TOM KEMP'S CENTRIFY BLOG

Locking down the Mac

Monday, May 14, 2007

Just recently we announced the shipment of an updated version of our Centrify DirectControl for Mac OS X solution. I wanted to use this blog post to provide some color commentary on what actually is in this new release, discuss what Computerworld had to say about it, and give a concrete real-world example of how one of our customers is using our product to lock down their Macs.

In this new release of DirectControl for Mac OS X we added dozens of new Group Policy objects to DirectControl's current suite of configuration and security management capabilities so that IT administrators can ensure that Macs adhere to the same best practices established for their Windows systems. With this new version we also released our initial smart card support for the Mac that we announced back at the RSA show.

As you may recall, Centrify DirectControl for Mac OS X is the first and only solution that integrates Macintoshes into Active Directory and supports Microsoft Group Policy. The Group Policies in Centrify DirectControl for Mac OS X provide IT management broad, flexible control over security settings and configuration options that Mac users have habitually managed on their own. Examples of new Group Policies added include the ability to block someone from plugging in a removable media device (e.g. a USB device) and copying files to it, preventing a certain application (e.g. iTunes) from running, and centrally controlling the Dashboard, Dock, and Spotlight utilities.

Computerworld did an in-depth review of our updated Mac support and drew the following conclusions:

"DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access ... particularly for systems administrators who are unfamiliar with Mac OS X."

And

"Having worked with various methods of supporting Macs in a Windows Server environment for years and having worked with Mac OS X Server's preferences management features, I had very high expectations for Direct Control for Mac. The product either met or exceeded my expectations, and I would highly recommend it to any company that's running Active Directory."

The reviewer also had the opportunity to spend time looking at the new Group Policies we added in this most recent release, and here is his analysis:

"Having had the opportunity to work with both the existing set of group policies and to see a preview version of the upcoming expanded set, I was amazed at Centrify's success. The experience of managing Macs was exactly the same as managing Windows computers using group policies. Any experienced Active Directory administrators, even those who have no Mac support experience, will feel completely at home. Any experienced Mac administrator will also notice that Centrify has managed to mirror the preference management component of Mac OS X Server's Workgroup Manager."

That last sentence in my mind is important — no more having to set up a separate product to do configuration management of your Macs. The bottom line is that DirectControl delivers not only Active Directory-based authentication and access control, but comprehensive configuration management as well, so IT staff can use a single tool to manage and secure a mixed Windows and Mac desktop environment.

So how are customers using this capability in a real-world environment? One customer of ours is using our Group Policy to show they are in compliance with the Center for Internet Security (CIS) Mac OS X Tiger Level Security Benchmark. This benchmark provides detailed recommendations on security settings for the Mac OS X platform. In this benchmark, specific rules are documented that should be addressed, such as:

2.4 Group: Configure locking screen saver

2.4.1 Rule: Require a password to unlock the screen saver

2.4.2 Rule: Set the screen saver to appear after a period of inactivity etc.

The problem is that on the Mac many of the remediation steps to address these rules involve user-configurable preferences. In other words, by default an individual end-user can disable the screen saver, etc. But our solution via Group Policy delivers flexible control over security settings and configuration options that Mac users have habitually managed on their own, meaning that end-users cannot override the centrally mandated security settings. With that capability, the customer is now going back to the auditor and showing that they can enforce the security benchmark that the auditor wants them to meet.

No wonder both press and customers are saying we have the industry's most comprehensive desktop lockdown solution for the Mac environment!
