DirectControl does a better job of integrating the Mac experience with Windows than any other solution.
Jonathan Hassell, SearchWindowsServer.com
Centrify DirectControl enables Active Directory-based authentication and access control for the most recent versions of both PowerPC- and Intel-based Mac systems and is the first and most robust solution that enables IT managers to centrally secure and configure Mac systems through Windows Group Policy. IT managers can streamline operations and strengthen security by establishing a single point of administration — Active Directory. And end-users gain single sign-on to their Macs through their Active Directory account. To learn more, click one of the following topics:
DirectControl enables you to strengthen security and enhance IT efficiency in the following ways.
DirectControl offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory's Group Policy architecture, it functions more seamlessly for managing access ... particularly for systems administrators who are unfamiliar with Mac OS X.
Ryan Faas, ComputerWorld
“We're thrilled that Centrify has taken advantage of the interoperability of Mac OS X to deliver a two-factor smart card authentication solution.”
Vice President of Worldwide Developer Relations, Apple Computer
DirectControl for Mac OS X provides full smart card support on Mac OS X 10.6, 10.7, and 10.8 for all CAC, CACNG, and PIV smart cards. This includes the Oberthur ID One 128 v 5.5 Dual Smart Card. In addition, Centrify's support for the U.S. Department of Defense's Common Access Card (CAC) standard is certified by the Joint Interoperability Test Command (JITC), bringing Mac OS X systems into compliance with HSPD-12. No special user configuration is required on the local system because all authentication and access control data is stored in Microsoft Active Directory. DirectControl supports both online and offline login with smart cards. This would enable an organization to, for example, require users logging on to a Macintosh on an airplane to authenticate using their smart card.
To streamline deployment of smart card-protected systems, DirectControl automates the configuration of the system to support smart card login as well as to ensure that the system trusts the root certificate authorities that are trusted by Active Directory when a Macintosh joins the domain. Active Directory enforces smart card access to Windows systems through the Account option "Smart card is required for interactive logon" policy. DirectControl enforces this policy on Mac OS X systems as well, giving you the ability to enforce smart card access consistently across your organization.
DirectControl also provides Group Policies to enable centralized management of smart card login. These Group Policies can be used to require a Macintosh system to go into screen lock or to force a logout when the smart card is removed from the reader during a session. This policy enforcement on Mac OS X systems enables organizations to easily enable the secured usage of Mac systems within their Windows environments leveraging the same tools, procedures and policies that they are already familiar with today.
U.S. federal employees, or those who do business with federal organizations, can take advantage of Centrify's free solution for smart card authentication, Centrify Express for Smart Card.Video Chalktalk: Introduction to Active Directory Integration Video Chalktalk: Architecture & Authentication Flow
Centrify DirectManage Deployment Manager can automatically detect Mac OS X systems within your environment and test them for readiness to join Active Directory, helping you identify and eliminate many common issues (such as DNS configuration problems) that slow down deployment of the Centrify DirectControl agent. Deployment Manager can then remotely install DirectControl on these Mac systems, automatically downloading the most current version for you from the Centrify website. You can also centrally update DirectControl on these systems as new releases become available.
The Centrify DirectControl for Mac OS X installation program is also provided in universal binary format, making it easy to deploy DirectControl on individual systems or across the enterprise. On individual systems, a graphic, interactive installation program walks users through the setup. System administrators can also extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify website for instructions. The installation package can also be distributed using third-party systems management solutions such LanREV.
In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl's workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters.
Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode.
A major advantage of workstation mode is that the installation process has been streamlined. You do not need to install the Centrify Administrator's Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. During workstation installation, Macs are not added to a DirectControl Zone, but if you want to use patented Zone technology to limit access to Macs to a select set of users or groups, it is easy enough to install the Centrify Administrator Console and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed.
Other solutions for integrating Macintoshes with Active Directory offer only limited integration. DirectControl is unique in its approach to providing enterprise-ready features for IT organizations responsible for managing large number of Mac systems.
End-users will be glad to know that DirectControl brings them the following benefits as well:
Centrify for Mac Supported VersionsShow More Detail Supported Recent Addition Early Access
Apple Mac OS X
|10.4, 10.5 on PPC|
|10.4, 10.5, 10.6, 10.7, 10.8 on Intel|
Centrify for Mac Supported VersionsShow Less Detail Supported Recent Addition Early Access
Apple Mac OS X
|10.4.5+ PPC Server|
|10.4.5+ Intel Server|
|10.5.3+ PPC Server|
|10.5.3+ Intel Server|
|10.6.0 Intel Server|
|10.6.1 Intel Server|
|10.6.2 Intel Server|
|10.6.3 Intel Server|
|10.6.4 Intel Server|
|10.6.5 Intel Server|
|10.6.6 Intel Server|
|10.6.7 Intel Server|
|10.7.2 Intel Server|
|10.7.3 Intel Server|
|10.7.4 Intel Server|
|10.7.5 Intel Server|
|10.8.2 Intel Server|