Using Centrify s DirectControl with Mac OS X

Transcription

1 WHITE PAPER CENTRIFY CORP. OCTOBER 2008 Using Centrify s DirectControl with Mac OS X Centralized, Active Directory-based authentication, access control and policy enforcement for Mac OS X systems in Windows environments ABSTRACT Macintosh computers have found widespread usage within several industries such as education, marketing and advertising, and have been adopted by government agencies for a broad range of uses. Many of these Macs have been managed either individually or as a group using tools provided by Apple. As the Mac continues to gain in popularity particularly within large organizations where Windows computers and administration tools are predominant, or within government agencies where security concerns are heightened there is a growing need to manage and secure Macs using a common set of Windowsbased administration tools. Centrify DirectControl for Mac OS X enables IT administrators to add Macintosh computers to their Windows Active Directory infrastructure to centrally manage the authentication, authorization and configuration of Mac OS X systems as well as to lock down the user s desktop environment. This lets IT administrators manage and secure Mac OS X systems using the same tools and processes already in place to manage Windows systems. This white paper provides an overview of the features and benefits of using Centrify DirectControl, and describes how an organization can realize substantial benefits by using DirectControl to integrate and centrally manage Mac OS X systems with Active Directory.

2 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Centrify Corporation. All rights reserved. Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. [WP ] CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE II

3 Contents 1 Introduction IT Support Challenges for Mac OS X in the Enterprise DirectControl Provides the Tools Required for IT to Support Mac OS X Centrify and the Enterprise Desktop Alliance Active Directory Authentication and Access Control for Mac OS X Active Directory User Authentication with DirectControl User Account and Administration Considerations with DirectControl Key Differences between DirectControl and Apple s Active Directory Plug-in Centralized Configuration and Policy Management for Mac OS X DirectControl Group Policy Enforcement on Mac OS X Common UNIX Group Policies for Mac OS X Computer Group Policies for Mac OS X User Group Policies for Mac OS X Streamlined Deployment: Workstation Mode and Automated Installation Strong Authentication and Single Sign-on through Smart Card Login to Active Directory Customer Benefits of the Centrify DirectControl Solution Summary How to Contact Centrify CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE III

4 1 Introduction Most organizations have standardized on Windows computers. However, Macintosh computers are becoming increasingly popular in a number of different areas. Where they were once relegated to educational organizations or specific departments within large organizations, they are now seen breaking out of the traditional roles of the creative marketing and advertising groups into the general computer population. However, many of these organizations have never truly seen these Macs as part of their global IT infrastructure. It is very common to see Mac OS X systems flying under the radar as standalone systems without any oversight from a central IT organization. 1.1 IT Support Challenges for Mac OS X in the Enterprise In the past, Macintosh users have typically acquired their own systems and were expected to support themselves or even work together within their own departments to support each other. Apple has focused their Windows and Active Directory integration services on providing tools that enable the Macintosh owner or group administrator to plug into these Windows-centric networks themselves, enabling Active Directory-based authentication and providing seamless access to Windows services using Macintoshcentric administrative tools. However, the configuration of these integration tools is managed locally on the individual Macintosh system and does not lend itself to the type of mass deployment or centralized administration most enterprise IT departments expect. And although Mac OS X systems can be configured with Macintosh-centric tools and services such as Apple Workgroup Manager, this requires you to set up a Mac management infrastructure using Apple s Open Directory Server that is independent and parallel to your Windows management infrastructure. This is a very typical configuration called the golden triangle, where authentication is performed by Active Directory and centralized configuration management is handled by Open Directory and Workgroup Manager. While the golden triangle configuration will work to provide basic integration, it still leaves the Macintosh community within the enterprise to support themselves. The real problem is that the IT staff spends the majority of their time supporting the Windows network, and they simply do not have the time to learn a new set of tools, nor do they have proper tools to manage or support Macintosh systems within their Windows centric environment. Consequently, they have left these groups of Macintosh users to manage and support their own systems. This lack of support and integration into the enterprise results in several problems that face the typical Macintosh user: IT staff do not have the tools or abilities to provide support and resolve problems on Macintosh systems. Security policies are not enforced consistently on Macintosh systems. Common services are simply not supported or provided to Macintosh users CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 1

5 Several factors are driving the need within IT to centralize authentication, authorization and support services as well as configuration management. IT must address regulatory compliance requirements across the organization, improve service levels, and enhance efficiency for both itself and end-users. Given these drivers, IT needs tools that enable them to provide a consistent level of service to all users regardless of the type of computer they use, preferably administering with the same tools that they use today without having to learn a new tool set. Although government and industry regulations are typically focused on systems where confidential customer or business data is stored, organizations in highly regulated industries or governmental agencies have an interest in ensuring best practices around secure and responsible use of personal workstations. Barriers to Macintosh adoption may be lowered in these organizations if IT security managers can be assured they have the tools at hand to lockdown the Mac desktop; for example, to require smart card-based log in, to prevent mounting of external storage devices, to disable the ability to create unsecured wireless networks, to limit access to applications, and to define the configuration of applications. 1.2 DirectControl Provides the Tools Required for IT to Support Mac OS X DirectControl for Mac OS X enables IT to integrate Macintosh systems into Active Directory and provide the level of support that these users require. DirectControl provides Active Directory-based authentication services as well as Group Policy enforcement leveraging the same administrative tools that IT currently uses to manage Windows systems. DirectControl authentication services are designed to integrate the Macintosh computer into Active Directory to provide authentication and login policy enforcement exactly like a Windows computer that is joined to Active Directory. Group Policy enforcement is also provided for both a) computer policies on the system to enable centralized management of the System Preferences configuration and b) user policies to enable centralized desktop configuration lockdown and application access controls on the Macintosh systems. DirectControl also supports smart card-based login. For large organizations, DirectControl provides the granular access controls and delegated administration features they need to manage logical groups of Mac systems separately. Using DirectControl s unique Zone technology, IT administrators can create groups of Mac systems that have their own set of users, administrators, and policies. Centrify also enables quick deployment of DirectControl through an automated installation program and a workstation mode that joins Macs to Active Directory immediately without the need for any additional setup sets CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 2

6 1.3 Centrify and the Enterprise Desktop Alliance As Centrify worked with large organizations to define requirements for Mac integration within a Windows-centric IT environment, customers frequently also asked questions regarding additional services that would further ease deployment and management of Macs. As a result, Centrify decided to spearhead the creation of the Enterprise Desktop Alliance (EDA), a consortium of Macintosh vendors that are delivering enterprise-class software solutions for Mac integration and interoperability with Windows environments. Along with Centrify s identity and access management solution for the Mac, the EDA partners also offer solutions for systems lifecycle management, enterprise data protection, file and print services, and virtualization. The EDA s web site provides a wide range of white papers to help customers research solutions, and the organization is sponsoring a series of online webinars demonstrating how their solutions can be used in tandem to lower barriers to acceptance of Macs within the enterprise.. The following sections describe the services provided by DirectControl, explain how DirectControl differs from Apple s management tools, and details the unique features and benefits of using DirectControl to manage populations of Macintosh computers, both large and small. 2 Active Directory Authentication and Access Control for Mac OS X While every Mac OS X system that Apple ships comes with a built-in repository for user and group information stored in a local NetInfo database, any time there is more than one Mac OS X system in a network where the users will need to either access shared resources or log in to other systems, it is best to configure a directory service to centrally manage these accounts, making them available to all the systems in the network. Apple provides many different options for configuring a network-based directory service, from plug-ins that allow usage of existing LDAP directories to their own Open Directory server. Apple also delivers an Active Directory plug-in that provides the basic functions of establishing a trusted relationship between the computer and Active Directory, which enables Active Directory user accounts to be used for login to the Mac OS X system. However, this plug-in requires local configuration to define how the user s UID and GID will be defined based on their Active Directory account; in most cases it is configured to automatically generate UIDs and GIDs for Active Directory users logging into the system. While this may be acceptable for smaller deployments where the configuration can be manually set for each system, it does not scale well for deployment in larger environments with larger numbers of Mac OS X systems CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 3

7 There are several key differences between DirectControl and the Active Directory plug-in that Apple provides with Mac OS X for authentication, such as centralized administrative control over the user s underlying Unix UID and GID assignment as well as the granular access controls which are centrally managed within Active Directory. DirectControl is designed as a complete Active Directory client for non-windows systems, including the Mac OS X platform, making it a direct replacement for the Apple Mac OS X Active Directory plug-in. All administration of user accounts, password policies and security policies are managed using Active Directory administrative tools, including Active Directory Users and Computers, the Group Policy Management Console, and the Group Policy Object Editor as well as the Centrify DirectControl Administrative Console CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 4

8 2.1 Active Directory User Authentication with DirectControl DirectControl for Mac OS X consists of two main architectural components. DirectControl for Systems DirectControl for Systems DirectControl for Applications Windows Computer DirectControl for Systems Microsoft Active Directory + Centrify DirectControl DirectControl Management Tools Administrator Figure 1. Components of the DirectControl Suite. On the Macintosh platform, a DirectControl Agent is installed on each server or workstation. The DirectControl Agent is not just a directory service plug-in; rather, it is a central service that provides both authentication and authorization services as well as Group Policy enforcement. The Agent also determines which DirectControlenabled users can log in to the system or network services using their Active Directory credentials. On the Windows platform, the optional DirectControl Management Tools can be installed on one or more Windows computers in the domain. These tools include the Centrify Administrator Console, property extensions to Active Directory Users and Computers, and a web-based Administrator s Console. If you are deploying DirectControl in workstation mode, it is not strictly required to install these tools. However, most organizations will want to use the management tools to implement CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 5

9 Group Policy on their Mac systems and to run the administrative reports. The management tools are required if you decide to implement the advanced access controls and delegated administration features provided by DirectControl Zones.. The optional DirectControl Management Tools are the only Windows software you might need. You are not required to install software on your Windows domain controllers, and DirectControl installation never requires modifications to your Active Directory schema. If you choose to use Zone-based access controls, as Macintosh users and computers join your Active Directory domain, the Centrify DirectControl Agent unobtrusively stores its data in an Active Directory program data container using a standardized method. Centrify DirectControl also works seamlessly and unobtrusively with Active Directory if you have previously installed Microsoft Services for UNIX (SFU), which applies its own schema changes to Active Directory to store UNIX attributes for user accounts. DirectControl also works with Microsoft s UNIX schema extensions that are included in Windows Server 2003 R2. The DirectControl Agent in effect turns the Mac OS X system into an Active Directory client. The Agent enables the Mac client to consume and respond to Active Directory services in the same way a Windows client does. Login Apps (login, ftp, ssh, etc.) Kerberized Apps (ssh, SMB etc.) System Config Files Directory Plugin Service Kerberos Libraries Group Policy Module Offline Credential Cache CLI Admin Tools DirectControl Daemon (adclient) Centrify DirectControl Agent Windows Domain Controllers Microsoft Active Directory Figure 2. Architecture of the DirectControl for Mac OS X Agent The DirectControl Agent is responsible for the following functions in order to provide a secure authentication framework for integrating Mac OS X into Active Directory. Enables the Macintosh computer to join an Active Directory domain. Once the Macintosh system has been joined to the Active Directory domain, it is visible as a standard computer object in the Active Directory Users and Computers console CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 6

10 Locates the relevant domain controllers based on the Active Directory forest and site topology, also known as being site-aware. Maintains time synchronization with Active Directory domain controllers if desired. Maintains an MIT-based Kerberos environment so that existing Kerberos applications will work seamlessly with Active Directory to provide users with single sign-on access to network resources such as Windows file servers and print queues. Ensures network security by resetting the password on its machine account at regular intervals according to Active Directory domain policies. Enables logins using users Active Directory credentials. Logging on in this context means not only logging into the Mac OS X graphic interface, but also connecting to the Macintosh through a remote SSH or Apple Remote Desktop interface. Enables authentication with smart cards, including PIV, CAC and.net cards. Updates a user s last login time upon Active Directory login to ensure that password expiration policies are being enforced properly. Stores user credentials and profiles so that users can log on when the computer is disconnected from the network, which is especially useful for laptop computers without requiring a locally defined mobile user. Caches responses from Active Directory information queries to reduce the load on the domain controllers. Validates that the user has appropriate permissions to log in to the Macintosh system based on account policies. For example, Active Directory provides a set of accountspecific controls enabling the administrator to activate or disable a user s Active Directory account as well as to control the time of day the user is allowed to log in. When the Mac is a member of a DirectControl Zone, validates that the user has appropriate permissions to log in based on Zone memberships and allowed group membership. Determines a user s full UNIX-enabled Active Directory group membership (including nested groups) the first time the user logs on. Supports users managing their Active Directory passwords from Macintosh systems both for the ad hoc password change as well as for expired password at login. Validates privileged account logins centrally from Active Directory when needed without requiring previously defined local administrator accounts. Dynamically creates home directories locally on the computer for users whose profile defines a local home directory path. DirectControl also supports seamlessly mounting network-based home directories from Windows servers or AFP servers as CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 7

11 well as providing the option to define a locally synchronized version of the network home directory for laptop users. Enforces user Group Policies that control the user s desktop experience such as application access control and dock settings as well as to control the user s ability to execute privileged operations. Provides authenticated single sign-on access to Windows print queues using the user s Active Directory credentials to ensure proper access and accounting for user access to printers. 2.2 User Account and Administration Considerations with DirectControl Many organizations will have more than one grouping of computer systems that are used for a specific purpose, and typically it is neither desirable nor practical to allow all users in an enterprise to log on to any system. To deal with this, Centrify has developed the concept of Zones to create a way of grouping systems in order to provide fine-grained access controls and delegated administration. In addition to using Zones for access control, organizations with a diverse environment of UNIX, Linux and Mac systems also have the option of using Zones to avoid collisions in user IDs and group IDs. Although Mac end-users rarely also need login privileges on UNIX or Linux systems, IT administrators will want to read this section for the complete picture of how Zones work within a large, mixed environment. Keep in mind in this section that Zones are not available for Macs that were added to Active Directory using DirectControl s workstation mode. Figure 3. Example of an Enterprise Organized into Departmental Zones The DirectControl Zone technology, as shown in the illustration above, works like this: CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 8

12 Each DirectControl-managed UNIX, Linux or Mac system can be placed into a DirectControl Zone, typically directly mapping to an existing logical security boundary or administrative grouping such an organizational department or lab. A user (Joan Smith in Figure 3) is configured in Active Directory with her normal Windows information, such as name, password, group membership and so on. In addition, the Centrify Profiles that Centrify adds to her Active Directory account indicates which Zones she can access. For each Zone, Joan s UNIX/Mac profile in Active Directory stores account information specific to that Zone: UNIX user name, user ID, shell, and home directory for example. Thus, a single Active Directory account can be mapped to any number of UNIX/Mac identities. Joan can log in to computers only in the Zones to which she has been granted access. Whereas Joan has access to several Zones, another user for example, a student in a university setting could be given rights to access only Macs in a Zone set up for a classroom lab, and not be given access to Macs or other systems in Zones set up for computers used in administrative or research departments. As Figure 3 illustrates, Joan authenticates through Active Directory regardless of which system she logs in to. The Zones are part of the same Active Directory domain where Joan s account exists. Delegation and separation of duties is a critical component of any centralized administration solution where security is a concern. DirectControl Zones provide an environment with Active Directory that leverages native access control rules within Active Directory to delegate UNIX profile management as well as UNIX/Mac system access rights management to UNIX administrators without requiring domain administrator rights. With DirectControl, UNIX and Mac administrators do not need rights to modify or create user objects, which is typically a privileged operation within the enterprise. Additionally, each Zone can have its own set of administrators, each with specific privileges within the Zone. In our university example, Joan may be an IT administrator who has the right to create and modify user accounts in Active Directory for students and employees, and the right to create Zones and add users to Zones. However, a graduate student who runs a Macintosh lab could be given rights only to add or remove existing user accounts to the Mac lab Zone. This added security feature means not only can users and computers be compartmentalized into logical secure groups, but the administrators who manage those systems can also be segregated. For many organizations, the ability to finely control the elevated privileges for administrators is essential for maintaining appropriate levels of confidentiality and for complying with regulatory controls CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 9

13 2.3 Key Differences between DirectControl and Apple s Active Directory Plug-in DirectControl is designed to provide what seems on the surface as an equivalent solution to the Active Directory plug-in that Apple provides with Mac OS X out of the box; however, there are several key differences between the solutions. Fundamentally, DirectControl is designed to provide the centralized administration staff with the tools required to centrally manage heterogeneous computing environments from existing Windows administrative tools. Here are some of the key differences: DirectControl provides consistent Active Directory integration across multiple platforms. DirectControl provides a single integration solution not only for Mac OS X but for popular UNIX and Linux platforms as well. DirectControl Zones can be used to further control user access as well as to segregate the Macintosh user population and administrative staff and keep their rights at a minimum within Active Directory. Offline login is provided with locally cached account profiles for users with local home directories. However, if the user has a network home directory he will be prompted to create a mobile account to take advantage of the synchronization between the local and network-based home directories. DirectControl enables common account administration of both Windows and Macintosh systems leveraging tools such as Active Directory Users and Computers. UID and GID assignment is managed centrally within Active Directory as additional attribute information about these objects versus a local configuration within the Directory Services configuration interfaces. There are many security-related benefits to using DirectControl for Active Directory integration. For example, the machine account password is periodically changed, all communications to Active Directory are Kerberized, and user access to Windows print queues is authenticated in a single sign-on fashion. DirectControl provides a reporting facility to enable generation of several reports on Active Directory information such as computer access reports. DirectControl provides delegated administration with separation of duties between Active Directory and Macintosh administrators as well as between groups of Macintosh administrators. Additionally, the DirectControl Agent that provides user authentication and authorization services also provides Group Policy enforcement to enable centralized configuration management. Centralized configuration and Group Policy services are described in more detail in the next section CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 10

14 3 Centralized Configuration and Policy Management for Mac OS X Configuration management and policy enforcement across an enterprise is extremely important to most organizations, especially if there is a need to ensure that security policies are properly enforced across all computers. Additionally there are several benefits to centralizing the configuration of workstations and servers, including: Reducing the effort required to bring a new computer into the environment, configuring it properly and ensuring that it stays configured properly throughout its lifecycle, resulting in a much lower total cost of ownership. Ensuring that security policies are properly enforced across the enterprise to ensure that no holes exist for potential attackers to exploit. Automatically configuring the user environment so that all users have a consistent computing experience that provides them the services they need to accomplish their work. Apple provides a tool to centrally manage the configuration and security policies of Mac OS X computers. However, this tool, Workgroup Manager, requires either a set of schema modifications to Active Directory in order to integrate or a separate Open Directory deployment in order to provide centralized management. However, in Windows environments, most administrators use Group Policy to centrally configure Windows workstations to enforce consistent security policies as well as to ensure a consistent end-user experience across all workstations deployed within the environment. DirectControl provides broad and robust support for Group Policy on the Mac. IT administrators thus have a single tool to configure and enforce consistent security policies to all non-windows computers, including Mac OS X systems. DirectControl also enables IT administrators to configure and secure their Mac environment through Group Policy without having detailed knowledge of Mac desktop configuration. In environments where workstation security is particularly important, giving IT security administrators the ability to lockdown Mac workstations through Group Policy can help lower barriers to adoption DirectControl Group Policy Enforcement on Mac OS X Windows Group Policy works by forcibly setting user and computer registry keys on Windows machines, and since almost all of a Windows system is configured through registry settings, this is a very natural and simple way to enforce almost any policy. However, in UNIX and Mac environments there is no equivalent to the Windows registry. The de-facto standard for configuration is ASCII text files. To deliver Active Directory s Group Policy capabilities in UNIX and Mac environments, DirectControl creates a virtual registry of the policies that apply to either the computer itself or tp the users who log in to the system. The enforcement of these virtual registry settings is handled by two different mechanisms depending on the service or configuration that needs to be controlled. For applications CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 11

15 that use a configuration file to manage their settings, DirectControl provides a specific mapper program that knows what needs to be set in the configuration file or, on Macintosh systems, in the plist file for the application associated with the particular virtual registry setting. Additionally, many of the System Preference settings and user environment controls are provided by the MCX subsystem within Mac OS X. Several of DirectControl s the user Group Policies are enforced through the MCX subsystem. The DirectControl Agent first must update the Group Policy settings into its virtual registry based on the computer account or the user who is logged in to the system. This load event is triggered by: System startup. When the DirectControl daemon starts up (usually when the system boots up), it updates the computer s registry. User log on. When a user logs on, the DirectControl Agent creates or updates the user s registry settings. adgpupdate command. The DirectControl Agent can be forced to immediately update the user and computer registries through this command line. Periodic refresh interval. The DirectControl Agent will also refresh the virtual registry on a periodic basis according to the Group Policy refresh interval setting in the domain policy. The loading of policy is asynchronous, which is equivalent to the behavior in recent Windows versions. The loaded settings are stored on the local machine for disconnected operation. Once the virtual registry has been updated through one of the events described above, then either the appropriate mapper program is activated to update or create the configuration or plist file, or the appropriate MCX setting is defined for the application or System Preference being controlled. 3.2 Common UNIX Group Policies for Mac OS X Centrify includes a set of Active Directory Group Policies that are common to UNIX, Linux and Mac OS X platforms that can be applied to users or systems, as appropriate. DirectControl includes more Group Policy objects than any other solution, including policies to manage all aspects of DirectControl: how users log on, password prompts, network and cache timeout settings, Kerberos settings, name lookup and user authentication overrides, password caching, LDAP settings, locally defined user/group maps, and more. There are also several other policies that can be generically applied to UNIX, Linux and Mac OS X systems, such as managing crontab settings, iptables-based firewall configuration for Linux systems, file system mount points as well as running commands or scripts at login and managing the sudo permissions file. DirectControl enforces both computer and user policies and additionally supports advanced Group Policy features such as filtering of policies as well as loop back processing for those environments that require this level of control CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 12

16 A good example of the value of enforced policy can be seen with the administration of the sudoers file, since this file defines who can run privileged programs on Mac OS X systems such as unlocking privileged System Preferences items. Using this common Group Policy, you can ensure that end-users are automatically configured with the rights they require at login. It is also possible to configure IT administrator accounts with the appropriate rights they need on all Mac OS X systems regardless of any locally defined configuration, even if they do not have a local account, since DirectControl will provide access based on centrally managed security policies. The sudo Group Policy can now be used as a direct replacement for the checkbox in the Accounts System Preference to Allow user to administer this computer since it will accomplish the same results, but is now centrally controlled via Group Policy. If the configuration of this file is not strictly controlled across every system in your organization, then security is not only compromised on an individual system but also potentially compromised across your organization. Centrify s Group Policy enforcement ensures that your systems are secured in a consistent, enforced manner. For added flexibility, you can also create your own custom administrative templates to describe any additional policy settings that you would like to enforce for your own application or other service which DirectControl does not provide already. In order to enforce these policies on the Mac OS X systems, you can use standard Perl scripting to create your own mapping programs that will update or create relevant configuration or plist files. Several example policies are provided to make creating your own policies much simpler. 3.3 Computer Group Policies for Mac OS X DirectControl for Mac OS X extends beyond the common UNIX policies described above to provide additional Mac OS X-specific policies to enable the administrator to centrally control the security policies and services of the computer. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy. The following table shows the categories of computer policies and what each controls as seen within the System Preferences. Computer Policy Category Individual Policies That Can Be Enforced Security Require password to unlock each secure system preference Disable automatic login Use secure virtual memory Log out after n number minutes of inactivity Enable smart card support Require smart card login CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 13

17 Computer Policy Category Individual Policies That Can Be Enforced Sharing Services Services settings (to turn on off sharing for each service, such as personal file sharing, remote login, etc.) Network Adjust list of searched domains Adjust list of DNS servers Enable proxies (FTP, HTTP, HTTPS, etc.) Configure proxies Firewall Settings Enable the firewall Firewall settings (to turn on off firewall for each service such as ichat, etc.) Block UDP traffic Enable network time Enable firewall logging Enable stealth mode Internet Sharing Disallow all Internet sharing Accounts Display Login Window settings Show the Restart, Sleep and Shutdown buttons Set the Display Banner Control the login Window to show either Name and Password or List of users Control password hint display Enable fast user switching Map Zone admin groups to local admin groups Energy Saver Configure different energy saver settings listed below for both AC Power and Battery power Put display to sleep if inactive Put computer to sleep if inactive Put the hard disk(s) to sleep when possible Wake when the modem detects a ring Wake for Ethernet network administrator access Allow power button to sleep the computer Restart automatically after a power failure Software Update Settings Automatically download and install software updates Specify software update server Remote Management Enable ARD administrator group Enable ARD report group Enable ARD management group Enable ARD interactive group CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 14

18 You can apply these policies to the domain or to an organizational unit (OU), and the policies will be applied to the Mac OS X system as soon as it has been joined to the Active Directory domain. This enables rapid bulk configuration of these security policies for all Mac OS X computers within the domain or OU without having to manually configure each system by hand, greatly reducing the total cost of ownership of these computers. Most of these computer policies serve an important role in managing the computer s more important settings, but let s take a closer look at one of these policies to see how the computer settings are managed with Active Directory Group Policy Object Editor. The screen shot below shows the Group Policy interface for controlling the Login Window settings. Figure 4. Using Group Policy to control Login Window settings for Mac OS X Once the settings you want to enforce have been defined within this dialog, they are then retrieved and enforced on the Mac OS X system by the DirectControl Group Policy services. The result of the policy being enforced on the system can be seen in the Mac System Preferences panel after the Group Policy is refreshed on the system with the adgpupdate command or after the periodic update interval has lapsed CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 15

19 Figure 5. The Mac OS X System Preferences panel shows the new setting distributed through Group Policy The enforcement of these computer policies can help to address regulatory compliance requirements since many of these policies are designed to provide centralized control over the defined requirements, such as enforcing machine security when the user is not present. 3.4 User Group Policies for Mac OS X DirectControl also provides an extended set of Group Policies to control the user s desktop environment, which would normally be controlled with Workgroup Manager. These policies enable the administrator to not only configure how the desktop environment appears, but also to control the applications that the user is allowed to run as well as whether or not the user is allowed to access external or recordable media to prevent data theft from the controlled environment. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy. The following table shows the categories of user policies and what each controls as seen within the System Preferences. User Policy Category Individual Policies That Can Be Enforced Application Access Control access to specific applications Control access to UNIX tools and utilities Control access to Apple Script CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 16

20 User Policy Category Desktop & Screen Saver Individual Policies That Can Be Enforced Enforce screen saver Screen saver timeout Dock Settings Dock size Magnification Position on screen Animation for application opening Auto hide the Dock Lock the Dock display to prevent changes Control applications displayed in the Dock Display other folders or documents in the Dock Finder Settings Set Finder Type to Normal or Simple Folder Redirection At Login, Logout or periodic intervals perform the following folder redirection settings. Delete a user s path Delete symbolic links Create symbolic links Rename symbolic links Other Application Settings Media Access Controls Mobility Sync Settings Distribute application specific plist files Control access to CDs and CD-ROMs Control access to DVDs Control access to recordable discs Control access to internal disks Control access to external disks (including USB Flash disks and ipods) Force eject of removable media at logout Control synchronization Control what items will sync at login/logout Control what items will sync in the background Control what items should be skipped Scripts Specify login and logout scripts Security Require password to wake this computer from sleep or screen saver Smart card removal policy to lock screen or logout Prohibit screen saver unlock with expired password (when offline) System Preference Settings Limit which items will be shown in System Preferences Control display of each item in System Preferences CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 17

21 User policies such as these can be applied in many ways. The typical method is to apply the policy to an OU within Active Directory, which will apply the policy to all the users within that OU of the directory. Other methods of applying these user policies include group filtering, which allows the policy to be applied at a higher level within the Directory tree structure so that an Active Directory group can be used as the filter so that the policy would apply only to the members of that group. Another more complex method is to apply the policy to an OU of computers so that the specific user policies will be applied to the users when they login to these specific computers, which is called loop back processing. Once policies have been applied to the appropriate domain, OU or filtered on a group, the policies will be applied to the Mac OS X system as soon as the user logs into the Active Directory domain. This ensures that the most current policy is enforced at all times across the enterprise. These user policies can be used to ensure that the user is presented a consistent and controlled desktop environment as well as to prevent the user from changing system settings that are under administrative control either manually or via Group Policy control. The following Group Policy is used to define the user s ability to see the System Preferences, specifically the System items within the System Preferences. Figure 6. With Group Policy you can control the Mac OS X desktop environment and prevent users from using specific System items. Once these settings are defined and a user logs into the system, they will be able to see only the System Preference items that are enabled; disabled items are not shown. Based CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 18

22 on the settings defined in Figure 6 across all the System Preference visibility settings, the user will see the following interface after login. Figure 7. Specific System settings have been disabled through Group Policy. Other policies are designed to lock down the environment and control what the user is allowed to do, including locking the Dock, controlling which applications the user can run, and preventing the user from accessing removable media of any kind that would allow data to be extracted. Application access controls are easily enforced in the Group Policy interface by selecting the specific applications that the user should be able to run, denying the user the right to run any program they are not authorized for CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 19

23 Figure 8. This user policy specifies that the Chess, DVD Player, and ichat applications cannot be launched. With the policy settings specified in Figure 8 in place, an Mac OS X user who tried to launch the DVD Player would see the following message CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 20

24 Figure 9. Mac OS X users are notified when they try to launch a proscribed application. 4 Streamlined Deployment: Workstation Mode and Automated Installation The Centrify DirectControl for Mac OS X installation program, provided in universal binary format, makes it easy to deploy DirectControl whether you need to install on Macs individually or centrally install on hundreds or thousands of Macs across your enterprise. A pre-installation environment analysis tool and DirectControl s workstation mode also streamline deployment. On individual systems, a graphic, interactive installation program walks users through the setup. System administrators can of course also use this interactive installation program on individual systems, but for large deployments they will want to extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify web site for instructions. The installation package can also be distributed using third-party systems management solutions such LanREV. The ADcheck analyzer can identify any issues that could prevent a successful installation. The most common problems are DNS configuration issues that prevent the Mac from locating an Active Directory domain controller on the network. End-users can run the ADCheck tool themselves prior to installing DirectControl as long as the ADcheck tool does not identify any issues; although they would probably need assistance from IT if ADcheck discovers any problems CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 21

25 In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl s workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters. Figure 10. Administrators can join Mac OS X systems into AD just as any other Windows system in Workstation Mode into a Centrify Zone for more complex environments. Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode. However, workstation mode differs from standard mode in two regards. First, the installation process has been streamlined. You do not need to install the Centrify Administrator s Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. Second, the Mac is added to Active Directory without being associated to a DirectControl Zone. This means that any user with an Active Directory account can log into that Mac, just as any user with an Active Directory account can log into a Windows workstation. If you need to limit access to a subset of Active Directory users, it is easy enough to install the Centrify Administrator Console CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 22

26 and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed. Organizations can view workstation mode as a permanent solution for managing Macs centrally from Active Directory. Or the workstation mode installation may simply represent a way to quickly deploy DirectControl and add Macs to Active Directory while deferring the implementation of Zone-based access controls to a later date. On UNIX and Linux server systems that have not been centrally managed, Zones are also frequently useful for enabling the mapping of multiple UIDs and GIDs that may exist for a single user to that user s Active Directory account. This issue does not exist on Macs because logins and permission-based access to, say, network shares are not managed using UIDs or GIDs but through Kerberos credentials. When a user logs in to a Mac joined to Active Directory in workstation mode, the DirectControl Agent automatically derives a valid, globally unique UID from the user s Active Directory SID, which ensures consistency on all Mac OS X systems where the user logs in. DirectControl-managed Macs can also be configured to leverage your organization s centralized Windows home directory servers as specified in the user s Active Directory network home profile setting. If an Active Directory user has a network home folder defined in their profile, then the DirectControl Agent mounts this network share as the user s home directory. If the workstation is a portable system, then the portable home directory feature can be used to establish a local home directory that is synchronized to the user s network home directory. IT administrators can control these settings for user accounts using Group Policy. There is also a computer Group Policy that can override these settings for example, to prevent local local home directories on a kiosk machine or to provide roaming profiles for Mac users. 5 Strong Authentication and Single Sign-on through Smart Card Login to Active Directory Smart card-based authentication is a requirement in some industries and is gaining in popularity in other organizations that, for security and/or compliance reasons, want to move beyond user authentication based solely on an individual knowing a user name and password. DirectControl provides broad support for smart card login to Active Directory on Mac OS X supporting CAC, PIV and.net smart cards, enforces Active Directorydefined user account policies for smart card use, and supplies Group Policies that enable you to fine-tune smart card settings CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 23