Centrify for Mac OS X

Active Directory Integration for Mac OS X

Centrify for Mac OS X enables a Macintosh OS X computer to participate seamlessly in a Windows Active Directory domain, with advanced Windows Group Policy support for desktop lockdown.

DirectControl does a better job of integrating the Mac experience with Windows than any other solution.

Jonathan Hassell, SearchWindowsServer.com

Centrify DirectControl enables Active Directory-based authentication and access control for the most recent versions of both PowerPC- and Intel-based Mac systems and is the first and most robust solution that enables IT managers to centrally secure and configure Mac systems through Windows Group Policy. IT managers can streamline operations and strengthen security by establishing a single point of administration — Active Directory. And end-users gain single sign-on to their Macs through their Active Directory account.


Features and Benefits for IT Managers

Strengthen Security

DirectControl enables you to strengthen security and enhance IT efficiency in the following ways.

DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access ... particularly for systems administrators who are unfamiliar with Mac OS X.

Ryan Faas, ComputerWorld

  • Extend centralized, Active Directory-based single sign-on (SSO) to Mac users — no more manual provisioning of local accounts that may live on even after an employee leaves the company.
  • Use DirectControl's patented Zone technology to enable users to log on only to the Mac systems they really need to access.
  • Deploy a FIPS-certified solution that meets the highest levels of security requirements.
  • Delegate administration of Mac systems to individuals without giving them privileges on any other systems.
  • Use DirectControl's built-in reporting to verify for auditors who has access to which systems.
  • Globally enforce Active Directory-defined password policies, regardless of where users log in.
  • Enable offline login to Mac laptops with cached credentials (similar to Windows XP) without creating an account on the local computer.

Enhance IT Efficiency

  • Use Windows Group Policy to configure Mac systems centrally from Active Directory: control DirectControl configuration; lock down System Preferences; enforce screensaver locking, and more. See the discussion of configuring Macs using Windows Group Policy for more details.
  • Flexibly configure automounts using Group Policy. For example, you can specify which file servers are mounted at login time, and mount the user's home directory on the desktop.
  • Enable Mac OS X systems to transparently connect to network file shares hosted on Microsoft Distributed File System (DFS) volumes.
  • Using DirectControl's support for Apple's FileVault 2 full disk encryption, enable authorized Active Directory user accounts to unlock and access encrypted disks.
  • Configure automated certificate enrollment to support services such as 802.1X and VPN. When configured using Group Policy, Centrify-managed services can automatically detect whether a service requires a machine certificate to be present. The Mac will automatically request, download and install a machine certificate into the Mac OS X keychain and make it available to that service. When a certificate reaches the end of its lifetime, the DirectControl agent on the Mac system will automatically request a new certificate and update the certificate in the keychain.
  • Using Centrify's patented Zones technology, configure Macs to allow only certain users or groups to log on. This can be used to define certain Macs as "Executive Access," where only a single employee can log on. It is also ideal for implementing departmental-level Mac solutions where only members of a given department can log in.

Smart Card Support

“We're thrilled that Centrify has taken advantage of the interoperability of Mac OS X to deliver a two-factor smart card authentication solution.”

Ron Okamoto
Vice President of Worldwide Developer Relations, Apple Computer

DirectControl for Mac OS X provides full smart card support on Mac OS X 10.6, 10.7, and 10.8 for all CAC, CACNG, and PIV smart cards. This includes the Oberthur ID One 128 v 5.5 Dual Smart Card. In addition, Centrify's support for the U.S. Department of Defense's Common Access Card (CAC) standard is certified by the Joint Interoperability Test Command (JITC), bringing Mac OS X systems into compliance with HSPD-12. No special user configuration is required on the local system because all authentication and access control data is stored in Microsoft Active Directory. DirectControl supports both online and offline login with smart cards. This would enable an organization to, for example, require users logging on to a Macintosh on an airplane to authenticate using their smart card.

To streamline deployment of smart card-protected systems, DirectControl automates the configuration of the system to support smart card login as well as to ensure that the system trusts the root certificate authorities that are trusted by Active Directory when a Macintosh joins the domain. Active Directory enforces smart card access to Windows systems through the Account option "Smart card is required for interactive logon" policy. DirectControl enforces this policy on Mac OS X systems as well, giving you the ability to enforce smart card access consistently across your organization.

DirectControl also provides Group Policies to enable centralized management of smart card login. These Group Policies can be used to require a Macintosh system to go into screen lock or to force a logout when the smart card is removed from the reader during a session. This policy enforcement on Mac OS X systems enables organizations to easily enable the secured usage of Mac systems within their Windows environments leveraging the same tools, procedures and policies that they are already familiar with today.
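The two paragraphs above describe the account option "Smart card is required for interactive logon" being honoured on a Mac the same way a Windows workstation honours it. Active Directory stores that option as a bit in the user's userAccountControl attribute, alongside the disabled and locked-out bits, so a domain-joined client decides which login methods to offer by decoding that attribute. The following Python is an added illustration of that decision, written for this page and not Centrify's code; the flag values are the documented ADS_UF_* constants, and the directory entries are constructed sample data.

```python
"""Decide which interactive login methods a managed Mac may offer an AD account.

Added example, not Centrify code. It models the rule described on the page:
Active Directory expresses "Smart card is required for interactive logon"
as a flag in the user's userAccountControl attribute, and a domain-joined
Mac should honour that flag exactly as a Windows workstation does.
"""
from dataclasses import dataclass

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
SMARTCARD_REQUIRED = 0x40000


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    methods: tuple   # authentication methods the login window may offer
    reason: str


def parse_uac(raw: str) -> int:
    """LDAP returns userAccountControl as a decimal string; convert it to an int."""
    return int(raw.strip())


def decide_login(uac: int, *, smartcard_present: bool, offline: bool = False) -> LoginDecision:
    """Return the login methods permitted for an account with this userAccountControl.

    uac:               integer value of the account's userAccountControl attribute
    smartcard_present: whether a card is inserted in the reader at login time
    offline:           True when no domain controller is reachable; the page states
                       smart card login also works offline, so only the credential
                       source (cached versus online) changes, not the decision
    """
    if uac & ACCOUNTDISABLE:
        return LoginDecision(False, (), "account disabled in Active Directory")
    if uac & LOCKOUT:
        return LoginDecision(False, (), "account locked out")
    if uac & SMARTCARD_REQUIRED:
        # Password login must never be offered, even if the user knows a password.
        if not smartcard_present:
            return LoginDecision(False, (), "smart card required for interactive logon")
        source = "cached" if offline else "online"
        return LoginDecision(True, ("smartcard",), f"smart card mandatory ({source} validation)")
    # Password is acceptable; a card, if present, is an allowed alternative.
    methods = ("password", "smartcard") if smartcard_present else ("password",)
    return LoginDecision(True, methods, "password login permitted by account policy")


# Constructed sample directory entries (sAMAccountName -> userAccountControl as LDAP string).
SAMPLE_DIRECTORY = {
    "alice": str(NORMAL_ACCOUNT | SMARTCARD_REQUIRED),   # "262656": card mandatory
    "bob":   str(NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD),   # "66048": password allowed
    "carol": str(NORMAL_ACCOUNT | ACCOUNTDISABLE),       # "514": disabled
}


def evaluate_directory(entries: dict, *, smartcard_present: bool) -> dict:
    """Map each account name to its LoginDecision for the current reader state."""
    return {
        name: decide_login(parse_uac(raw), smartcard_present=smartcard_present)
        for name, raw in entries.items()
    }


if __name__ == "__main__":
    for present in (False, True):
        print(f"--- card inserted: {present}")
        for name, decision in evaluate_directory(SAMPLE_DIRECTORY, smartcard_present=present).items():
            print(f"{name:6} allowed={decision.allowed!s:5} methods={decision.methods} ({decision.reason})")
```

The check runs against the attribute value the agent already reads from the directory, so no per-machine configuration is involved: changing the account option in Active Directory Users and Computers changes the result on every joined Mac at the next login.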

U.S. federal employees, or those who do business with federal organizations, can take advantage of Centrify's free solution for smart card authentication, Centrify Express for Smart Card.


Streamlined Deployment and Workstation Mode

Centrify DirectManage Deployment Manager can automatically detect Mac OS X systems within your environment and test them for readiness to join Active Directory, helping you identify and eliminate many common issues (such as DNS configuration problems) that slow down deployment of the Centrify DirectControl agent. Deployment Manager can then remotely install DirectControl on these Mac systems, automatically downloading the most current version for you from the Centrify website. You can also centrally update DirectControl on these systems as new releases become available.

The Centrify DirectControl for Mac OS X installation program is also provided in universal binary format, making it easy to deploy DirectControl on individual systems or across the enterprise. On individual systems, a graphical, interactive installation program walks users through the setup. System administrators can also extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify website for instructions. The installation package can also be distributed using third-party systems management solutions such as LanREV.

In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl's workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters.

Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode.

A major advantage of workstation mode is that the installation process has been streamlined. You do not need to install the Centrify Administrator's Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. During workstation installation, Macs are not added to a DirectControl Zone, but if you want to use patented Zone technology to limit access to Macs to a select set of users or groups, it is easy enough to install the Centrify Administrator Console and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed.

How DirectControl Differs from Other Solutions

Other solutions for integrating Macintoshes with Active Directory offer only limited integration. DirectControl is unique in its approach to providing enterprise-ready features for IT organizations responsible for managing large numbers of Mac systems.

  • DirectControl's unique Zone technology enables granular access control and delegated administration that is simply not available in any other solution. You can create collections of Mac systems that can each have their own set of authorized users and administrators. Universities find this feature particularly helpful in setting up security boundaries around Macintosh labs while not exposing Macs in administrative offices to unauthorized access, but any organization with Macs that are "owned" by different departments will find they can centrally manage them without compromising security or flexibility and without stripping current system admins of their privileges.
  • No other solution delivers the ease of use and robustness of DirectControl's Group Policy for the Mac. Other centralized management solutions require extensive Active Directory schema extensions or the deployment of additional server infrastructure. DirectControl leverages the native Active Directory interface and open scripting standards, giving IT managers a single tool for policy management. And DirectControl delivers a wide variety of policies tailored specifically for IT managers who need control over these workstations.
  • DirectControl for Mac is part of a comprehensive solution for integrating non-Microsoft systems with Active Directory. Instead of a point solution dedicated strictly to the Mac, you have a single solution for UNIX and Linux systems as well.
  • DirectControl consistently enforces password policies across all systems. Other solutions are limited in their ability to enforce periodic password changes, permit changes on all systems, or require passwords to unlock system screensavers.
  • DirectControl provides true central management over UIDs and GIDs, which is critical to ensuring seamless access to shared network resources. Other solutions require you to manage these settings locally on each computer.

Benefits for End-Users

End-users will be glad to know that DirectControl brings them the following benefits as well:

  • You have only one user ID and one password to remember.
  • You can log in to any computer (Macintosh or Windows) that belongs to the management Zones to which you have been assigned, regardless of whether you have ever logged into that system before.
  • There is no effect on the way you work; the DirectControl Agent that is installed on your computer seamlessly and transparently connects you to the greater Windows world without affecting any other system components.
  • If you are a lone Macintosh user or part of a small group within a Windows-based organization, you can easily install DirectControl yourself and work with your system administrator to integrate your system with Active Directory.

Supported Platforms

Centrify for Mac Supported Versions

Operating System   Version                                  32-bit      64-bit
Apple Mac OS X     10.4, 10.5 on PPC                        Supported
Apple Mac OS X     10.4, 10.5, 10.6, 10.7, 10.8 on Intel    Supported   Supported