OSX Server OD in an AD environment

Discussion in 'Mac OS X Server, Xserve, and Networking' started by flamingclaptrap, Jan 14, 2015.

  flamingclaptrap

    Jan 14, 2015

    I've been trolling through the documentation the best I can; however, I've been unable to find information regarding the question I have. Unfortunately, I have no real background with OSX, aside from minor support for friends and coworkers.

    Situation: I have an OSX Server in an AD environment and would like to implement MDM to manage iOS devices. My question is, if I implement OD, which is required for MDM, then how would it respond to the fact that the server is already connected to AD? I would prefer not to have OD associated with AD at all, for security reasons.

    Does OD automatically replicate, or does it act as its own entity and ignore AD unless told otherwise?

    I unfortunately don't have a test machine to mess with or I'd play with it more.

    Hoping some wise OSX folks can help me out with this.
  Yebubbleman


    May 20, 2010
    Los Angeles, CA
    You can set up OD to work with AD and to otherwise function as the means of managing Macs and iOS devices with the account info from AD. This is often called "The Golden Triangle". If you have Macs in place anyway, you should be doing this anyway. If you don't, then I wouldn't sweat it as it doesn't do you much for iOS (seeing as iOS doesn't utilize front-facing user accounts anyway); setting up OD won't interfere or cause issues.

    As for security concerns for setting up an OD server with AD, unless your networking and other IT staff really don't know what they're doing, there shouldn't be any. It's done all the time in several companies that do mixed environments. AD is king and OD piggy-backs onto AD in those cases. No security risk whatsoever.
  DJLC


    Jul 17, 2005
    North Carolina
    I have a similar setup at the school I work for — an Xserve with Mavs Server running OD and Profile Manager + AD for authentication. AFAIK, OD doesn't really talk to AD. Authentication requests are just passed over to AD by both the clients and the Xserve. Clients are bound to AD, then OD, then enrolled in Profile Manager. Users can authenticate to both Profile Manager and SMB on the Xserve using AD credentials. Been working well since I set it up last summer!
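A quick way to verify the binding order DJLC describes (local node first, then AD, then OD) on a bound Mac, as an added example that is not part of the thread: it parses the output format of `dscl /Search -read / CSPSearchPath`, so on a real machine you would pipe that command's output in. The two samples below are constructed in that format; the EXAMPLE domain and the od.example.internal server name are placeholders.

```shell
#!/bin/sh
# Added example: check the directory search policy order of a Mac bound to
# AD first and OD second (the "Golden Triangle" layout from this thread).
# Real input: dscl /Search -read / CSPSearchPath
# The samples are constructed; domain and server names are placeholders.

SAMPLE_OK='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/od.example.internal'

SAMPLE_BAD='CSPSearchPath:
 /Local/Default
 /LDAPv3/od.example.internal
 /Active Directory/EXAMPLE/All Domains'

# Prints "ok" when the local node is first and the AD node precedes the
# OD (LDAPv3) node; otherwise prints a short reason code.
check_search_path() {
    printf '%s\n' "$1" | awk '
        /^CSPSearchPath:/ { next }
        /^ \// {
            sub(/^ /, ""); n++
            if (n == 1 && $0 != "/Local/Default") { print "local-not-first"; bad = 1 }
            if ($0 ~ /^\/Active Directory\//) { ad = n }   # AD node position
            if ($0 ~ /^\/LDAPv3\//)           { od = n }   # OD node position
        }
        END {
            if (bad) exit
            if (!ad) { print "no-ad-node"; exit }
            if (!od) { print "no-od-node"; exit }
            if (ad > od) { print "od-before-ad"; exit }
            print "ok"
        }'
}

check_search_path "$SAMPLE_OK"
check_search_path "$SAMPLE_BAD"
```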
  unplugme71

    May 20, 2011
    OD will only replicate if you tell it to. And if you want it to replicate, it will only do so with another OS X server install. Preferably with the same OS and Server app version for best compatibility.

    You don't need OD for Profile Manager: https://support.apple.com/en-us/HT202285

