You’ve heard of Azure Active Directory (AAD), right? If not, here’s the TL;DR: it’s Microsoft’s cloud-based directory for users, groups, and devices. It’s the back end that holds all the users, user attributes, and licenses for Office 365 (using AAD Free), and it can be scaled up via Azure AD Premium licenses to provide enough functionality that some organisations are replacing on-premises Active Directory with it. However, when it comes to device joining/binding and Single Sign-On (SSO), many forget that AAD Join is currently limited to Windows 10 devices.
Recently, while discussing the deployment and authentication solution we have in place for our own Apple devices, the question was asked whether the above restriction is still a thing. Not knowing the answer off the top of my head, I started searching, and I quickly came across a number of forum and social media posts that asked some version of:
We are looking to use Azure AD for sign-in functionality, so that our Mac and Windows users can perform Single Sign-On to our cloud services. However, we are not sure what to enter when we try to set the Mac up. We’ve tried everything in the Network Server settings (in Users & Groups), but it always says that it cannot find the server.
The answer, of course, is that AAD Join is still limited to Windows 10 devices, but this was an interesting development. Clearly, people were still hoping to leverage Directory Services on Mac devices, and many small and medium-sized businesses (SMBs) and cloud-first sites were turning to Azure AD and Office 365 for answers, but not having the success they desired. Can Microsoft even do anything about this, though?
Unfortunately for Microsoft, the inability to AAD-Join Macs is still an issue for them to address: a number of sites are looking to decommission their on-premises Active Directory environment in favour of moving Directory Services to the cloud, and as long as these sites currently support Apple computers via AD-Join, this may block a number of cloud migration projects and deny Microsoft the cloud migration momentum it desires. While it is possible to retain local AD servers for the Mac users, move everything else to pure AAD, and then fill the gaps with Azure AD Connect (synchronisation), that’s not a strategy that many would consider a long-term solution.
All this being said, and according to Apple and their various MDM partners, the best solution for Macs is simply not to Domain-Join them at all. To be fair, Directory Services on a Mac operates as a ‘plug-in’ rather than being fully integrated; it does not support Group Policy or other useful DS management functionality; it doesn’t cache credentials for logon when the Domain Services server (or Domain Controller) is unavailable, resulting in login failures unless local and/or Mobile accounts are created; and it tends not to fully integrate with password management, password change requests, or even Keychain update processes. The current recommendation for sites that intend to leverage on-premises AD, at the time of writing, is simply the use of normal local user accounts on the device, plus software such as Jamf Connect (formerly NoMAD) to obtain Kerberos tickets from AD on behalf of the local account and to help map any AD-specified network home folder. Conveniently, this process does actually work fairly well. Unfortunately, people running around with local accounts on devices, with no identity management solution, is far from ideal.
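To make the trade-offs above concrete, here is an added example (not from the original post, and not Jamf or Apple code) that classifies a Mac into one of the four states the paragraph describes: bound without a cached account, bound with a Mobile account, unbound local account holding a Kerberos ticket (the NoMAD / Jamf Connect pattern), or plain local. The parsing functions take command output as text, so the logic runs on any POSIX shell against the constructed samples embedded below; only the `live_check` wrapper calls the real macOS tools. The assumed output formats of `dsconfigad -show`, `dscl . -read`, and Heimdal `klist` are noted in the comments and should be verified against your own machines.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed output formats:
#   dsconfigad -show : "Active Directory Domain          = corp.example.com"
#                      (no such line when the Mac is not bound)
#   dscl . -read /Users/<u> OriginalNodeName : "OriginalNodeName: /Active Directory/..."
#                      for a Mobile account; an error line for a local account
#   klist (Heimdal)  : "        Principal: alice@CORP.EXAMPLE.COM" when a TGT exists,
#                      "klist: No ticket file: ..." when none

# ad_domain: the AD domain from dsconfigad output, or "none" if not bound.
ad_domain() {
    printf '%s\n' "$1" | awk -F'= *' '
        /^Active Directory Domain/ { print $2; found = 1 }
        END { if (!found) print "none" }'
}

# krb_principal: the principal from klist output, or "none" if no TGT.
krb_principal() {
    printf '%s\n' "$1" | awk '
        $1 == "Principal:" { print $2; found = 1 }
        END { if (!found) print "none" }'
}

# account_kind: "mobile" when dscl reports an OriginalNodeName (the account
# was cached from a directory node), otherwise "local".
account_kind() {
    case "$1" in
        *OriginalNodeName:*) echo mobile ;;
        *) echo local ;;
    esac
}

# classify: combine the three signals into the state the post describes.
# A bound Mac whose account is not Mobile has no cached credentials and
# cannot log in when the DC is unreachable; an unbound local account that
# still holds a TGT is the NoMAD / Jamf Connect pattern.
classify() {
    domain=$(ad_domain "$1")
    kind=$(account_kind "$2")
    princ=$(krb_principal "$3")
    if [ "$domain" != none ] && [ "$kind" = local ]; then
        echo bound-no-cache
    elif [ "$domain" != none ]; then
        echo bound-mobile
    elif [ "$princ" != none ]; then
        echo local-kerberos
    else
        echo local-only
    fi
}

# Constructed samples (not captured from a real machine).
SAMPLE_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac01$'
SAMPLE_UNBOUND=''
SAMPLE_MOBILE='OriginalNodeName: /Active Directory/CORP/corp.example.com'
SAMPLE_LOCAL='No such key: OriginalNodeName'
SAMPLE_TGT='Credentials cache: API:501
        Principal: alice@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Jan  1 09:00:00 2024  Jan  1 19:00:00 2024  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM'
SAMPLE_NOTGT='klist: No ticket file: /tmp/krb5cc_501'

# live_check [user]: run the real tools; only meaningful on macOS.
live_check() {
    command -v dsconfigad >/dev/null 2>&1 || { echo "not macOS"; return 1; }
    u=${1:-$(id -un)}
    classify "$(dsconfigad -show 2>/dev/null)" \
             "$(dscl . -read "/Users/$u" OriginalNodeName 2>&1)" \
             "$(klist 2>&1)"
}
```

Run `live_check` on a fleet via your MDM and anything reporting `bound-no-cache` is a machine that will fail to log in the next time it is off the corporate network; `local-kerberos` is the state the recommendation above aims for.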
Outside of retaining local AD, and looking past the “don’t bind at all” recommendation above, what else is there? Well, a third option might be a third-party Directory Service provider that can federate identities to the services you need, such as Azure, AWS, and Google (to name a few). A popular version of this, which appeared quite regularly in my search, is JumpCloud. According to JumpCloud’s Azure AD page:
With the move to cloud-hosted directory services, there is a common question that comes up relative to Azure Active Directory. That question is… whether Azure AD can serve as the core identity provider for on-premises devices such as Macs. The simple answer is, “No”.
The page goes on to explain some of the reasons why AAD Join is currently limited to Windows devices, then adds:
There is another path that allows IT admins to not only leverage Azure but also authenticate their Macs and other non-Azure IT resources. Leveraging a core, cloud-based identity provider… The Directory-as-a-Service platform from JumpCloud is able to federate identities to Azure, Google Apps, AWS, SSO solutions, and more.
While cool, this does raise the question of why we must use a third party, and if they are able to provide a solution, why can’t Microsoft? I’m not saying that JumpCloud is a bad option, nor that I have any issues with using a third-party solution, but I again feel this is something that Microsoft needs to take more ownership of.
Unfortunately, while the Azure AD Team has recently announced Conditional Access for macOS, there was nothing I could find on the roadmap to indicate that AAD Join was even being considered for other platforms. Turning to the Azure Feedback site, there are several feature suggestions for this exact functionality, and where there has been an official response from Microsoft, it seems to be a quick “no” followed by locking the request and disallowing further up-voting.
Two feedback posts of note are “Azure AD join Mac OS X” and “Enable Apple Mac binding with Azure AD Domain Services”. A number of people in the comments say that they, or their clients, run a cloud-first, server-less environment and want to support Apple computers in the same way they do Windows PCs. Specific comments include “Since Apple refuses to support the enterprise, we really need Microsoft step up on this” and “I think this feature is essential for a cloud-only company that relies on office365 and Azure”. Unfortunately, if not met with silence, these users are simply getting an answer like this from the Azure AD Team: “Thanks for your feedback. Azure AD Join is unique to Windows 10 as it uses Windows components to generate/store the artifacts used for subsequent logins and enable SSO to other resources. AADJ on Mac OS or any non-Windows OS is not a possibility currently”. That’s a shame, especially if this is being solved by third parties right now.
To be fair, Azure AD Join is not even available across all currently-supported versions of Windows. Device join is also security-sensitive: the device identity and the credential artifacts used for subsequent logins and SSO have to be generated and stored somewhere trustworthy, which is why it needs to tie in closely with an operating system’s logon and authentication subsystem. As Apple’s loginwindow and its associated authentication path are tightly controlled by Apple and largely closed to the kind of third-party extension Windows allows, there may not be anything that Microsoft could do to support Mac clients in the way various users and IT admins were hoping. But given that third-party solutions offer exactly the needed functionality, that numerous threads discuss the need for it, and that several direct feedback items request it… maybe there is a chance.