How do you manage a domain with varying OS?

Hello, I just started working in a small company that has yet to implement a way to control the endpoints in the domain and have login credentials be handled by a server instead of locally.

My question is, how are you guys and gals here managing a domain with Windows, Mac and Linux machines? I’ve seen Azure Active Directory has some management capabilities with Macs but not Linux, and Google Workspace is also limited.

I’ve looked into open source solutions as well but haven’t found a solution that can do basic stuff on all platforms.

So when I say basic, I mean username and password policies, logging in to the endpoint with said credentials, and enforcing security policies from the controller like GPO on Windows.

If there is such a player and my google-fu is just weak, I’d love to hear about it.
Thanks for reading and have a great day!

1 Like

A VDI such as Citrix or a regular remote desktop server.
Otherwise this: What is Microsoft Intune | Microsoft Docs

1 Like

For Macs, JAMF is what you want. Integration into AD or LDAP domains is supported natively in macOS and JAMF extends that. They (your employer) should also have an Apple Business account. You can set it up so that any Apple devices you buy through the business account will come already provisioned by JAMF.

3 Likes

SSSD (security system service daemon), SSSD-AD and adcli will easily join a Linux computer to Active Directory domains. Make sure you set the AD servers as DNS.

You can play with the LDAP fields in the SSSD configuration in case you need some custom stuff. You can also enable advanced view on Active Directory Users and Computers and edit some RFC2307 Unix attributes like homeDirectory and userShell.

That’s the dead-easy, lazy approach.

If you ask me, a proper implementation would be to install FreeIPA servers in a different domain and create a trust relationship between the IPA and AD domains in a way that AD users can log into IPA-joined machines. I think this is the best approach because IPA will give you very good, fine-grained Linux controls like who can log in on which PAM service, who can use sudo and so on.

FreeIPA also uses SSSD. Red Hat creates and maintains both free open source products. They have guides and documentation available.

There is also Centrify, but I have not much knowledge about that. It seems to be the preferred approach in big enterprise, but I don’t think it’s free or even cheap.

macOS has out-of-the-box integration. Just go into Settings and the user panel. Again, DNS. Consider having a Mac mini with macOS Server and Profile Manager for central management.

Solaris implements CIFS file sharing on kernel level and can join a domain and offer ZFS volumes as CIFS shares with a single command, ACLs and user mapping and all. FreeBSD and others might need either Samba+Winbind or NSSLDAP+Kerberos. SSSD might work but depends on a lot of Linuxisms.

5 Likes
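An added example, not part of the post above, of what the SSSD-AD join described there looks like on the Linux side: an /etc/sssd/sssd.conf for a constructed domain corp.example.com. It assumes the host was already joined with adcli, DNS points at the domain controllers, and the RFC2307 attributes were filled in through the ADUC advanced view (AD stores the UNIX home and shell as unixHomeDirectory and loginShell).

```ini
# /etc/sssd/sssd.conf  (must be mode 0600 and owned by root, or sssd refuses to start)
# Constructed example for a hypothetical domain corp.example.com. The host was
# joined beforehand with:  adcli join corp.example.com
# and /etc/resolv.conf lists the AD domain controllers, which SSSD then
# discovers through the _ldap._tcp / _kerberos._tcp DNS SRV records.

[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab

# Use the RFC2307 attributes maintained in ADUC (uidNumber, gidNumber,
# unixHomeDirectory, loginShell) instead of letting SSSD derive UIDs from the SID,
# so every Linux box sees the same UID for the same user.
ldap_id_mapping = False
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
# Fallbacks for accounts whose UNIX attributes were never filled in.
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Honour the AD GPO logon rights (Allow/Deny log on locally, through Remote
# Desktop Services, etc.) on this host. Accepts disabled, permissive or enforcing;
# permissive only logs the would-be denials under /var/log/sssd/, which is
# handy while first rolling this out.
ad_gpo_access_control = enforcing

# Cached credentials let laptops log in while off the network; leave these
# False on shared or kiosk machines.
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = False
```

After writing the file, `systemctl restart sssd` and check `id someaduser` and `getent passwd someaduser` return the UID, home and shell you set in ADUC.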

Not really a solution. There’s a reason they work on OSes other than Windows.

I have run into that on my search, but from what I could tell, it doesn’t do the whole trifecta, only Windows and Mac.

That’s assuming I have AD servers, which I don’t; sorry, I should have clarified. There are no solutions in place, but we do have Google Workspace and Office 365 licenses.

I should clarify further: storage is not an issue I need to deal with, so ACLs and shares are not the things I seek in a solution. I am looking for a more security-minded solution: enforcing passwords and resetting them from a server, enforcing screen lock after x number of minutes, that stuff.

I will look into that next week. thank you so much for the time you invested in writing all these solutions down!

1 Like

I didn’t even know it handled Windows; I was just saying you should use it to tie the Macs into an AD or LDAP and add Mac device management and volume licensing. AFAIK, nothing is going to do the equivalent of GPO across disparate OSes. You can have a unified directory, Kerberos and network homes, but config management will have to be per OS.

Almost anything can bind to AD. If you have enough Linux hosts to warrant it, FreeIPA and AD can do 2-way trust. Use RADIUS to extend to oddball BSD machines and network hardware.

If your config management is relatively simple, you could just use Ansible, which can be made to accommodate basically anything that can run Python.

4 Likes

For Mac I agree with @oO.o, Jamf is at the top of the podium; it will do all the management of Macs (and iOS) and has AD integration.

For Linux you want FreeIPA (Red Hat IdM if you’re buying from Red Hat); it will do most of the AD-equivalent functions like policy, very management, and identity with integration to Windows AD.

There isn’t one solution fits all, but you can integrate native solutions to talk with each other, especially on the identity side.

If you just want identity management you can do this with more basic options. On Linux you can use SSSD.

Are you using Google as your source for account management / identity?

Jamf integrates with Google. I’m not sure if you can do a standalone LDAP integration with Google for Mac.

For Windows you want Google Credential Provider for Windows (GCPW).

For Linux you’ll likely want to look at LDAP integration with Google Workspace. Setting up a FreeIPA server may be the best way to do this anyway.

The other option for Windows is setting up AD and syncing Google Workspace identity info to AD. This will allow you to manage the computer with GPO etc. Google also has some options, but nowhere near as extensive as AD.

(These are all just options, you can plan which options work best for your environment)

3 Likes

I saw Google documentation for this once but it was way too complicated.

2 Likes

We have an MS Windows DC that acts as our AD server and then we use PAM integration into the LDAP for the Unix-like machines.

At home I have only one MS Windows machine and the rest are BSD and GNU/Linux. I use Samba-AD for that network. It runs on a Raspberry Pi. There is a recent how-to thread. You can give this a try if you have a lab at work to see if it is viable.

3 Likes

Thanks for everyone’s reply, I have a lot of investigating to do next week.

The strange thing is that no one created a solution for this, even a paid one. There’s clearly a market for it, especially in this BYOD environment.

I did find stuff like RazDC or Linuxmuster, but I wasn’t sure they were the right fit for this.

3 Likes

Well they have; Centrify is one of those solutions, at least for identity management.

But often the native solution is better and you just integrate the native solutions together.

We use some Centrify components, it’s fine. But it’s not my preference.

1 Like

Sorry for the lack of updates, it’s been a crazy couple of weeks just starting.
I’ve yet to sink my teeth into any of the data you posted here, but I do have one request that was added.

I thought Microsoft Defender was a free AV for Mac and Linux, but it requires a 365 subscription we do not own. My question is, do any of these solutions include a good AV solution? If not, would you recommend biting the bullet and paying for Microsoft Defender for these platforms, or would you recommend something else?

Thanks again for sharing your wisdom with me.

1 Like

AV applications and the likes are something completely different and unrelated.

I would recommend talking with your CIO/CISO and go through a risk analysis, business continuity plan, and risk assessment based on the solutions out there.

Basically, before you start cobbling random things together, get a 10,000-foot view of what you have and do not have, what you absolutely need, and what are nice-to-haves. Then at each major lower level, discuss and review until you are at ground level, then implement.

Also, free is not always good. You get what you pay for. I would recommend getting an AV that is best for each type of system that it will serve. Defender may be fine for your MS Windows needs, but may not be good enough for your alternative OS needs. You need to figure out what you are trying to protect in order to better protect it.

1 Like

I am working with my CISO directly, but the goal is first to educate myself on what is possible, then present solutions that I know we can implement and see if they meet the needs of the CISO, and work from there. Because, like Wendell always says, “you don’t know what you don’t know,” and there might be things we didn’t think about.

I know back in the day Cisco and other brands like that had endpoint management that tracked AV and whether it’s up to date; some of them even offered that service in the endpoint management software itself. So I was wondering if the solutions brought up here are close to that, or should I launch a separate search for the best AV on each platform?

Also, as the last question, what would you do in the meantime? Let these machines run “naked” until a solution is found? Or install the first free solution that looks good in testing and replace it later when there’s a more defined policy?

1 Like

It depends on what you can afford and how much effort it is to remove the previous software.

It seems that your CISO is giving you a lot of freedom which is nice, but considering that he is ultimately responsible, he should be at least making some guidelines and policies for you to follow and conform to. Security infrastructure should really be designed into your IT infrastructure and should be evaluated so that it meets the requirements of the company and how it operates. Testing stuff in a lab is great. Testing a security implementation in a production environment is not ideal and adds significant risk to the company’s day to day operations.

I am not trying to hound you. I am sorry if it does seem that way. I am just seeing some red flags as a Cyber Security/IT person and as a registered CISSP. Your CISO and CIO really should be more hands-on in this process.

2 Likes

Thanks for your input. I don’t see this as you hounding me; both the CISO and I are new in the company and have a ton of catching up to do.

We didn’t replace anyone in these roles when we arrived; these are both new roles in the company, so you can understand the amount of work both of us have.

From my perspective, I have a lot of things to fix where programmers had to solve IT issues instead of working on critical code. I don’t mean to disrespect programmers, I dabble in programming as well, but when you deal with code and someone takes you away from it to solve a printer issue, or god forbid a network switch problem, you’re not in the correct mindset to do that properly.

The same for the CISO: in that department there are a lot of policies that need to be written for the first time, and ISOs that need to be passed. So we are both under a heavy load, and I am just trying to help out where I can.

1 Like

Ah. Okay. That explains a lot then. You are both hitting the ground running.

I have had to deal with my fair share of this. Just because someone can develop programs does not mean that they may be tech savvy or even have the right mindset to put sane fixes in place. I don’t envy your job, but I hope that you are having fun at least.

You are definitely a good person. I don’t envy your CISO either because planning should happen before implementing and it seems like the company got it backwards. I can only imagine what the CIO is doing then.

There are a lot of IT, Sys Admin, Software/System Analysts, and Development specialists on this forvm. You are in good hands.

1 Like

Yes, that’s exactly it.

Thanks, I’m trying. There’s still a lot of things I have to root out, but they take time to develop trust with the people in charge. For example, one of the founders insisted on everything being Dell, from monitors to laptops to servers. And sadly their products are not that great, so I have to deal with them, and work from a laptop myself and get 5 bluescreens in one workday.

But as I said, I’m hoping to get in good enough graces with them to get to change that.

Yep, I inherited a network rack that consists of MikroTik products that are badly configured; half of that is one of the R&D people who knew MikroTik and the other half was the price of the equipment. And I don’t know if you have had experience with that brand, but it is not a normal router/switch software. And I have CCNA and JNCIS certificates, plus work experience with FortiGate.

Thanks, I try to be and try to help out where I can. I agree the planning should be done before and not after the fact, but most startups here don’t know what they need before they start a company and just learn along the way. I’m pretty sure we don’t have a CIO, as the CISO reports to the CFO because the CEO had too many direct reports.

Thank you, I’m sure I am, which is why I posted my question here. It’s not my first time in this forum; there are a lot of wise and intelligent people here for sure.

2 Likes

Something that might be worth considering is something like the KACE Systems Management Appliance from Quest. It’s not a free option but would allow you to manage all your endpoints, including updates and patches. Some of the solutions used on KACE SMA, such as login and deployment scripts, could also work on an open source solution. There is an extensive knowledge site about KACE at [www.itninja.com]. Quest takes care of the hard part by providing an endpoint client used to control and collect data on all your devices.

For an Active Directory-like environment, openSUSE has/had a decent Samba solution and interface to join and manage workstations. I haven’t used it in a while, but it might meet your minimal needs. Not sure how well it works with Macs.

1 Like

Don’t be quick to judge. Dell has a reasonably OK set of management options, and I’ve had their server equipment deployed a lot, and their laptops and desktops deployed in multiple projects without issue.

Every manufacturer has their oddities; at least you’re not using Cisco servers 😄

2 Likes