and there are no guarantees on how long it will keep working. If you want to try NoMAD, we have everything set up and would be happy to work with you on a test.
- The final one we have not tested yet is the SSO extension that will be built into macOS Ventura when it comes out in a few weeks. In theory this supports the SAML2 protocol that Shibboleth uses, but detailed information on how it works is sketchy right now. This will have to be something we try on release day.
This is where we stand right now. When we started testing the various products it was our hope to be able to hand a bundled/working solution to you along with the news about binding. This unfortunately is not the case. It has required a much more complex solution than we ever thought it would.
As we get new information on possible alternatives, we’ll of course share them out to everyone.
If you encounter any issues after this change is enforced, want to try NoMAD, or need help converting network/mobile accounts to local ones, please open a ticket; we’ll be glad to help you out in any way we can.
macOS Kerberos SSO extension:
Jamf Connect: https://www.jamf.com/products/jamf-connect/
macOS 13 Ventura SSO: https://9to5mac.com/2022/07/09/apple-identity-vision/