Best Practices for Adding Macs to Microsoft Networks



WHITE PAPER
WWW.CENTRIFY.COM

Contents

Abstract
Introduction
Requirements for Solving the Challenge
Two Approaches for Managing Macs
  Mac-centric Solutions
  Microsoft-centric Solutions
Centrify's Approach: Best of Both Worlds
  Single Consolidated Identity
  Group Policy Management
  Enhanced Security
  Cloud-based Identity Service
  Integrated Mobile Security and Management
  Smart Card Support
Summary

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2015 Centrify Corporation. All rights reserved. Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Other brand names used in this document are the trademarks or registered trademarks of their respective companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Abstract

Adding Macs to a Microsoft-based corporate network can be a challenge. Are Microsoft tools, Apple tools or third-party tools the best solution? Are Mac-oriented management tools the best option, or is it best to incorporate the Macs within the existing management and security infrastructure? This paper will help answer those questions and explore how Centrify can quickly and easily provide the necessary tools to allow Macs to be managed in the same way PCs are managed today.

Introduction

For years, PCs have been the workhorses of corporate desktop computing. Many organizations standardized their PCs on the Microsoft Windows platform. Often, they also managed their desktop computers and secured both users and data with Microsoft's backend server technologies. This homogeneous approach worked well, and IT organizations were able to build a robust and predictable computing infrastructure using off-the-shelf commercial technology.

But things are changing. With the Apple iPhone/iPad revolution that began in 2007, more and more end users are choosing alternatives to Windows desktops and laptops. Although the Apple Mac is not a new platform, its primary base in the past consisted of students, media professionals, digital artists and high-end consumers. Today, workers from all verticals want to use Macs, and this is creating new challenges for IT organizations that have historically supported a Windows-only computing environment. How can IT address this growing demand from users while also maintaining appropriate control over access to data and corporate resources in a non-disruptive way?

Requirements for Solving the Challenge

Before exploring this challenge and possible solutions, it is worth creating a checklist of requirements for the incorporation of any new solution into an organization's network:

1. Leverage existing tools, processes and policies. Ideally, any new solution should work well with what is currently installed and not disrupt existing methods for managing and securing systems.

2. No compromise on security. In this era of constant attacks on corporate networks, there is no justification for relaxing the security of networks or devices just so new platforms can be deployed for end users. In fact, any new solution should substantially enhance security and provide IT management with better visibility into who is using each system, what resources they are accessing and how those resources are being used.

3. Minimize the requirement for training IT staff. Training IT staff requires time and money and takes staff away from their core duties. Any new software should require minimal training for existing staff and not require substantial new skills.

4. Easy for IT to deploy and manage. Before committing to a new software solution, it is essential that the software can be easily deployed and managed, both on internal systems and on systems used by workers. Ideally, the solution should work without touching Domain Controllers and other critical production systems.

5. Easy to use for workers. If the solution is hard to use, slows down systems or requires substantial training or new skills for end users, you will get pushback, if not outright revolt, from end users. Ideally, users should not see any negative impact but instead should have a more productive work experience.

6. Supports mobile scenarios. The days of only working at an office desk are over. Workers need their devices to work equally well both inside and outside the corporate firewall, and IT needs to be able to manage devices both on-premises and when workers are traveling or working from home.

7. Cost effective. A new solution should not require large capital outlays, high recurring user fees or high deployment costs. Any new solution should more than pay for itself in increased productivity and reduced IT management costs, and should not require a major investment of time to set up and deploy.

Ultimately, introducing Macs into predominantly Microsoft environments should not be disruptive or costly, or involve compromises. The end goal should be to manage Macs with no more overhead than is required today for managing Windows-based PCs.

Two Approaches for Managing Macs

There are at least two strategies for solving the challenge of adding Macs to a Microsoft-oriented infrastructure.

Mac-centric Solutions

The first approach focuses on selecting a mature, full-featured Mac management solution that is proven in the enterprise. There are several products on the market that do a decent job of managing an Apple Mac or a Mac plus iOS network of devices and users. The attraction of this approach is that the management solutions are tuned exactly to the capabilities of Mac OS X and iOS.

However, there are numerous potential pitfalls to this approach. The Apple-oriented solution may require substantial new IT skills or even new IT staff to deploy and manage the software. If the solution is not tied into existing Microsoft management software, then duplicate actions will be required to ensure that policies, access rights, user roles and profiles exactly match what exists in the Microsoft world. Ultimately, this dual management console approach may lead to gaps in security and manageability and require extra investment to manage a separate infrastructure. In addition, some Apple-centric management solutions may fall short when it comes to managing other platforms such as Android or Linux. If a different management solution has to be installed for each new platform, the complexity, cost and unpredictability of management and security challenges have the potential to leave an organization exposed.

Microsoft-centric Solutions

The second approach leverages existing Microsoft infrastructure and adds software or plug-ins to allow Macs to join the Microsoft world and be managed in a way that is more consistent with current practices. The obvious benefits of this approach are less disruption to existing management infrastructure and fewer requirements for new skills to deploy and manage the solution.

But this approach can have pitfalls as well. Some solutions may not support all PC management concepts on the Mac, resulting in gaps in security, policy enforcement or device management functionality. Some solutions may work well from the IT point of view but may be confusing for workers to use, or may degrade performance if they are not optimized for the Mac platform. Some solutions may not be built for use both inside and outside the corporate firewall.

Centrify's Approach: Best of Both Worlds

Centrify has employed a blended approach to the challenge of managing non-Microsoft platforms, such as Macs, Linux and UNIX, in a Microsoft-oriented infrastructure for over a decade. A blended approach means the solution plugs seamlessly into existing infrastructure with minimal disruption and has the same functionality as managed Windows clients. But the solution also needs to be exactly tuned to the capabilities of the non-Windows platform so that the operating system performs well and feels natural to the user. In other words, a robust solution needs to be the best of both worlds.

Centrify Identity Service, Mac Edition is the latest release of a solution that has been on the market for over eight years. With that service history across enterprises of all sizes and constant feedback from real customers, the software has evolved beyond just providing Active Directory-based authentication for Mac users and includes capabilities that address current mixed Mac/PC environments and beyond. Let's review each of these key capability areas and see how they map to typical enterprise needs.

Single Consolidated Identity

One of the key features of Centrify's suite of offerings is based on the simple concept that a user should have only one corporate identity and one corporate password, regardless of which device he or she uses or where the device is used. With only one username and password, users are less likely to forget their passwords and will be more productive. With only one identity to manage, IT doesn't need to make multiple changes to staff records on different systems when users change roles, add devices or leave the company. Everything is managed from a single, central console.

Figure 1: Macs joined to Active Directory, just like PCs

Microsoft Active Directory (AD) does an excellent job of managing users and computers in a centralized way, but it was designed to work best with Microsoft client systems, that is, Windows-based PCs. Once a user logs in to an Active Directory-joined PC with his or her credentials, the user is granted access to resources such as file shares, printers and applications based on the user's role, which is centrally managed by IT. Users experience silent authentication to applications and do not need to re-enter their passwords each time they access resources across the corporate network. Users can even log in to other computers on the network with their AD credentials and have a consistent, personalized experience.

With Centrify Identity Service, Mac Edition, the same experience and control are available to Macs, which can also join an Active Directory domain. Macs operate in exactly the same way as PCs: users log in with their Active Directory credentials and gain access to the same resources, with silent authentication to corporate applications. It is important to note that Centrify goes beyond basic AD authentication support. With Centrify, Macs work well in large multi-forest scenarios with cross-domain trusts, and users can even log in while disconnected from the corporate network. Macs become true peers to PCs on the corporate network with no compromises, while users are able to work with their Macs in a totally familiar way.

Group Policy Management

While some solutions stop at support for logging in to a Mac using AD credentials, Centrify goes further with full support for Group Policy on Macs. While AD authentication establishes who can use a device, Group Policy goes further by enforcing rules on how that device can be used. Do you want to ensure strong passwords are used? Use Group Policy. Do you want to set up a secure connection to an 802.1X network? Use Group Policy. Do you want to make sure the computer firewall is on and set up correctly? Use Group Policy. In fact, hundreds of device configuration and usage attributes can be centrally set and enforced by Group Policy. Policies can also be associated with individual users or groups of users. Do you want to allow only the finance group to access the corporate accounts file share and turn off access for everyone else? Enforce it with Group Policy.

Figure 2: Centrify fully supports Group Policy on Macs

As Windows IT administrators have found, Group Policy is indispensable for securing computers, networks, users, data and other resources in a corporate network. But again, Group Policy is designed for Windows networks and Windows PCs. Centrify overcomes that limitation by building Group Policy support into its Mac offering. Policies are enforced using a combination of Mac mechanisms, including updating plist files and standard config files, enforcing MCX settings and creating configuration profiles for local enforcement. Centrify also adds Mac-specific policies, such as the ability to enforce Apple's FileVault 2 full disk encryption for all Macs joined to the corporate network. With these tools, administrators can establish and enforce policies corporate-wide, for specific classes of users, for different types of devices, or all of the above. And this can all be done from a single, central, familiar console for all devices and users.
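The Group Policy section above says that on a Mac the policy ends up as plist files, MCX settings and configuration profiles. A configuration profile is itself a plist, which means an administrator can parse it and confirm that the settings the policy is supposed to enforce (strong passwords, a locked screen, the firewall, FileVault that cannot be switched off) are actually present before, or after, a management tool pushes it. The script below is an added example written for this page; it is not code from the white paper or from Centrify, and it does not model how Centrify's agent applies policy. The baseline, the comparators and both sample profiles are constructed for the example; the payload types and keys are Apple's configuration profile payload keys.

```python
"""Audit a macOS configuration profile (plist) against a security baseline.

Added example, not from the Centrify white paper: the paper says Mac policy is
enforced via plist files, MCX settings and configuration profiles. A profile is
itself a plist, so a defender can parse it and confirm the required settings are
really there. Baseline, comparators and both sample profiles are constructed for
this example; payload types and keys are Apple's configuration profile keys.
"""
import plistlib

# Comparators: "eq" exact value, "min" at least, "max" at most.
BASELINE = {
    "com.apple.screensaver": {
        "askForPassword": ("eq", 1),        # screen saver demands a password ...
        "askForPasswordDelay": ("max", 0),  # ... immediately, no grace period
    },
    "com.apple.security.firewall": {
        "EnableFirewall": ("eq", True),
        "EnableStealthMode": ("eq", True),
    },
    "com.apple.MCX": {
        "dontAllowFDEDisable": ("eq", True),  # users cannot switch FileVault off
    },
    "com.apple.mobiledevice.passwordpolicy": {
        "requireAlphanumeric": ("eq", True),
        "minLength": ("min", 12),
    },
}

# Constructed profile with weak/missing settings, in the XML form a .mobileconfig uses.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.weak</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.screensaver</string>
      <key>askForPassword</key><integer>1</integer>
      <key>askForPasswordDelay</key><integer>300</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>EnableFirewall</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>requireAlphanumeric</key><true/>
      <key>minLength</key><integer>6</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed hardened profile, built from a dict and serialized the same way.
HARDENED_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.hardened",
    "PayloadContent": [
        {"PayloadType": "com.apple.screensaver", "askForPassword": 1, "askForPasswordDelay": 0},
        {"PayloadType": "com.apple.security.firewall", "EnableFirewall": True, "EnableStealthMode": True},
        {"PayloadType": "com.apple.MCX", "dontAllowFDEDisable": True},
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "requireAlphanumeric": True, "minLength": 14},
    ],
})


def payloads_by_type(profile):
    """Index a profile's payloads by PayloadType; duplicate payloads are merged, later keys win."""
    merged = {}
    for payload in profile.get("PayloadContent", []):
        merged.setdefault(payload["PayloadType"], {}).update(payload)
    return merged


def satisfies(op, expected, actual):
    """Apply one baseline comparator to an observed value."""
    if op == "eq":
        return actual == expected
    if op == "min":
        return actual >= expected
    if op == "max":
        return actual <= expected
    raise ValueError(f"unknown comparator {op!r}")


def audit_profile(profile_bytes, baseline=BASELINE):
    """Return findings as strings; an empty list means the profile meets the baseline."""
    payloads = payloads_by_type(plistlib.loads(profile_bytes))
    findings = []
    for ptype, rules in baseline.items():
        payload = payloads.get(ptype)
        if payload is None:
            findings.append(f"{ptype}: payload missing, nothing enforced")
            continue
        for key, (op, expected) in rules.items():
            if key not in payload:
                findings.append(f"{ptype}/{key}: not set (expected {op} {expected!r})")
            elif not satisfies(op, expected, payload[key]):
                findings.append(f"{ptype}/{key}: got {payload[key]!r}, expected {op} {expected!r}")
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_profile(data)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for line in findings:
            print("  -", line)
```

Run as-is and the constructed weak profile produces five findings (a 300-second screen-lock grace period, the firewall disabled, stealth mode unset, no FileVault payload at all, and a 6-character minimum passcode) while the hardened profile passes. To audit a real profile, read the bytes of a `.mobileconfig` exported from your management system and pass them to `audit_profile`; a missing payload is reported separately from a weak value because "nothing enforced" is the more common failure when a profile is assembled by hand.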

Enhanced Security

Computer and network security has vaulted to the top of the immediate-action list for IT departments in every type of business and industry around the world. With constant attacks from hackers, data breaches and unauthorized access to corporate resources, security professionals have their hands full protecting not just computing assets, but corporate reputations and the ability of organizations to operate and do business. To help lock down networks and minimize exposure, many organizations have a strict policy on which types of devices can be used on the corporate network. Many companies have enforced a PC-only policy for corporate workstations so as to reduce the possibility of an unfamiliar rogue device introducing a security exposure to the company. And yet, many organizations want the flexibility to also use Macs side by side with PCs.

Figure 3: PKI certificate management for Macs

Again, Centrify includes enterprise-class security features in its Identity Service that not only make Macs more secure, but secure them in a way that is consistent with other approved devices on the network. For example, Centrify can manage PKI certificate auto-issuance and auto-renewal, configure VPN settings, force the screen locking of idle machines and enforce restrictions against running unapproved applications on a Mac. This is just a small sample of the supported security features available to secure Macs in a predictable and consistent way.

Cloud-based Identity Service

While Active Directory and Group Policy work well inside the firewall, there is less control over users and devices that are mobile or in remote offices. For this reason, Microsoft has created the cloud-based directory service Azure Active Directory. Unfortunately, Azure AD requires complex software to sync with on-premises AD, and it replicates sensitive AD data up into the cloud. With Azure AD, IT has to secure two repositories of user information and make sure both are in sync.

Figure 4: Web-based management for Macs

Centrify has created a different, more secure approach. Rather than replicate user data into an external directory, Centrify provides a gateway into the on-premises directory service, but does so in a totally secure way. This leaves IT with only one directory to manage, but allows users and devices to be integrated into AD both inside and outside the firewall. Centrify goes further by providing web-based management tools for both IT and users to automate tasks such as adding new devices, locating devices, managing device inventory, changing passwords and enforcing a remote lock or remote wipe on a Mac that has been lost or stolen. In addition, Centrify provides a cloud-based directory service, separate from AD, for cases where IT wants to manage off-premises devices but doesn't want to integrate these devices into the AD infrastructure. With all these options, IT can choose the best way to manage devices both inside and outside the corporate firewall using a wide variety of techniques.

Integrated Mobile Security and Management

While this paper is focused on Macs, virtually every Mac user also owns an iPhone and/or an iPad, or possibly an Android mobile device. Workers want to be able to use these devices while away from the office to access corporate email, work on documents, run corporate apps and access corporate files and other resources. Centrify is not alone in recognizing the opportunity to help organizations support mobile devices in a secure and predictable way. There is a whole industry of mobile device management (MDM) vendors with a wide variety of solutions for securing and managing mobile devices in the workplace. But even in this crowded MDM market, Centrify stands out in the way it tightly integrates mobile devices into existing IT infrastructures. Most vendors require special servers to be set up to manage mobile devices, using software and services that are very different from, and incompatible with, the services used to manage on-premises devices. In contrast, Centrify integrates mobile devices into Active Directory in the same way that it does for Macs. And again, Centrify provides a cloud-based service that is tightly coupled with on-premises AD systems, so that AD-based identity management and policies can be enforced on iOS and Android mobile devices in a way that is consistent with other managed devices. Centrify also goes further by leveraging its identity service to provide single sign-on to thousands of corporate apps, as well as automatic app deployment and configuration on authenticated devices. Mobile devices can also be set up for multi-factor authentication to add an extra layer of security when users access sensitive corporate resources, apps and data. Since most workers have more than one device, Centrify has adopted a licensing program under which each user can install the Centrify solution on up to five Macs or mobile devices.

Figure 5: Mobile devices can be managed and secured using Active Directory as well

Smart Card Support

Government, military, financial services and customers in other security-oriented industries often rely on smart card authentication as an extra form of security for gaining access to corporate networks. In some cases, Federal agencies and other organizations must meet Homeland Security Presidential Directive 12 (HSPD-12), NIST guidance and other security mandates for smart card authentication. Active Directory and Windows-based PCs have supported smart card authentication for years, but many organizations want to extend smart card use to other platforms such as Apple Mac and Linux.

Figure 6: AD-based smart card authentication for Macs

Centrify not only supports AD-based smart card authentication on Mac and on Red Hat and CentOS Linux for the most commonly used CAC, CACNG, PIV and PIV-I smart cards, but has also certified its solution with numerous agencies. For example, Centrify's support for the Department of Defense's Common Access Card (CAC) standard is certified by the Joint Interoperability Test Command (JITC) and has additionally earned the Certificate of Networthiness (CoN) from the U.S. Army Network Enterprise Technology Command (NETCOM). Centrify has further obtained FIPS 140-2 Level 1 validation for the Centrify Crypto Module, which provides the core cryptography, and the entire solution is also Common Criteria certified at EAL 2.

Summary

Integrating new platforms into existing infrastructure can be a complex, risky, disruptive and expensive undertaking. But the trend towards using modern mobile devices and computing technologies is undeniable, and the push to use these modern platforms in workplace scenarios is only going to increase over time. And yet, organizations need to proceed cautiously before adopting these new platforms, to maintain uncompromised security and control over sensitive applications and data used on corporate networks. Plus, managing devices is only half the challenge. IT needs to ensure that workers who use these devices are properly authenticated and are granted access to only the applications, data and resources they need to do their jobs. Finally, any new platform added to an organization should not result in the need to deploy a whole new management and security infrastructure to support it. Using existing tools, processes, policies, staff and IT skills is the best path to ensuring long-term success in the adoption of new platforms.

With its best-in-class Active Directory support for Mac and mobile platforms, its decade of experience supporting over 5,000 enterprise customers and its forward-thinking solution that leverages existing Microsoft-based infrastructures while also supporting mobile scenarios via cloud-based services, Centrify is in the best position to support any sized organization that wants to add Macs and mobile devices in the enterprise.

For more information on Centrify's solutions for Apple Mac, visit: http://www.centrify.com/mac.

Centrify provides unified identity management across data center, cloud and mobile environments, resulting in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify's unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization's existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and enterprise mobility management.

SANTA CLARA, CALIFORNIA +1 (669) 444-5200
EMEA +44 (0) 1344 317950
ASIA PACIFIC +61 1300 795 789
BRAZIL +55 11-3958 4876
LATIN AMERICA +1 305 900 5354
EMAIL sales@centrify.com
WEB www.centrify.com

WHP001531EN-03162015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. WWW.CENTRIFY.COM +1 (669) 444-5200