Managing Macs in a Windows World
Charles Firth, charles@firthconsulting.com
Prerequisites
- Familiarity with Windows Active Directory networks
- Interest in Macintosh OSX integration and support
- Basic understanding of the OSX interface and apps
- Desire to reduce OSX support tickets
Agenda
- Network Requirements
- Active Directory on OSX
- Single Sign-On for common applications and services
- Accessing Windows File Shares on OSX
- Apple Remote Desktop
- Desktop Management
Network Requirements
DNS, DNS, DNS!
- Verify DNS domain lookup on the Mac: host <domain.com>
What time is it?
- Make sure Domain Controllers and Macs agree on the time
- Sync everyone to an internet NTP server, or sync the Macs to the DC
- A time difference of 5 min can cause AD integration to fail
Macs use the following to communicate with Windows:
- LDAP
- Kerberos
- SMB
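A pre-bind check that ties the DNS and time requirements together before dsconfigad is ever run (added example, not from the deck; it assumes the host and ntpdate commands are present on the Mac and takes the AD domain as its only argument):

```shell
#!/bin/sh
# Added pre-bind check (not from the original deck). Assumes `host` and
# `ntpdate` exist on the Mac; the AD domain is the only argument. The
# parsing helpers read stdin so they can be tried on captured output.
set -u

# Extract DC hostnames from `host -t SRV _ldap._tcp.<domain>` output.
# Sample line: "_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com."
dc_hosts_from_srv() {
    awk '/has SRV record/ { h = $NF; sub(/\.$/, "", h); print h }'
}

# Return 0 when the absolute clock offset (seconds, may be negative or
# fractional) is inside the 5-minute window Kerberos tolerates by default.
offset_ok() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; if (o < 300) exit 0; exit 1 }'
}

# Pull the offset figure out of `ntpdate -q <server>` output, e.g.
# "server 10.0.0.1, stratum 2, offset -0.012345, delay 0.02567"
offset_from_ntpdate() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "offset") { o = $(i+1); sub(/,$/, "", o); print o; exit } }'
}

preflight() {
    domain="$1"
    dcs=$(host -t SRV "_ldap._tcp.$domain" | dc_hosts_from_srv)
    if [ -z "$dcs" ]; then
        echo "FAIL: no LDAP SRV records for $domain (is the Mac using the AD DNS servers?)" >&2
        return 1
    fi
    echo "Domain controllers advertised in DNS:"; echo "$dcs"
    # Kerberos SRV records are needed as well for ticket requests.
    host -t SRV "_kerberos._tcp.$domain" | grep -q 'has SRV record' ||
        echo "WARN: no _kerberos._tcp SRV records for $domain" >&2
    # Compare the local clock against the first DC (query only, no adjust).
    first=$(echo "$dcs" | head -n 1)
    off=$(ntpdate -q "$first" 2>/dev/null | offset_from_ntpdate | head -n 1)
    if [ -z "$off" ]; then
        echo "WARN: could not query time from $first" >&2
    elif offset_ok "$off"; then
        echo "Clock offset vs $first is ${off}s: OK"
    else
        echo "FAIL: clock offset vs $first is ${off}s (must be under 300s)" >&2
        return 1
    fi
}

if [ $# -eq 1 ]; then preflight "$1"; fi
```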
Binding a Mac to Active Directory
- System Preferences
- Directory Utility: /System/Library/CoreServices/Directory Utility.app
  - Shows advanced options
- Command line: the dsconfigad command
  - Even more options
  - Scriptable, can be automated as part of an imaging system
  - Can be pushed via Apple Remote Desktop (ARD)
Example dsconfigad commands
Binding a computer to AD:
  dsconfigad -add example.com -computer ComputerName -username domainadmin -ou "CN=Computers,OU=Macs,DC=example,DC=com"
Additional options:
  -password adminpass                               pass the Domain Admin password (otherwise prompted)
  -mobile enable                                    create a mobile account on login
  -groups "DOMAIN\Domain Admins,DOMAIN\macadmins"   grant AD groups local administrative rights
  -useuncpath enable                                use the Home Directory listed in AD for the user
  -protocol smb                                     set the home directory mounting protocol (SMB or AFP)
Unbinding a computer from AD:
  dsconfigad -remove -force -username administrator
Show current AD plugin status:
  dsconfigad -show
Things to know about AD Accounts on OSX
- Windows GPOs do not apply to OSX
- Password policies are enforced
  - Expiration warnings on login will occur
  - Mac users are terrible about logging off at the end of the day
- Keychain issues occur when the password is changed server-side or on a PC
  - OSX 10.9+ has Local Items keychain issues also
  - Consider ADPassMon2: http://macmule.com/2014/04/01/announcing-adpassmon-v2-fork/
- Mobile accounts are cached credentials. Enabled by default in Windows, this is disabled by default in OSX.
- Explicitly assign the current user to the local admin group:
  dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin
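The bind, the optional rebind and the dseditgroup step from the two slides above, put together as one idempotent script (added example, not from the deck; it assumes OSX's dsconfigad, dseditgroup, dscl and stat tools, a domain account allowed to join computers, a local admin running it with sudo, and EXAMPLE as the NetBIOS domain name):

```shell
#!/bin/sh
# Added bind-and-verify script (not from the original deck). Assumes OSX's
# dsconfigad/dseditgroup/dscl tools, a domain account that may join
# computers, a local admin running it with sudo, and EXAMPLE as the assumed
# NetBIOS name. Usage:
#   sudo ./bind.sh example.com MacName domainadmin "CN=Computers,OU=Macs,DC=example,DC=com"
set -u

# Parse the domain out of `dsconfigad -show` output read on stdin;
# prints nothing when the Mac is not bound.
bound_domain() {
    awk -F'= *' '/Active Directory Domain/ { gsub(/ +$/, "", $2); print $2; exit }'
}

# Bind with the deck's options. -password is left out on purpose: dsconfigad
# prompts for it, so the domain admin password never lands in `ps` output,
# shell history or an ARD task log.
bind_mac() {
    dsconfigad -add "$1" -computer "$2" -username "$3" -ou "$4" \
        -mobile enable -useuncpath enable -protocol smb \
        -groups "EXAMPLE\\Domain Admins,EXAMPLE\\macadmins"
}

# Make one named account a local admin (-p prompts for the local admin's
# password instead of taking it on the command line).
grant_local_admin() {
    dseditgroup -o edit -n . -u "$1" -p -a "$2" -t user admin
}

main() {
    domain="$1"; computer="$2"; admin="$3"; ou="$4"
    current=$(dsconfigad -show 2>/dev/null | bound_domain)
    if [ "$current" = "$domain" ]; then
        echo "Already bound to $domain; skipping bind."
    else
        if [ -n "$current" ]; then
            echo "Bound to $current; removing before joining $domain"
            dsconfigad -remove -force -username "$admin"
        fi
        bind_mac "$domain" "$computer" "$admin" "$ou" || { echo "bind failed" >&2; return 1; }
    fi
    # Verify the plug-in answers: the AD node must exist and the joining
    # account must resolve through it (DNS/time problems surface here).
    dscl localhost -list "/Active Directory" >/dev/null || { echo "AD node missing" >&2; return 1; }
    id "$admin" >/dev/null 2>&1 || echo "WARN: $admin does not resolve yet" >&2
    console=$(stat -f '%Su' /dev/console)   # user at the login window/desktop
    [ "$console" != "root" ] && grant_local_admin "${SUDO_USER:-$(id -un)}" "$console"
    dsconfigad -show
}

if [ $# -eq 4 ]; then main "$@"; fi
```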
OSX Keychains
OSX stores saved passwords, certificates, and other authentication tokens in Keychains. If the keychain is unlocked, the user has automatic access to the saved passwords.
Main keychains:
- login: the user's default keychain, created with the same password as the user's account password. On login the user's account password is applied to the login keychain in an attempt to unlock it.
- system: the computer's default keychain. Anything saved here works for all users on the machine. For example: AD machine credentials, wifi passwords, installed certificates.
- Local Items: new with 10.9+, used by iCloud Keychain syncing.
View keychains in Keychain Viewer (/Applications/Utilities)
Single Sign On (SSO)
- OSX relies on Kerberos for SSO with Active Directory
  - Reduces the number of saved passwords in Keychain
  - Supported by Outlook 2011, Lync, others
  - Print server, file server authentication
- OSX receives a Kerberos ticket from AD at login
- Manage tickets in Ticket Viewer: /System/Library/CoreServices/Ticket Viewer.app
- Kerberos via the command line:
  - klist to view any current tickets
  - kinit to pull, revoke, or modify tickets
SSO with Exchange & Outlook 2011
Exchange needs to have Kerberos configured:
- Create an Alternate Service Account (ASA)
- Deploy the ASA to CAS members/role
- Convert the OAB to a web application (no longer required with Exchange 2013)
- Assign SPNs (setspn.exe)
Outlook 2011 account setup:
- Change the authentication method to Kerberos for the account
- Depending on Exchange config, may require AutoDiscovery be disabled: http://www.officeformachelp.com/outlook/exchange/autodiscover/
SSO with Lync
- Lync Server needs to be configured for Kerberos: http://technet.microsoft.com/en-us/library/gg398976.aspx
- Lync for Mac: configuration checkbox for Kerberos under Advanced
Troubleshooting:
- You may need to install and trust the Lync server root certificate: http://www.lynced.com.au/2014/06/install-root-certificate-onmac-osx-for.html
- Use klist and kinit to view or recreate the Kerberos ticket
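The klist/kinit troubleshooting step mentioned on the SSO slide and again here, as a script that checks for a TGT from the AD realm the Mac is bound to and requests a fresh one when it is missing (added example, not from the deck; it assumes OSX's Heimdal klist, kinit and kdestroy and a Mac already bound with dsconfigad, and is run as the logged-in AD user):

```shell
#!/bin/sh
# Added ticket check (not from the original deck). Assumes OSX's Heimdal
# klist/kinit/kdestroy and a Mac bound to AD with dsconfigad. Run as the
# logged-in AD user, e.g. before troubleshooting Outlook or Lync SSO.
set -u

# AD realm names are the DNS domain name in upper case.
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the klist output on stdin lists a TGT for the given realm.
# Sample line: "Oct 10 09:00:00 2014  Oct 10 19:00:00 2014  krbtgt/EXAMPLE.COM@EXAMPLE.COM"
has_tgt_for_realm() {
    grep -q "krbtgt/$1@$1"
}

# Domain from the AD plug-in configuration (see dsconfigad -show).
bound_domain() {
    dsconfigad -show 2>/dev/null |
        awk -F'= *' '/Active Directory Domain/ { gsub(/ +$/, "", $2); print $2; exit }'
}

check_tgt() {
    domain=$(bound_domain)
    [ -n "$domain" ] || { echo "Mac is not bound to AD" >&2; return 2; }
    realm=$(realm_from_domain "$domain")
    # klist -t (Heimdal) / klist -s (MIT) exit non-zero when there is no
    # unexpired TGT; the grep confirms it is for the AD realm and not some
    # other realm the user happened to kinit to.
    if { klist -t 2>/dev/null || klist -s 2>/dev/null; } && klist | has_tgt_for_realm "$realm"; then
        echo "Valid TGT for $realm present:"; klist
        return 0
    fi
    echo "No valid TGT for $realm; requesting one (password prompt follows)."
    # kdestroy clears stale or expired tickets first; kinit then prompts
    # for the AD password and obtains a new TGT for the current user.
    kdestroy 2>/dev/null
    kinit "$(id -un)@$realm" && klist
}

if [ "${1:-}" = "--check" ]; then check_tgt; fi
```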
SSO with print queues
Printers on a Windows server that require authentication:
- Set up in OSX via System Preferences normally
- May require additional steps:
  CUPS web interface
  - Run the Terminal command: cupsctl WebInterface=yes
  - Browse to http://localhost:631
  - For each printer, under Administration > Set Default Options > Policies, set Operation Policy: kerberos
  - Save settings, then disable the web interface: cupsctl WebInterface=no
  Command line
  - lpstat -a (show list of all printers)
  - lpadmin -p <printer name> -o auth-info-required=negotiate
Other printing options:
- LPD queues (UNIX printing enabled on the Windows server)
- Direct-to-IP printing (last resort)
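The command-line route above, applied to every smb:// queue on the Mac rather than one printer at a time, with a check of the current setting first (added example, not from the deck; it assumes the CUPS tools shipped with OSX, lpstat, lpadmin and lpoptions, and is run with sudo after the printers were added in System Preferences):

```shell
#!/bin/sh
# Added queue-fixing script (not from the original deck). Assumes the CUPS
# tools shipped with OSX (lpstat, lpadmin, lpoptions) and that it runs
# with sudo after the printers were added in System Preferences.
set -u

# From `lpstat -v` output on stdin, print the names of queues whose
# device URI points at a Windows share, e.g.
# "device for hrprinter: smb://printsrv.example.com/HR-Printer"
smb_queues() {
    awk '/^device for / && $NF ~ /^smb:\/\// { q = $3; sub(/:$/, "", q); print q }'
}

# From `lpoptions -p <queue>` output on stdin (space-separated key=value
# pairs), print the current auth-info-required value, if any.
auth_setting() {
    tr ' ' '\n' | awk -F= '$1 == "auth-info-required" { print $2; exit }'
}

fix_queue() {
    q="$1"
    current=$(lpoptions -p "$q" | auth_setting)
    if [ "$current" = "negotiate" ]; then
        echo "$q: already uses Kerberos (negotiate)"
        return 0
    fi
    # negotiate = SPNEGO/Kerberos: the user's login ticket is presented
    # instead of a password saved in Keychain.
    lpadmin -p "$q" -o auth-info-required=negotiate || return 1
    echo "$q: auth-info-required set to negotiate (was '${current:-unset}')"
}

main() {
    queues=$(lpstat -v | smb_queues)
    [ -n "$queues" ] || { echo "No smb:// queues found in lpstat -v output" >&2; return 1; }
    for q in $queues; do fix_queue "$q"; done
}

if [ "${1:-}" = "--fix" ]; then main; fi
```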
Windows File Shares
Macs support SMB:
- Leveraged Samba in 10.2-10.6, supported SMBv1
- SMB stack custom-built by Apple in 10.7, supporting SMBv2
- SMB replaced AFP as the default protocol in 10.9
- SMB3 support in Yosemite (OSX 10.10)
- DFS shares supported in 10.7+
- OSX mounts shares directly; it cannot mount a nested folder
OSX 10.9+ may take a long time to display SMB folder contents:
- Workaround: force an SMB1 connection via CIFS:// rather than SMB://
- Permanent fix: update the file server registry to increase SMB credits
  HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
    Smb2CreditsMin  REG_DWORD = 768 (decimal)
    Smb2CreditsMax  REG_DWORD = 16384 (decimal)
Apple Remote Desktop
- Paid-for app in the App Store (requires OSX): 599,00 kr ($80 USD)
- Manage unlimited client machines
- Client software built into OSX
- Push out installs, patches, scripts: any .pkg or .mpkg installer
- Remote view/control
- Pull software and hardware reports
- Task Server to schedule tasks
ARD under the hood
ARD networking:
- Uses VNC (port 5900)
- Can use multicast for install/copy jobs
- Can encrypt all network traffic (reduces performance)
Client enabled in System Preferences > Sharing > Remote Management
Configure via the command line:
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
  http://support.apple.com/kb/ht2370
Desktop Management
Profiles via MDM server:
- OSX 10.7 or later
- Adjust settings, system configuration
- Local security settings
- Applied to user or computer groups
- Same as deploying profiles to iOS
Managed Preferences (MCX):
- Legacy system, requires OSX Server and Workgroup Manager
- Common in education for desktop security
- Push out custom preference files for third-party apps (plist)
Thanks for Attending!
Feel free to contact me: Charles Firth, charles@firthconsulting.com