Look into JumpCloud for password and account management, it will be better than nothing. I use it for smaller clients and it actually works well, I am working on the SSO portion of it when I can.
You can also use PDQ deploy for the software deployment.
Also without knowing your network size, our suggestions are useless.
I'm not an expert by any means, but I'm going to take a swing at this anyways since I'm taking my Network+ test tomorrow and need to have some understanding of this.
RADIUS is used for general authentication to get onto the network, but it's not necessarily used as a database the way LDAP is for other things like groups and permissions. It might be useful to delegate and separate some functions of authentication to a RADIUS server which then gives a thumbs up to the LDAP server to allow you whatever permissions you have in your particular group.
You might go, "Hey, RADIUS server, can I get onto the network? Here is my username and password."
RADIUS will be all like, "Alright, bro. You're good. Let me just hit up LDAP real quick and let it know you're solid."
RADIUS will hit up LDAP and be like, "Yo. LDAP. I just authenticated this dude wolfman5091 to get onto the network. Can you like do your thing and figure out what they are allowed to do now that they are here. Because I got like...other stuff to do."
LDAP will then be like. "Sure thing, dog. I got it from here. I know who that is, I'll take over from here."
That way you kind of have the RADIUS server isolated somewhat. I guess kind of like a bodyguard. You're trying to get into the club and then RADIUS either lets you in or doesn't, then it lets LDAP know if you're on the list. Then once you are in, LDAP will show you around and will let you know if you're allowed in VIP or if you have free drinks or whatever cool stuff you have access to. It manages all that for all the people in the club.
I have no idea if this answers your question, but I did my best.
Edit: I found an article that is pretty helpful
To my knowledge, relatively few of those apps you mentioned support SAML or OAuth (i.e., single sign-on). You might find it more convenient to just have all of your applications authenticate against your LDAP directory, so you can use the same credentials but wouldn't have SSO (see: https://jumpcloud.com/blog/sso-vs-ldap)
That said, if you ever need help, please feel free to pm me or join the Authentik discord server - I'm active in there as well
If you're all Windows 10 you can get licensing and join them to Azure AD Premium and push policy from there. There are also Directory-As-A-Service type operations like https://jumpcloud.com/ (which I have no experience with).
You can set group policy on individual workstations - with some limitation - but there's no way to monitor it and responding to things like user departures will be a mess.
I encountered JumpCloud recently, AD-like function for cross-platform networks. Free up to 10 users. https://jumpcloud.com/
For HR, SmartRecruiters is free as long as you are posting 10 or fewer jobs. It's an applicant tracking system so they don't have to manually sort resumes and applicants. https://www.smartrecruiters.com/
For non-profits, schools, churches - there is techsoup. Office 365 is free through them, and lots of other software is ridiculously inexpensive.
I'm not sure if it's exactly what you're looking for, but someone mentioned yesterday that they were looking into a cloud based directory service:
I don't know anything about it, we're using Active Directory and have our Macs bound to that. I don't know if the advantages of a cloud-based subscription are worth it to us, since hosting AD in house is basically free.
https://jumpcloud.com/solutions/replace-ad
I did some googling around for a cloud AD syncing tool and found this. I've never heard of it before obviously but am interested to see if anyone here has any experience with it.
Instructions to configure google for various applications can be found here:
https://support.google.com/a/answer/9089736?hl=en
Note this can get pricy, as you need a fairly expensive Google Workspace plan.
A much cheaper alternative to look into is jumpcloud: https://jumpcloud.com/
Hey, Brandon with JumpCloud here — chiming in to second that suggestion of JumpCloud earlier in the thread. Alongside your computers in Azure AD, do you also have user identities in AAD integrated with Microsoft 365? If so, JumpCloud integrates seamlessly with M365, in turn allowing those users to authenticate to our cloud RADIUS servers, without further infrastructure to build and maintain. There could be other integration options, depending on what else you have in place, and we have an implementation team that helps iron out the answers to any questions there. You can check us out for free at https://jumpcloud.com/product/cloud-radius.
I believe you would need to setup a RADIUS server regardless for authentication purposes for 802.1x, however cloud services now are available. This might be a good read on that idea.
JumpCloud - Among other things, they provide cloud-hosted RADIUS & LDAP, which is what this client is using
RADIUS is the Authentication Source
LDAP is used to pull Authorization attributes (i.e. Group membership, etc)
If it is a company owned device then that means the mobile configuration is so the organization can secure the device by using MDM (Mobile Device Management).
This, by itself, is not something that can "monitor" your machine outside of when you access company resources, such as SSO, and when you attempt to log in to the machine. This is actually very common, world-wide.
There are many MDM solutions on the market, JAMF, Kandji, JumpCloud etc. If you would like to read more about what an MDM solution is please read this.
This is not a "monitoring" or surveillance solution. This is a device management solution that is likely a result of some compliance requirement for Data Loss and Prevention.
If you remember, during installation you will be given an option to encrypt the hard drive. This is the login screen for that disk encryption.
https://jumpcloud.com/blog/how-to-enable-full-disk-encryption-on-an-ubuntu-20-04-desktop
Hello, Ben with JumpCloud.
Just in case you weren't aware. There is a native integration with AutoPKG. Not sure if this might solve your issue or if homebrew is another route to go. I think some of these things (installing software) will always require some sort of elevated permission.
Might get creative with some policies that could "whitelist" packages though.
https://jumpcloud.com/blog/install-macos-software-autopkg-jumpcloud
Issue comes down to the usual, $$$. SSO is seen as a value add. For the record it's not and should be job one for authentication.
That said, one should push and/or select vendors to start adopting just-in-time provisioning. It's literally the automation answer to all of this problem.
Wouldn’t surprise me in the least. I did find a blog post from jumpcloud that seems to hint that it’s doable if one jumps through the correct hoops, which may include manual admin approval of the change, or installing an MDM profile.
I think I may give this a try. I can’t promise to report back for several weeks, but if I make progress, I’ll update.
>https://jumpcloud.com/blog/zero-touch-enrollment-macos
In order to set this up did you have to do all the steps mentioned here: https://github.com/TheJumpCloud/MDM-Prestage-User-Enrollment/wiki/Step-6-postinstall-script
So after thinking it was not possible, I found a traffic log showing user ID info from jumpcloud.com... anyone else get this working consistently?
Source User: jumpcloud.com\tom.smith
Source: 172.30.100.2
Source DAG:
Country: 172.16.0.0-172.31.255.255
Port: 65469
Zone: L3-OpenVPN-Mobile
Interface: ae1.1102
X-Forwarded-For IP:

Source User: jumpcloud.com\tom.smith
Source: 172.30.100.2
Source DAG:
Country: 172.16.0.0-172.31.255.255
Port: 50604
Zone: L3-OpenVPN-Mobile
Interface: ae1.1102
X-Forwarded-For IP:
I know this is an old topic, but I had lost all hope for User-ID mapping from JumpCloud after reading the User-ID IP Mapping PDF, but I saw this appear in my logs tonight after syncing a local domain controller with JumpCloud and updating my Palo to the latest version. I do not know which one prompted the change. Is there an update on best practices or was this a fluke?
If you have an onsite Windows DC prolly via GPO or even thru PDQdeploy,
Looks like JumpCloud supports software installs via "commands". When you click New > Agent in Atera, you can get the command line to pass through JumpCloud commands, assuming the agent is already installed on the Windows PCs.
https://jumpcloud.com/blog/remotely-installing-applications-using-jumpclouds-commands
Google Workspace is a great service, but the user directory is not a great replacement for purpose-built directory services such as AAD and even some SAML directories like onelogin and okta.
https://jumpcloud.com/blog/replace-exchange-and-active-directory
So I don't want to put words in your mouth, but that sounds like you're conflating MSAD with client-side Windows-exclusive functionality, GPOs. I should have foreseen that, because I've had this conversation before, with similar responses.
We've successfully used a unified (Linux, Mac, Windows) client Configuration Management tool to pull GPO changes for Windows clients. DSC, Desired State Configuration, is the interface that the vendor wants everyone to use, and "DSC Pull Service" is how you want to control it. Various vendors also offer SaaS-based control over GPOs. The first-party SaaS uses the DSC mechanism.
Naturally we could run MSAD on Samba4, but the goal here wasn't merely to avoid CAL complications, it was to avoid having the Windows users jump through hoops to get securely online before certain things could happen. Windows users will often be familiar with the situation where there's no cached credential, or something is broken until a VPN allows access to some MSAD. The goal was to provide a good user experience by eliminating any need for a VPN, which users dislike.
Ben with JumpCloud here,
So there are a few ways you can remotely install the agent. You can install via the terminal if you have a way to remotely execute an installation: https://support.jumpcloud.com/support/s/article/Installing-the-Mac-Agent#InstallMacfromTerminal
Of course, you have to have the Chicken before the Egg in this scenario (or the other way around?) ha. You have to have a way to initiate the installation first in order to install the agent. That's pretty much universal in any situation.
Lastly, we have an integration with AutoPKG if you wanted to integrate with Munki.
https://jumpcloud.com/blog/install-macos-software-autopkg-jumpcloud
I actually found an option to encrypt the home and swap file without needing to wipe the entire ubuntu partition. Root is left unencrypted, but the important items such as the SSH keys are in the home. I think this is a good compromise solution (without having a dedicated client PC) since even if the Windows partition was compromised, the SSH keys would be inaccessible since the Ubuntu home and swap partitions where SSH keys could be are encrypted.
In case anyone else interested: https://jumpcloud.com/blog/how-to-encrypt-ubuntu-20-04-desktop-post-installation
Now my next concern is if there are other devices on my network which are compromised (especially IoT devices). I heard a separate VLAN for the client machine is one option, but I do not know if that's an option in my router. I am thinking maybe using a guest network siloed from my LAN and using it only for the laptop (not currently using guest anyway). Seems easier than trying to set up VLANs and possibly needing to upgrade my router.
> Does it make sense to host an LDAP server at a cloud provider?
No. If you're on GApps for Business, they have a secured LDAP service. And it's nearly guaranteed that they can secure any given LDAP endpoint better than you can.
More generally, if you have a mostly remote workforce, there are SaaS options 1 2 that require less day-to-day maintenance, and have an easy-to-digest cost model (usually per-user).
Freeradius, Jumpcloud (Free up to 10 devices). I know you didn't want these, but throwing them here: Microsoft NPS, built in Unifi Radius, I'm sure there are others out there as well. This is just off the top of my head.
Are you using an MDM? We are using Jamf and automated device enrollment to onboard our computers and apply profiles. I haven’t had any issues. I used this website to understand the changes in Big Sur. https://jumpcloud.com/blog/macos-big-sur-mdm-required
You can synchronize your on-premises AD to Azure Active Directory but not migrate your computer accounts, group policies, OU etc. This post https://jumpcloud.com/blog/can-i-replace-ad-with-azure-ad gives you good idea.
Hey, Brandon with JumpCloud here — worth mentioning, we steeply discount pricing for education, starting at only $2 per user. https://jumpcloud.com/education-highered-directory-service-pricing. I'm not in sales, but feel free to let me know if I can help, I'm happy to make intros.
Good to hear that company is dead set on Apple.. I hope you connect to some resources that can make you a standout Mac admin.
Regardless of how many users, you will need to explore that MosyleAuth tool or something similar at some point. Essentially it manages the authentication and access on each machine. An identity provider becomes the source of truth as to who can log on to which machine. There really isn't anything wrong with 10, 50, or 100 accounts on a Mac other than managing the list of users from machine to machine. If you keep users' data in the cloud, it won't matter which machine they sign into. You want to avoid having a user sign in on a Mac for the first time and then having them wait as the Mac syncs up.
Mosyle is a great MDM. Moving to another MDM is a f'n pain. Others in this thread have recommended JumpCloud, and I would too. BUT if they already use O365, which would also give them access to Azure AD (can't have one without the other), you might just use that. If you/they have access to Azure, then you can use federation in Apple Business Manager, which allows your users to use their work email from Azure as a Managed Apple ID.
Are you using Apple Remote Desktop so you don't need to be in front of a Mac to work on it?
Are you connected to any mac admin group at all yet?
Good luck!
1) I wouldn't use a NAS as a domain controller. However, I would speak to JumpCloud.com about looking into their Directory as a Service. It would allow you to fully control the users and machines with GPO-like policies from the cloud.
2) Are the PCs similar hardware? You could create an image and netboot the image using Clonezilla or something similar.
Hey, no worries at all — as you can see from my response time, I’m not on reddit with regular frequency, apologies for that. I hope you will engage our sales team, as they can in turn pair you with an implementation team that can really dive in to the specifics of your deployment, to make sure you start off on the right foot there.
It is indeed possible to manually set UIDs and GIDs within JumpCloud. The setting in JumpCloud, "Enable UID/GID management for users", will not automagically resolve any ID conflicts that might occur there. The setting will instead result in you receiving in-console notifications about any conflicts, so that you would know where to work to resolve those. If you can possibly plan these IDs up front rather than changing them later, you may save yourself some effort.
You are correct that licenses are user-based. One user on 5 systems is simply one user license.
On the Windows side, you’re correct on the basic concept there. Depending on scale, you may want to look into our JumpCloud AD Migration Utility:
https://jumpcloud.com/blog/active-directory-migration-utility
https://support.jumpcloud.com/support/s/article/migrating-users-from-active-directory1
https://github.com/TheJumpCloud/jumpcloud-ADMU/wiki
Hope this helps!
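A pre-flight check for the UID/GID planning advised above, added here as an example (not JumpCloud's own tooling): it scans a planned assignment table and per-system /etc/passwd snapshots for the duplicate and colliding IDs that the directory setting would otherwise only notify about. All usernames, IDs and passwd lines below are constructed.

```python
"""Find UID/GID conflicts before enabling centralised ID management.

Added example; the planned assignments and passwd snapshots are constructed.
"""
from collections import defaultdict

# Planned directory assignments: username -> (uid, gid).
PLANNED = {
    "tom.smith":  (5001, 5001),
    "ann.lee":    (5002, 5002),
    "svc.backup": (5001, 5003),   # constructed clash: same UID as tom.smith
}

# Existing local accounts per system, as raw /etc/passwd content.
SYSTEMS = {
    "web01": "tom.smith:x:5001:5001::/home/tom.smith:/bin/bash\n"
             "ann.lee:x:1001:1001::/home/ann.lee:/bin/bash\n",
    "db01":  "postgres:x:5002:5002::/var/lib/postgresql:/bin/bash\n"
             "tom.smith:x:5001:5001::/home/tom.smith:/bin/bash\n",
}

MIN_DIRECTORY_ID = 1000   # IDs below this are conventionally system accounts


def parse_passwd(text):
    """Return {name: (uid, gid)} from /etc/passwd content; malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[2].isdigit() and parts[3].isdigit():
            out[parts[0]] = (int(parts[2]), int(parts[3]))
    return out


def find_conflicts(planned, systems):
    """Return a sorted list of human-readable conflicts; [] means the plan is clean."""
    problems = []
    # 1. Conflicts inside the plan itself: reserved ranges and shared UIDs.
    by_uid = defaultdict(list)
    for name, (uid, gid) in planned.items():
        by_uid[uid].append(name)
        if uid < MIN_DIRECTORY_ID or gid < MIN_DIRECTORY_ID:
            problems.append(f"{name}: uid/gid below {MIN_DIRECTORY_ID}")
    for uid, names in by_uid.items():
        if len(names) > 1:
            problems.append(f"uid {uid} planned for {', '.join(sorted(names))}")
    # 2. Conflicts against each system: a planned user already exists locally
    #    with different IDs, or the planned UID belongs to another local account.
    for host, text in systems.items():
        local = parse_passwd(text)
        local_by_uid = {u: n for n, (u, _) in local.items()}
        for name, (uid, gid) in planned.items():
            if name in local and local[name] != (uid, gid):
                problems.append(f"{host}: {name} has {local[name]}, planned {(uid, gid)}")
            elif name not in local and uid in local_by_uid:
                problems.append(f"{host}: uid {uid} already used by {local_by_uid[uid]}, planned for {name}")
    return sorted(problems)


if __name__ == "__main__":
    for problem in find_conflicts(PLANNED, SYSTEMS):
        print(problem)
```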
ProfWiz isn't Azure AD aware. There is no clean path. Although this link is from a vendor that sells an identity management solution, they explain it perfectly.
https://jumpcloud.com/blog/replace-on-premise-ad-azure-ad
If you want simple, moving to Azure AD Directory Services and using Profwiz is most likely your best bet. It's basically AD SaaS, with some limitations (you can't add another DC, can't extend the schema, etc.).
How many endpoints? Users?
If you’re looking for complete automation I would look into HR as a master (HRaaM) early on. With that being said an example would be:
https://jumpcloud.com/daas-product/hr-system-integration/
JAMF is a great Mac-only MDM. If your environment stays Mac then you are set.
I would be cautious with GSuite as a master.
Due to the size of the company JumpCloud might be a great complement to JAMF. Depending on what you’re doing with JAMF JumpCloud might even be a viable solution to replace it and give you more flexibility with expansions on types of devices supported.
GSuite has its advantages and disadvantages depending on how you’re trying to use it.
All the above really depends on if you have AD or are on some kind of Directory as a Service (DaaS).
https://jumpcloud.com/blog/nist-800-63-password-guidelines/
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
Password guidelines are moving away from "expire every 60 days, require at least 16 characters with at least 4 special characters and mixed case, etc." because they've found it generally leads to weaker overall passwords. Users end up using hunter2summer2019!, hunter2fall2019!, hunter2winter2019!, etc. it's too hard to remember n#N3BXRaf@4TuY7!9g9. Require MFA + password managers to stop password re-use.
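The SP 800-63B approach the comment above summarises, as an added example (not code from the post or from JumpCloud): a checker that enforces length and a breached-password blocklist instead of composition rules or expiry, so the seasonal "hunter2summer2019!" pattern is rejected while a long passphrase or a manager-generated string passes. The blocklist and context words are constructed for the demo.

```python
"""Password acceptance check in the style of NIST SP 800-63B.

Added example; the blocklist and context words below are constructed.
"""
import re
import unicodedata

# Constructed sample of a breached/common-password blocklist; a real
# deployment would load a large list such as a Have I Been Pwned dump.
BLOCKLIST = {"password", "hunter2", "qwerty", "123456", "letmein"}

# Service-specific words 800-63B says to reject (constructed sample).
CONTEXT_WORDS = {"jumpcloud", "acme"}

MIN_LEN = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # verifiers must accept at least 64 characters

# Predictable season+year suffixes like the "summer2019" examples above.
SEASON_RE = re.compile(r"(spring|summer|fall|autumn|winter)\s*\d{2,4}")

# Common leetspeak substitutions, undone before the blocklist comparison.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def is_repetitive(s: str) -> bool:
    """True for a short unit repeated to fill the string, e.g. 'abcabcabc'."""
    for unit in range(1, len(s) // 2 + 1):
        if len(s) % unit == 0 and s[:unit] * (len(s) // unit) == s:
            return True
    return False


def is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'abcdefgh' (every step +1 or -1)."""
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) >= 4 and steps in ({1}, {-1})


def check_password(pw: str, username: str = "") -> list:
    """Return the reasons a candidate password is rejected; [] means accepted.

    No composition rules (digits, symbols, mixed case) and no expiry: only
    length, blocklist, context words and trivially patterned strings.
    """
    pw = unicodedata.normalize("NFKC", pw)   # spaces and Unicode are allowed
    low = pw.lower()
    leet = low.translate(LEET)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        reasons.append("longer than 64 characters")
    # Substring match so "hunter2summer2019!" is caught, not only "hunter2".
    for word in sorted(BLOCKLIST):
        if word in low or word in leet:
            reasons.append(f"contains common password '{word}'")
            break
    if SEASON_RE.search(low):
        reasons.append("season+year pattern")
    context = set(CONTEXT_WORDS)
    if username:
        context.add(username.lower())
    for word in sorted(context):
        if word in low:
            reasons.append(f"contains context word '{word}'")
    if is_repetitive(low) or is_sequential(low):
        reasons.append("repetitive or sequential")
    return reasons


if __name__ == "__main__":
    for candidate in ["hunter2summer2019!", "P@ssw0rd", "n#N3BXRaf@4TuY7!9g9",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```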
You should look into a cloud LDAP service like https://jumpcloud.com/; it will make your life much easier when managing different sets of users on different sets of EC2 machines.
PS. Terraform is not for this purpose; Ansible can be used, but I feel it's hacky (it can be good for one-time configuration of users, but doing it on a regular basis is more effort than fun). Maybe it's me.
Curious if you've come across JumpCloud?
They've recently (in the last 2 weeks) released a new AD integration product which includes password write-back from non AD bound macOS machines to AD.
Check out info on this feature here: https://jumpcloud.com/product/active-directory-integration/
Using this you can use JumpCloud to take over existing local accounts (given the usernames of the accounts align with AD UPNs) and use AD as the source of truth for logging into the local accounts.
You can also layer on 2FA macOS login using JumpCloud and take advantage of other features in their platform like cloud Radius, LDAP, GSuite/Office365 sync, and SSH key management.
I am in the same boat. My company supports numerous clients from 5 users up to my biggest client who has 100 users spread over three cities. The biggest plus of on-prem AD for me is Group Policy modelling. I am looking at https://jumpcloud.com/ as a means to not have the cost associated with the hardware and licensing of an on-prem AD. I have yet to implement it so can't give any feedback as yet on it.
This is true - seems like it would be a mish-mash of a lot of different software/services.
I've connected JumpCloud to my AD and I can use that for LDAP - then it'd just be a matter of setting up LDAP client software on all the different clients, which is enough work as it is but would likely be required for any other infrastructure too, because I don't know of any other auth system for NIX besides Samba+Kerberos.
One reason why I was asking - are there easier-to-set-up technologies out there I just don't know about? Is LDAP really as easy a universal auth framework as it gets?
Also, what about RSAT, has anyone come out with RSAT for Mac+Linux yet? hehe
I wonder if you could bridge in something like JumpCloud to create the solution:
I don't personally have much experience with it but, I think it will do what you want.
Hence the need to establish full connectivity between all outposts ;) Back to that - if SD-WAN exceeds your budget, have a look at cloud-based virtual routers/firewalls. One outgoing tunnel and a single route at each location might just do the trick, I guess! You could even host your own instance(s) of virtual routers (Mikrotik, VyOS, etc.) or rely on ready-made network stacks.
On the other hand - with possibly limited needs for GPOs, etc. - maybe AAD and Intune might make sense. Or - but I have no clue how stuff like that performs in real life - some Directory as a service? https://jumpcloud.com/daas-product/
https://www.keycloak.org/ is Open Source and backed by Red Hat. You have to run it yourself though. We're using this.
https://jumpcloud.com/pricing/ - SaaS - similar pricing to cloud providers, but I think they might do better pricing for MSP.
Since I started JumpCloud for managing users on my personal computers/lab/whatever I've taken to generating an SSH keypair for my main clients (work laptop, personal desktop/Mac/laptop, etc.) and adding the public keys to JumpCloud to be pushed out.
Mostly though it’s just me using the tools available to be lazy and not have to transfer my ssh keys to multiple computers. It’s easy to add and remove ssh keys, so I don’t feel the need to use the same key pair on every client.
Option 4) Office 365 E3 + JumpCloud
JumpCloud acts as the master backing directory and the password authority to Office 365 and local system accounts. The JumpCloud agent manages policy enforcement and account provisioning / access across Mac, Windows, and Linux. Office 365 for email, OneDrive for personal storage and Sharepoint for shared.
No need to invest in any infra with this model and JumpCloud has a new MSP offering which allows for multi-tenant management so your dogfood account could act as a template for your MSP businesses. Another perk of this model is that JumpCloud is vendor neutral so you're not locked into this template and can leverage other platforms like G-Suite or even AD with future JumpCloud tenants configured for MSP clients.
Not sure if this is an exact fit for your use case, but I'm looking to implement jumpcloud in my RHEL environment basically ASAP. It's about 1,000x easier to manage than an on-premise AD solution.
I would look at JumpCloud over AD, Azure AD. You’ll setup your users in JumpCloud, install JumpCloud agents on your Windows/Mac/Linux systems. Then in the JumpCloud web interface assign users to machines.
JumpCloud will create local users with synced passwords on all the machines. You can also use JumpCloud SSO for one or two apps like O365 or Gsuite.
Free for up to 10 users. Depending on your needs you might lose a free user or two to service accounts.
Quick and easy and quite slick within its limitations. Looks like a good fit based on the minimal information you provided.
Otherwise look into Azure AD, though you may need to update your O365 subscription to a more expensive plan depending on your current plan.
JumpCloud | Engineering | Boulder, Colorado, USA | Full-time | On-Site | www.jumpcloud.com
JumpCloud offers a Directory-as-a-Service product in the cloud. Work with technology like Go, Vagrant, Docker, Saltstack, ELK Stack, Redis…
- Sr. Software Engineer: Gophers wanted, or experience with C++, Java, Python or Node is ok too
- Software Engineer in Test (SDET): 5 yrs Go or Python ideal, or experience with multiple languages (C++, Ruby, Perl); SQL; open to former DevOps/sysadmins with coding experience who want to do more development
- Software Engineer (OS Applications): Develop agent technology; native desktop devs; system-level API work
More details here: https://jumpcloud.com/careers#careers
Here are some useful readings for you http://www.itprotoday.com/microsoft-azure/azure-active-directory-vs-premises-active-directory https://jumpcloud.com/blog/active-directory-azure-active-directory/
With regards to provided information, if you do not plan to open more BOs, use 3rd DC.
Note that you can test JumpCloud with 10 users or less.
Walked away impressed during a trial but was unable to move forward due to extended attributes not being offered at the time.
https://jumpcloud.com/daas-product/index
This is something you may be interested in. I am looking to migrate a cloud DC pretty soon, and I will be considering them as one of my options. There are a couple other services that do what they do, but I am not at my office, so I can't look at my notes. Jumpcloud just stuck in my head.
OP said "(10 or less) desktops". JumpCloud is free for up to 10 users, so in this limited use case JumpCloud wins on price.
But beyond that for larger deployment cases of where you would have to pay for JumpCloud, I'd argue it's still not such a clear win for the plan of upgrading to Win10 for Basic Azure AD. There are PROs and CONs to both approaches:
JumpCloud will cost more as you note. But JumpCloud offers a lot of Single Sign-on integrations with other services and features like a Cloud Radius service to secure your client's Wifi networks that you wouldn't get with just Basic Azure AD.
A CON to the Windows 10 upgrade plan is you will have to spend your staff labor on the upgrade process. Unless you're charging for this labor, in which case you need to include the labor cost in the price comparison...
What's better depends on needs and the situation....
https://jumpcloud.com/? I'm going to be testing them out soon for at least managing access to customer sites that don't have AD. I don't have any Macs atm to test it out. It's currently free for 10 users. Also, they don't have a multi-tenant offering just yet.
So, I tried different solutions, but I couldn't find anything that works as I expected (or wished).
Then I found jumpcloud, and I understood that I really need something similar to the Directory-as-a-service service that they provide.
Here is a list of pros and cons for my use case:
Pros:
Cons:
This is not a good solution for my needs, but it definitely helped me understand what I need