Tom Kemp's Centrify Blog

Comparing DirectControl to the Apple Active Directory ("AD") Plug-In

Wednesday, July 1, 2009

I recently saw an article on options for integrating Macs in a Windows environment. The article noted that "Apple has offered an Active Directory plug-in ever since Mac OS X 10.3" but pointed out a key area that the Apple AD plug-in doesn't provide, namely Group Policy. I want to use this blog post to talk about the differences between our solutions and why some customers choose Centrify DirectControl over "what comes in the box."

First some background: I recently saw that Jonathan Hassell, a contributing author at SearchWindowsServer, wrote an article entitled "Using Active Directory to manage Macs in a Windows environment." He spells out the capabilities that Apple provides, for free, in terms of integrating with Active Directory, and then asks:

"So what can't the plug-in do? Namely, Group Policy. More specifically, the Mac OS X client can't natively consume Group Policy Objects (GPOs), meaning much of the power of AD outside of the directory service is lost on Macs without the use of third-party solutions. You still need a package that can manage your Macs, even if they can authenticate to the Windows directory service."

[One should point out that Apple provides their customers with a solution for managing the various configuration settings and user preferences based on their MCX policy enforcement subsystem. And since their target customer profile is one in which you find a majority of Mac administrators, the tool used to manage these policies is, as expected, a Mac application called Workgroup Manager.]

Jonathan goes on to describe commercial third-party products that go beyond what Apple's AD plug-in provides and concludes (much to my delight!):

"DirectControl does a better job of integrating the Mac experience with Windows than any other solution. It installs as a plug-in on the client and adds a collection of GPOs to the server that can then talk to that Mac client plug-in. It does this by copying a registry file, interpreting and reformatting that file into Apple's MCX architecture and format, and importing that to the workstation.

As a result, native Windows administrators can use the tools and functionality familiar to them to manage both Macs and Windows from a single pane of glass. If your organization uses smart cards for authentication, DirectControl can handle that on the Mac as well."

For those who are not familiar with Centrify's cross-platform Group Policy support, our AD-centric customers use it to enforce centralized configuration and lock down desktops on Mac systems. Our customers usually have administrators who are familiar with Windows-based administration tools and prefer to minimize any retraining and reuse the tools they already know to centrally manage configuration preferences and policy settings. Since the majority of Windows-centric enterprises with any decent population of workstations are already using Group Policy to manage the configuration of, and lock down, their Windows systems, they find that DirectControl lets them simply use the same tool to manage Mac systems in the same way as Windows systems.

Certainly the question remains: if you have Mac administrators on staff, how do you choose between the management that Apple provides and the Centrify Group Policy-based solution? One thing to consider is that the Apple Workgroup Manager solution not only requires Mac administrators, but also requires either (a) an extensive schema modification in order for it to be used with Active Directory or (b) a parallel Open Directory infrastructure, in both cases to store and distribute the centrally defined configuration settings. The Apple-provided solution works well for environments that fit the Mac-centric administration model, but for environments where you need to empower your Windows/AD admins to take on management of Mac systems, we believe Group Policy management via DirectControl is the better choice. For more information on our Mac Group Policy support, click here.

Besides Group Policy, there are a few other key reasons that Apple Mac OS X customers are looking to pay for Centrify DirectControl instead of using the free Apple AD plug-in. But before I go into that, let me be clear that my goal in this post is not to criticize Apple. In fact, Apple provides the best Active Directory authentication integration compared to what you get in the box with Ubuntu, SUSE, Red Hat, Solaris, etc. This is based on our observation that prospective Apple customers of ours consider the Apple AD plug-in a valid alternative to Centrify in proportionally more instances than, say, prospective Linux customers of ours who are comparing our technology to what comes with Linux systems or with open source solutions.

So before I delve into additional feature differences, stepping back, I think the fundamental difference between what Centrify offers and what any OS vendor (e.g. Apple) offers for AD integration is that as a company we are dedicated and focused on one key thing: providing the best Active Directory interoperability in the industry. We haven't found any other OS vendor that has that in its top 20 mission statements. And to us "integration" is not just about doing authentication in a simple AD environment but includes working in complex AD environments (one-way trusts, multiple domains and forests, etc.), Group Policy, Zone-based access control, authorization, privilege management, auditing, smart card login support, etc. — i.e. the full Active Directory experience that one gets on a Windows system, not just a portion of it. With the right management tools in place, it is certainly possible for an Active Directory-centric enterprise to offer end users a choice of which platform they prefer for their workstation and still get the same quality of service they've come to expect from IT.

In other words, to an OS vendor, having AD authentication is a checkbox (and many non-Microsoft OS vendors don't even have that; Apple, to its credit, does). To Centrify, AD integration is our business, and the reality is that Centrify has many times the resources working on AD integration than any OS vendor, and we see AD integration as much more than just providing a way for a non-Microsoft system to "join" an AD domain from an LDAP and Kerberos perspective. This focus is why we have more than 1000 customers - more than any other ISV who does AD interoperability.

Alright, now that I've got that clear :-) let me spell out some additional advantages of the Centrify solution:

  • Centrify supports 190+ flavors of UNIX, Linux and Mac, as well as other applications such as Apache, WebLogic, WebSphere, SAP and DB2. So Centrify provides consistency across platforms, vs. using one tool on the Mac environment, another on Red Hat, another on HP-UX, etc.
  • As with any other OS vendor, Apple's main focus is on improving the features and usability of the previous release and providing significant new value for its customers. This means that in order to get a new feature, or in many cases a significant fix, you need to upgrade to the latest OS version. This is common in the software industry for any solution. However, the DirectControl Agent is designed to work consistently on several versions of Mac OS X, including 10.3, 10.4 and 10.5 (yes, we are working on Snow Leopard, 10.6, now, anticipating the demand when it is released later this year). And yes, Apple is continually enhancing and improving its AD plug-in (which, per above, is focused on authentication rather than other aspects of AD integration), but those changes and enhancements typically are not back-ported to 10.4, 10.5, etc., which matters especially if you have a mix of versions in your environment. For example, we have been told by customers that DirectControl consistently enforces password policies across all systems in a much better way (e.g. enforce periodic password changes, permit changes on all systems, require passwords to unlock system screensavers, etc.). Undoubtedly the OS vendor will, in theory, eventually fix some of these specific issues (then again, maybe not), but if they are fixed, those fixes will only be in the newer versions of the OS.
  • Centrify provides an extremely flexible way of managing UIDs and GIDs within Active Directory. DirectControl provides true central management over UIDs and GIDs, which is critical to ensuring seamless access to shared network resources such as NFS-based network attached storage (NAS) systems, where file ownership is recorded by numeric ID and every client must resolve that ID to the same user. Apple does provide the ability to leverage a centrally defined UID or GID; however, these settings are managed locally on each computer.
  • DirectControl's unique patented Zone technology enables granular access control and delegated administration that is simply not available in any other solution. You can create collections of Mac systems that can each have their own set of authorized users and administrators. Universities find this feature particularly helpful in setting up security boundaries around Macintosh labs while not exposing Macs in administrative offices to unauthorized access, but any organization with Macs that are "owned" by different departments will find they can centrally manage them without compromising security or flexibility and without stripping current system admins of their privileges.
  • DirectControl enables integration with Active Directory and Group Policy without requiring schema extensions or any additional changes to your existing network infrastructure.
  • Centrify also offers comprehensive Active Directory-based smart card login support (e.g. CAC, PIV and .Net) for the Mac OS X environment providing the user with full Single Sign-on from smart card login to Active Directory through to other AD integrated applications such as Windows file servers or Exchange via Entourage 2008.
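To make the UID/GID point above concrete, here is an added example (not Centrify's or Apple's code) that audits per-host identity mappings the way a defender would before exposing an NFS share: it takes constructed `/etc/passwd`-style lines for several hosts, flags users whose UID drifts between hosts and UIDs that resolve to different users on different hosts, and shows which username a given host would display for a file owned by a given numeric UID. The host names and account lines are constructed sample data, not from the original post.

```python
"""Audit locally managed UID/GID mappings for drift and collisions across hosts.

When identity mappings are kept locally on each computer, the same username can
end up with different UIDs on different hosts, and one numeric UID can belong to
different people on different hosts. NFS stores ownership as numbers, so either
condition means a file owned by 'alice' on one host shows up as someone else's
(or as an unknown UID) on another. This script detects both conditions.
"""
from collections import defaultdict

# Constructed sample input: /etc/passwd-style lines per host (name:pw:uid:gid:...).
# alice and bob have swapped UIDs between the two Mac lab systems.
HOST_PASSWD = {
    "mac-lab-01": ["alice:x:1001:1001:Alice:/Users/alice:/bin/bash",
                   "bob:x:1002:1001:Bob:/Users/bob:/bin/bash"],
    "mac-lab-02": ["alice:x:1002:1001:Alice:/Users/alice:/bin/bash",
                   "bob:x:1001:1001:Bob:/Users/bob:/bin/bash"],
    "linux-build": ["alice:x:1001:1001:Alice:/home/alice:/bin/bash",
                    "carol:x:1003:1001:Carol:/home/carol:/bin/bash"],
}


def parse_passwd(lines):
    """Return {username: (uid, gid)} from passwd-style lines; skip malformed ones."""
    mapping = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # malformed or comment line; ignore rather than crash
        mapping[fields[0]] = (int(fields[2]), int(fields[3]))
    return mapping


def find_uid_conflicts(host_passwd):
    """Return (drift, collisions).

    drift:      {user: {uid: [hosts]}} for users whose UID differs across hosts
    collisions: {uid: {user: [hosts]}} for UIDs that name different users on
                different hosts
    """
    by_user = defaultdict(lambda: defaultdict(list))
    by_uid = defaultdict(lambda: defaultdict(list))
    for host, lines in host_passwd.items():
        for name, (uid, _gid) in parse_passwd(lines).items():
            by_user[name][uid].append(host)
            by_uid[uid][name].append(host)
    drift = {u: dict(m) for u, m in by_user.items() if len(m) > 1}
    collisions = {uid: dict(m) for uid, m in by_uid.items() if len(m) > 1}
    return drift, collisions


def resolve_uid(host_passwd, host, uid):
    """Username that `host` would show for a file owned by numeric `uid`, or None."""
    for name, (u, _gid) in parse_passwd(host_passwd[host]).items():
        if u == uid:
            return name
    return None  # host has no account for this UID; ls would print the raw number


def report(host_passwd):
    """Human-readable summary of the audit; returns the number of findings."""
    drift, collisions = find_uid_conflicts(host_passwd)
    for user, uids in sorted(drift.items()):
        print(f"DRIFT user {user}: " + ", ".join(
            f"uid {uid} on {hosts}" for uid, hosts in sorted(uids.items())))
    for uid, users in sorted(collisions.items()):
        print(f"COLLISION uid {uid}: " + ", ".join(
            f"{user} on {hosts}" for user, hosts in sorted(users.items())))
    return len(drift) + len(collisions)


if __name__ == "__main__":
    report(HOST_PASSWD)
    # A file alice creates on mac-lab-01 is owned by uid 1001; on mac-lab-02
    # that UID resolves to bob, so bob would own (and could read) it over NFS.
    print("uid 1001 on mac-lab-02 resolves to:", resolve_uid(HOST_PASSWD, "mac-lab-02", 1001))
```

The two checks answer different questions: drift tells you a user's files will change apparent owner depending on which host they log in from, while a collision tells you another person on some host will be treated as the owner of those files. Either finding is a reason to move the mapping to a central authority before that share goes live.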

So am I saying that an existing Apple customer should not consider using the Apple AD plug-in? Nope. Again, it works better than comparable plug-ins from other OS vendors. And it's free. But my caveat would be that it is probably best used in environments where you don't have a complex AD environment and have Mac administrators who are more comfortable with the "golden triangle" of Apple Workgroup Manager and Open Directory to manage your Macs than with using Group Policies. Otherwise, if you want to empower your Windows administrators to manage your Mac population, you probably want to consider Centrify, and as independent authors such as Jonathan Hassell have noted, it is the best third-party solution out there.

For more information, check out this joint webinar on Mac/Windows integration we did with Apple.
