Monday, February 23, 2009
In November of 2008, I blogged about Strong Authentication for the Mac, explaining the benefits of using a Smartcard to log in to Active Directory and why customers should leverage a Smartcard for strong authentication on the Mac. I am pleased to announce that we've just released DirectControl 4.2.0 for OS X, which enhances our Mac smartcard support, along with two new informative "Video Chalktalks" on our smartcard support: Introducing Active Directory Integration with Mac Smartcards and Architecture and Authentication Flow for Smartcard login to Active Directory. This new release and the two Video Chalktalks are a must-have and a must-watch for Federal customers looking for secure integration of their Department of Defense (DOD) Common Access Cards (CAC) with their Apple Macintosh computers running OS X 10.5 and above.
Smartcards are really the most secure form of user authentication, since they require the user both (a) to have their smartcard with them (it is usually also configured to act as their photo ID badge, ensuring that they keep it with them at all times) and (b) to know the unlocking PIN. This provides an ATM-style experience for access to the computer being protected.
Providing users with a strong authentication solution such as this is increasingly important once all systems within an enterprise are integrated into a common Directory for user authentication and access management. In fact, in all of the US Department of Defense (DOD) agencies as well as Federal agencies, a Common Access Card (aka CAC card) or Personal Identity Verification card (aka PIV card) is required for photo ID, building access and logical access purposes. With DirectControl 4.2 for OS X, Centrify provides one of the missing components for these high-security organizations to embrace or adopt Mac workstations: Smartcard Login to Active Directory. Technically you may hear this called PKINIT, which is the function of authenticating to Active Directory with a PKI certificate. Call it "CAC with Mac" :-)
If you are interested in learning more, I'd encourage you to watch our Video Chalktalks on Smartcard Login for Mac. In the first video we talk about what smartcards are and how they can be used to log in to Active Directory, explaining the components involved, from the setup of a new environment through to the smartcard login to AD that yields a Kerberos ticket. A smartcard environment supporting login to Active Directory can certainly seem complex at first, but once you understand the basic operation and see how administration can be simplified, you'll appreciate the simplicity of using DirectControl for OS X. We've worked to make sure that supporting Smartcard login to Active Directory is just as simple as on a Windows machine: join it to Active Directory, set a Group Policy, and it just works.
In the second video, Paul Moore, our CTO, explains what is going on behind the scenes to make all this work and what Centrify provides by integrating into the Apple Keychain and Smartcard functions. This will give you the nitty-gritty on setting up CAC access on your Mac. He also explains how security is verified throughout the login process, which ensures that a smartcard is allowed to log in only if the user knows its PIN and the card is trusted, has not been tampered with, has not been revoked, and was issued to the proper user, whether online or, as is often the case with laptops, offline.
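To make the checks described above concrete, here is an added illustration (not Centrify or DirectControl code) of a logon decision that admits a card only when the PIN was accepted, the issuer is trusted, the certificate signature and validity period check out, the certificate is not on the issuer's CRL, and its UPN matches the account being logged on. The issuer names, serials, UPNs, dates and the offline CRL maximum age are constructed assumptions; the page does not specify these values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Cert:
    issuer: str
    serial: int
    upn: str                  # user principal name from the SAN extension
    not_before: datetime
    not_after: datetime
    signature_valid: bool     # outcome of verifying the chain to the issuer

@dataclass
class Crl:
    issuer: str
    this_update: datetime     # when the CRL was published
    revoked_serials: set = field(default_factory=set)

TRUSTED_ISSUERS = {"CN=Example DoD CA-01"}   # constructed trust anchor name
OFFLINE_CRL_MAX_AGE = timedelta(days=7)      # constructed policy for cached CRLs

def evaluate_logon(cert, crl, account_upn, pin_ok, now, online):
    """Return (allowed, reason); every check must pass, first failure wins."""
    if not pin_ok:
        return False, "PIN rejected by card"
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, "issuer not trusted"
    if not cert.signature_valid:
        return False, "certificate signature invalid"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside validity period"
    if crl is None or crl.issuer != cert.issuer:
        return False, "no revocation data for issuer"
    if not online and now - crl.this_update > OFFLINE_CRL_MAX_AGE:
        return False, "cached CRL too old for offline logon"   # offline edge case
    if cert.serial in crl.revoked_serials:
        return False, "certificate revoked"
    if cert.upn.lower() != account_upn.lower():
        return False, "certificate not issued to this account"
    return True, "logon permitted"

# Constructed sample data for a stand-alone run.
NOW = datetime(2009, 2, 23, tzinfo=timezone.utc)
CA = "CN=Example DoD CA-01"
GOOD = Cert(CA, 1001, "jdoe@example.mil", NOW - timedelta(days=30), NOW + timedelta(days=700), True)
REVOKED = Cert(CA, 1002, "jdoe@example.mil", NOW - timedelta(days=30), NOW + timedelta(days=700), True)
FRESH_CRL = Crl(CA, NOW - timedelta(days=1), {1002})
STALE_CRL = Crl(CA, NOW - timedelta(days=30), {1002})

if __name__ == "__main__":
    print(evaluate_logon(GOOD, FRESH_CRL, "JDoe@example.mil", True, NOW, True))
    print(evaluate_logon(GOOD, STALE_CRL, "jdoe@example.mil", True, NOW, False))
```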
Thanks to David McNeely, our Director of Product Management for our Mac solutions, for helping me to explain this!