Using Centrify s DirectControl with Mac OS X

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Using Centrify s DirectControl with Mac OS X"

Transcription

1 WHITE PAPER CENTRIFY CORP. OCTOBER 2008 Using Centrify s DirectControl with Mac OS X Centralized, Active Directory-based authentication, access control and policy enforcement for Mac OS X systems in Windows environments ABSTRACT Macintosh computers have found widespread usage within several industries such as education, marketing and advertising, and have been adopted by government agencies for a broad range of uses. Many of these Macs have been managed either individually or as a group using tools provided by Apple. As the Mac continues to gain in popularity particularly within large organizations where Windows computers and administration tools are predominant, or within government agencies where security concerns are heightened there is a growing need to manage and secure Macs using a common set of Windowsbased administration tools. Centrify DirectControl for Mac OS X enables IT administrators to add Macintosh computers to their Windows Active Directory infrastructure to centrally manage the authentication, authorization and configuration of Mac OS X systems as well as to lock down the user s desktop environment. This lets IT administrators manage and secure Mac OS X systems using the same tools and processes already in place to manage Windows systems. This white paper provides an overview of the features and benefits of using Centrify DirectControl, and describes how an organization can realize substantial benefits by using DirectControl to integrate and centrally manage Mac OS X systems with Active Directory.

2 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Centrify Corporation. All rights reserved. Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. [WP ] CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE II

3 Contents 1 Introduction IT Support Challenges for Mac OS X in the Enterprise DirectControl Provides the Tools Required for IT to Support Mac OS X Centrify and the Enterprise Desktop Alliance Active Directory Authentication and Access Control for Mac OS X Active Directory User Authentication with DirectControl User Account and Administration Considerations with DirectControl Key Differences between DirectControl and Apple s Active Directory Plug-in Centralized Configuration and Policy Management for Mac OS X DirectControl Group Policy Enforcement on Mac OS X Common UNIX Group Policies for Mac OS X Computer Group Policies for Mac OS X User Group Policies for Mac OS X Streamlined Deployment: Workstation Mode and Automated Installation Strong Authentication and Single Sign-on through Smart Card Login to Active Directory Customer Benefits of the Centrify DirectControl Solution Summary How to Contact Centrify CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE III

4 1 Introduction Most organizations have standardized on Windows computers. However, Macintosh computers are becoming increasingly popular in a number of different areas. Where they were once relegated to educational organizations or specific departments within large organizations, they are now seen breaking out of the traditional roles of the creative marketing and advertising groups into the general computer population. However, many of these organizations have never truly seen these Macs as part of their global IT infrastructure. It is very common to see Mac OS X systems flying under the radar as standalone systems without any oversight from a central IT organization. 1.1 IT Support Challenges for Mac OS X in the Enterprise In the past, Macintosh users have typically acquired their own systems and were expected to support themselves or even work together within their own departments to support each other. Apple has focused their Windows and Active Directory integration services on providing tools that enable the Macintosh owner or group administrator to plug into these Windows-centric networks themselves, enabling Active Directory-based authentication and providing seamless access to Windows services using Macintoshcentric administrative tools. However, the configuration of these integration tools is managed locally on the individual Macintosh system and does not lend itself to the type of mass deployment or centralized administration most enterprise IT departments expect. And although Mac OS X systems can be configured with Macintosh-centric tools and services such as Apple Workgroup Manager, this requires you to set up a Mac management infrastructure using Apple s Open Directory Server that is independent and parallel to your Windows management infrastructure. This is a very typical configuration called the golden triangle, where authentication is performed by Active Directory and centralized configuration management is handled by Open Directory and Workgroup Manager. While the golden triangle configuration will work to provide basic integration, it still leaves the Macintosh community within the enterprise to support themselves. The real problem is that the IT staff spends the majority of their time supporting the Windows network, and they simply do not have the time to learn a new set of tools, nor do they have proper tools to manage or support Macintosh systems within their Windows centric environment. Consequently, they have left these groups of Macintosh users to manage and support their own systems. This lack of support and integration into the enterprise results in several problems that face the typical Macintosh user: IT staff do not have the tools or abilities to provide support and resolve problems on Macintosh systems. Security policies are not enforced consistently on Macintosh systems. Common services are simply not supported or provided to Macintosh users CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 1

5 Several factors are driving the need within IT to centralize authentication, authorization and support services as well as configuration management. IT must address regulatory compliance requirements across the organization, improve service levels, and enhance efficiency for both itself and end-users. Given these drivers, IT needs tools that enable them to provide a consistent level of service to all users regardless of the type of computer they use, preferably administering with the same tools that they use today without having to learn a new tool set. Although government and industry regulations are typically focused on systems where confidential customer or business data is stored, organizations in highly regulated industries or governmental agencies have an interest in ensuring best practices around secure and responsible use of personal workstations. Barriers to Macintosh adoption may be lowered in these organizations if IT security managers can be assured they have the tools at hand to lockdown the Mac desktop; for example, to require smart card-based log in, to prevent mounting of external storage devices, to disable the ability to create unsecured wireless networks, to limit access to applications, and to define the configuration of applications. 1.2 DirectControl Provides the Tools Required for IT to Support Mac OS X DirectControl for Mac OS X enables IT to integrate Macintosh systems into Active Directory and provide the level of support that these users require. DirectControl provides Active Directory-based authentication services as well as Group Policy enforcement leveraging the same administrative tools that IT currently uses to manage Windows systems. DirectControl authentication services are designed to integrate the Macintosh computer into Active Directory to provide authentication and login policy enforcement exactly like a Windows computer that is joined to Active Directory. Group Policy enforcement is also provided for both a) computer policies on the system to enable centralized management of the System Preferences configuration and b) user policies to enable centralized desktop configuration lockdown and application access controls on the Macintosh systems. DirectControl also supports smart card-based login. For large organizations, DirectControl provides the granular access controls and delegated administration features they need to manage logical groups of Mac systems separately. Using DirectControl s unique Zone technology, IT administrators can create groups of Mac systems that have their own set of users, administrators, and policies. Centrify also enables quick deployment of DirectControl through an automated installation program and a workstation mode that joins Macs to Active Directory immediately without the need for any additional setup sets CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 2

6 1.3 Centrify and the Enterprise Desktop Alliance As Centrify worked with large organizations to define requirements for Mac integration within a Windows-centric IT environment, customers frequently also asked questions regarding additional services that would further ease deployment and management of Macs. As a result, Centrify decided to spearhead the creation of the Enterprise Desktop Alliance (EDA), a consortium of Macintosh vendors that are delivering enterprise-class software solutions for Mac integration and interoperability with Windows environments. Along with Centrify s identity and access management solution for the Mac, the EDA partners also offer solutions for systems lifecycle management, enterprise data protection, file and print services, and virtualization. The EDA s web site provides a wide range of white papers to help customers research solutions, and the organization is sponsoring a series of online webinars demonstrating how their solutions can be used in tandem to lower barriers to acceptance of Macs within the enterprise.. The following sections describe the services provided by DirectControl, explain how DirectControl differs from Apple s management tools, and details the unique features and benefits of using DirectControl to manage populations of Macintosh computers, both large and small. 2 Active Directory Authentication and Access Control for Mac OS X While every Mac OS X system that Apple ships comes with a built-in repository for user and group information stored in a local NetInfo database, any time there is more than one Mac OS X system in a network where the users will need to either access shared resources or log in to other systems, it is best to configure a directory service to centrally manage these accounts, making them available to all the systems in the network. Apple provides many different options for configuring a network-based directory service, from plug-ins that allow usage of existing LDAP directories to their own Open Directory server. Apple also delivers an Active Directory plug-in that provides the basic functions of establishing a trusted relationship between the computer and Active Directory, which enables Active Directory user accounts to be used for login to the Mac OS X system. However, this plug-in requires local configuration to define how the user s UID and GID will be defined based on their Active Directory account; in most cases it is configured to automatically generate UIDs and GIDs for Active Directory users logging into the system. While this may be acceptable for smaller deployments where the configuration can be manually set for each system, it does not scale well for deployment in larger environments with larger numbers of Mac OS X systems CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 3

7 There are several key differences between DirectControl and the Active Directory plug-in that Apple provides with Mac OS X for authentication, such as centralized administrative control over the user s underlying Unix UID and GID assignment as well as the granular access controls which are centrally managed within Active Directory. DirectControl is designed as a complete Active Directory client for non-windows systems, including the Mac OS X platform, making it a direct replacement for the Apple Mac OS X Active Directory plug-in. All administration of user accounts, password policies and security policies are managed using Active Directory administrative tools, including Active Directory Users and Computers, the Group Policy Management Console, and the Group Policy Object Editor as well as the Centrify DirectControl Administrative Console CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 4

8 2.1 Active Directory User Authentication with DirectControl DirectControl for Mac OS X consists of two main architectural components. DirectControl for Systems DirectControl for Systems DirectControl for Applications Windows Computer DirectControl for Systems Microsoft Active Directory + Centrify DirectControl DirectControl Management Tools Administrator Figure 1. Components of the DirectControl Suite. On the Macintosh platform, a DirectControl Agent is installed on each server or workstation. The DirectControl Agent is not just a directory service plug-in; rather, it is a central service that provides both authentication and authorization services as well as Group Policy enforcement. The Agent also determines which DirectControlenabled users can log in to the system or network services using their Active Directory credentials. On the Windows platform, the optional DirectControl Management Tools can be installed on one or more Windows computers in the domain. These tools include the Centrify Administrator Console, property extensions to Active Directory Users and Computers, and a web-based Administrator s Console. If you are deploying DirectControl in workstation mode, it is not strictly required to install these tools. However, most organizations will want to use the management tools to implement CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 5

9 Group Policy on their Mac systems and to run the administrative reports. The management tools are required if you decide to implement the advanced access controls and delegated administration features provided by DirectControl Zones.. The optional DirectControl Management Tools are the only Windows software you might need. You are not required to install software on your Windows domain controllers, and DirectControl installation never requires modifications to your Active Directory schema. If you choose to use Zone-based access controls, as Macintosh users and computers join your Active Directory domain, the Centrify DirectControl Agent unobtrusively stores its data in an Active Directory program data container using a standardized method. Centrify DirectControl also works seamlessly and unobtrusively with Active Directory if you have previously installed Microsoft Services for UNIX (SFU), which applies its own schema changes to Active Directory to store UNIX attributes for user accounts. DirectControl also works with Microsoft s UNIX schema extensions that are included in Windows Server 2003 R2. The DirectControl Agent in effect turns the Mac OS X system into an Active Directory client. The Agent enables the Mac client to consume and respond to Active Directory services in the same way a Windows client does. Login Apps (login, ftp, ssh, etc.) Kerberized Apps (ssh, SMB etc.) System Config Files Directory Plugin Service Kerberos Libraries Group Policy Module Offline Credential Cache CLI Admin Tools DirectControl Daemon (adclient) Centrify DirectControl Agent Windows Domain Controllers Microsoft Active Directory Figure 2. Architecture of the DirectControl for Mac OS X Agent The DirectControl Agent is responsible for the following functions in order to provide a secure authentication framework for integrating Mac OS X into Active Directory. Enables the Macintosh computer to join an Active Directory domain. Once the Macintosh system has been joined to the Active Directory domain, it is visible as a standard computer object in the Active Directory Users and Computers console CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 6

10 Locates the relevant domain controllers based on the Active Directory forest and site topology, also known as being site-aware. Maintains time synchronization with Active Directory domain controllers if desired. Maintains an MIT-based Kerberos environment so that existing Kerberos applications will work seamlessly with Active Directory to provide users with single sign-on access to network resources such as Windows file servers and print queues. Ensures network security by resetting the password on its machine account at regular intervals according to Active Directory domain policies. Enables logins using users Active Directory credentials. Logging on in this context means not only logging into the Mac OS X graphic interface, but also connecting to the Macintosh through a remote SSH or Apple Remote Desktop interface. Enables authentication with smart cards, including PIV, CAC and.net cards. Updates a user s last login time upon Active Directory login to ensure that password expiration policies are being enforced properly. Stores user credentials and profiles so that users can log on when the computer is disconnected from the network, which is especially useful for laptop computers without requiring a locally defined mobile user. Caches responses from Active Directory information queries to reduce the load on the domain controllers. Validates that the user has appropriate permissions to log in to the Macintosh system based on account policies. For example, Active Directory provides a set of accountspecific controls enabling the administrator to activate or disable a user s Active Directory account as well as to control the time of day the user is allowed to log in. When the Mac is a member of a DirectControl Zone, validates that the user has appropriate permissions to log in based on Zone memberships and allowed group membership. Determines a user s full UNIX-enabled Active Directory group membership (including nested groups) the first time the user logs on. Supports users managing their Active Directory passwords from Macintosh systems both for the ad hoc password change as well as for expired password at login. Validates privileged account logins centrally from Active Directory when needed without requiring previously defined local administrator accounts. Dynamically creates home directories locally on the computer for users whose profile defines a local home directory path. DirectControl also supports seamlessly mounting network-based home directories from Windows servers or AFP servers as CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 7

11 well as providing the option to define a locally synchronized version of the network home directory for laptop users. Enforces user Group Policies that control the user s desktop experience such as application access control and dock settings as well as to control the user s ability to execute privileged operations. Provides authenticated single sign-on access to Windows print queues using the user s Active Directory credentials to ensure proper access and accounting for user access to printers. 2.2 User Account and Administration Considerations with DirectControl Many organizations will have more than one grouping of computer systems that are used for a specific purpose, and typically it is neither desirable nor practical to allow all users in an enterprise to log on to any system. To deal with this, Centrify has developed the concept of Zones to create a way of grouping systems in order to provide fine-grained access controls and delegated administration. In addition to using Zones for access control, organizations with a diverse environment of UNIX, Linux and Mac systems also have the option of using Zones to avoid collisions in user IDs and group IDs. Although Mac end-users rarely also need login privileges on UNIX or Linux systems, IT administrators will want to read this section for the complete picture of how Zones work within a large, mixed environment. Keep in mind in this section that Zones are not available for Macs that were added to Active Directory using DirectControl s workstation mode. Figure 3. Example of an Enterprise Organized into Departmental Zones The DirectControl Zone technology, as shown in the illustration above, works like this: CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 8

12 Each DirectControl-managed UNIX, Linux or Mac system can be placed into a DirectControl Zone, typically directly mapping to an existing logical security boundary or administrative grouping such an organizational department or lab. A user (Joan Smith in Figure 3) is configured in Active Directory with her normal Windows information, such as name, password, group membership and so on. In addition, the Centrify Profiles that Centrify adds to her Active Directory account indicates which Zones she can access. For each Zone, Joan s UNIX/Mac profile in Active Directory stores account information specific to that Zone: UNIX user name, user ID, shell, and home directory for example. Thus, a single Active Directory account can be mapped to any number of UNIX/Mac identities. Joan can log in to computers only in the Zones to which she has been granted access. Whereas Joan has access to several Zones, another user for example, a student in a university setting could be given rights to access only Macs in a Zone set up for a classroom lab, and not be given access to Macs or other systems in Zones set up for computers used in administrative or research departments. As Figure 3 illustrates, Joan authenticates through Active Directory regardless of which system she logs in to. The Zones are part of the same Active Directory domain where Joan s account exists. Delegation and separation of duties is a critical component of any centralized administration solution where security is a concern. DirectControl Zones provide an environment with Active Directory that leverages native access control rules within Active Directory to delegate UNIX profile management as well as UNIX/Mac system access rights management to UNIX administrators without requiring domain administrator rights. With DirectControl, UNIX and Mac administrators do not need rights to modify or create user objects, which is typically a privileged operation within the enterprise. Additionally, each Zone can have its own set of administrators, each with specific privileges within the Zone. In our university example, Joan may be an IT administrator who has the right to create and modify user accounts in Active Directory for students and employees, and the right to create Zones and add users to Zones. However, a graduate student who runs a Macintosh lab could be given rights only to add or remove existing user accounts to the Mac lab Zone. This added security feature means not only can users and computers be compartmentalized into logical secure groups, but the administrators who manage those systems can also be segregated. For many organizations, the ability to finely control the elevated privileges for administrators is essential for maintaining appropriate levels of confidentiality and for complying with regulatory controls CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 9

13 2.3 Key Differences between DirectControl and Apple s Active Directory Plug-in DirectControl is designed to provide what seems on the surface as an equivalent solution to the Active Directory plug-in that Apple provides with Mac OS X out of the box; however, there are several key differences between the solutions. Fundamentally, DirectControl is designed to provide the centralized administration staff with the tools required to centrally manage heterogeneous computing environments from existing Windows administrative tools. Here are some of the key differences: DirectControl provides consistent Active Directory integration across multiple platforms. DirectControl provides a single integration solution not only for Mac OS X but for popular UNIX and Linux platforms as well. DirectControl Zones can be used to further control user access as well as to segregate the Macintosh user population and administrative staff and keep their rights at a minimum within Active Directory. Offline login is provided with locally cached account profiles for users with local home directories. However, if the user has a network home directory he will be prompted to create a mobile account to take advantage of the synchronization between the local and network-based home directories. DirectControl enables common account administration of both Windows and Macintosh systems leveraging tools such as Active Directory Users and Computers. UID and GID assignment is managed centrally within Active Directory as additional attribute information about these objects versus a local configuration within the Directory Services configuration interfaces. There are many security-related benefits to using DirectControl for Active Directory integration. For example, the machine account password is periodically changed, all communications to Active Directory are Kerberized, and user access to Windows print queues is authenticated in a single sign-on fashion. DirectControl provides a reporting facility to enable generation of several reports on Active Directory information such as computer access reports. DirectControl provides delegated administration with separation of duties between Active Directory and Macintosh administrators as well as between groups of Macintosh administrators. Additionally, the DirectControl Agent that provides user authentication and authorization services also provides Group Policy enforcement to enable centralized configuration management. Centralized configuration and Group Policy services are described in more detail in the next section CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 10

14 3 Centralized Configuration and Policy Management for Mac OS X Configuration management and policy enforcement across an enterprise is extremely important to most organizations, especially if there is a need to ensure that security policies are properly enforced across all computers. Additionally there are several benefits to centralizing the configuration of workstations and servers, including: Reducing the effort required to bring a new computer into the environment, configuring it properly and ensuring that it stays configured properly throughout its lifecycle, resulting in a much lower total cost of ownership. Ensuring that security policies are properly enforced across the enterprise to ensure that no holes exist for potential attackers to exploit. Automatically configuring the user environment so that all users have a consistent computing experience that provides them the services they need to accomplish their work. Apple provides a tool to centrally manage the configuration and security policies of Mac OS X computers. However, this tool, Workgroup Manager, requires either a set of schema modifications to Active Directory in order to integrate or a separate Open Directory deployment in order to provide centralized management. However, in Windows environments, most administrators use Group Policy to centrally configure Windows workstations to enforce consistent security policies as well as to ensure a consistent end-user experience across all workstations deployed within the environment. DirectControl provides broad and robust support for Group Policy on the Mac. IT administrators thus have a single tool to configure and enforce consistent security policies to all non-windows computers, including Mac OS X systems. DirectControl also enables IT administrators to configure and secure their Mac environment through Group Policy without having detailed knowledge of Mac desktop configuration. In environments where workstation security is particularly important, giving IT security administrators the ability to lockdown Mac workstations through Group Policy can help lower barriers to adoption DirectControl Group Policy Enforcement on Mac OS X Windows Group Policy works by forcibly setting user and computer registry keys on Windows machines, and since almost all of a Windows system is configured through registry settings, this is a very natural and simple way to enforce almost any policy. However, in UNIX and Mac environments there is no equivalent to the Windows registry. The de-facto standard for configuration is ASCII text files. To deliver Active Directory s Group Policy capabilities in UNIX and Mac environments, DirectControl creates a virtual registry of the policies that apply to either the computer itself or tp the users who log in to the system. The enforcement of these virtual registry settings is handled by two different mechanisms depending on the service or configuration that needs to be controlled. For applications CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 11

15 that use a configuration file to manage their settings, DirectControl provides a specific mapper program that knows what needs to be set in the configuration file or, on Macintosh systems, in the plist file for the application associated with the particular virtual registry setting. Additionally, many of the System Preference settings and user environment controls are provided by the MCX subsystem within Mac OS X. Several of DirectControl s the user Group Policies are enforced through the MCX subsystem. The DirectControl Agent first must update the Group Policy settings into its virtual registry based on the computer account or the user who is logged in to the system. This load event is triggered by: System startup. When the DirectControl daemon starts up (usually when the system boots up), it updates the computer s registry. User log on. When a user logs on, the DirectControl Agent creates or updates the user s registry settings. adgpupdate command. The DirectControl Agent can be forced to immediately update the user and computer registries through this command line. Periodic refresh interval. The DirectControl Agent will also refresh the virtual registry on a periodic basis according to the Group Policy refresh interval setting in the domain policy. The loading of policy is asynchronous, which is equivalent to the behavior in recent Windows versions. The loaded settings are stored on the local machine for disconnected operation. Once the virtual registry has been updated through one of the events described above, then either the appropriate mapper program is activated to update or create the configuration or plist file, or the appropriate MCX setting is defined for the application or System Preference being controlled. 3.2 Common UNIX Group Policies for Mac OS X Centrify includes a set of Active Directory Group Policies that are common to UNIX, Linux and Mac OS X platforms that can be applied to users or systems, as appropriate. DirectControl includes more Group Policy objects than any other solution, including policies to manage all aspects of DirectControl: how users log on, password prompts, network and cache timeout settings, Kerberos settings, name lookup and user authentication overrides, password caching, LDAP settings, locally defined user/group maps, and more. There are also several other policies that can be generically applied to UNIX, Linux and Mac OS X systems, such as managing crontab settings, iptables-based firewall configuration for Linux systems, file system mount points as well as running commands or scripts at login and managing the sudo permissions file. DirectControl enforces both computer and user policies and additionally supports advanced Group Policy features such as filtering of policies as well as loop back processing for those environments that require this level of control CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 12

16 A good example of the value of enforced policy can be seen with the administration of the sudoers file, since this file defines who can run privileged programs on Mac OS X systems such as unlocking privileged System Preferences items. Using this common Group Policy, you can ensure that end-users are automatically configured with the rights they require at login. It is also possible to configure IT administrator accounts with the appropriate rights they need on all Mac OS X systems regardless of any locally defined configuration, even if they do not have a local account, since DirectControl will provide access based on centrally managed security policies. The sudo Group Policy can now be used as a direct replacement for the checkbox in the Accounts System Preference to Allow user to administer this computer since it will accomplish the same results, but is now centrally controlled via Group Policy. If the configuration of this file is not strictly controlled across every system in your organization, then security is not only compromised on an individual system but also potentially compromised across your organization. Centrify s Group Policy enforcement ensures that your systems are secured in a consistent, enforced manner. For added flexibility, you can also create your own custom administrative templates to describe any additional policy settings that you would like to enforce for your own application or other service which DirectControl does not provide already. In order to enforce these policies on the Mac OS X systems, you can use standard Perl scripting to create your own mapping programs that will update or create relevant configuration or plist files. Several example policies are provided to make creating your own policies much simpler. 3.3 Computer Group Policies for Mac OS X DirectControl for Mac OS X extends beyond the common UNIX policies described above to provide additional Mac OS X-specific policies to enable the administrator to centrally control the security policies and services of the computer. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy. The following table shows the categories of computer policies and what each controls as seen within the System Preferences. Computer Policy Category Individual Policies That Can Be Enforced Security Require password to unlock each secure system preference Disable automatic login Use secure virtual memory Log out after n number minutes of inactivity Enable smart card support Require smart card login CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 13

17 Computer Policy Category Individual Policies That Can Be Enforced Sharing Services Services settings (to turn on off sharing for each service, such as personal file sharing, remote login, etc.) Network Adjust list of searched domains Adjust list of DNS servers Enable proxies (FTP, HTTP, HTTPS, etc.) Configure proxies Firewall Settings Enable the firewall Firewall settings (to turn on off firewall for each service such as ichat, etc.) Block UDP traffic Enable network time Enable firewall logging Enable stealth mode Internet Sharing Disallow all Internet sharing Accounts Display Login Window settings Show the Restart, Sleep and Shutdown buttons Set the Display Banner Control the login Window to show either Name and Password or List of users Control password hint display Enable fast user switching Map Zone admin groups to local admin groups Energy Saver Configure different energy saver settings listed below for both AC Power and Battery power Put display to sleep if inactive Put computer to sleep if inactive Put the hard disk(s) to sleep when possible Wake when the modem detects a ring Wake for Ethernet network administrator access Allow power button to sleep the computer Restart automatically after a power failure Software Update Settings Automatically download and install software updates Specify software update server Remote Management Enable ARD administrator group Enable ARD report group Enable ARD management group Enable ARD interactive group CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 14

18 You can apply these policies to the domain or to an organizational unit (OU), and the policies will be applied to the Mac OS X system as soon as it has been joined to the Active Directory domain. This enables rapid bulk configuration of these security policies for all Mac OS X computers within the domain or OU without having to manually configure each system by hand, greatly reducing the total cost of ownership of these computers. Most of these computer policies serve an important role in managing the computer s more important settings, but let s take a closer look at one of these policies to see how the computer settings are managed with Active Directory Group Policy Object Editor. The screen shot below shows the Group Policy interface for controlling the Login Window settings. Figure 4. Using Group Policy to control Login Window settings for Mac OS X Once the settings you want to enforce have been defined within this dialog, they are then retrieved and enforced on the Mac OS X system by the DirectControl Group Policy services. The result of the policy being enforced on the system can be seen in the Mac System Preferences panel after the Group Policy is refreshed on the system with the adgpupdate command or after the periodic update interval has lapsed CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 15

19 Figure 5. The Mac OS X System Preferences panel shows the new setting distributed through Group Policy The enforcement of these computer policies can help to address regulatory compliance requirements since many of these policies are designed to provide centralized control over the defined requirements, such as enforcing machine security when the user is not present. 3.4 User Group Policies for Mac OS X DirectControl also provides an extended set of Group Policies to control the user s desktop environment, which would normally be controlled with Workgroup Manager. These policies enable the administrator to not only configure how the desktop environment appears, but also to control the applications that the user is allowed to run as well as whether or not the user is allowed to access external or recordable media to prevent data theft from the controlled environment. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy. The following table shows the categories of user policies and what each controls as seen within the System Preferences. User Policy Category Individual Policies That Can Be Enforced Application Access Control access to specific applications Control access to UNIX tools and utilities Control access to Apple Script CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 16

20 User Policy Category Desktop & Screen Saver Individual Policies That Can Be Enforced Enforce screen saver Screen saver timeout Dock Settings Dock size Magnification Position on screen Animation for application opening Auto hide the Dock Lock the Dock display to prevent changes Control applications displayed in the Dock Display other folders or documents in the Dock Finder Settings Set Finder Type to Normal or Simple Folder Redirection At Login, Logout or periodic intervals perform the following folder redirection settings. Delete a user s path Delete symbolic links Create symbolic links Rename symbolic links Other Application Settings Media Access Controls Mobility Sync Settings Distribute application specific plist files Control access to CDs and CD-ROMs Control access to DVDs Control access to recordable discs Control access to internal disks Control access to external disks (including USB Flash disks and ipods) Force eject of removable media at logout Control synchronization Control what items will sync at login/logout Control what items will sync in the background Control what items should be skipped Scripts Specify login and logout scripts Security Require password to wake this computer from sleep or screen saver Smart card removal policy to lock screen or logout Prohibit screen saver unlock with expired password (when offline) System Preference Settings Limit which items will be shown in System Preferences Control display of each item in System Preferences CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 17

21 User policies such as these can be applied in many ways. The typical method is to apply the policy to an OU within Active Directory, which will apply the policy to all the users within that OU of the directory. Other methods of applying these user policies include group filtering, which allows the policy to be applied at a higher level within the Directory tree structure so that an Active Directory group can be used as the filter so that the policy would apply only to the members of that group. Another more complex method is to apply the policy to an OU of computers so that the specific user policies will be applied to the users when they login to these specific computers, which is called loop back processing. Once policies have been applied to the appropriate domain, OU or filtered on a group, the policies will be applied to the Mac OS X system as soon as the user logs into the Active Directory domain. This ensures that the most current policy is enforced at all times across the enterprise. These user policies can be used to ensure that the user is presented a consistent and controlled desktop environment as well as to prevent the user from changing system settings that are under administrative control either manually or via Group Policy control. The following Group Policy is used to define the user s ability to see the System Preferences, specifically the System items within the System Preferences. Figure 6. With Group Policy you can control the Mac OS X desktop environment and prevent users from using specific System items. Once these settings are defined and a user logs into the system, they will be able to see only the System Preference items that are enabled; disabled items are not shown. Based CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 18

22 on the settings defined in Figure 6 across all the System Preference visibility settings, the user will see the following interface after login. Figure 7. Specific System settings have been disabled through Group Policy. Other policies are designed to lock down the environment and control what the user is allowed to do, including locking the Dock, controlling which applications the user can run, and preventing the user from accessing removable media of any kind that would allow data to be extracted. Application access controls are easily enforced in the Group Policy interface by selecting the specific applications that the user should be able to run, denying the user the right to run any program they are not authorized for CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 19

23 Figure 8. This user policy specifies that the Chess, DVD Player, and ichat applications cannot be launched. With the policy settings specified in Figure 8 in place, an Mac OS X user who tried to launch the DVD Player would see the following message CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 20

24 Figure 9. Mac OS X users are notified when they try to launch a proscribed application. 4 Streamlined Deployment: Workstation Mode and Automated Installation The Centrify DirectControl for Mac OS X installation program, provided in universal binary format, makes it easy to deploy DirectControl whether you need to install on Macs individually or centrally install on hundreds or thousands of Macs across your enterprise. A pre-installation environment analysis tool and DirectControl s workstation mode also streamline deployment. On individual systems, a graphic, interactive installation program walks users through the setup. System administrators can of course also use this interactive installation program on individual systems, but for large deployments they will want to extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify web site for instructions. The installation package can also be distributed using third-party systems management solutions such LanREV. The ADcheck analyzer can identify any issues that could prevent a successful installation. The most common problems are DNS configuration issues that prevent the Mac from locating an Active Directory domain controller on the network. End-users can run the ADCheck tool themselves prior to installing DirectControl as long as the ADcheck tool does not identify any issues; although they would probably need assistance from IT if ADcheck discovers any problems CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 21

25 In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl s workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters. Figure 10. Administrators can join Mac OS X systems into AD just as any other Windows system in Workstation Mode into a Centrify Zone for more complex environments. Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode. However, workstation mode differs from standard mode in two regards. First, the installation process has been streamlined. You do not need to install the Centrify Administrator s Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. Second, the Mac is added to Active Directory without being associated to a DirectControl Zone. This means that any user with an Active Directory account can log into that Mac, just as any user with an Active Directory account can log into a Windows workstation. If you need to limit access to a subset of Active Directory users, it is easy enough to install the Centrify Administrator Console CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 22

26 and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed. Organizations can view workstation mode as a permanent solution for managing Macs centrally from Active Directory. Or the workstation mode installation may simply represent a way to quickly deploy DirectControl and add Macs to Active Directory while deferring the implementation of Zone-based access controls to a later date. On UNIX and Linux server systems that have not been centrally managed, Zones are also frequently useful for enabling the mapping of multiple UIDs and GIDs that may exist for a single user to that user s Active Directory account. This issue does not exist on Macs because logins and permission-based access to, say, network shares are not managed using UIDs or GIDs but through Kerberos credentials. When a user logs in to a Mac joined to Active Directory in workstation mode, the DirectControl Agent automatically derives a valid, globally unique UID from the user s Active Directory SID, which ensures consistency on all Mac OS X systems where the user logs in. DirectControl-managed Macs can also be configured to leverage your organization s centralized Windows home directory servers as specified in the user s Active Directory network home profile setting. If an Active Directory user has a network home folder defined in their profile, then the DirectControl Agent mounts this network share as the user s home directory. If the workstation is a portable system, then the portable home directory feature can be used to establish a local home directory that is synchronized to the user s network home directory. IT administrators can control these settings for user accounts using Group Policy. There is also a computer Group Policy that can override these settings for example, to prevent local local home directories on a kiosk machine or to provide roaming profiles for Mac users. 5 Strong Authentication and Single Sign-on through Smart Card Login to Active Directory Smart card-based authentication is a requirement in some industries and is gaining in popularity in other organizations that, for security and/or compliance reasons, want to move beyond user authentication based solely on an individual knowing a user name and password. DirectControl provides broad support for smart card login to Active Directory on Mac OS X supporting CAC, PIV and.net smart cards, enforces Active Directorydefined user account policies for smart card use, and supplies Group Policies that enable you to fine-tune smart card settings CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 23

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac Making it easy to deploy, integrate and manage Macs, iphones and ipads in a Windows environment. Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac 2011 ENTERPRISE DEVICE

More information

Centralized Mac Home Directories with ExtremeZ-IP

Centralized Mac Home Directories with ExtremeZ-IP APPLICATION NOTE Centralized Mac Home Directories with ExtremeZ-IP Published: July 2009 Abstract Organizations wanting to integrate Mac OS X systems into their Windows-based enterprise network will most

More information

Managing UNIX Generic and Service Accounts with Active Directory

Managing UNIX Generic and Service Accounts with Active Directory APPLICATION NOTE Managing UNIX Generic and Service Accounts with Active Directory Published: June 2007 Abstract Generic accounts are commonly used to enable UNIX administrative staff to log on to a computer

More information

Manage Your Mac with Active Directory Group Policies

Manage Your Mac with Active Directory Group Policies Manage Your Mac with Active Directory Group Policies How to secure Mac OS X systems with your Active Directory infrastructure WWW.CENTRIFY.COM Manage your Mac with Active Directory Group Policies Contents

More information

Windows Security and Directory Services for UNIX using Centrify DirectControl

Windows Security and Directory Services for UNIX using Centrify DirectControl SOLUTION GUIDE CENTRIFY CORP. SEPTEMBER 2005 Windows Security and Directory Services for UNIX using Centrify DirectControl With Centrify, you can now fully leverage your investment in Active Directory

More information

Active Directory and DirectControl

Active Directory and DirectControl WHITE PAPER CENTRIFY CORP. Active Directory and DirectControl APRIL 2005 The Right Choice for Enterprise Identity Management and Infrastructure Consolidation ABSTRACT Microsoft s Active Directory is now

More information

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite

Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite WHITE PAPER CENTRIFY CORP. MARCH 2009 Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite Securing and auditing administrative access to the Virtual Infrastructure

More information

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper April 2009

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper April 2009 Best Practices: Integrating Mac OS X Technical White Paper April 2009 2 Contents Page 3 Page 5 Page 9 Page 10 Page 11 Page 12 Apple s Built-In Solution How to Integrate Mac OS X Getting Started dsconfigad

More information

Centrify-Enabled Samba

Centrify-Enabled Samba CENTRIFY CORP. Centrify-Enabled Samba DECEMBER 2009 The easy-to-manage enterprise solution for Active Directory-enabled Samba file sharing ABSTRACT Samba is one of the most popular open source technologies

More information

Centralizing Mac Home. Live Webinar David McNeely Centrify Geordie Korper Group Logic

Centralizing Mac Home. Live Webinar David McNeely Centrify Geordie Korper Group Logic Centralizing Mac Home Directories on Windows Servers Live Webinar David McNeely Centrify Geordie Korper Group Logic Agenda EDA Overview Centrify DirectControl Group Logic ExtremeZ-IP Centralizing Home

More information

An Overview of Samsung KNOX Active Directory and Group Policy Features

An Overview of Samsung KNOX Active Directory and Group Policy Features C E N T R I F Y W H I T E P A P E R. N O V E M B E R 2013 An Overview of Samsung KNOX Active Directory and Group Policy Features Abstract Samsung KNOX is a set of business-focused enhancements to the Android

More information

Windows Least Privilege Management and Beyond

Windows Least Privilege Management and Beyond CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has

More information

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Open Directory. Apple s standards-based directory and network authentication services architecture. Features Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data

More information

Using Apple Remote Desktop to Deploy Centrify DirectControl

Using Apple Remote Desktop to Deploy Centrify DirectControl APPLICATION NOTE Using Apple Remote Desktop to Deploy Centrify DirectControl Published: June 2007 Abstract Apple Remote Desktop is commonly used by administrators to perform various administrative management

More information

What s New in Centrify Server Suite 2014

What s New in Centrify Server Suite 2014 CENTRIFY SERVER SUITE 2014 WHAT S NEW What s New in Centrify Server Suite 2014 The new Centrify Server Suite 2014 introduces major new features that simplify risk management and make regulatory compliance

More information

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007 Best Practices: with Active Directory Technical White Paper September 2007 Contents Page 3 Page 4 Page 8 Page 10 Page 11 Page 13 Apple s Built-In Solution How to Integrate Mac OS X with Active Directory

More information

The Centrify Vision: Unified Access Management

The Centrify Vision: Unified Access Management The Centrify Vision: Unified Access Management Control, Secure and Audit Access To Your On-Premise and Cloud-based Infrastructure On-premise Centrify the Enterprise Cloud Personal Devices Mobile Devices

More information

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.

More information

Macintosh Printer Management using Centrify DirectControl Group Policies

Macintosh Printer Management using Centrify DirectControl Group Policies WHITE PAPER CENTRIFY CORP. MARCH 2010 Macintosh Printer Management using Centrify DirectControl Group Policies ABSTRACT This white paper examines various approaches to managing printer configuration files

More information

File Services. File Services at a Glance

File Services. File Services at a Glance File Services High-performance workgroup and Internet file sharing for Mac, Windows, and Linux clients. Features Native file services for Mac, Windows, and Linux clients Comprehensive file services using

More information

Using DirectControl with Network Appliance Filers

Using DirectControl with Network Appliance Filers Application Note Using DirectControl with Network Appliance Filers Published: June 2006 Abstract This Application Note describes the integration between Network Appliance servers and Centrify DirectControl

More information

CENTRIFY TRAINING CLASS Centrify Suite Standard Edition - Mac OS X Training Course Details. Format: 100% lecture including demonstrations.

CENTRIFY TRAINING CLASS Centrify Suite Standard Edition - Mac OS X Training Course Details. Format: 100% lecture including demonstrations. Centrify Suite Standard Edition - Mac OS X Training Course Details Synopsis This course introduces the customer to the Centrify Mac OS X specific features of the Centrify Suite Standard Edition. What You

More information

Active Directory Compatibility with ExtremeZ-IP

Active Directory Compatibility with ExtremeZ-IP Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices White Paper Group Logic White Paper October 2010 About This Document The purpose of this technical paper is to discuss how ExtremeZ-IP

More information

Centrify Identity and Access Management for Cloudera

Centrify Identity and Access Management for Cloudera Centrify Identity and Access Management for Cloudera Integration Guide Abstract Centrify Server Suite is an enterprise-class solution that secures Cloudera Enterprise Data Hub leveraging an organization

More information

Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper

Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.

More information

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory W H I T E P A P E R C E N T R I F Y C O R P. M A Y 2008 Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory The Active Directory-Based Single Sign-On Solution

More information

Likewise Security Benefits

Likewise Security Benefits Likewise Enterprise Likewise Security Benefits AUTHOR: Manny Vellon Chief Technology Officer Likewise Software Abstract This document describes how Likewise improves the security of Linux and UNIX computers

More information

Apple Technical White Paper Best Practices for Integrating OS X with Active Directory

Apple Technical White Paper Best Practices for Integrating OS X with Active Directory Best Practices for Integrating OS X with Active Directory OS X Mavericks v10.9 Contents Introduction... 4 How to Integrate OS X with Active Directory... 5 Enterprise Integration Challenges... 8 Deployment

More information

Centrify Suite 2012 Express

Centrify Suite 2012 Express Centrify Suite 2012 Express Administrator s Guide November 2011 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject to the terms

More information

Apple Technical White Paper Best Practices for Integrating OS X with Active Directory

Apple Technical White Paper Best Practices for Integrating OS X with Active Directory Best Practices for Integrating OS X with Active Directory OS X Mountain Lion v10.8 Contents Introduction... 3 How to Integrate OS X with Active Directory... 4 Enterprise Integration Challenges... 7 Deployment

More information

Direct Control for Mobile & Supporting Mac OS X in Windows Environments

Direct Control for Mobile & Supporting Mac OS X in Windows Environments Direct Control for Mobile & Supporting Mac OS X in Windows Environments Leveraging Existing IT Staff Knowledge, Processes and Infrastructure to Support Mac OS X Systems and Their Users Ed Frola Senior

More information

Windows BitLocker Drive Encryption Step-by-Step Guide

Windows BitLocker Drive Encryption Step-by-Step Guide Windows BitLocker Drive Encryption Step-by-Step Guide Microsoft Corporation Published: September 2006 Abstract Microsoft Windows BitLocker Drive Encryption is a new hardware-enhanced feature in the Microsoft

More information

University of Oregon Information Services. Likewise Enterprise 5.3 Administrator s Guide

University of Oregon Information Services. Likewise Enterprise 5.3 Administrator s Guide University of Oregon Information Services Likewise Enterprise 5.3 Administrator s Guide Last Updated: March 2011 V7.1 Contents 1 - Preface... 4 2 - Definitions... 5 opt/likewise... 5 AD... 5 Domain...

More information

CONFIGURING ACTIVE DIRECTORY IN LIFELINE

CONFIGURING ACTIVE DIRECTORY IN LIFELINE White Paper CONFIGURING ACTIVE DIRECTORY IN LIFELINE CONTENTS Introduction 1 Audience 1 Terminology 1 Test Environment 2 Joining a Lenovo network storage device to an AD domain 3 Importing Domain Users

More information

Mac OS X Security Checklist:

Mac OS X Security Checklist: Mac OS X Security Checklist: Implementing the Center for Internet Security Benchmark for OS X Recommendations for securing Mac OS X The Center for Internet Security (CIS) benchmark for OS X is widely regarded

More information

Mac OS X and Directory Services Integration

Mac OS X and Directory Services Integration Mac OS X and Directory Services Integration Neha Setia 1 and Tarun Dalal 2 1 M.Tech Scholor, CBS Group of Institutions, CSE Department, MDU Rohtak, India setia_neha@yahoo.co.in 2 Assistant Professor, CBS

More information

Mac OS X Directory Services

Mac OS X Directory Services Mac OS X Directory Services Agenda Open Directory Mac OS X client access Directory services in Mac OS X Server Redundancy and replication Mac OS X access to other directory services Active Directory support

More information

Automating Cloud Security with Centrify Express and RightScale

Automating Cloud Security with Centrify Express and RightScale QUICK START GUIDE. MAY 2011 Automating Cloud Security with Centrify Express and RightScale How to secure cloud systems by joining them to your Active Directory infrastructure Abstract This Quick Start

More information

QuickStart Guide for Client Management. Version 8.7

QuickStart Guide for Client Management. Version 8.7 QuickStart Guide for Client Management Version 8.7 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide is accurate. JAMF Software

More information

Active Directory and Linux Identity Management

Active Directory and Linux Identity Management Active Directory and Linux Identity Management Published by the Open Source Software Lab at Microsoft. December 2007. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab.

More information

DriveLock and Windows 7

DriveLock and Windows 7 Why alone is not enough CenterTools Software GmbH 2011 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Step By Step Guide: Demonstrate DirectAccess in a Test Lab Step By Step Guide: Demonstrate DirectAccess in a Test Lab Microsoft Corporation Published: May 2009 Updated: October 2009 Abstract DirectAccess is a new feature in the Windows 7 and Windows Server 2008

More information

Windows Server Update Services 3.0 SP2 Step By Step Guide

Windows Server Update Services 3.0 SP2 Step By Step Guide Windows Server Update Services 3.0 SP2 Step By Step Guide Microsoft Corporation Author: Anita Taylor Editor: Theresa Haynie Abstract This guide provides detailed instructions for installing Windows Server

More information

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names,

More information

Google Apps Deployment Guide

Google Apps Deployment Guide CENTRIFY DEPLOYMENT GUIDE Google Apps Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate

More information

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust

More information

Module 1: Introduction to Active Directory Infrastructure

Module 1: Introduction to Active Directory Infrastructure Module 1: Introduction to Active Directory Infrastructure Contents Overview 1 Lesson: The Architecture of Active Directory 2 Lesson: How Active Directory Works 10 Lesson: Examining Active Directory 19

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Charles Firth charles@firthconsulting.com. Managing Macs in a Windows World

Charles Firth charles@firthconsulting.com. Managing Macs in a Windows World Charles Firth charles@firthconsulting.com Managing Macs in a Windows World Prerequisites Familiarity with Windows Active Directory networks Interest in Macintosh OSX integration and support Basic understanding

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Centrify Server Suite 2014

Centrify Server Suite 2014 Centrify Server Suite 2014 Administrator s Guide for Linux and UNIX June 2014 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject

More information

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7 Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

An Overview of Samsung KNOX Active Directory-based Single Sign-On

An Overview of Samsung KNOX Active Directory-based Single Sign-On C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android

More information

Manage, Extend, and Simplify Group Policy using Quest Group Policy Solutions

Manage, Extend, and Simplify Group Policy using Quest Group Policy Solutions Manage, Extend, and Simplify Group Policy using Quest Group Policy Solutions Technical Brief written by Darren Mar-Elia Chief Technology Officer Windows Management Quest Software, Inc. Copyright Quest

More information

WINDOWS 2000 Training Division, NIC

WINDOWS 2000 Training Division, NIC WINDOWS 2000 Active TE Directory Services WINDOWS 2000 Training Division, NIC Active Directory Stores information about objects on the network and makes this information easy for administrators and users

More information

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure Technical White Paper DESKTOP www.novell.com Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure * Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure

More information

AD RMS Step-by-Step Guide

AD RMS Step-by-Step Guide AD RMS Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for setting up a test environment to

More information

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010 Integrating Mac OS X 10.6 with Active Directory 1 April 2010 Introduction Apple Macintosh Computers running Mac OS X 10.6 can be integrated with the Boston University Active Directory to allow use of Active

More information

Centralized Management for UNIX, Linux, Mac and Java with Active Directory and DirectControl

Centralized Management for UNIX, Linux, Mac and Java with Active Directory and DirectControl WHITE PAPER CENTRIFY CORP. APRIL 2006 Centralized Management for UNIX, Linux, Mac and Java with Active Directory and DirectControl Centrify DirectControl delivers secure access control and centralized

More information

ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains

ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains Microsoft Corporation Published: July 2008 Authors: Moon Majumdar, Brad Mahugh Editors: Jim Becker, Fran Tooke Abstract This guide

More information

Module 8: Implementing Group Policy

Module 8: Implementing Group Policy Module 8: Implementing Group Policy Contents Overview 1 Lesson: Implementing Group Policy Objects 2 Lesson: Implementing GPOs in a Domain 12 Lesson: Managing the Deployment of Group Policy 21 Lab: Implementing

More information

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Chapter 10 Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Implement and troubleshoot Group Policy. Create a Group Policy object (GPO). Link an existing GPO. Delegate administrative

More information

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory

More information

Test Case 3 Active Directory Integration

Test Case 3 Active Directory Integration April 12, 2010 Author: Audience: Joe Lowry and SWAT Team Evaluator Test Case 3 Active Directory Integration The following steps will guide you through the process of directory integration. The goal of

More information

RES ONE Automation 2015 Task Overview

RES ONE Automation 2015 Task Overview RES ONE Automation 2015 Task Overview Task Overview RES ONE Automation 2015 Configuration Tasks The library Configuration contains Tasks that relate to the configuration of a computer, such as applying

More information

Centralized Identity and Access Management of Cross-Platform Systems and Applications with Active Directory and the Centrify Suite

Centralized Identity and Access Management of Cross-Platform Systems and Applications with Active Directory and the Centrify Suite WHITE PAPER CENTRIFY CORP. OCTOBER 2008 Centralized Identity and Access Management of Cross-Platform Systems and Applications with Active Directory and the Centrify Suite The Centrify Suite is an integrated

More information

FileMaker Server 15. Getting Started Guide

FileMaker Server 15. Getting Started Guide FileMaker Server 15 Getting Started Guide 2007 2016 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and FileMaker Go are trademarks

More information

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide c623242f-20f0-40fe-b5c1-8412a094fdc7 Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide Microsoft Corporation Published: June 2009 Updated: April 2010 Abstract

More information

Module 6: Deploying and Managing Software by Using Group Policy

Module 6: Deploying and Managing Software by Using Group Policy Module 6: Deploying and Managing Software by Using Group Policy Contents Overview 1 Lesson: to Managing Software Deployment 2 Lesson: Deploying Software 6 Lesson: Configuring Software Deployment 18 Lesson:

More information

Advanced Configuration Steps

Advanced Configuration Steps Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings

More information

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Sharp Remote Device Manager (SRDM) Server Software Setup Guide Sharp Remote Device Manager (SRDM) Server Software Setup Guide This Guide explains how to install the software which is required in order to use Sharp Remote Device Manager (SRDM). SRDM is a web-based

More information

1-bay NAS User Guide

1-bay NAS User Guide 1-bay NAS User Guide INDEX Index... 1 Log in... 2 Basic - Quick Setup... 3 Wizard... 3 Add User... 6 Add Group... 7 Add Share... 9 Control Panel... 11 Control Panel - User and groups... 12 Group Management...

More information

Windows Services. Support Windows and mixed-platform workgroups with high-performance, affordable network services. Features

Windows Services. Support Windows and mixed-platform workgroups with high-performance, affordable network services. Features Windows Services Support Windows and mixed-platform workgroups with high-performance, affordable network services. Features File and print services Integrated Samba 3 for native SMB/CIFS protocol support

More information

Windows Server 2008/2012 Server Hardening

Windows Server 2008/2012 Server Hardening Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible

More information

Large Scale Mac OS X Client Management Using Windows Servers

Large Scale Mac OS X Client Management Using Windows Servers Making it easy to deploy, integrate and manage Macs, iphones and ipads in a Windows environment. Large Scale Mac OS X Client Management Using Windows Servers By: Charles Edge Originally published in 2011

More information

Websense Support Webinar: Questions and Answers

Websense Support Webinar: Questions and Answers Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user

More information

You're reading an excerpt. Click here to read official APPLE REMOTE DESKTOP 1.2 user guide http://yourpdfguides.com/dref/1168427

You're reading an excerpt. Click here to read official APPLE REMOTE DESKTOP 1.2 user guide http://yourpdfguides.com/dref/1168427 You can read the recommendations in the user guide, the technical guide or the installation guide for APPLE REMOTE DESKTOP 1.2. You'll find the answers to all your questions on the APPLE REMOTE DESKTOP

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

File and Printer Sharing with Microsoft Windows

File and Printer Sharing with Microsoft Windows Operating System File and Printer Sharing with Microsoft Windows Microsoft Corporation Published: November 2003 Abstract File and printer sharing in Microsoft Windows allows you to share the contents of

More information

Guest PC. for Mac OS X. User Guide. Version 1.6. Copyright 1996-2005 Lismore Software Systems, Ltd. All rights reserved.

Guest PC. for Mac OS X. User Guide. Version 1.6. Copyright 1996-2005 Lismore Software Systems, Ltd. All rights reserved. Guest PC for Mac OS X Version 1.6 User Guide Copyright 1996-2005 Lismore Software Systems, Ltd. All rights reserved. Table of Contents About Guest PC... 1 About your Virtual Computer... 1 Creating a Virtual

More information

What s New in Centrify Server Suite 2013 Update 2

What s New in Centrify Server Suite 2013 Update 2 CENTRIFY SERVER SUITE 2013.2 DATA SHEET What s New in Centrify Server Suite 2013 Update 2 The new Centrify Server Suite 2013 Update 2 (2013.2) builds on the core enhancements Centrify introduced in Server

More information

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide Novell Storage Manager 3.1.1 for Active Directory Installation Guide www.novell.com/documentation Installation Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices Condrey

More information

Best Practices for Adding Macs to Microsoft Networks

Best Practices for Adding Macs to Microsoft Networks WHITE PAPER Best Practices for Adding Macs to Microsoft Networks WWW.CENTRIFY.COM Best Practices for Adding Macs to Microsoft Networks Contents Abstract 3 Introduction 4 Requirements for Solving the Challenge

More information

DeployStudio Server Quick Install

DeployStudio Server Quick Install DeployStudio Server Quick Install v1.7.0 The DeployStudio Team info@deploystudio.com Requirements OS X 10.7.5 to 10.11.1 DeployStudioServer_v1.7.x.pkg and later NetBoot based deployment 100 Mb/s switched

More information

Centrify Identity Service and Mac - Online Training

Centrify Identity Service and Mac - Online Training C E N T R I F Y D A T A S H E E T M A R C H 2015 Centrify Identity Service and Mac - Online Training Overview This course is designed for administrators of the Centrify User Suite and mobile devices. At

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

Apple Technical White Paper Best Practices for Integrating OS X with Active Directory

Apple Technical White Paper Best Practices for Integrating OS X with Active Directory Best Practices for Integrating OS X with Active Directory OS X Yosemite v10.10 December 2014 Contents Introduction to directory services support in OS X... 3 OS X and Active Directory... 4 Impact of mobility...

More information

Mac OS X Server. Deploying Mac OS X Computers for K 12 Education For Version 10.4 or Later

Mac OS X Server. Deploying Mac OS X Computers for K 12 Education For Version 10.4 or Later Mac OS X Server Deploying Mac OS X Computers for K 12 Education For Version 10.4 or Later apple Apple Computer, Inc. 2005 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley Likewise Enterprise Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley IMPROVE SOX COMPLIANCE WITH CENTRALIZED ACCESS CONTROL AND AUTHENTICATION With Likewise Enterprise, you get one user,

More information

Virtualization Case Study

Virtualization Case Study INDUSTRY Finance COMPANY PROFILE Major Financial Institution. BUSINESS SITUATION Internal security audits found that VMware ESX, Red Hat Linux, and Solaris systems lacked an efficient way to control access

More information

Monitor Print Popup for Mac. Product Manual. www.monitorbm.com

Monitor Print Popup for Mac. Product Manual. www.monitorbm.com Monitor Print Popup for Mac Product Manual www.monitorbm.com Monitor Print Popup for Mac Product Manual Copyright 2013 Monitor Business Machines Ltd The software contains proprietary information of Monitor

More information

QuickStart Guide for Managing Computers. Version 9.2

QuickStart Guide for Managing Computers. Version 9.2 QuickStart Guide for Managing Computers Version 9.2 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide is accurate. JAMF Software

More information

DriveLock Quick Start Guide

DriveLock Quick Start Guide Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module Version 1.0.1 ForeScout Mobile Table of Contents About the Integration... 3 ForeScout MDM... 3 Additional Documentation...

More information