
Centrify DirectControl for Mac OS

"DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access ... particularly for systems administrators who are unfamiliar with Mac OS X."

Ryan Faas, ComputerWorld

Centrify has joined forces with Atempo, Group Logic, LANrev and Parallels to define a suite of solutions that help enterprises integrate Macs seamlessly along with their Windows systems.

Free On-Demand Webinar

In Centrify's "Deploying Macs in the Enterprise" webinar, Apple's Joel Rennich and Centrify's David McNeely explain what IT managers need to know in order to deploy Macs securely and manage them efficiently within an Active Directory environment.

Centrify DirectControl enables Active Directory-based authentication and access control for both PowerPC- and Intel-based Mac systems and is the first and most robust solution that enables IT managers to centrally secure and configure Mac systems through Active Directory Group Policy. IT managers can streamline operations and strengthen security by establishing a single point of administration — Active Directory. And end-users gain single sign-on to their Macs through their Active Directory account.

Features and Benefits for IT Managers

Strengthen Security

"With Centrify, we’ll know who logs in and be able to protect resources accordingly. Secondly, we wanted something that integrated easily into the Active Directory structure. And thirdly, we wanted something that was easy to deploy. I would say we’re achieving all three of those with Centrify."

Jim Thie, CIO, Habitat for Humanity
Quoted in "Managing Active Directory Users Getting Easier" by Kevin Ferguson, SearchWinIT.com

DirectControl enables you to strengthen security and enhance IT efficiency in the following ways.

  • Extend centralized, Active Directory-based single sign-on (SSO) to Mac users — no more manual provisioning of local accounts that may live on even after an employee leaves the company.
  • Use DirectControl's unique Zone technology to enable users to log on only to the Mac systems they really need to access. (See Zone-Based Access Control for more details.)
  • Delegate administration of Mac systems to individuals without giving them privileges on any other systems.
  • Use DirectControl's built-in reporting to verify for auditors who has access to which systems.
  • Globally enforce Active Directory-defined password policies, regardless of where users log in.
  • Enable offline login to Mac laptops with cached credentials (similar to Windows XP) without creating an account on the local computer.

Enhance IT Efficiency

How It Works

Centrify's David McNeely describes our industry-leading Active Directory integration for Mac OS, including its unique Group Policy support.

  • Use Windows Group Policy to bulk configure Mac systems centrally from Active Directory: control DirectControl configuration and sudo settings; lock down System Preferences; enforce screensaver locking, and more. See Bulk Configuration of Macs through Group Policy for more details.
  • Perform large-scale remote installation through Apple Remote Desktop. See our application note, Using Apple Remote Desktop to Deploy Centrify DirectControl, for details.
  • Centrally control configuration features that previously had to be managed (if it was possible at all) at each local computer: transparent SSO to Windows file shares; home directory automounts to Windows file shares; and assignment of UIDs, groups and their GIDs, which are used to assign and control access for consistent file permissions.

Group Policy for Mac OS

"Having had the opportunity to work with both the existing set of Group Policies and to see a preview version of the ... expanded set, I was amazed at Centrify's success. The experience of managing Macs was exactly the same as managing Windows computers using Group Policies."

Ryan Faas, ComputerWorld

CTO Paul Moore explains how DirectControl enables you to secure and manage non-Windows systems using Microsoft Active Directory Group Policy.

Centrify DirectControl is the first and most robust solution that enables IT managers to centrally secure and configure Mac systems through Active Directory Group Policy. Because Mac systems are used primarily as workstations, Centrify has enriched its existing DirectControl for Mac OS solution with a set of policies that have been tailored to the needs of IT managers who are responsible for the security and configuration of these systems. Using the same Active Directory tools they use today for Windows systems, IT managers can set security and configuration policies for Mac systems without needing deep platform-specific knowledge.

With DirectControl you can deploy Group Policies to remote Mac systems using the native Active Directory Group Policy tools. DirectControl already comes with more out-of-the-box policies than any other solution, and DirectControl for Mac OS enriches the base set with additional workstation-related security and configuration policies.

Group Policy support is built into the core DirectControl for Mac OS product; there is no additional software to license, install or configure. See Group Policy for UNIX, Linux and Mac for a general overview of how Group Policies work on non-Windows systems.

Summary of Major Computer Policies

Category Example Policies
Security
  • Require password to unlock each secure system preference
  • Disable automatic login
  • Use Secure Virtual Memory
  • Logout after n number of minutes of inactivity
Sharing Services
  • Firewall Settings
  • Enable the firewall
  • Firewall settings (to turn on|off firewall for each service)
  • Block UDP traffic
  • Enable firewall logging
  • Enable stealth mode
  • Services settings (to turn on|off sharing for each service)
Internet Sharing
  • Disallow all Internet sharing
Accounts
  • Display Login Window settings
  • Show the Restart, Sleep and Shutdown buttons
  • Enable fast user switching
Energy Saver Settings
  • Put display to sleep if inactive
  • Put computer to sleep if inactive
  • Put the hard disk(s) to sleep when possible
  • Wake when the modem detects a ring
  • Wake for Ethernet network administrator access
  • Allow power button to sleep the computer
  • Restart automatically after a power failure

Summary of Major User Policies

Category Example Policies
Application Access
  • Control access to specific applications
  • Control access to UNIX tools and utilities
Desktop & Screen Saver
  • Enforce screen saver
  • Screen saver timeout
Dock Settings
  • Dock size, magnification and position on screen
  • Animation for application opening
  • Auto hide the Dock
  • Control applications displayed in the Dock
  • Lock the Dock
Media Access Controls
  • Control access to CDs, CD-ROMs and DVDs
  • Control access to recordable disks
  • Control access to external disks (including USB Flash disks and iPods)
Mobility Sync Settings
  • Control home directory synchronization
  • Control sync at login/logout as well as background
  • Control what items will be synced and skipped
Security
  • Require password to wake this computer from sleep or screen saver
Software Updates
  • Enable automatic software updates
  • Specify the Software Update Server for all updates
System Preference Settings
  • Limit which items will be shown in the System Preferences
  • Control display of each item in System Preferences

Smart Card Support

"We're thrilled that Centrify has taken advantage of the interoperability of Mac OS X to deliver a two-factor smart card authentication solution."

Ron Okamoto
Vice President of Worldwide Developer Relations, Apple Computer

Centrify has announced DirectControl for Mac OS X, SmartCard Login Option, which will enable a user to log in to any DirectControl-enabled system using a smart card that supports the Department of Defense Common Access Card (CAC) standard. No special user configuration is required on the local system because all authentication and access control data is stored in Microsoft Active Directory. DirectControl supports both online and offline login with smart cards. This would enable an organization to, for example, require users logging on to a Macintosh on an airplane to authenticate using their smart card.

How DirectControl Differs from Other Solutions

Other solutions for integrating Macintoshes with Active Directory offer only limited integration. DirectControl is unique in its approach to providing enterprise-ready features for IT organizations responsible for managing large numbers of Mac systems.

  • DirectControl's unique Zone technology enables granular access control and delegated administration that is simply not available in any other solution. You can create collections of Mac systems that can each have their own set of authorized users and administrators. Universities find this feature particularly helpful in setting up security boundaries around Macintosh labs while not exposing Macs in administrative offices to unauthorized access, but any organization with Macs that are "owned" by different departments will find they can centrally manage them without compromising security or flexibility and without stripping current system admins of their privileges.
  • No other solution delivers the ease of use and robustness of DirectControl's Group Policy for the Mac. Other centralized management solutions require extensive Active Directory schema extensions or the deployment of additional server infrastructure. DirectControl leverages the native Active Directory interface and open scripting standards, giving IT managers a single tool for policy management. And DirectControl delivers a wide variety of policies tailored specifically for IT managers who need control over these workstations.
  • DirectControl for Mac is part of a comprehensive solution for integrating non-Microsoft systems with Active Directory. Instead of a point solution dedicated strictly to the Mac, you have a single solution for UNIX and Linux systems as well.
  • DirectControl consistently enforces password policies across all systems. Other solutions are limited in their ability to enforce periodic password changes, permit changes on all systems, or require passwords to unlock system screensavers.
  • DirectControl provides true central management over UIDs and GIDs, which is critical to ensuring seamless access to shared network resources. Other solutions require you to manage these settings locally on each computer.

Benefits for End-Users

End-users will be glad to know that DirectControl brings them the following benefits as well:

  • You have only one user ID and one password to remember.
  • You can log in to any computer (Macintosh or Windows) that belongs to the management Zones to which you have been assigned, regardless of whether you have ever logged into that system before.
  • There is no effect on the way you work; the DirectControl Agent that is installed on your computer seamlessly and transparently connects you to the greater Windows world without affecting any other system components.
  • If you are a lone Macintosh user or part of a small group within a Windows-based organization, you can easily install DirectControl yourself and work with your system administrator to integrate your system with Active Directory.
