Centrify DirectControl for Mac OS X

Centrify DirectControl enables Active Directory-based authentication and access control for both PowerPC- and Intel-based Mac systems and is the first and most robust solution that enables IT managers to centrally secure and configure Mac systems through Active Directory Group Policy. IT managers can streamline operations and strengthen security by establishing a single point of administration — Active Directory. And end-users gain single sign-on to their Macs through their Active Directory account. To learn more, click one of the following topics:

 

Features and Benefits for IT Managers

Strengthen Security

DirectControl enables you to strengthen security and enhance IT efficiency in the following ways.

• Extend centralized, Active Directory-based single sign-on (SSO) to Mac users — no more manual provisioning of local accounts that may live on even after an employee leaves the company.
• Use DirectControl's unique Zone technology to enable users to log on only to the Mac sytems they really need to access. (See Zone-Based Access Control for more details.)
• Delegate administration of Mac systems to individuals without giving them privileges on any other systems.
• Use DirectControl's built-in reporting to verify for auditors who has access to which systems.
• Globally enforce Active Directory-defined password policies, regardless of where users log in.
• Enable offline login to Mac laptops with cached credentials (similar to Windows XP) without creating an account on the local computer.

Enhance IT Efficiency

• Use Windows Group Policy to bulk configure Mac systems centrally from Active Directory: control DirectControl configuration and sudo settings; lock down System Preferences; enforce screensaver locking, and more. See Bulk Configuration of Macs through Group Policy for more details.
• Perform large-scale remote installation through Apple Remote Desktop. See our application note, Using Apple Remote Desktop to Deploy Centrify DirectControl, for details.
• Centrally control configuration features that previously had to be managed (if it was possible at all) at each local computer: transparent SSO to Windows files shares; home directory automounts to Windows file shares; and assignment of UIDs and the groups and theirs GIDs that are used to assign and control access for file permissions consistency.

Group Policy for Mac OS

Centrify DirectControl is the first and most robust solution that enables IT manager to centrally secure and configure Mac systems through Active Directory Group Policy. Because Mac systems are used primarily as workstations, Centrify has enriched its existing DirectControl for Mac OS solution with a set of policies that have been tailored to the needs of IT managers who are responsible for the security and configuration of these systems. Using the same Active Directory tools they use today for Windows systems, IT managers can set security and configuration policies for Mac systems without needing deep platform-specific knowledge.

With DirectControl you can deploy Group Policies to remote Mac systems using the native Active Directory Group Policy tools. DirectControl already comes with more out-of-the-box policies than any other solution, and DirectControl for Mac OS enriches the base set with additional workstation-related security and configuration policies.

Group Policy support is built into the core DirectControl for Mac OS product; there is no additional software to license, install or configure. See Group Policy for UNIX, Linux and Mac for a general overview of how Group Policies work on non-Windows systems.

Summary of Major Computer Policies

Category	Example Policies
Security	Require password to unlock each secure system preference Disable automatic login Use Secure Virtual Memory Log out after n number of minutes of inactivity Enable smart card login Require smart card login
Sharing Services	Firewall Settings Enable the firewall Firewall settings (to turn on|off firewall for each service) Block UDP traffic Enable firewall logging Enable stealth mode Services settings (to turn on|off sharing for each service)
Network	Adjust list of searched domains Adjust list of DNS servers Enable proxies (FTP, HTTP, HTTPS, etc.) Configure proxies
Firewall Settings	Enable the firewall Firewall settings (to turn on|off firewall for each service such as iChat, etc.) Block UDP traffic Enable network time Enable firewall logging Enable stealth mode
Internet Sharing	Disallow all Internet sharing
Accounts	Display Login Window settings Show the Restart, Sleep and Shutdown buttons Set the Display Banner Control the login Window to show either Name and Password or List of users Control password hint display Enable fast user switching Map Zone admin groups to local admin groups
Energy Saver Settings	Configure different energy saver settings listed below for both AC Power and Battery power Put display to sleep if inactive Put computer to sleep if inactive Put the hard disk(s) to sleep when possible Wake when the modem detects a ring Wake for Ethernet network administrator access Allow power button to sleep the computer Restart automatically after a power failure
Software Update Settings	Automatically download and install software updates Specify software update server

Summary of Major User Policies

Category	Example Policies
Application Access	Control access to specific applications Control access to UNIX tools and utilities
Desktop & Screen Saver	Enforce screen saver Screen saver timeout
Dock Settings	Dock size, magnification and position on screen Animation for application opening Auto hide the Dock Control applications displayed in the Dock Lock the Dock
Media Access Controls	Control access to CDs, CD-ROMs and DVDs Control access to recordable disks Control access to external disks (including USB Flash disks and iPods)
Mobility Sync Settings	Control home directory synchronization Control sync at login/logout as well as background Control what items will be synced and skipped
Security	Require password to wake this computer from sleep or screen saver
Software Updates	Enable automatic software updates Specify the Software Update Server for all updates
System Preference Settings	Limit which items will be shown in the System Preferences Control display of each item in System Preferences

Smart Card Support

DirectControl provides broad support for smart card login to Active Directory on Mac OS X supporting CAC, PIV and .NET smart cards. No special user configuration is required on the local system because all authentication and access control data is stored in Microsoft Active Directory. DirectControl supports both online and offline login with smart cards. This would enable an organization to, for example, require users logging on to a Macintosh on an airplane to authenticate using their smart card.

To streamline deployment of smart card-protected systems, DirectControl automates the configuration of the system to support smart card login as well as to ensure that the system trusts the root certificate authorities that are trusted by Active Directory when a Macintosh joins the domain. Active Directory enforces smart card access to Windows systems through the Account option "Smart card is required for interactive logon" policy. DirectControl enforces this policy on Mac OS X systems as well, giving you the ability to enforce smart card access consistently across your organization.

DirectControl also provides Group Policies to enable centralized management of smart card login. These Group Policies can be used to require a Macintosh system to go into screen lock or to force a logout when the smart card is removed from the reader during a session. This policy enforcement on Mac OS X systems enables organizations to easily enable the secured usage of Mac systems within their Windows environments leveraging the same tools, procedures and policies that they are already familiar with today.

Streamlined Deployment and Workstation Mode

The Centrify DirectControl for Mac OS X installation program, provided in universal binary format, makes it easy to deploy DirectControl on individual systems or across the enterprise. On individual systems, a graphic, interactive installation program walks users through the setup. System administrators can also extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify web site for instructions. The installation package can also be distributed using third-party systems management solutions such LanREV.

In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl's workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters.

Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode.

A major advantage of workstation mode is that the installation process has been streamlined. You do not need to install the Centrify Administrator's Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. During workstation installation, Macs are not added to a DirectControl Zone, but if you want to use DirectControl's unique Zone-based access controls to limit access to Macs to a select set of users or groups, it it is easy enough to install the Centrify Administrator Console and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed.

How DirectControl Differs from Other Solutions

Other solutions for integrating Macintoshes with Active Directory offer only limited integration. DirectControl is unique in its approach to providing enterprise-ready features for IT organizations responsible for managing large number of Mac systems.

• DirectControl's unique Zone technology enables granular access control and delegated administration that is simply not available in any other solution. You can create collections of Mac systems that can each have their own set of authorized users and administrators. Universities find this feature particularly helpful in setting up security boundaries around Macintosh labs while not exposing Macs in administrative offices to unauthorized access, but any organization with Macs that are "owned" by different departments will find they can centrally manage them without compromising security or flexibility and without stripping current system admins of their privileges.
• No other solution delivers the ease of use and robustness of DirectControl's Group Policy for the Mac. Other centralized management solutions require extensive Active Directory schema extensions or the deployment of additional server infrastructure. DirectControl leverages the native Active Directory interface and open scripting standards, giving IT managers a single tool for policy management. And DirectControl delivers a wide variety of policies tailored specifically for IT managers who need control over these workstations.
• DirectControl for Mac is part of a comprehensive solution for integrating non-Microsoft systems with Active Directory. Instead of a point solution dedicated strictly to the Mac, you have a single solution for UNIX and Linux systems as well.
• DirectControl consistently enforces password policies across all systems. Other solutions are limited in their ability to enforce periodic password changes, permit changes on all systems, or require passwords to unlock system screensavers.
• DirectControl provides true central management over UIDs and GIDs, which is critical to ensuring seamless access to shared network resources. Other solutions require you to manage these settings locally on each computer.

Benefits for End-Users

End-users will be glad to know that DirectControl brings them the following benefits as well:

• You have only one user ID and one password to remember.
• You can log in to any computer (Macintosh or Windows) that belongs to the management Zones to which you have been assigned, regardless of whether you have ever logged into that system before.
• There is no effect on the way you work; the DirectControl Agent that is installed on your computer seamlessly and transparently connects you to the greater Windows world without affecting any other system components.
• If you are a lone Macintosh user or part of a small group within a Windows-based organization, you can easily install DirectControl yourself and work with your system administrator to integrate your system with Active Directory.

• back to top