Hmmmm, I've always dealt with FM not having single server sign-on for Macs and the solution was storing passwords in the keychain. I've never seen FM work as single server sign-on for a Mac, but I would be interested. Good question if there really is an option to do that. But probably the nicest thing about storing passwords in the keychain is that your operating system user account does not have to match the user account on FileMaker security. Then again, in a real enterprise network, everything would be using the same directory service to sign onto their computers as well as get into databases, file share, email, etc.
The major reason why we like to stick with SSO through AD is that, when the user changes their password (every six months, per company policy), there is no need to update the password that is saved for use with FileMaker. There are already so many places they have to change saved passwords, it's important to us to keep the amount of confusion to a minimum.
Oh, I fully agree with that reasoning. It makes AD the one source password location, which is ideal for an enterprise system. The biggest problem I have on Macs is the inability in FileMaker to turn off the ability to store passwords in the keychain.
Maybe someone will chime in on the SSO functionality on a Mac. It sure would be convenient and I would like to know more if it is available.
Before I spend too much time tinkering, does anyone know how to make this work, or if it is even possible?
It is not possible in any version of FM.
SSO currently only works in an all-Windows line-up.
...and the list of things that frustrate me about FileMaker grows by one. If the OS supports it, I wonder why the application doesn't. Not high on their list of priorities, I'm sure.
Thanks for the quick answer, Wim. I guess it's keychain for us for now!
I think most of the blame is on Apple for this one though. Apple has had very troubled support for AD binding over the years and tends to break things more often than not.
Check MacWindows.com for some good reading on this.
I'm not sure it should be a priority, but I agree it would be useful for certain specific use cases. Increasingly, IT departments are having to support non-Windows devices brought in by users anyway. AD is not supported on FM Go either, but that isn't FMI's fault.
For me, I enjoy the flexibility of choosing what to keep in my keychain and have not found it overly burdensome. I doubt I am the typical user though.
iOS itself doesn't support Active Directory - so I wouldn't expect Go to support it, either. It's unclear right now why we would ever bind an iOS device to a Directory service - the go-to solution for mobile management seems to be MDM, and directory services like AD are just used for authentication.
To Wim's point, AD integration in OSX is extremely touchy - I still view joining a Mac to AD as an experiment rather than a given, and am amazed when it works without having to drop into the command line. It's not really all that clear what benefits we get from binding a Mac to AD, either, since we don't use Home Folders the way OSX expects us to, and GPOs (one of many reasons for binding a PC) don't apply to the Mac. I'm sure the advantages of joining the domain are more subtle and help the Mac user get along better with file servers and remote desktops within the domain.
As I think about all of this, it might be interesting if Go was able to support Keychain - especially since it sounds like Mac users are already making that work. That could replace some of the layout and security gymnastics we go through right now to avoid having to log in all the time on Go. If we're not going to get SSO on any Apple platforms, maybe we can get better support for the native Apple tools like Keychain to get the experience to at least be closer!
Check out AdmitMac from Thursby Software. It does not help with FileMaker on the desktop and SSO, but it addresses a lot of the other items you mention. I used to live/work in the Washington DC area a few years ago, and knew several Mac users in larger companies/government who used this (or their "Dave" product) and said it worked really well. Link below to main company page. Look for "AdmitMac" and "Dave" in their product list. Second link is brief description of how they view their products in joining the Windows and Mac worlds in an enterprise.
The other product I am aware of is ExtremeZ-IP. It takes the opposite approach in being software that runs on Win servers to provide Mac services above what is there natively.