The Centrify Vision: Unified Access Management
Control, Secure and Audit Access To Your On-Premise and Cloud-based Infrastructure
[Diagram: on-premise enterprise (personal devices, mobile devices, servers) and the Centrify Management Platform in the cloud (hosted systems, apps, SaaS, mid 2012)]
Leverage infrastructure you already own, Active Directory, to:
- Control: who can access what
- Secure: user access and privileges
- Audit: what the users did
2004-2012 CENTRIFY CORPORATION. ALL RIGHTS RESERVED SLIDE 1
Support & Management Challenges for Mac
- Mac population is growing due to employee demand (darn VPs and their shiny toys!)
- Macs are a non-standard platform in most enterprise environments (excluding publishing/creative firms)
- IT support staff simply don't know how to manage Mac systems
- Typically Macs are managed individually or by the department expert
  - Self-managed systems usually have one local admin account, the end-user
  - Departmental support is focused on usability, not security policies
- IT struggles to enforce security policies consistently across the enterprise on all platforms
  - Access control policies, password management policies and security configuration policies must be consistently enforced across the enterprise
The Solution: AD-based Management of OS X
Centrify empowers the Windows-centric enterprise to manage and support OS X using existing expertise, tools and processes:
- ADUC for user account, password and group management
- GPMC/GPOE for system and user configuration management
[Diagram: MacBooks and iMacs joined to Active Directory]
Centrify DirectControl for Mac OS X
- Provides an alternative to the Apple AD bind utility
- Robust AD agent runs on OS X and 300+ Unix/Linux platforms
- Complete support for AD Sites, Offline Access, Group Policy
  - Site awareness means finding the closest domain controller
- Diagnostic tools to resolve issues: bind information, logging, diagnostic utility (adinfo)
Sample adinfo output:
  Local host name:   tom-macbpro
  Joined to domain:  centrify.com
  Joined as:         tom-macbpro.centrify.com
  Pre-win2K name:    tommacbpro
  Current DC:        centrify-dc08.centrify.com
  Preferred site:    SunnyvaleOffice
  Zone:              Auto Zone
  CentrifyDC mode:   connected
  Licensed Features: Enabled
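As an added example (not Centrify's code), a small health check that parses the adinfo output shown above and flags the conditions an admin would want to know about before relying on AD-enforced policy on a Mac: wrong or missing domain, agent running from the offline cache instead of a domain controller, a DC outside the expected domain, and Auto Zone (where every AD user can log in). The expected domain and whether Auto Zone is acceptable are assumptions passed in as parameters; the sample text is the slide's own output.

```python
"""Sanity-check Centrify adinfo output before trusting AD-based policy."""
import re

# Constructed from the sample output on the slide (not a live capture).
SAMPLE_ADINFO = """\
Local host name:   tom-macbpro
Joined to domain:  centrify.com
Joined as:         tom-macbpro.centrify.com
Pre-win2K name:    tommacbpro
Current DC:        centrify-dc08.centrify.com
Preferred site:    SunnyvaleOffice
Zone:              Auto Zone
CentrifyDC mode:   connected
Licensed Features: Enabled
"""


def parse_adinfo(text):
    """Turn 'Key: value' lines into a dict; blank or malformed lines are skipped."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def check_join_state(info, expected_domain, allow_auto_zone=False):
    """Return a list of findings; an empty list means the host looks healthy."""
    findings = []
    exp = expected_domain.lower()
    domain = info.get("Joined to domain", "").lower()
    if domain != exp:
        findings.append(f"joined to '{domain or 'no domain'}', expected '{exp}'")
    if not info.get("Joined as", "").lower().endswith("." + exp):
        findings.append("machine account name does not belong to the expected domain")
    mode = info.get("CentrifyDC mode", "").lower()
    if mode != "connected":  # offline cache in use: Group Policy refresh may be stale
        findings.append(f"agent mode is '{mode or 'unknown'}', not 'connected'")
    if not info.get("Current DC", "").lower().endswith("." + exp):
        findings.append("current DC is not a member of the expected domain")
    if info.get("Zone") == "Auto Zone" and not allow_auto_zone:
        findings.append("Auto Zone: every AD user can log in; use a restricted zone if unintended")
    if info.get("Licensed Features") != "Enabled":
        findings.append("licensed features are not enabled; policy enforcement may be limited")
    return findings


if __name__ == "__main__":
    for finding in check_join_state(parse_adinfo(SAMPLE_ADINFO), "centrify.com"):
        print("WARN:", finding)
```

On a real host, feed the live output in with `adinfo | python3 check_adinfo.py` after replacing the sample read with `sys.stdin.read()`.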
Unified Administration With Active Directory
- Common account and authentication with Active Directory
  - Manage Mac user accounts, their login and authorization rights
  - Enables offline login to OS X laptops, the same experience as on Windows
- Administrators granted local admin privileges
  - Group Policy configuration of Apple Remote Desktop (for VNC)
  - An Active Directory group of administrators is granted local privileges
  - Pre-validation for administrators enables offline login
- And no changes to Active Directory, no new servers, no change in process
User Access Options
- Auto Zone: all AD users can log in to the machine (similar to the Apple AD plugin for access)
- Department Zone: access restricted to department members only
- Executive Zone: each computer only accessible by the designated executive and IT admin support
[Diagram: Active Directory with a Sales Zone (Fred, Joan), an Executive Zone, a Department Administrator Zone, and Active Directory Administrators]
Macs Integrate into Existing Windows Services
- Provides Single Sign On for:
  - Home directory auto-mounts to Windows file shares
  - Authenticated printing to Windows print queues
  - Services such as Exchange, SQL, and IIS servers
- Extensive home directory support
  - On Mac OS X servers via AFP
  - On Windows servers via SMB
  - DFS shares in 10.7 or with Group Logic's ExtremeZ-IP Server
  - Portable Home Directory with auto-sync to network home directory
Certificate Auto Enrollment
- Supports Certificate Auto Enrollment through Windows Group Policy
  - Machine certificate automatically downloaded at AD join time
  - Automatic renewal of machine certificate at expiration
  - Complete certificate lifecycle management
- 802.1X configuration for Wireless and Ethernet
  - 10.6.8: Centrify Group Policy
  - 10.7: Apple Profile Manager
- VPN support for strong authentication
Smart card support
- Smart card-based strong authentication
  - Secure login to Active Directory
- Supported cards and tokens: CAC, CAC NG, Oberthur 128, PIV, .NET smart cards, SafeNet tokens
- Certified by the Joint Interoperability Test Command (JITC)
- FIPS 140-2 certification
Enforce Security Policies Using AD Group Policy
- Automated security policy configuration for consistency
  - Group Policy is automatically enforced at system join to Active Directory
  - Group Policy routinely checks the system for policy compliance, updating as required
  - User Group Policy is enforced at user login
- System Group Policies control system configuration
  - Centrify agent configuration policy
  - Firewall & services policies control machine access
  - Screen saver policy controls access to existing user sessions
  - SSH policies for remote access security
Desktop Lockdown Using AD Group Policy
- Group Policy enforcement of Managed User settings
- Controls to lock down:
  - Finder & Preferences settings
  - Desktop & Dock settings
- User Group Policies control:
  - Screen saver
  - Allowed applications
  - Login/logout scripts
  - Media access settings
  - Mac App Store access
Centrify Mobile
Mobile Devices as Objects Managed in Active Directory
Centrify ADUC and GPOE Extensions
DirectControl for Mobile supports the familiar Active Directory management tools, ADUC (left) and Group Policy Object Editor (right), so administrators can see which devices are assigned to a user and the properties of each device, and can manage policies across all devices.
DirectControl for Mobile Group Policy Settings
Passcode Settings
- require passcode on device
- allow simple value
- require alphanumeric value
- minimum passcode length
- minimum number of complex characters
- maximum passcode age (days)
- auto-lock (minutes)
- passcode history
- grace period for device lock
- maximum number of failed attempts
Exchange ActiveSync Settings (support for one or more Exchange Mailboxes). Each Mailbox supports:
- Profile Name
- Exchange ActiveSync host
- Use SSL
- Use User Principal Name (UPN) if no email address
- Past days of mail to sync (drop-down box)
- Provide client certificate (serves both to trigger PKI cert auto-issuance and to configure the system to use PKI for Exchange authentication)
Restrictions
- allow installing apps
- allow use of camera
- allow screen capture
- allow automatic sync while roaming
- allow voice dialing
- allow in-app purchase
- allow multi-player gaming
- allow adding Game Center friends
- force encrypted backups
- allow use of YouTube
- allow use of iTunes Music Store
- allow use of Safari
- allow explicit music and podcasts
- ratings region
- allowed movies content rating
- allowed TV shows content rating
- allowed apps content rating
* Some settings are device OS specific
DirectControl for Mobile Group Policy Settings (cont.)
VPN - PPTP Settings (support for one or more VPN-PPTP configurations)
General settings
- Connection name
- Server
- User authentication (Password or RSA SecurID)
- Encryption level (None, Automatic, Maximum (128-bit))
- Send all traffic
Proxy settings for each connection
- None, Manual, Automatic
WiFi Settings (support for one or more WiFi settings)
General settings
- SSID
- auto-join
- hidden network
- security type
- password
Protocols settings
Authentication settings
Proxy settings
* Some settings are device OS specific
Centrify Mobile Components
Self-service enrollment using a web-based form or mobile app, and automated configuration of profiles, make the setup and enforcement of device and security settings easy for administrators and users.
Centrify Mobile and Cloud Architecture
Centrify Cloud Management Platform
Centrify's Hosted Management Platform
- Integrates with existing on-premise Active Directory
- Enables rapid adoption of cloud services, simplifying installation and configuration
- Scales as required to support the largest deployments
- Highly available
Report & Monitor on Mobile Devices
- Maintain current device status, including AD integration and policy enforcement status as well as last update date
- Inventory of all enrolled devices
- Inventory of installed software
Centralized Management of Enrolled Devices
- Full and Selective Wipe (removing profiles) of the device
- Lock and unlock the device
- Force a Policy Update to the device
- Ping and Call Home operations ensure connectivity and management of the device
Centrify Cloud Proxy Server
Centrify Cloud Proxy Server installs in a few minutes and is non-intrusive: no firewall configuration changes and no additional infrastructure in the DMZ are required.
Why Customers Choose DirectControl for OS X
- IT can leverage existing directory, processes and skill sets to manage Macs
- Centralized authentication and password policies are enforced
- Smart card login to AD supports SSO and the requirement for two-factor authentication
- Automated security policy enforcement with Group Policy
- Fine-grained desktop lockdown security policies are centrally enforced
- Separation of administrative duties simplifies deployment in complex environments
"DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access... particularly for systems administrators who are unfamiliar with Mac OS X." Ryan Faas, Computerworld
Why Centrify Mobile?
- Easiest product to deploy
  - Leverages existing Active Directory infrastructure and skill sets
  - Cloud Service eliminates the need to deploy & manage on-premise infrastructure
  - Does not require firewall configuration changes, appliances or other equipment to be deployed in the DMZ
- Not just a point solution for mobile devices
  - Centrify also supports Mac and Linux devices
- Free offering makes getting started easy
  - Supports an unlimited number of devices
  - Online/community support
  - Provides an immediate solution while you consider your mobile strategy