
Disk Encryption for Macs - Directly to server, not in AD. Does this matter?

Hi.

So for our Mac users we are basically not using AD. They appear in the Safeguard tree directly under the Safeguard server and not in the AD section. They are just authenticating to the Macs using a password that we've set for them that matches their LDAP password. They appear in Safeguard and we have an admin account that we enable on each of them and also add to encryption, so there is always at least a second user on each Mac that we can use to get in, in case they delete or corrupt their profile.

Does this matter? Are there any big reasons why we shouldn't do this?

Cheers



  • Just to confirm, we do back up our Safeguard VM so can restore this easily to the previous evening's version if there are any issues. So we can restore the server and not lose all the keys.

  • This is fine Steph.

     

    I would personally create a group for the Macs - either in AD or locally on the SSG server. This way it'll be neater and aid management, but it'll work as you've done it.

     

    Personally I have bound our Macs to AD but NOT as a user - just as a computer object. This means they still log onto their Mac with their own personalised username/password and NOT their AD creds. There's no real impact to the user but does make it look neater for management.

    Don't forget that if you added the secondary admin account BEFORE you encrypted the machine, that admin account may not be able to "unlock" the machine. See Security & Privacy for "Some users are not able to unlock the disk" and then add the users with Enable Users. Worth double checking so you don't get locked out of your Macs without the ability to decrypt/unlock the drives.

  • I would domain join the Macs, personally; this is the practice I have on our side here. It's fairly simple: you domain join them, delete the local account but keep the folder, then chown -R the folder to the domain user after renaming it to the domain user's name. I've done this multiple times without a hitch.

     

    From there the client's AD will show up in the SGN tree and will inherit policies etc. Doing it any other way would IMO be messy but I have multiple companies under our SGN tenant.
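The caveat above about a secondary admin account that was created before FileVault was turned on is worth checking from the command line rather than trusting the Security & Privacy pane. The following is an added example, not code from this thread or from Sophos: it parses the `shortname,UUID` lines that `fdesetup list` prints on a Mac and reports which of the accounts you rely on for recovery are not actually FileVault-enabled. `SAMPLE_FDE_LIST` is constructed sample output, and the account names `steph`, `ladmin` and `backupadmin` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every account you depend on
# to unlock the FileVault volume is really enabled. On a Mac you would run
#   sudo fdesetup list
# and pass its output in; here SAMPLE_FDE_LIST is constructed output in the
# "shortname,UUID" format that fdesetup list prints. Account names are placeholders.

SAMPLE_FDE_LIST='steph,0A1B2C3D-1111-2222-3333-444455556666
ladmin,9F8E7D6C-AAAA-BBBB-CCCC-DDDDEEEEFFFF'

# fv_has_user LIST USER
#   exit 0 if USER appears as a FileVault-enabled account in LIST, else 1
fv_has_user() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '
        $1 == u { found = 1 }
        END     { exit found ? 0 : 1 }'
}

# fv_missing_users LIST USER...
#   print, one per line, every USER that is NOT FileVault-enabled in LIST
fv_missing_users() {
    list=$1
    shift
    for u in "$@"; do
        fv_has_user "$list" "$u" || printf '%s\n' "$u"
    done
}

# fv_check LIST USER...
#   exit 0 when all required users are enabled, 1 otherwise (prints the gaps)
fv_check() {
    missing=$(fv_missing_users "$@")
    if [ -n "$missing" ]; then
        printf 'NOT FileVault-enabled: %s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Demo against the constructed sample: ladmin is enabled, backupadmin is not.
fv_check "$SAMPLE_FDE_LIST" steph ladmin backupadmin || true
```

Run it on each Mac with the output of `sudo fdesetup list` and the short names of the user plus the admin account you keep for recovery; any name it prints is one that would not be able to unlock the disk, and that account then has to be added (Enable Users in the Security & Privacy pane, or `sudo fdesetup add -usertoadd <name>`) before you rely on it.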