
Open directory

Is open directory discontinued now as well as macOS Server?

Mac mini, macOS 12.4

Posted on Apr 21, 2022 8:36 PM

4 replies

Apr 22, 2022 6:05 AM in response to Rob B. Campbell

Please note that only Apple has the answer for this. What follows is my opinion based on product and industry trends. OD remains in Monterey and based on the Kbase article, Server will continue to work on Monterey into the future. Just don't expect any fixes. What we have now is what we will have forever. As for the fate of OD in the operating system, we all will find out more in June with the WWDC announcements. I am betting it is gone and only a handful of tools will remain.


Now that Apple has Business Essentials out of beta, there is no reason for Profile Manager (there is some debate there ever was a reason for Profile Manager aside from it being a reference implementation). And since Open Directory's only role since Big Sur has been to support Profile Manager and Xsan, it is no longer needed (Xsan was already removed from Monterey's Server.app GUI making the creation of a new Xsan challenging at best unless you have a long history with the product).


In the case of Business Essentials, the assumption is that you are (or will be) using a Cloud Identity Provider like Azure or G Suite. That becomes your directory system. If you don't have either of those, you can still manually create managed Apple IDs. These options negate the function of OD while opening up capabilities OD could only dream of, like federation of cloud services.


The old days of mobile accounts or dual directory system configurations (AD and OD) are long gone. While much of it is still possible even in Monterey, the move to the cloud and mobility is driving everyone to local accounts with password sync. This is possible with tools like the SSO Extension (available in every MDM) or with 3rd party products like Jamf Connect or NoMAD.


This is also driving the end of Mac file servers, as OD and authentication have been a challenge since Big Sur. And mobility and work from home have made on-prem servers cumbersome to access and have slowed workflows to a halt, especially for video and print workflows.


It has been a long run but I think we all need to say goodbye to OD. I don't think it will have a place in the next OS.


Hope this is helpful. Remember, this is my opinion based on the trends. A fond farewell to slapconfig.


Reid

May 19, 2022 6:27 PM in response to buckster

Valid point on FM and Kerio. Also Firewalls that allow LDAP auth passthrough for VPN.


I can say for my customers, we are moving anyone with FileMaker to FileMaker Cloud. It supports cloud IdPs and now I no longer need to maintain a mini just for FileMaker.


As for Kerio, we moved everyone to O365 or G Suite years ago. O365/Azure has been easier to integrate, as only recently has Apple started supporting G Suite integration into ABM/ASM. While I still keep a small Kerio Connect system running for testing, I am concerned that hosting on macOS may not be supported for much longer. We can look at Jamf as an example, as they have dropped self-hosting on macOS with one of the recent releases. Service hosting on macOS is becoming more and more of a challenge as Apple continues to simplify and deprecate parts of the OS. Also, if I recall, it took Kerio a long time to support Big Sur. I've left my system on Catalina mostly out of laziness but also because it is working.


The piece that I've struggled with is for VPN into customer LANs. I've relied on LDAP auth on a VPN to pass authentication through to OD for some time. This allowed the creation of one ID and that ID would be used for LAN resources in the OD domain but also for remote connectivity. It also meant that if I disabled the account in OD, then VPN would stop working. And users would have a unified password for company resources. This started getting funky in late releases of Catalina and I continue to struggle with Big Sur on some firewall models. In many customer cases, the pandemic has pushed us to the cloud so the need for VPN is dropping fast. With services in the cloud, there is no need to connect to the office. I still have a few deployments with OD acting as the VPN auth endpoint so they will fall soon enough.


I know my plans are to guide everyone away from on-prem deployments and favor the cloud. This has its risks. But so do LAN-based resources. With the continued uncertainty and the drive for mobility, the cloud is proving to be the best for flexibility and accessibility of data. Tools like OneDrive/SharePoint or Dropbox allow for selective data sync and mostly remove the human from file management tasks.


We have a few weeks to go to see where this nets out. The direction should be clear pretty soon.

May 20, 2022 8:16 AM in response to Strontium90

Thanks for the reply and discussion. I'm in a slightly different position since I admin a small shop (about 100 Macs), rather than supporting/consulting with clients.


But yes, it seems like we are in a time of big changes both in terms of migration to cloud and identity providers. And there does not seem to be a blueprint or roadmap to follow.


Since Apple now offers Managed Apple IDs for Business, all the parts seem to be in place for them to offer some kind of iCloud Service for Managed Business to provide Identity, Mail, Contacts & Calendars to compete with MS and Google.


Any vague chance they could announce something like that out of WWDC? :)


Having admin'd Macs for decades it's somewhat ironic that the main options now seem to be to use Microsoft or Google's cloud for Authentication, Mail, Contacts & Calendars.


Internally here, company ownership has been resistant to using cloud services (rather than on-prem) for anything business-sensitive, so increased cloud-for-business is going to require a recalibration of expectations. Using Microsoft & Google will require additional recalibration :)


So, rather than immediately jumping in with MS or Google, I am currently looking at Okta as an IdP.


Evidently Claris/FileMaker v19.4 can natively connect to Okta through OAuth2 (I think to Okta's Universal Directory). Earlier FileMaker versions seem to require modification of .xml files under the hood to authenticate against Okta, but can do it.


The main reason I am looking at Okta is because we use Jamf & whenever I have spoken to anyone at Jamf about the OD EOL issue they point me in the direction of Okta.


However, it's not yet clear to me whether Okta will allow Kerio Connect & Kerio VPN to authenticate.


I think I'm gonna live in hope for WWDC and will not be making any decisions at least until after then :)
