
SteveB.99087 (digital partners incrporated) asked a question.
TLDR: Can Okta help Mac users who are not bound to AD avoid having to log in to AD/Okta with a PC first?
Here is the long version:
Company with several thousand Windows PC users and around 100 Mac users. I help support the Mac users.
Currently the group that supports Active Directory says that any new Mac user must first log in and set their initial password for their Active Directory network account via a PC before they can log on to their Mac. The Macs currently use a product called JAMF Connect, which syncs their local Mac account password to their Okta password. This also makes the Mac user authenticate against Okta when logging into their Macs. The Macs are not bound to AD and use local accounts, not network accounts.
The issue is that all the Mac users are being issued PC laptops as well as a Mac laptop. The only thing most of the PC laptops are being used for is the initial login via AD to set the new password, and then they get put in a drawer.
The Mac users need an AD entity associated with their Okta credentials because that's how the security guys assign group rights to apps like Zscaler, ServiceNow, etc.
Since I'm not a Windows/AD guy, I was wondering if anyone could offer guidance on how I could avoid all my Mac users also being issued a PC while still having an AD entity, without binding?
Thanks

Hi @SteveB.99087 (digital partners incrporated), thank you for reaching out to the Okta Community!
You mentioned that "The Macs currently use a product called JAMF Connect which syncs their local Mac account password to their Okta password."
From what I'm seeing here, there might be a way for users to authenticate with an IdP. In your case, you might be able to configure Okta as the IdP for JAMF (if you don't have it already). So in theory, the users should be able to connect using their AD credentials via Delegated Authentication.
The only problem that I'm seeing with this whole flow is the fact that new users need to set an initial password. While Okta does have the capability to allow users to set a password in AD, I'm not sure how this would work with JAMF in the middle, though.
Referenced docs:
https://docs.jamf.com/jamf-connect/1.18.1/administrator-guide/Jamf_Connect_Login_User_Experience.html
https://help.okta.com/en-us/Content/Topics/Security/policies/about-password-policies.htm
https://help.okta.com/en-us/Content/Topics/Directory/Directory_AD_Delegated_Authentication.htm
https://docs.jamf.com/jamf-connect/1.18.1/administrator-guide/Integrating_with_Okta.html
https://docs.jamf.com/jamf-connect/1.18.1/administrator-guide/Deploying_Jamf_Connect_Login.html
https://docs.jamf.com/jamf-connect/1.18.1/administrator-guide/Configuring_Jamf_Connect_Login_with_Okta.html
Check the docs out and see if it helps.
If possible, I would recommend testing this in a preview/sandbox environment though.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope it helps!