Apple Remote Desktop is commonly used by administrators to perform various administrative management tasks on remote Mac systems, including remotely controlling the system, gathering inventory, and installing software. Centrify DirectControl 3.0.3 and later is packaged to enable Apple Remote Desktop to deploy DirectControl to one or more remote Mac OS 10.4 systems through a few simple steps that are described in this application note.
Starting with Centrify DirectControl 3.0.3, you can remotely deploy DirectControl to multiple Macintosh systems running Mac OS 10.4 throughout your network. Using Apple Remote Desktop 3 (commonly referred to as ARD), an administrator can install DirectControl automatically, without user intervention, on one or more remote computers. Apple Remote Desktop copies the package to the computers selected for installation, runs the installer with no visible window or user interaction required, and then erases the installer files on completion.
This application note guides you through installation of the Centrify DirectControl software package using Apple Remote Desktop.
This application note was written based upon testing the following environment:
Note. While Apple Remote Desktop may be able to deploy a DirectControl package to other older Mac systems, it has not been tested by Centrify.
Before getting started:
You also need to ensure that each destination Mac system has a local account that lets you both connect to the remote system and install a package that requires Administrative privileges. The remainder of this Application Note assumes that you have properly set up Apple Remote Desktop and established that you can connect to each destination system with the required Administrative privileges.
Centrify delivers DirectControl for Mac OS X as both a tgz package and a disk image (DMG) that contains a package (pkg) file that Apple Remote Desktop uses to install the software. To deploy the DirectControl package, you need to open the disk image to access the pkg file.
Configuring the Package to Automatically Join Active Directory During Installation
Apple Remote Desktop can be used to simply install the package, which will then require you to manually run the Directory Access utility in order to configure DirectControl to join the computer to your Active Directory domain. You can also modify the DirectControl package so that it joins the Active Directory domain during the installation process. The steps below describe how to modify the package so that it runs adjoin as part of the installation process to join the Active Directory domain.
/usr/sbin/adjoin --zone <zone_name> --user <AD user with computer join rights> --password <AD user's password> <AD Domain Name>
Now that we have a package file, either the original or the modified version that will auto-join, we can distribute the package to the remote systems.
Make sure the appropriate Mac DMG file from the Centrify DirectControl distribution has been opened and mounted as a Disk Image, and that its contents are located where they can be accessed by your Macintosh running the Apple Remote Desktop Admin utility. For example, make sure the file "CentrifyDC-3.0.3-333-mac10.4-i386.dmg" has been copied to your local administrative Macintosh and the CentrifyDC disk image is mounted.
On your administrative Macintosh, launch Apple Remote Desktop. Go to the Scanner control and verify that you are able to see a list of the Macs on which you wish to install DirectControl. Verify the Macintoshes have ARD Version 3 installed as indicated by the ARD Version column.
Multi-select (using Command-Click or Shift-Click) one or more Macintosh computers on which you want to install DirectControl.
Click the Install button on the top of the Remote Desktop window.
After you click the Install button, the Install Packages window appears.
Click the "+" button at the top left of the Install Packages window to locate the CentrifyDC disk image.
Locate the file CentrifyDC.pkg in the disk image.
Select this file and click Open to add it to the Install Packages List.
There are many options in the Install Packages window. The default settings work well if you are manually joining the computers to the Active Directory domain.
It isn't necessary to have the After Installation option set to restart the client Macintoshes after the .pkg installation; the Don't Restart option works fine. However, if you have configured the package to auto-join Active Directory during installation, you should restart the computer after installation.
The other parameters are optional, and selecting them shouldn't interfere with proper installation of Centrify DirectControl. For more information on Apple Remote Desktop installation parameters, refer to the Apple Remote Desktop manual, Chapter 8, "Administering Client Computers," section "Installing Software Using Apple Remote Desktop."
Click Install to perform a complete installation of Centrify DirectControl on the selected Macintoshes. Apple Remote Desktop shows a progress bar and task status of the installation for each of the Macintoshes selected for the installation.
After Centrify DirectControl has been installed on the client Macintoshes, you can configure Centrify DirectControl, either remotely via SSH or manually at the client Macintoshes if you did not configure the package to auto-join the Active Directory domain. To manually join the Active Directory domain, follow the Centrify DirectControl configuration instructions in the Centrify DirectControl Administrator's Guide.
You can verify that DirectControl has been installed and that the system has joined the Active Directory domain successfully by either checking Active Directory for the newly created computer account or by typing the following on the remote system to check the installation log:
grep "successfully joined" /var/log/install.log
After the computer restarts, you should be able to log in with a properly enabled Active Directory account for the Centrify Zone that the computer joined.
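The following is an added example, not part of Centrify's application note or tooling. It covers two points from the text: the auto-join modification places an Active Directory password in the package in cleartext, so copies of the modified package should be located and controlled, and the join is confirmed through the "successfully joined" log string. The function names, directory layout and sample files are constructed assumptions.

```sh
#!/bin/sh
# Added example: audit helpers for the auto-join deployment described above.
# Function names and all sample files below are constructed for illustration.

# List files under a directory that call adjoin and pass an inline --password
# value (a cleartext AD credential). Only file names are printed, so the
# password itself never reaches the terminal or a report.
find_embedded_join_password() {
    grep -rl -e 'adjoin' "$1" 2>/dev/null | while IFS= read -r f; do
        # Checked per file rather than per line, so a command split across
        # continuation lines is still caught.
        if grep -qE -e '--password[ =]+[^ ]' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Classify an install log by the "successfully joined" string that the
# application note greps for.
join_status() {
    if [ ! -r "$1" ]; then
        echo "no-log"
    elif grep -q "successfully joined" "$1"; then
        echo "joined"
    else
        echo "not-joined"
    fi
}

# --- Constructed sample data so the example runs offline ---
demo=$(mktemp -d "${TMPDIR:-/tmp}/adjoin-audit.XXXXXX")
mkdir -p "$demo/modified" "$demo/prompting"
cat > "$demo/modified/install-script" <<'EOF'
/usr/sbin/adjoin --zone SampleZone \
  --user join-svc \
  --password EXAMPLE-ONLY example.test
EOF
echo '/usr/sbin/adjoin --zone SampleZone --user join-svc example.test' \
    > "$demo/prompting/install-script"
printf 'copied package\nsuccessfully joined example.test\n' > "$demo/ok.log"
printf 'copied package\n' > "$demo/pending.log"

find_embedded_join_password "$demo"   # prints only .../modified/install-script
join_status "$demo/ok.log"            # joined
join_status "$demo/pending.log"       # not-joined
join_status "$demo/missing.log"       # no-log
rm -rf "$demo"
```

Run find_embedded_join_password against the folders and shares where modified packages are staged, and join_status against install logs collected from the target Macs.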