Earlier in October, Google announced Cloud Identity for partners and customers. One of the features of Cloud Identity I was most excited about was the cloud LDAP feature that is part of this service. LDAP is an open source directory protocol that a lot of enterprise services support. Google is heavily investing in its cloud identity service. They expect by 2021, more than 50% of all enterprises will adopt an “all in cloud strategy.” Could Google LDAP login on macOS become a reality in the future?
If you are a G-Suite customer now, you are used to being able to “add apps” to your domain and have them support Google login. One key aspect that G-Suite only customers (meaning they don’t run Active Directory on-premise) have missed out on is syncing data with services that only support LDAP. In a few weeks, G-Suite customers will now have that ability.
What is LDAP?
LDAP is technically a legacy service compared to traditional single sign-on (SSO) methods, but it is still widely used in the enterprise. I have at least three services I manage that I would love to sync with G-Suite today using LDAP, so this new had been very excited.
I watched a demo of how it works on day 3 of the JNUC conference, and a Product Manager for Google Cloud and Product Managers for Jamf showed how the integration would work between the two products. Earlier this week, Jamf announced it would be adding support for Azure Active Directory as a macOS login service (bypassing the need for local accounts), and this new LDAP technology would technically make it possible to do with same with Google LDAP login on macOS.
During the demo, Jamf noted that the setup process was a little complicated right now, but they would be simplifying it soon (Google’s LDAP feature isn’t coming out for a few weeks). Jamf Pro was easily able to pull in your G-Suite groups and users, and I was beaming with excitement. My excitement was immediately removed when Google announced on stage that it would be $6 per user per month. My G-Suite account has 200 users right now, so that would be $7,200 per year. We currently pay nothing for the education version of G-Suite. Enterprise customers will get it at no additional cost since their version isn’t free. On Google’s website, they mention a $2/user per month plan introductory for staff and faculty, but the student accounts are free. There is some vague wording about renewals being honored, but until there is more concrete pricing information, I couldn’t roll it out school-wide.
Technically, this announcement is fantastic. In the future (assuming Jamf adds support), it will be possible for Apple Schools who use G-Suite for email to have a single unified directory system with no hardware onsite. This feature would eliminate the reason for enterprise/education customers to have an on-site Active Directory server. When employees get new Macs or iOS devices, they would be sent through the corporate on-boarding experience which would ask them for their LDAP/G-Suite login. They would then get the appropriate device settings and apps.
Hopefully, the pricing information can be sorted out soon. $2/staff member per month might be a workable approach for some smaller school districts, but adding students to the cost would make it unsustainable. For the large districts who rely on a no-cost G-Suite account, anything but free will be a non-starter.