“Enabling [Group Policy] support in our tests was as simple as adding the centrifydc.adm template to a new GPO. We were surprised by just how many options you can configure, including password policies and UNIX login settings.”
Darren Ehmke & Eric B. Rux, Windows IT Pro Magazine
Quoted from a review naming Centrify DirectControl as Editor's Choice for cross-platform identity management solutions for single sign-on
Centrify DirectControl delivers the industry's most comprehensive support for extending Group Policy to non-Windows systems. It is the only solution to provide both user and computer policies, Mac-specific desktop lockdown policies, and advanced features such as group filtering and loopback processing. Group Policy functionality is seamlessly integrated into the all-in-one DirectControl Agent; there's nothing else to buy, nothing else to install. DirectControl is the only solution that provides authentication, access control, and Group Policy for non-Microsoft systems as a single, seamlessly integrated agent.
With DirectControl you can use Active Directory Group Policy to centrally enforce security and configuration policies across your UNIX, Linux and Mac systems.
When combined with DirectControl's unique Zone technology, Group Policy gives you granular control over Zones of related UNIX, Linux and Mac computers. By adding a Zone to an Active Directory Computer Group, you can strengthen security by ensuring all computers in that Zone share a consistent configuration and that updates propagate securely to every computer in that Zone.
On Windows computers, Group Policy works by forcibly setting user and computer registry keys. Since almost all of a Windows system is configured through registry settings, this is a very natural and simple way to enforce almost any policy.
On UNIX, Linux and Macintosh computers, there is no equivalent to the Windows registry. The de-facto standard for configuration is through text-based configuration files. To enforce Active Directory's Group Policies on these non-Microsoft platforms, DirectControl creates a "virtual registry" to hold the Group Policy configuration settings that apply to that managed system and the users logging in to it. For each configurable application that a policy applies to, DirectControl provides a specific mapping program that translates these virtual registry settings and updates the appropriate configuration file for that application with the settings defined by the policy.
On each DirectControl-managed computer, the DirectControl Agent is responsible for contacting Active Directory to determine the relevant policies and copying them down to a set of virtual registry files. These policy files are refreshed in the same way they are on Windows systems: when a user logs in, on computer restart, and at periodic intervals defined by Group Policy. Administrators can also update Group Policy on demand.
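The mapping step described above can be sketched as follows. This is an added example, not Centrify's code: the `key=value` virtual registry layout, the `ssh/` prefix, and the function names `parse_registry` and `apply_policy` are assumptions for illustration, and the target is an sshd_config-style file where the first occurrence of a directive wins and anything after a `Match` line is conditional.

```python
# Constructed sample of a "virtual registry" file; the key=value layout is an
# assumption for illustration, not DirectControl's actual on-disk format.
SAMPLE_REGISTRY = """\
# computer policy: ssh
ssh/PermitRootLogin=no
ssh/MaxAuthTries=3
"""

# Constructed sample sshd_config with a duplicate directive and a Match block.
SAMPLE_CONFIG = """\
Port 22
permitrootlogin yes
#MaxAuthTries 6
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

def parse_registry(text, prefix="ssh/"):
    """Return {directive: value} for entries under the given policy prefix."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix) and "=" in line:
            key, value = line[len(prefix):].split("=", 1)
            policy[key.strip()] = value.strip()
    return policy

def apply_policy(config, policy):
    """Enforce policy directives in the global section; keep other lines."""
    wanted = {k.lower(): (k, v) for k, v in policy.items()}
    out, done, in_match = [], set(), False
    for line in config.splitlines():
        words = line.split()
        key = words[0].lower() if words else ""
        if key == "match" and not in_match:
            # Directives after Match are conditional, so add missing ones first.
            out += [f"{k} {v}" for lk, (k, v) in wanted.items() if lk not in done]
            done |= set(wanted)
            in_match = True
        if in_match or key not in wanted:
            out.append(line)
        elif key not in done:
            out.append("%s %s" % wanted[key])  # sshd uses the first occurrence
            done.add(key)
        # Later duplicates of a managed directive are dropped.
    out += [f"{k} {v}" for lk, (k, v) in wanted.items() if lk not in done]
    return "\n".join(out) + "\n"
```

Running the mapper a second time over its own output leaves the file unchanged, which is what lets it be re-applied on every policy refresh.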
DirectControl's Group Policy feature has been designed so that it integrates seamlessly with existing Group Policy features in Active Directory. Your policies for UNIX, Linux and Macintosh computers and users will work just like Windows policies do in terms of how they are linked to targets (sites, domains, organizational units, groups and individual users or computers), how these settings are inherited, and so on within Active Directory. The Windows default administrative template even has some settings, particularly those that specify refresh intervals for policy updates, that DirectControl will apply to the UNIX, Linux and Mac systems it manages for a consistent global policy.
Just like Windows policies, DirectControl policies are used in two ways:
DirectControl delivers a streamlined Group Policy Object Editor interface that makes it easy to create and edit Group Policies within the standard GPO Editor. It provides a rich editing environment for many policies where multiple lines of text need to be entered or edited after initial entry, such as the sudo or firewall policies. In addition to the new user interface, DirectControl 4 also provides several new and improved Group Policies, including ones to control SSH settings, set sudo rights, and copy files.
Free-form editing, a syntax checker, and the ability to insert all standard commands and Active Directory object names make it easy to manage Sudo Group Policies for fine-grained privilege management.