Windows Active Directory options simplify Mac integration

With Macs continuing to flow into the enterprise, integration with Windows systems is even more important. Erik Eckel covers some of the options for Active Directory-Mac integration.

While Macs enjoy growing market share and higher visibility within businesses, most Mac environments are heterogeneous, requiring some form of co-existence with Windows servers. Whether Windows servers are powering email, printer connectivity, remote access, file sharing or all of the above and more, several options exist for integrating with Active Directory.

10.7.2 made things better

Organizations reported a fairly wide range of issues trying to integrate Active Directory services and authentication, especially across larger networks, with Mac OS X Lion's release. However, Apple's 10.7.2 update is commonly accepted as having addressed many integration issues and errors.

Open Directory

Apple touts its Open Directory, a foundation of the Lion release, as leveraging standard protocols. Due to its support for LDAP, Kerberos and SASL, Open Directory integrates with Active Directory with little effort and enables extending Windows PC username/password authentication to Macs, enforcing Windows-based password policies on Macs, deploying single sign-on access to Active Directory administered resources and forcing client management policies and administration strategies.

Of course, every directory services implementation is different. Adding a heterogeneous OS in the form of Mac OS X to a Microsoft Windows network introduces complexity that sometimes benefits from the assistance of third-party tools. Several options exist.

Centrify Suite for Mac OS X

In addition to helping extend Active Directory authentication and policies to Macs, Centrify Suite for Mac OS X adds features to perform auditing functions, support mounting home directories on Mac desktops, and connect Macs to DFS-enabled shares. Centrify also enhances security by adding support for Smart Cards, automated certificate enrollment and encrypted disk access.

PowerBroker Identity Services Open Edition

Open source integration products are available, too. PowerBroker (formerly Likewise Open) offers an open source alternative for helping manage identities, authentication, password policies and even single sign-on when integrating Macs within an Active Directory environment. A vast array of OSs are supported. Administrators can review the complete list online.

Thursby Software ADmitMac / DAVE v9

Similar to Centrify, Thursby Software offers tools to support both Active Directory integration and the ability to connect to DFS-based volumes. Thursby's ADmitMac v6.0 extends Active Directory administration to Mac systems, while its DAVE v9.0 product powers DFS support for Macs. DAVE also provides full support for home directories using native Microsoft protocol implementation as opposed to protocol conversion. ADmitMac, meanwhile, supports extending Windows group policy administration to Macs along with single sign-on and additional authentication features while maintaining SOX, PCI and HIPAA compliance.

Quest Software Authentication Services

Quest Software maintains a wide range of Active Directory tools and utilities. The company also offers cross-platform tools to assist Unix, Linux and Mac administrators in integrating those systems with Microsoft directory services. Authentication Services is one such product. The utility assists in extending Active Directory-based authentication, authorization and administration to Mac systems, among others. Authentication Services helps Windows administrators more easily integrate Macs, leverage existing Windows server infrastructure and investments, and better manage access controls while further extending the reach of Windows-based group policies.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

6 comments
cybershooters

In my experience, nowadays the only reason people want to use Apple is because they want to use Apple, there used to be good reasons for it but the Windows versions of the apps are just as good really (although users don't want to admit it). So the obvious option is to dual-boot it with Windows and they use Windows on the domain and for work purposes. I know it sounds stupid but frankly I can't help thinking that people paying more for a device made in the same Foxconn plant as a Dell or whatever that uses essentially the same technology and has an in-house OS on it (i.e. cheaper than licensing Windows) is actually what is stupid.

SS64UK

I don't think it is so much to do with accommodating designers and their Macs on the network as all those people who just want a Mac for their day-to-day work. There're two areas where this seems to be happening... 1) Where execs want them, and they also filter down the organisational hierarchy for aspiration reasons, and, 2) the various "Bring/Buy your own device" schemes that some organisations are backing. IT departments, in both those cases, have no option but to integrate those Macs into AD.

jwilly71

Binding your Macs with the native support in OS X is a bad plan. The reason is that about the time you get it working Apple will release an update that will break it and then you have lots of authentication issues. We fought that battle for a few years and then did testing and switched to Centrify. The product does everything as advertised (Hear this Apple?) and the support is great if you do have questions or issues. Centrify also works well with Linux if you have a mixed environment like ours.

mcquiggd

This is just my personal experience, but actually I have seen the reverse of attempts at integration; my mid-range clients are acting more like my corporate clients, and are really outsourcing the niche graphic design, which is not their core business and is largely campaign oriented, to specialist firms that tend to use Apple. Again, just my personal experience, but just like the last 10 years, I see design bureaus with lots of Macs, but their clients are PCs running Windows. I really cannot see any signs of change in this area.

TNT

I've done it before, it works and once the research is done can be accomplished in a day. Even so, in most companies there is little reason to mix the two platforms. Neither platform is compellingly better at one thing over another to waste IT's time trying to integrate a Windows PC on a Mac network or a Mac onto a Windows network. Pick a flavor, stick with it. That's my advice.

ShaneD

I let Management and Corporate Staff BYOD for Macs (on approval) providing they boot to a supported Pro version of Windows. We have no Mac-compatible apps in our organisation. The expense and overheads involved in converting to a Windows and Mac OS house are not justifiable (just because some people like to be 'Apple-people'). This way at least they can still use their Apple hardware for work and home and not cause interoperability headaches. If your organisation needs to use applications that require Mac OS, then it's a different story - otherwise - why would you bother?
