Mac OS X Server 10.14, how to set up a network home folder, aka mobile account, share point

ZombiePhysicist

macrumors 6502a
Original poster
May 22, 2014
712
475
Hi All:

Does anyone have any pointers for how to properly set up network home folders in mac os x server 10.14?

First, sorry, i'm not even sure what to call these network home folders. Apple seems to have called them 30 different names including: mobile account, network account, mobile users, portable home directories, share point, network home folder, network users, and probably a few more.

What I'm trying to set up: If I understand it, os x server lets you set up a network home folder. In it you have all your documents, fonts, apps, etc. Your entire world. Then, when you walk up to any machine on your home network, you can log in to that account and the mac you use to login will get access to that network account. It will in a sense "drop box" sync down all your network home folder stuff down to that client mac and you can work on your stuff locally, and any changes get sync'd back to the server.

Further magic, if you VNC into your home network, you can basically have any machine in the world be a client to your home folder and have local access to your data from where you are. For me this is the "holy grail". You set up this one home account, and any time you get a new computer, zero set up. You just log in, and your world comes to that new machine.

So that's what I'm trying to do.

I got a mac mini and I want to set up a network home folder that I can use on my laptop/desktop. That way anything I do on my laptop will get updated to the desktop and vice versa.

I'm trying to find the "right" way to set up these network home folders. I'm trying to find a modern manual on this. The "latest" manual I found was for mac os x server user management 10.6:

https://manuals.info.apple.com/MANUALS/1000/MA1181/en_US/UserMgmt_v10.6.pdf

I also found a couple of threads on topic, but nothing modern:
https://discussions.apple.com/thread/6488132?page=1
https://discussions.apple.com/thread/5448742

Does anyone have any pointers to modern documentation on how to properly set up such a magical network home folder? Thanks so much.
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
This USED to work fabulously, but this feature has been deprecated since macOS Sierra (10.12) and hadn't really worked well since the Snow Leopard or Lion days. You can still have a "network home" (personal share on the server), but you can't get a synced mobile account anymore.
 

ZombiePhysicist

macrumors 6502a
Original poster
May 22, 2014
712
475
This USED to work fabulously, but this feature has been deprecated since macOS Sierra (10.12) and hadn't really worked well since the Snow Leopard or Lion days. You can still have a "network home" (personal share on the server), but you can't get a synced mobile account anymore.
Oh man, that is terrible. I'm shocked they would let this feature go. Wouldn't people within Apple itself want to use this feature?
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
This USED to work fabulously, but this feature has been deprecated since macOS Sierra (10.12) and hadn't really worked well since the Snow Leopard or Lion days. You can still have a "network home" (personal share on the server), but you can't get a synced mobile account anymore.
I might not agree with the fabulous part....maybe adequately? Or a decent compromise?

Used to use it in a classroom setting on 10.10, and 10.11. It was pretty solid, once set up...when accounts were fresh and clean, with little data getting pushed. But as users saved data, our login times got to be really, really long. Unacceptably long.

----

OP: Even when it worked fairly well, it was a bit fiddly and a longish learning curve, and challenging to troubleshoot.

Mobile accounts with syncing:
Sync data on log in and log out (typically). Too much data, and log in syncs are painfully long.

Network accounts: No syncing...always working on the server, so no substantial log in/log out delay. When the server is down or unavailable, nobody can log in or access ANYTHING.

If I were in your shoes, I would consider:

Mobile user accounts, which is just login credentials being set on a server. Could be MacOS, could be Windows Active Directory, could be another LDAP server...so you don't need a MacOS server for this. That's important as who knows what Apple will do with Server moving forward.

It gives you the ability to set/reset passwords, and accounts are automatically created when a user logs in on each work station. Reasonable account creation and management WITHOUT syncing user data.

For data, consider a syncing tool or service. More reliable, more flexible, and available everywhere for mobile users, including other platforms and mobile.

Something like Dropbox or Box or OneDrive would be the most robust and easiest to set up, but if you are talking about a lot of data, the cost may be prohibitive.

Or....for some $ up front, but no monthly costs, something like a Synology NAS and run your own cloud server to sync user data. Pretty slick and easier to manage than MacOS server IMHO. You also have lots of compelling benefits: Built in RAID redundancy, ability to grow live volumes, multiple NICs, redundant power supplies, automatic versioning and snapshots, etc.

One downside to syncing a modern OS's entire home directory is that there are a lot of tiny user files constantly changing (primarily user specific cache and temp files in the ~/Library). At this point I don't sync the user Library, but one could build a list of the specific files that need to be sync'd, like browser history/bookmarks, etc. An easy work-around for browsers is to use a browser specific syncing tool; I recommend to users they go with Firefox as it has built-in user syncing that is seamless and takes no administration....and can be had on any device including mobile.

Similar for email: Syncing 10 or 20 or more GB of mail can be onerous; but using a browser for a hosted solution (Google, O365, etc) means that entire mail boxes don't need to get pushed, and are available all the time everywhere.

The notion of syncing user data is the right one...but picking the right tool is the most important choice. MacOS Server is not the right tool anymore, at least for me.
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
I might not agree with the fabulous part....maybe adequately? Or a decent compromise?
Granted, haha. I had kinda forgotten about all the fiddling I used to have to do until I read your post... we used to have our 1:1 MacBooks set up with mobile homes for every student + staff member on our trusty Xserve. But I'm remembering now that we lost files all the time and had login issues constantly. Never mind Open Directory being trash; that's a slightly different conversation. You're right though — it worked fabulously AT FIRST. But once users really started using it, everything became a mess.

At this point we're using Active Directory for centralized Mac + Windows logins. I also provide them a network home on our Windows Server to back stuff up. It's auto-mounted in the Dock for every user, but they have to manually manage copying / retrieving files. Looking forward, what I'd really like to do is get rid of AD and use Google Suite as our identity provider. But I don't think Google is quite at the point where they can replace AD in my environment. Literally, my Windows Server really doesn't do anything except run AD — most users aren't even aware it exists for file storage! Most file storage stuff is in Google Drive at this point; much more powerful than any on-prem file storage and collaboration solution I've ever seen.
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
Not using the feature, but Synology could be the directory server too....quick setup guide here.
Granted, haha. I had kinda forgotten about all the fiddling I used to have to do until I read your post... we used to have our 1:1 MacBooks set up with mobile homes for every student + staff member on our trusty Xserve. But I'm remembering now that we lost files all the time and had login issues constantly. Never mind Open Directory being trash; that's a slightly different conversation. You're right though — it worked fabulously AT FIRST. But once users really started using it, everything became a mess.

At this point we're using Active Directory for centralized Mac + Windows logins. I also provide them a network home on our Windows Server to back stuff up. It's auto-mounted in the Dock for every user, but they have to manually manage copying / retrieving files. Looking forward, what I'd really like to do is get rid of AD and use Google Suite as our identity provider. But I don't think Google is quite at the point where they can replace AD in my environment. Literally, my Windows Server really doesn't do anything except run AD — most users aren't even aware it exists for file storage! Most file storage stuff is in Google Drive at this point; much more powerful than any on-prem file storage and collaboration solution I've ever seen.

Good to hear Google is working out well. Similar here with AD, but using O365/OneDrive, so I can't speak to the Google side. Would have preferred that, but nobody listens to the techs! :rolleyes:
 

ZombiePhysicist

macrumors 6502a
Original poster
May 22, 2014
712
475
I might not agree with the fabulous part....maybe adequately? Or a decent compromise?

Used to use it in a classroom setting on 10.10, and 10.11. It was pretty solid, once set up...when accounts were fresh and clean, with little data getting pushed. But as users saved data, our login times got to be really, really long. Unacceptably long.

----

OP: Even when it worked fairly well, it was a bit fiddly and a longish learning curve, and challenging to troubleshoot.

Mobile accounts with syncing:
Sync data on log in and log out (typically). Too much data, and log in syncs are painfully long.

Network accounts: No syncing...always working on the server, so no substantial log in/log out delay. When the server is down or unavailable, nobody can log in or access ANYTHING.

If I were in your shoes, I would consider:

Mobile user accounts, which is just login credentials being set on a server. Could be MacOS, could be Windows Active Directory, could be another LDAP server...so you don't need a MacOS server for this. That's important as who knows what Apple will do with Server moving forward.

It gives you the ability to set/reset passwords, and accounts are automatically created when a user logs in on each work station. Reasonable account creation and management WITHOUT syncing user data.

For data, consider a syncing tool or service. More reliable, more flexible, and available everywhere for mobile users, including other platforms and mobile.

Something like Dropbox or Box or OneDrive would be the most robust and easiest to set up, but if you are talking about a lot of data, the cost may be prohibitive.

Or....for some $ up front, but no monthly costs, something like a Synology NAS and run your own cloud server to sync user data. Pretty slick and easier to manage than MacOS server IMHO. You also have lots of compelling benefits: Built in RAID redundancy, ability to grow live volumes, multiple NICs, redundant power supplies, automatic versioning and snapshots, etc.

One downside to syncing a modern OS's entire home directory is that there are a lot of tiny user files constantly changing (primarily user specific cache and temp files in the ~/Library). At this point I don't sync the user Library, but one could build a list of the specific files that need to be sync'd, like browser history/bookmarks, etc. An easy work-around for browsers is to use a browser specific syncing tool; I recommend to users they go with Firefox as it has built-in user syncing that is seamless and takes no administration....and can be had on any device including mobile.

Similar for email: Syncing 10 or 20 or more GB of mail can be onerous; but using a browser for a hosted solution (Google, O365, etc) means that entire mail boxes don't need to get pushed, and are available all the time everywhere.

The notion of syncing user data is the right one...but picking the right tool is the most important choice. MacOS Server is not the right tool anymore, at least for me.
So thank you for this. I have a Synology currently and you cannot sync a lot of data. For example, it cannot even correctly sync your photos library because of all the weird hard/soft links inside there. Forget the ~/Library and ~/Apps directories. They won't sync properly. I think this is mostly because those file systems are not HFS+ and cannot be.

As for the speed, inside the house I have 10GBe and outside the house I have gigabit FiOS so I'm hoping after the first "initial" sync, that subsequent sync's are not bad.

For example, I use the synology cloud station service to sync all my documents and it works great, and even good enough outside the home.

The problem is all the mac specific stuff, all my preferences, all my photos, all my mail, all that stuff is tedious to impossible to keep in sync.

Would love to hear how you guys would do something else to get that same level of sync going? I'm at a loss. I thought this would be the holy grail, but it just seems impossible to get the very Mac'y parts of an account sync'd, ie ~/Applications ~/Library ~/Pictures

I'm not terribly familiar with Active Directory and LDAP. Would they be able to accomplish this?
Granted, haha. I had kinda forgotten about all the fiddling I used to have to do until I read your post... we used to have our 1:1 MacBooks set up with mobile homes for every student + staff member on our trusty Xserve. But I'm remembering now that we lost files all the time and had login issues constantly. Never mind Open Directory being trash; that's a slightly different conversation. You're right though — it worked fabulously AT FIRST. But once users really started using it, everything became a mess.

At this point we're using Active Directory for centralized Mac + Windows logins. I also provide them a network home on our Windows Server to back stuff up. It's auto-mounted in the Dock for every user, but they have to manually manage copying / retrieving files. Looking forward, what I'd really like to do is get rid of AD and use Google Suite as our identity provider. But I don't think Google is quite at the point where they can replace AD in my environment. Literally, my Windows Server really doesn't do anything except run AD — most users aren't even aware it exists for file storage! Most file storage stuff is in Google Drive at this point; much more powerful than any on-prem file storage and collaboration solution I've ever seen.
Does active directory let you do this? Sync your server side account to the local mac client for use including ~/Applications ~/Library and ~Pictures? If so, is there some beginners book/site for how a Mac user might go about setting this up? Thanks for any pointers!
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
I moved away from trying to sync everything...hit the same wall you did, and Apple threw in the towel. The good just did not outweigh the bad.

Every org I have been around or supported (with more savvy & experienced techs than me too), won't do a full sync. They just do user documents via Synology or any other of the myriad of sync tools out there, and push everything else out from various cloud services or cloud supported apps:
  • No mail client - use web client
  • No Photos - use a hosted service
  • No user preferences sync'd - use Profiles to push out major/security required settings, let users tweak the rest on each work station
  • No central sync'd browser - use built-in or third party browser/password manager tool
How about letting users setup an iCloud account for preferences? Seems like Apple is pushing (pun intended) syncing that direction. Mail, Safari, Preferences, Photos...etc. all there.

One could sync nearly everything beyond actual user docs that way, except for a large photo collection, and stay within the free 5GB of space. Use Synology for docs, and consider either served images, or Google Photos?
 

ZombiePhysicist

macrumors 6502a
Original poster
May 22, 2014
712
475
I moved away from trying to sync everything...hit the same wall you did, and Apple threw in the towel. The good just did not outweigh the bad.

Every org I have been around or supported (with more savvy & experienced techs than me too), won't do a full sync. They just do user documents via Synology or any other of the myriad of sync tools out there, and push everything else out from various cloud services or cloud supported apps:
  • No mail client - use web client
  • No Photos - use a hosted service
  • No user preferences sync'd - use Profiles to push out major/security required settings, let users tweak the rest on each work station
  • No central sync'd browser - use built-in or third party browser/password manager tool
How about letting users setup an iCloud account for preferences? Seems like Apple is pushing (pun intended) syncing that direction. Mail, Safari, Preferences, Photos...etc. all there.

One could sync nearly everything beyond actual user docs that way, except for a large photo collection, and stay within the free 5GB of space. Use Synology for docs, and consider either served images, or Google Photos?
Ug, this is so disappointing. Yea, I'm already using Synology for a LOT of documents being sync'd.

But the three main folders ~/Library ~/Pictures and ~/Applications are the last things that Synology just corrupts over time.

~/Library has more than just some prefs, it has Microsoft office app templates that are lunatic levels buried. iCloud does handle the notes/contacts/browser links, but there are so many other apps with so many prefs it's just too much.

~/Pictures, I guess I could pay use iCloud Photos, but I hate paying for a service and worse than that, I hate storing things in the cloud. I'd rather have my own private cloud.

Lastly, I hate having to manually sync application installs. But unfortunately apps always seem to have some settings that get corrupted via Synology when you try to sync those directories.

I guess one thing to try is get an old mac mini with 10.6, or maybe 10.11 and equal version of server and then set it up to do nothing but remote accounts? It's sad that I'd have to resort to retro computing to do this.

I wonder what causes the corruption. For example, I wonder is it just that HFS+ has some custom stuff for hard links or something like that?
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
Not much to add...other than yes, there is a ton in ~/Library, and yes, most orgs don't attempt to sync it that I am aware of.

Each one of those things you listed are nice to haves, but are they essential to sync?

All I can say is, stick to actual user data as much as you can, or be ready for a full time job chasing down the rest.

Even if you get 10.11 or something working, the clock is ticking. 10.15 is right around the corner...you could be right back where you started in the very near future.

As for corruption, hard to say. I wonder if file locking is part of the issue...for something that constantly changes, what happens when the file gets locked? Dunno. I do know that Synology has a hard number of max numbers of files that can be sync'd, so many many thousands of tiny changes could break things.

I once did a test user account sync (everything except invisible files) and it clocked in at 63,000 files. The first day. That's not sustainable.

As for applications, you could look at a good tool for installs and updates, like Munki. Lots of paid tools out there....but pricey. Meraki was free up to 100 devices last I checked.

Apple is pushing everybody to DEP, so imaging and updates with traditional methods are nearly gone these days.

BTW...if you don't have a directory server now, you might consider the Synology option, just to see if it is useful in your org. I have never run it—never a need—so I can't say how good or easy it is to bind Macs to. They even talk about user's home folders...but I would test heavily and be a bit skeptical.
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
Does active directory let you do this? Sync your server side account to the local mac client for use including ~/Applications ~/Library and ~Pictures? If so, is there some beginners book/site for how a Mac user might go about setting this up? Thanks for any pointers!
Well — yes and no. Active Directory and a file share on Windows Server can provide a network home. But since the mobile account sync functionality has been deprecated in macOS, you won't be able to get it working unless you're using 10.11 or earlier on the client side. We provide those network homes, but we don't sync anything at all — it's just a "cloud flash drive" as I tell my users. macOS 10.14 will auto-mount that share in the Dock if bound to AD and the user has a home path populated in AD, but it will not allow any auto-syncing.

In the old days when we used to sync our homes (before it was deprecated), we'd only sync ~/Desktop and ~/Documents. Syncing other folders almost always caused major issues in my testing. It was never a very reliable feature. GREAT idea; mediocre execution.

FWIW, I've seen this type of setup work pretty well on both RedHat and Windows — log in to any workstation, get all your apps, prefs, and docs (okay, mostly just RedHat). But macOS just isn't there. I agree with others though; everything now is all about the cloud, and I wouldn't be surprised to see a feature soon that would store your entire home folder in iCloud. They're already halfway there!
 

ZombiePhysicist

macrumors 6502a
Original poster
May 22, 2014
712
475
@hobowankenobi and @DJLC, thank you both so much for all your great info. I guess the real answer is you're s*** out of luck on having a mobile account, and in essence, I already have one.

I guess at home, with 10GBe I could almost get away with the "network flash drive" setup, and then I'm actually working on the same data, but then when I'm abroad, the best I'll get is around 1GBe, which would be a bit pokey. But maybe that's the best you can do these days...

I currently have the sync working on everything but those 3 folders, so it's not the end of the world, it's nice, but it's still annoying. With regard to the ~/Applications directory, I almost wonder if it's not the lack of HFS support... Like would running a Drobo running Owncloud for file sync give a different result...

Yes, and synology works great for syncing the ~/Documents folder, it even works well for ~/Music. It has a limitation of 1million files per share point.

Anyway, back to the drawing board! Thank you guys so much again!
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
We would all love it if it would work...and it may come, but it will likely be via iCloud or the like.

I still think it could be possible to sync selective sub items within ~/Library.....but it is just not worth the work in my world: it would be harder to test and maintain than the benefit would justify, or it was/is fragile and needs to be tended to way too much.

Maybe somebody smarter than me has it sorted out. I just haven't found them yet.

One other thing that used to be handy to minimize first log in tweaks on shared machines was modifying the user template, so that the vast majority of preferences were set the way the org wanted them, plus other things like first run on common apps done...all those little first run things. Apple keeps making it harder to tweak the user template, and most orgs have moved away from it.

Stuff that should be useful for the foreseeable future:


Enjoy the ride. Will be interesting to see what gets added and killed in 10.15.
 

guzhogi

macrumors 68030
Aug 31, 2003
2,947
812
Wherever my feet take me…
I might not agree with the fabulous part....maybe adequately? Or a decent compromise?

Used to use it in a classroom setting on 10.10, and 10.11. It was pretty solid, once set up...when accounts were fresh and clean, with little data getting pushed. But as users saved data, our login times got to be really, really long. Unacceptably long.
Same. Took forever to log in & out. Partially because we did a bit of iMovie stuff. Of course, some people would press the stop button on the sync window, and then wonder why they can't find all of their files.

We eventually went to 1:1 iPads at the grade 3-5 level, Chromebooks at grades 6-8. Works decently. For the iPads, we use Apple School Manager which gives 200 GB free storage to each student & staff member. Many/most apps we have sync to iCloud. Chromebooks have the Google Suite for Education which has unlimited storage for free.

I like the idea of mobile accounts for when you have multiple devices, but the internet infrastructure in general hasn't kept up with the data demands.

At this point we're using Active Directory for centralized Mac + Windows logins. I also provide them a network home on our Windows Server to back stuff up. It's auto-mounted in the Dock for every user, but they have to manually manage copying / retrieving files. Looking forward, what I'd really like to do is get rid of AD and use Google Suite as our identity provider. But I don't think Google is quite at the point where they can replace AD in my environment. Literally, my Windows Server really doesn't do anything except run AD — most users aren't even aware it exists for file storage! Most file storage stuff is in Google Drive at this point; much more powerful than any on-prem file storage and collaboration solution I've ever seen.
My school district uses OD for some user accounts. I'd like to move to AD, though my boss put the kibosh on that. Kinda sad, because we could consolidate a lot more of our online resource user accounts with AD. Just hard to remember my password for a dozen or so different accounts.
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
My school district uses OD for some user accounts. I'd like to move to AD, though my boss put the kibosh on that. Kinda sad, because we could consolidate a lot more of our online resource user accounts with AD. Just hard to remember my password for a dozen or so different accounts.
We used to be all split up like that with tons of different logins and systems we'd have to manually manage accounts. Since I've been here, I've been on a warpath to simplify and implement as much SSO as I can. It's easier for our users, it's easier for me to maintain, and ultimately it results in less wasted time and money for everyone.

At this point, I've narrowed it down to 3 identity providers. Systems either interface with one or more of those or we don't get them. We have Google, Active Directory (which is synced to AzureAD for Office365 but I'm planning to federate O365 to use GSuite as the idp), and a state-provided RapidIdentity instance. RapidIdentity can't go away due to state requirements and we're limited as to how much we can integrate it (a little; not a lot). Really the only bit of the puzzle I still want to solve is how I can use GSuite as our LDAP source — wanna log in to a Mac, Windows, or ChromeOS system at school? Just use your Google login. If my Macs and Windows machines could use Google as a login directory, I could get rid of AD completely and sell off that Windows server. That'd leave our users with only two logins to remember: Google + state.

Hopefully soon I can take this next step... :)
 

guzhogi

macrumors 68030
Aug 31, 2003
2,947
812
Wherever my feet take me…
We used to be all split up like that with tons of different logins and systems we'd have to manually manage accounts. Since I've been here, I've been on a warpath to simplify and implement as much SSO as I can. It's easier for our users, it's easier for me to maintain, and ultimately it results in less wasted time and money for everyone.

At this point, I've narrowed it down to 3 identity providers. Systems either interface with one or more of those or we don't get them. We have Google, Active Directory (which is synced to AzureAD for Office365 but I'm planning to federate O365 to use GSuite as the idp), and a state-provided RapidIdentity instance. RapidIdentity can't go away due to state requirements and we're limited as to how much we can integrate it (a little; not a lot). Really the only bit of the puzzle I still want to solve is how I can use GSuite as our LDAP source — wanna log in to a Mac, Windows, or ChromeOS system at school? Just use your Google login. If my Macs and Windows machines could use Google as a login directory, I could get rid of AD completely and sell off that Windows server. That'd leave our users with only two logins to remember: Google + state.

Hopefully soon I can take this next step... :)
Does Google allow syncing with AD servers, as in log in to Google with your AD creds (maybe with @domain.com)? I'm kind of a low man in my IT department's proverbial totem pole, so I don't have access to all the "cool" features.

Looks like you also work (or at least worked) in a school setting. One thing I've found is OneRoster, which helps with syncing class rosters between different services. Looks like it's more of a standard (or at least trying to become one). Looks like a number of companies use it, so it might help you.
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
Does Google allow syncing with AD servers, as in log in to Google with your AD creds (maybe with @domain.com)? I'm kind of a low man in my IT department's proverbial totem pole, so I don't have access to all the "cool" features.

Looks like you also work (or at least worked) in a school setting. One thing I've found is OneRoster, which helps with syncing class rosters between different services. Looks like it's more of a standard (or at least trying to become one). Looks like a number of companies use it, so it might help you.
So yes — we could use GADS to sync our AD user credentials into Google. That would keep their Google credentials in-sync with Active Directory. But long-term, we're not interested in continuing to support Windows in our environment; nobody here likes it or needs it. Further, I consider our Google credentials far more secure because we enforce 2 factor authentication for all users. The only reason AD is still in our environment is because it's currently my only option to manage Mac login credentials (and OD was a nightmare).

The OneRoster format (and indeed, IMSGlobal as a whole) is making this a bit easier — as are other players like Clever. At the state level (North Carolina), a lot of work is happening in regards to secure data integration between PowerSchool (the state's student information system provided to all schools) and other systems that can be purchased by schools and districts directly. Things have come a long way in the last several years; MOST things we have now sync rosters from PowerSchool and additionally allow SSO through either Clever or RapidIdentity (the state's IAM system). Clever is then also connected with RapidIdentity and (loosely) AD, so they can use either AD credentials or state credentials to get to Clever-connected applications. So most learning systems can be accessed with just the state credentials — and those same credentials follow students and employees to any public school in the state.

The only two in the room who aren't getting along with everyone else are Google and AD. I could federate Google with RapidIdentity for provisioning and SSO, but it would require us to disable 2 factor authentication on the Google side. They're getting ready to roll out 2FA in RapidIdentity though, so we may revisit that this summer. At that point, my only hanging issue would be Mac logins. RapidIdentity may then be able to fill that gap, which would bring us down to only needing state credentials + everyone's accounts for everything would be automatically provisioned when my HR dept. entered them into payroll or my SIS team enrolled them — no tech involvement at all for onboarding; just put them in the system and hand them a device. That would be my dream — one set of credentials, zero work for me.

One day... :)
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
In a similar boat. At a large university, and we run AD with federated SSO. Same credentials for everything: Wifi, Macs, PCs, web portal, printing, and more. We rolled out Duo 2FA last year for some services, slowly adding it to more.

I am pretty far down the food chain, so I don't have much say in design, but get to be in the trenches on the user level, where it is felt when there are any connectivity issues, plus keychain fun when users change passwords.

Works well overall, but it is a big operation, and there are lots of folks to design, build and maintain everything. Big budgets....not really a model I could see a smaller K-12 or other org duplicating.

If I were at a small org, I would want to roll out Google or perhaps AWS directory services...if possible. Running a minimum of 3 virtual AD boxes plus everything required (cooling, UPS, backups, etc.) for dedicated SSO is not a small undertaking.

Or maybe an alternative? Would like to think that redundant Synology boxes could be a reasonable directory server....but no experience with their directory tools.
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
Spot on. The cost for JumpCloud -- which sounds like it would solve my problem -- is laughable. It's more than my salary!
True that. But...my link to JumpCloud was just for their overview of AWS directory options. AWS info is less than clear and concise. Pricing is always a challenge to estimate: not expensive, but not simple.

Ultimately...the question stands: what else is out there that Macs can bind to, that can support SSO, and that is NOT MS AD and all that entails (hardware, licensing, etc.)? I have hope AWS can soon rise to the occasion.
 

L0ngspeak

macrumors newbie
Mar 20, 2019
1
0
Co
Spot on. The cost for JumpCloud -- which sounds like it would solve my problem -- is laughable. It's more than my salary!
Just curious but isn't it pretty reasonable per user compared to what AD CALs plus SSO solutions plus some mac system management tool would add up to?
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
Just curious but isn't it pretty reasonable per user compared to what AD CALs plus SSO solutions plus some mac system management tool would add up to?
Not in my environment. I'll say up front I don't know jack about CALs; for our last upgrade, I just bought Windows Server 2012 Standard from a reseller for a couple hundred bucks and installed it on a refurbished Dell R710. There is no recurring cost. Our SSO solution, Identity Automation's RapidIdentity product, is provided free-of-charge by the state. We also use Clever for some apps — Clever is an SSO and roster sync portal that's free for schools, and it supports SSO from RapidIdentity. So if you can't get in with just the RapidIdentity portal, you can get it by logging in to RapidIdentity + click to Clever + click to app. We pay about $3 per Apple device per year for our MDM, which syncs with PowerSchool for rosters and user information. BUT — my AD isn't syncing anywhere or federated to anything. So although I have my "one login" for EDU apps, I don't have it for computer logins or web filter logins.

Based on JumpCloud's online pricing, we'd be looking at over $60k per year if we paid annually per user. Ain't no way.
 

gregorymkeller

macrumors newbie
Mar 21, 2019
1
0
Not in my environment. I'll say up front I don't know jack about CALs; for our last upgrade, I just bought Windows Server 2012 Standard from a reseller for a couple hundred bucks and installed it on a refurbished Dell R710. There is no recurring cost. Our SSO solution, Identity Automation's RapidIdentity product, is provided free-of-charge by the state. We also use Clever for some apps — Clever is an SSO and roster sync portal that's free for schools, and it supports SSO from RapidIdentity. So if you can't get in with just the RapidIdentity portal, you can get it by logging in to RapidIdentity + click to Clever + click to app. We pay about $3 per Apple device per year for our MDM, which syncs with PowerSchool for rosters and user information. BUT — my AD isn't syncing anywhere or federated to anything. So although I have my "one login" for EDU apps, I don't have it for computer logins or web filter logins.

Based on JumpCloud's online pricing, we'd be looking at over $60k per year if we paid annually per user. Ain't no way.
@DJLC - I'm Greg and I run product for JumpCloud. We'd be happy to chat with you about pricing...and ensure you are seeing/engaging with our EDU pricing, which I am not sure you were viewing when you did your analysis. We serve a huge swath of educational institutions, public and private, for the exact reasons you're articulating here...e.g., to no longer manage AD infra, and to ensure Apple + SSO + RADIUS + LDAP-backed services, etc., can singularly authenticate with a common set of creds. Please just let us know if you want to chat!
 

DJLC

macrumors 6502a
Jul 17, 2005
761
143
North Carolina
@DJLC - I'm Greg and I run product for JumpCloud. We'd be happy to chat with you about pricing...and ensure you are seeing/engaging with our EDU pricing, which I am not sure you were viewing when you did your analysis. We serve a huge swath of educational institutions, public and private, for the exact reasons you're articulating here...e.g., to no longer manage AD infra, and to ensure Apple + SSO + RADIUS + LDAP-backed services, etc., can singularly authenticate with a common set of creds. Please just let us know if you want to chat!
My apologies — I did miss the EDU price in my initial calculations! But even at $2 per user / month, ain't no way. We'd need pricing closer to 27¢ per user / month before we could even consider it (keeping in mind our current cost of $0 per user / month; I recognize you're providing a cloud service and infrastructure isn't free, but...). I can't justify over $10k annually just to save myself having to import CSVs to AD with PowerShell a couple times a year; that does nothing to actually enhance student learning outcomes. Getting rid of that server might reduce our power bill a bit, but it would be negligible.
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
984
266
on the land line mr. smith.
I should also make clear...I was not referring to JumpCloud as being pricey.

I was talking about the full cost of a redundant AD on-site environment: MS licenses, redundant hardware (multiple enterprise grade servers, raid controllers, etc.) virtualization with fail-over capabilities, a conditioned space, redundant power, backups, plus skilled AD tech(s) to run it.

My experience is that most small orgs don't have that kind of budget.

It's also been my experience that leadership traditionally underestimates TCO. They tend not to think about preemptively replacing server hardware (boxes, HDs) every 3-5 years, etc.

My org is all in with a huge MS license: O365 + email + OneDrive space, server seats, etc., plus a conditioned room with maybe 100 server racks. Easy to hide actual, individual costs in existing infrastructure.

Probably a separate conversation, but it would be interesting to see what the true cost of running an AD environment is vs. cloud options.