Charles Firth charles@firthconsulting.com. Managing Macs in a Windows World

Prerequisites
- Familiarity with Windows Active Directory networks
- Interest in Macintosh OSX integration and support
- Basic understanding of the OSX interface and apps
- Desire to reduce OSX support tickets

Agenda
- Network Requirements
- Active Directory on OSX
- Single Sign-On for common applications and services
- Accessing Windows File Shares on OSX
- Apple Remote Desktop
- Desktop Management

Network Requirements
- DNS, DNS, DNS! Verify DNS domain lookup on the Mac: host <domain.com>
- What time is it? Make sure Domain Controllers and Macs agree on the time
  - Sync everyone to an internet NTP server, or sync the Macs to a DC
  - A time difference of 5 min can cause AD integration to fail
- Macs use the following to communicate with Windows: LDAP, Kerberos, SMB

Binding a Mac to Active Directory
- System Preferences
- Directory Utility: /System/Library/CoreServices/Directory Utility.app
  - Shows advanced options
- Command line: the dsconfigad command
  - Even more options
  - Scriptable, can be automated as part of an imaging system
  - Can be pushed via Apple Remote Desktop (ARD)

Example dsconfigad commands
Binding a computer to AD:
  dsconfigad -add example.com -computer ComputerName -username domainadmin -ou "CN=Computers,OU=Macs,DC=example,DC=com"
  Optional flags:
  -password adminpass: pass the Domain Admin password (otherwise prompted)
  -mobile enable: create a mobile account on login
  -groups "DOMAIN\Domain Admins,DOMAIN\macadmins": grant AD groups local administrative rights
  -useuncpath enable: use the Home Directory listed in AD for the user
  -protocol smb: set the home directory mounting protocol (SMB or AFP)
Unbinding a computer from AD:
  dsconfigad -remove -force -username administrator
Show current AD plugin status:
  dsconfigad -show
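Putting the network checks and the bind command together, as an added example that is not the presenter's own script: it verifies that the domain resolves and that the Mac's clock is within Kerberos tolerance of a DC (read anonymously from the LDAP rootDSE) before running dsconfigad with the flags from the slide. The domain example.com, the DC hostname dc01.example.com and the NetBIOS name EXAMPLE are assumptions.

```shell
#!/bin/sh
# Added example for this talk (not the presenter's script): check DNS and clock skew
# against a domain controller, then bind with the dsconfigad flags from the slide.
# Assumed values: domain example.com, DC dc01.example.com, NetBIOS name EXAMPLE.
set -eu
DOMAIN="example.com"
DC="dc01.example.com"                           # assumption: any DC answering LDAP
OU="CN=Computers,OU=Macs,DC=example,DC=com"
ADMIN_GROUPS="EXAMPLE\\Domain Admins,EXAMPLE\\macadmins"
MAX_SKEW=300                                    # Kerberos allows about 5 minutes
# Succeeds when two epoch timestamps differ by at most $3 seconds.
check_time_skew() {
    d=$(( $1 - $2 )); if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -le "$3" ]
}
# Converts an AD rootDSE currentTime value (e.g. 20140401120000.0Z) to a Unix epoch
# in pure shell arithmetic, so it behaves the same under BSD and GNU userlands.
ad_time_to_epoch() {
    t=${1%%.*}
    y=$(( ${t%??????????} + 0 ))
    m=${t#????};        m=${m%????????};  m=$(( ${m#0} + 0 ))
    dd=${t#??????};     dd=${dd%??????};  dd=$(( ${dd#0} + 0 ))
    hh=${t#????????};   hh=${hh%????};    hh=$(( ${hh#0} + 0 ))
    mi=${t#??????????}; mi=${mi%??};      mi=$(( ${mi#0} + 0 ))
    ss=${t#????????????};                 ss=$(( ${ss#0} + 0 ))
    if [ "$m" -le 2 ]; then y=$(( y - 1 )); mm=$(( m + 9 )); else mm=$(( m - 3 )); fi
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    doy=$(( (153 * mm + 2) / 5 + dd - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mi * 60 + ss ))
}

# Reads the DC's clock anonymously from the LDAP rootDSE (macOS ships ldapsearch).
dc_epoch() {
    ldapsearch -LLL -x -H "ldap://$DC" -s base -b '' currentTime |
        sed -n 's/^currentTime: //p' | { read -r ct; ad_time_to_epoch "$ct"; }
}

# Pre-flight, then bind. The admin password is prompted by dsconfigad rather than
# passed with -password, so it never shows up in `ps` or the shell history.
bind_mac() {
    host "$DOMAIN" >/dev/null || { echo "DNS lookup of $DOMAIN failed" >&2; return 1; }
    if ! check_time_skew "$(date +%s)" "$(dc_epoch)" "$MAX_SKEW"; then
        echo "clock skew vs $DC exceeds ${MAX_SKEW}s; fix NTP before binding" >&2; return 1
    fi
    dsconfigad -add "$DOMAIN" -computer "$1" -username "$2" -ou "$OU" \
        -mobile enable -useuncpath enable -protocol smb -groups "$ADMIN_GROUPS"
    dsconfigad -show
}
if [ $# -eq 2 ]; then bind_mac "$1" "$2"; fi    # usage: sh bind.sh MACNAME domainadmin
```

Run it as root on the Mac being bound; the functions can also be sourced on their own to test the skew check without touching the system.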

Things to know about AD Accounts on OSX
- Windows GPOs do not apply to OSX
- Password policies are enforced
  - Expiration warnings on login will occur
  - Mac users are terrible about logging off at the end of the day
  - Keychain issues occur when the password is changed server-side or on a PC. OSX 10.9+ has Local Items keychain issues also
  - Consider ADPassMon2: http://macmule.com/2014/04/01/announcing-adpassmon-v2-fork/
- Mobile accounts are cached credentials. Enabled by default in Windows, this is disabled by default in OSX.
- Explicitly assign the current user to the local admin group:
  dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin

OSX Keychains
- OSX stores saved passwords, certificates, and other authentication tokens in Keychains. If the keychain is unlocked, the user has automatic access to the saved passwords
- Main keychains:
  - login: the user's default keychain, created with the same password as the user's account password. On login the user's account password is applied to the login keychain in an attempt to unlock it
  - system: the computer's default keychain. Anything saved here works for all users on the machine. For example: AD machine credentials, wifi passwords, installed certificates
  - Local Items: new with 10.9+, used by iCloud Keychain syncing
- View keychains in Keychain Viewer (/Applications/Utilities)

Single Sign On (SSO)
- OSX relies on Kerberos for SSO with Active Directory
  - Reduces the number of saved passwords in the Keychain
  - Supported by Outlook 2011, Lync, others
  - Print server and file server authentication
- OSX receives a Kerberos ticket from AD at login
- Manage tickets in Ticket Viewer: /System/Library/CoreServices/Ticket Viewer.app
- Kerberos via the command line:
  - klist to view any current tickets
  - kinit to pull, revoke, or modify tickets

SSO with Exchange & Outlook 2011
- Exchange needs to have Kerberos configured
  - Create an Alternate Service Account (ASA)
  - Deploy the ASA to CAS members/role
  - Convert the OAB to a web application (no longer required with Exchange 2013)
  - Assign SPNs (setspn.exe)
- Outlook 2011 account setup
  - Change the authentication method to Kerberos for the account
  - Depending on the Exchange config, may require AutoDiscovery to be disabled: http://www.officeformachelp.com/outlook/exchange/autodiscover/

SSO with Lync
- Lync Server needs to be configured for Kerberos: http://technet.microsoft.com/en-us/library/gg398976.aspx
- Lync for Mac configuration: checkbox for Kerberos under Advanced
- Troubleshooting
  - You may need to install and trust the Lync server root certificate: http://www.lynced.com.au/2014/06/install-root-certificate-onmac-osx-for.html
  - Use klist and kinit to view or recreate the Kerberos ticket

SSO with print queues
- Printers on a Windows server that require authentication
- Set up in OSX via System Preferences normally
- May require additional steps:
  - CUPS web interface
    - Run the Terminal command: cupsctl WebInterface=yes
    - Browse to http://localhost:631
    - For each printer, under Administration > Set Default Options > Policies, set Operation Policy: kerberos
    - Save settings, then disable the web interface (cupsctl WebInterface=no)
  - Command line
    - lpstat -a (show list of all printers)
    - lpadmin -p <printer name> -o auth-info-required=negotiate
- Other printing options
  - LPD queues (UNIX printing enabled on the Windows server)
  - Direct to IP printing (last resort)
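The command-line path from the slide, applied to every Windows queue at once, as an added example that is not from the talk: it reads lpstat -v, keeps only queues whose device URI is smb:// (the ones on a Windows print server) and sets auth-info-required=negotiate on each, so CUPS uses the login Kerberos ticket instead of prompting for a password. The sample lpstat -v output, queue names and server name are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): switch every Windows print queue on this Mac to
# Kerberos authentication with lpadmin, leaving IPP, LPD and direct-IP queues alone.
# The lpstat -v sample below is constructed; queue and server names are assumptions.
set -eu

# Reads `lpstat -v` lines ("device for NAME: URI") on stdin and prints the names of
# queues whose device URI is smb://, i.e. the ones served by a Windows print server.
smb_queues() {
    while IFS= read -r line; do
        case "$line" in
            "device for "*": smb://"*) q=${line#device for }; echo "${q%%:*}" ;;
        esac
    done
}

# Applies the slide's lpadmin setting to each SMB queue so CUPS presents the user's
# Kerberos ticket (negotiate) instead of prompting for and storing a password.
set_kerberos_auth() {
    lpstat -v | smb_queues | while IFS= read -r q; do
        lpadmin -p "$q" -o auth-info-required=negotiate
        echo "queue $q now authenticates with Kerberos"
    done
}

# Constructed sample of lpstat -v output for a dry run; only the smb:// queues match.
SAMPLE='device for HR_Laser: smb://printsrv.example.com/HR_Laser
device for Lab_Color: ipp://192.0.2.10/ipp/print
device for Finance_MFP: smb://printsrv.example.com/Finance_MFP
device for Plotter: lpd://printsrv.example.com/Plotter'

case "${1:-}" in
    --apply)   set_kerberos_auth ;;                      # run as root on the Mac
    --dry-run) printf '%s\n' "$SAMPLE" | smb_queues ;;   # HR_Laser, Finance_MFP
esac
```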

Windows File Shares
- Macs support SMB
  - Leveraged Samba in 10.2-10.6, supported SMBv1
  - SMB stack custom-built by Apple in 10.7, supporting SMBv2
  - SMB replaced AFP as the default protocol in 10.9
  - SMB3 support in Yosemite (OSX 10.10)
- DFS shares supported in 10.7+
- OSX mounts shares directly, cannot mount a nested folder
- OSX 10.9+ may take a long time to display SMB folder contents
  - Workaround: force an SMB1 connection via CIFS:// rather than SMB://
  - Permanent fix: update the file server registry to increase SMB credits
    HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
      Smb2CreditsMin REG_DWORD = 768 (decimal)
      Smb2CreditsMax REG_DWORD = 16384 (decimal)

Apple Remote Desktop
- Paid-for app in the App Store, requires OSX: 599,00 kr ($80 USD)
- Manage unlimited client machines
- Client software built into OSX
- Push out installs, patches, scripts. Any .pkg or .mpkg installer
- Remote view/control
- Pull software and hardware reports
- Task Server to schedule tasks

ARD under the hood
- ARD networking
  - Uses VNC (port 5900)
  - Can use multicast for install/copy jobs
  - Can encrypt all network traffic (reduces performance)
- Client enabled in System Preferences > Sharing > Remote Management
- Configure via the command line: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
  http://support.apple.com/kb/ht2370

Desktop Management
- Profiles via MDM server
  - OSX 10.7 or later
  - Adjust settings, system configuration
  - Local security settings
  - Applied to user or computer groups
  - Same as deploying profiles to iOS
- Managed Preferences (MCX)
  - Legacy system, requires OSX Server and Workgroup Manager
  - Common in Education for desktop security
  - Push out custom preference files for third-party apps (plist)

Charles Firth Thanks for Attending! Feel free to contact me: charles@firthconsulting.com