Date post: 11-May-2018

Welcome to Centrify DirectControl Agent for Mac, Centrify Endpoint Services

Release Notes for Centrify DirectControl Agent for Mac, Centrify Endpoint Services Mac OS X 10.13 “High Sierra” Edition

Centrify DirectControl Agent for Mac, Active Directory-based authentication, single sign-on and group policy support for the Macintosh platform.

Centrify DirectControl Agent for Mac is a part of Centrify software and is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391.

Notice of Discontinuation of Support for Mac OS 10.10.x: Centrify will discontinue support for Mac OS 10.10.x in a future release of Centrify DirectControl Agent for Mac.

What's included in this release (in alphabetical order)

• CentrifyDC-5.4.2-mac1010.dmg – A Mac disk image for Mac OS 10.10.x, 10.11, 10.12 and 10.13 containing the following:

  o AD Check.app – Graphical application to perform environment checks before installing Centrify on Mac OS 10.10.x, 10.11, 10.12 and 10.13

  o CentrifyDC-5.4.2-x86_64.pkg – Graphical installer for Intel Macs for Mac OS X 10.10.x, 10.11, 10.12 and 10.13

Supported platforms and system requirements

The Centrify DirectControl Agent for Mac in the applicable package can be installed on the following versions of the Mac OS X operating system:

• Mac OS X 10.10.x on Intel Macs
• Mac OS X Server version 10.10.x on Intel Macs
• Mac OS X 10.11.x on Intel Macs
• Mac OS X Server version 10.11.x on Intel Macs
• Mac OS X 10.12.x on Intel Macs
• Mac OS X Server version 10.12.x on Intel Macs
• Mac OS X 10.13.x on Intel Macs
• Mac OS X Server version 10.13.x on Intel Macs

Installing on macOS 10.13 “High Sierra”

If you are running the current release of Centrify, you MUST UPGRADE Centrify BEFORE upgrading your Mac to macOS 10.13 High Sierra. Upgrading to High Sierra prior to upgrading to the 5.4.2 or later version of the Centrify Direct Control agent will result in login failures for both network and local admin accounts. This means that if a Mac is upgraded to High Sierra with a previous version of the Centrify agent, all authentication will be blocked, and you will need to boot into recovery mode to restore login.

If you are experiencing this issue, please refer to this Public Knowledge Base Article to guide you through the steps needed to restore authentication: Centrify Customer Knowledge Base Article KB-9048: Login fails after installing macOS High Sierra with Centrify DirectControl Agent for Mac.

We strongly recommend blocking updates to macOS High Sierra until systems have been updated. We recommend using our group policies to block the installation of the High Sierra upgrade. If you have used our Group Policy to block the execution of the High Sierra install, please note that this method only takes effect after the end-user has logged out and logged back in. We have updated our Knowledge Base article on this topic with new instructions that will enable the policy to take effect without the need for the user to logout. For more information, please refer to KB-5765: How to block OS X updates via Group Policy
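The rule above (agent 5.4.2 or later must be in place before the 10.13 upgrade, or all logins break) is easy to automate as a pre-flight gate. The following is an added example, not Centrify's own tooling; it assumes that `adinfo -v` prints a string containing the agent version in the form "CentrifyDC 5.4.2-NNN" (an assumption about the output format, so the parser only looks for the first dotted triple).

```shell
#!/bin/sh
# Added example (not from the Centrify release notes): refuse to start a
# macOS 10.13 upgrade unless the installed Centrify agent is >= 5.4.2.
# Assumption: `adinfo -v` output contains "CentrifyDC <major.minor.patch>-<build>".

MIN_AGENT="5.4.2"   # minimum agent release for High Sierra, per the release notes

# Print the first "major.minor.patch" found in $1, e.g. the constructed sample
# "adinfo (CentrifyDC 5.4.1-371)" yields "5.4.1". Prints nothing if none found.
agent_version_from() {
    printf '%s\n' "$1" \
      | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing each field numerically
# (so 5.10.0 > 5.4.2, which a plain string compare would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# Gate: 0 = safe to upgrade the OS, 1 = upgrade the agent first,
# 2 = no agent version detected (treated as unsafe by the caller).
# $1 is the raw output of `adinfo -v`.
highsierra_preflight() {
    v=$(agent_version_from "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_AGENT"
}

# Real use on a Mac, before launching the High Sierra installer:
#   if highsierra_preflight "$(adinfo -v)"; then echo "OK to upgrade macOS";
#   else echo "Upgrade the Centrify agent to $MIN_AGENT or later first"; fi
```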

Upgrading to macOS High Sierra from 10.8 or 10.9

If you upgrade to macOS 10.13 High Sierra from a 10.8.x or a 10.9.x version, there is a known Apple bug (22735194) that prevents the Centrify daemon from running upon first boot after the update. To resolve this you will need to log in as a local administrator and execute the following command:

sudo /usr/local/share/centrifydc/bin/centrifydc restart

Alternatively, you can upgrade from 10.8.x or 10.9.x to 10.10 and then safely proceed with the update to Sierra.

Installing on Macintosh OS 10.12 “Sierra”

If you are running the current release of Centrify, you MUST UPGRADE Centrify BEFORE upgrading your Mac to OS 10.12 Sierra.

If you upgrade to OS X 10.12 Sierra from a 10.8.x or a 10.9.x version, there is a known Apple bug (22735194) that prevents the Centrify daemon from running upon first boot after the update. To resolve this you will need to log in as a local administrator and execute the following command:

sudo /usr/local/share/centrifydc/bin/centrifydc restart

Alternatively, you can upgrade from 10.8.x or 10.9.x to 10.10 and then safely proceed with the update to Sierra.

Follow these steps:

1) Download the Centrify package for Mac OS

2) Upgrade Centrify using this package.

3) Upgrade to Mac OS 10.12.

If you have already upgraded to 10.12 with a previous version of Centrify and can't log in as an Active Directory User, follow these steps:

1) Log into the Mac with your Mac's local administrator account

2) Download the Centrify package for Mac OS

3) Upgrade Centrify using this package.

You should now be able to log in with Active Directory credentials.

Note:

When upgrading this version of the Centrify Mac agent from a previous version, for example, upgrading from version 5.2.3-429 to 5.2.4-464, using Deployment Manager, and at the same time changing the license mode, e.g. from Express Edition to Standard Edition, you may get an error result in the Action “Add Software / Join Zone” in the Deployment Manager console during the upgrade. The workaround is to provide an Active Directory domain account credential that is able to run adleave in the Manage Software step. (CS-38453).

Installing on Macintosh OS 10.11 “El Capitan”

If you are running the current release of Centrify, you MUST UPGRADE Centrify BEFORE upgrading your Mac to OS 10.11 El Capitan.

If you upgrade to OS X 10.11 El Capitan from a 10.8.x or a 10.9.x version, there is a known Apple bug (22735194) that prevents the Centrify daemon from running upon first boot after the update. To resolve this you will need to log in as a local administrator and execute the following command:

sudo /usr/local/share/centrifydc/bin/centrifydc restart

Alternatively, you can upgrade from 10.8.x or 10.9.x to 10.10 and then safely proceed with the update to El Capitan.

Follow these steps:

1) Download the Centrify package for Mac OS

2) Upgrade Centrify using this package.

3) Upgrade to Mac OS 10.11.

If you have already upgraded to 10.11 with a previous version of Centrify and can't log in as an Active Directory User, follow these steps:

1) Log into the Mac with your Mac's local administrator account

2) Download the Centrify package for Mac OS

3) Upgrade Centrify using this package.

You should now be able to log in with Active Directory credentials.

Note:

When upgrading this version of the Centrify Mac agent from a previous version, for example, upgrading from version 5.2.3-429 to 5.2.4-464, using Deployment Manager, and at the same time changing the license mode, e.g. from Express Edition to Standard Edition, you may get an error result in the Action “Add Software / Join Zone” in the Deployment Manager console during the upgrade. The workaround is to provide an Active Directory domain account credential that is able to run adleave in the Manage Software step. (CS-38453).

Installing on Macintosh OS 10.10 “Yosemite”

If you are running the current release of Centrify, you MUST UPGRADE Centrify BEFORE upgrading your Mac to OS 10.10 Yosemite.

Follow these steps:

1) Download the Centrify package for Mac OS

2) Upgrade Centrify using this package.

3) Upgrade to Mac OS 10.10.

If you have already upgraded to 10.10 with a previous version of Centrify and can't log in as an Active Directory User, follow these steps:

1) Log into the Mac with your Mac's local administrator account

2) Download the Centrify package for Mac OS

3) Upgrade Centrify using this package.

You should now be able to log in with Active Directory credentials.

Note: If you are using Centrify Group Policies for Mac OS 10.10 you will need to update the Centrify Windows Administration Console to receive the newest Group Policy Templates.

Installing Mac Group Policies Using The New Streamlined Centrify Windows Administrator Group Policy Extension Package

For Mac Admins using Auto-Zones a new streamlined GPOE installation package is now available.

1) Mac admin downloads our client CDC package for Mac.

2) Mac admin installs the CDC software and joins to his domain via auto-zone (for traditional zone management the Admin will need to install the full Centrify Access Manager on Windows)

3) Mac admin uses this new, streamlined installer to install only the GPOE extensions to manage these machines via Windows Group Policy System

4) Once installed, Mac admins can now control their Macs via the Windows Group Policy System

Example: The installer is under the path below. The screenshot below shows the ISO mounted as the K drive. Administrators can run the installer directly.

[Screenshot: Centrify ISO mounted as drive K, showing the GPOE installer path]

Administrators can also run the Centrify suite installer and select the individual components to be installed. For example, only the GPOE extension is selected in the screen below.

[Screenshot: Centrify suite installer with only the GPOE extension selected]

Restoring the FileVault user list after adflush:

After you upgrade to release Suite 2015.1 or later, perform the following steps to ensure that cross-forest mobile users are added to the FileVault 2 user list permanently:

1. In your Server Suite 2015.1 or later environment, execute the following command:

   adflush -f

   Executing this command removes the 2015-format, temporary GUID from cross-forest mobile users.

2. Execute the following command for each cross-forest mobile user that you want to add permanently to the FileVault 2 user list:

   adquery user -guid <cross-forest-mobile-user-name>

   Executing this command assigns a new, permanent GUID to each user that you specify.

3. Execute the following command for each cross-forest mobile user that you want to add to the FileVault 2 user list:

   fdesetup add -usertoadd <cross-forest-mobile-user-name>

   Executing this command adds the specified user to the FileVault 2 user list.

4. Execute the following command to verify that the users are added to the FileVault 2 user list:

   fdesetup list

Bug ID: (78566)
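The four-step restore above, scripted for a list of cross-forest mobile users with a verification pass over the `fdesetup list` output. This is an added example, not Centrify's code; it assumes `adflush` and `adquery` (Centrify) and `fdesetup` (Apple) are on PATH, and that `fdesetup list` prints one "username,UUID" line per FileVault-enabled user. Setting RUNNER=echo turns the procedure into a dry run on any system.

```shell
#!/bin/sh
# Added example (not from the Centrify release notes): re-add cross-forest
# mobile users to the FileVault 2 user list after `adflush -f`, then verify.
# Assumes adflush/adquery (Centrify) and fdesetup (Apple) exist on the Mac.

RUNNER="${RUNNER:-}"   # set RUNNER=echo for a dry run that only prints commands

# Steps 1 to 3: flush the temporary GUIDs once, then for each user assign a
# permanent GUID and add the user to FileVault 2. `fdesetup add` prompts for
# credentials when run for real. Stops at the first failing command.
restore_fv_users() {
    $RUNNER adflush -f || return 1
    for u in "$@"; do
        $RUNNER adquery user -guid "$u" || return 1
        $RUNNER fdesetup add -usertoadd "$u" || return 1
    done
}

# Step 4: $1 is captured `fdesetup list` output ("username,UUID" per line,
# assumed format); the remaining arguments are the users that must be present.
# Returns 0 only if every user is listed; names each missing user on stderr.
fv_list_has_users() {
    listing=$1
    shift
    rc=0
    for u in "$@"; do
        printf '%s\n' "$listing" \
          | awk -F, -v u="$u" '$1 == u { f = 1 } END { exit !f }' || {
            echo "missing from FileVault 2 user list: $u" >&2
            rc=1
        }
    done
    return $rc
}

# Real use on a Mac (run as a local administrator):
#   restore_fv_users jsmith mlee && fv_list_has_users "$(fdesetup list)" jsmith mlee
```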

Feature Changes and Notable Fixes in this release:

• Fixed issues with the GP "Enable protected keychain," GP "Lock protected keychain after number of minutes of inactivity," and "Lock smart card protected keychain when sleeping." (CC-46979).

• Fixed a bug in the Kerberos library specific to encryption types RC4 and DES, which are the default encryption types used in Windows Server 2003 Domain Functional Level. The symptom is a failure in fetching certificates from a CA, resulting in a warning message saying “… certificate request failed on CA … - Attempt to access past end of buffer”. (CC-49037).

• Fixed an issue which could prevent support of special characters in payloadIdentifier for ethernet and wifi profiles which affected Centrify user wifi, machine ethernet and user ethernet group policies. (CC-48058).

• Fixed an issue with open file descriptors when the machine was repeatedly disconnected from and reconnected to the network which could result in a "Too many open files" error. (CC-47865).

• Made security enhancements to LRPC by adding signatures to the LRPC messages. (CC-47636).

• Added support for Cross-forest authentication with preferred login domains. (CC-47447).

Note: For configuration details of new features, please refer to the Mac admin guide.


Feature Changes and Notable Fixes in Centrify DirectControl Agent for Mac Suite 2017.1

• Fixed a bug that caused the System Preferences to quit when uninstalling the Centrify Application on macOS 10.12. (Ref: CC-43841)

• With this release, a one-way trusted user's password expiration will come from the Kerberos ticket on the user's first login, and if the Kerberos ticket is not available, it is computed using the joined domain's password expiration policy. (Ref: CC-45036)

• Fixed an issue where an AD user was incorrectly prevented from logging in while in disconnected mode, even after the lockout duration had passed, if the user was previously locked out in connected mode because the maximum number of password attempts had been reached. (Ref: CC-43535)

• Added the following Protected Keychain Group Policies configuration parameters to /etc/centrifydc/centrifydc.conf. (Ref: CC-42847)
  - mac.protected.keychain.enable: true/false
  - mac.protected.keychain.user.default: true/false
  - mac.protected.keychain.delete: true/false
  - mac.protected.keychain.lock.when.sleeping: true/false
  - mac.protected.keychain.lock.inactivity: 0

• Added two Group Policies to Public Key Policies of both Computer and User configurations: (Ref: CC-45443)
  - Allow all applications to access private key
  - Allow specific applications to access private key

  When "Allow all applications to access private key" is configured, the private key of an auto-enrollment certificate will be configured to be accessible by all applications when importing to the Keychain. When "Allow specific applications to access private key" is configured, the private key of an auto-enrollment certificate will be configured to be accessible by the specified applications when importing to the Keychain. When both of the above Group Policies are enabled, "Allow specific applications to access private key" will be ignored. The access control of existing private keys imported to the Keychain will not be affected. These two GPs are also applied when the GP "store private key and public key in keychain only" is enabled.

• Fixed an issue that could cause Smart Card name mapping to malfunction due to CN and Serial Numbers values being merged in the certificate subject name. (Ref: CC-45633)

• Added Group Policies to add access control to keychain private keys, allowing either all applications or specific applications to access keychain private keys that are imported during adjoin auto-enrollment. (Ref: CC-45602)

To configure this GP:

Computer Configuration -> Policies -> Centrify Settings -> Mac OS X Settings -> Security and Privacy -> Public Key Policies -> Allow All Applications to use private key OR -> Allow specific applications to access private key, and turn on (Allow all will override anything in allow specific)

User Configuration -> Policies -> Centrify Settings -> Mac OS X Settings -> Security and Privacy -> Public Key Policies -> Allow All Applications to use private key OR -> Allow specific applications to access private key, and turn on (Allow all will override anything in allow specific)

The Computer Group Policy is dependent on the GP: Computer Configuration -> Policies -> Centrify Settings -> Mac OS X Settings -> Security and Privacy -> Public Key Policies -> Store private and public key in keychain only, while the User Group Policy configuration is not dependent on any other GP.

Note: For configuration details of new features, please refer to the Mac admin guide.

Known Mac OS Problems

General Installation Issues

• When upgrading this version of the Centrify Mac agent from a previous version, for example, upgrading from version 5.2.3-429 to 5.2.4-464, using Deployment Manager, and at the same time changing the license mode, e.g. from Express Edition to Standard Edition, you may get an error result in the Action “Add Software / Join Zone” in the Deployment Manager console during the upgrade. The workaround is to provide an Active Directory domain account credential that is able to run adleave in the Manage Software step. (CS-38453).

• Cannot have two system volumes joined to the same domain: for the purpose of migrating from an earlier release of Mac OS to Mac OS 10.7, it can be helpful to have both versions installed on different volumes of one machine. If Centrify is installed on the same machine on two different system volumes, the following restriction applies. It is not possible to have both system volumes joined to the same domain at the same time. If Centrify on volume A is joined to the domain, booting into volume B will hang the machine, and vice-versa. Therefore, you should leave the domain prior to switching the boot volume. Once the machine is booted into volume B, you can re-join the domain.

• In order to meet the requirements of the Apple OS X Software Installation Gatekeeper, the Centrify DirectControl Mac package is now code-signed. A user will no longer be able to extract, alter, or repack the package and expect the installation to work. (77255).

• The GUI installer "Install/Upgrade" button may unexpectedly read "Install" rather than "Upgrade" even though a previous version of Centrify is already installed on the system. In this case, clicking the "Install" button will start an upgrade with no undesired effects (27884).

• A .local entry is automatically added into the DNS search domain after adjoin by Centrify for Mac to deal with issues related to Bonjour, which can cause issues in some environments. A workaround to this is to manually set the DNS search order and to limit the .local search timeout. (Ref: CS-36229)

• If a Mac device has already been encrypted by FileVault, when enabling the Manage Local Admin Account policy, the local account created by Centrify Privilege Service may not immediately have admin rights. The workaround is to restart the Mac, sometimes multiple times, until the correct admin rights are present. (Ref: CC-46221)

Known macOS 10.13 “High Sierra” Problems

• The Centrify Group Policy "Enable login items" will fail to launch network mounted shares on 10.13. Applications added to the login items Group Policy will still work as before. This issue has been reported to Apple and logged as Apple bugs #33770694 and #34077760. (CC-49305,CC-50155).

• The Apple legacy feature to use Filevault to encrypt home folders will no longer be supported for mobile accounts on Mac OS 10.13 and future releases. (CC-49090).

• The Centrify Group Policy, "Enable FTP access" will no longer be supported due to Apple dropping support for ftp packages on Mac OS 10.13 and future Mac OS releases. (CC-48797).

• When using the Centrify Group Policy "User Configuration" > "Centrify Settings" > "Mac OS X Settings" > "Mobility Settings" > "macOS 10.12 or above Settings" > "Configure mobile account creation" to select and configure "TouchID" to be enabled after Mobile account creation and logging in as a mobile user, the "TouchID" setting is either not visible in the Mac OS System Preferences or when configured will not function properly. TouchID setting is available and functions properly with a local user. (CC-48440).

• On macOS 10.13, the Centrify Group Policy "Enable FileVault 2" will not function even though the admin/user has correctly configured it. This issue has been reported to Apple and logged as Apple bug #34733534. (CC-51565).

• On macOS 10.13, network users with a Mobile Account are unable to change their password or login to their account when their password has expired. This issue has been reported to Apple and logged as Apple bug #33973501. (CC-49942).

Known Mac OS X 10.12 “Sierra” Problems

• The Centrify group policy setting “Computer Configuration -> Centrify Settings -> Mac OS X Settings -> Security & Privacy -> Log out after number of minutes of inactivity” behaves inconsistently. For example, if set to log out after 5 minutes, log out may not occur until 10 minutes later. However, setting the timeout to 6 minutes behaves as expected. Status: Under investigation. (CC-39736).

• Due to Apple dropping support for portable home directories in Mac OS 10.12, the Centrify Group Policy "User Configuration > Centrify Settings > Mac OS X Settings > Mobility Settings" will not include synchronization options for Mac OS 10.12 and above. Release Note from Apple: "Mobile home directories, which have networks accounts that are cached locally, can still be created. However, their home folder will no longer sync with their network home directory." (CC-39802).

Known Mac OS X 10.11 “El Capitan” Problems

• When upgrading this version of the Centrify Mac agent from a previous version, for example, upgrading from version 5.2.3-429 to 5.2.4-464, using Deployment Manager, and at the same time changing the license mode, e.g. from Express Edition to Standard Edition, you may get an error result in the Action “Add Software / Join Zone” in the Deployment Manager console during the upgrade. The workaround is to provide an Active Directory domain account credential that is able to run adleave in the Manage Software step. (CS-38453).

• If you upgrade to OS X 10.11 El Capitan from a 10.8.x or a 10.9.x version, there is a known Apple bug (22735194) that prevents the Centrify daemon from running upon first boot after the update. See “Installing on Macintosh OS 10.11 ‘El Capitan’”, page 3, for more information about this issue.

Known Mac OS X 10.10 “Yosemite” Problems

• A “Home sync error” dialog shows up at Mobile user login and logout during home synchronization, which can cause logout time to be abnormally long. However, there is no problem with home content synchronization itself once completed, and files can be synchronized successfully. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #17999579. (69707.)

• When trying to unlock the screen from screensaver or sleep, if an incorrect password is initially entered, the Mac’s password entry dialog will not allow the user to input their password again. The workaround is to reboot the Mac and enter the password correctly the first time. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #18239041. (70120.)

• A user will not automatically be directed to the System Preferences change password pane after being warned that their password is about to expire. The workaround is for the user to manually open the Mac System Preferences and change their password. This issue has been reported to Apple and logged into their bug tracking system as bug #18333542. (70124.)

• If “Enable smart card support” Group Policy is enabled, a user is at the login window and the screensaver is active, after a user fast-switches, the screensaver will not dismiss and the user will be locked out. The workaround is for the user to avoid fast-switching in this scenario. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #18334799. (70543.)

• On OS X 10.10, mobile user accounts may fail to log in if they were created after the Mac was already joined to the Active Directory domain using Centrify DirectControl. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #18392074. (71181.)

• When logging in without a network connection (disconnected mode), network shares will not be automatically mounted even when a network connection is established. (CC-36349).

• The DoD-supplied tool, "Encryption Wizard," versions "Public-3.4.4" or below, does not properly decrypt the encrypted file on OS X 10.10 because it uses Java Runtime Environment version 7, while Mac OS X 10.10 uses Java Runtime Environment version 8. (70647.)


Known Mac OS Problems (sorted by OS, then Category): This section describes the unique characteristics or known limitations that are specific to using Centrify on a computer with the Apple Macintosh OS X operating environment. Where available, suggested workarounds are provided.

Applicable Mac OS Version | Category | Description

All Mac | CLI | The command '/usr/bin/passwd' does not work to change a user's password. Other methods to change a user's password, such as the /usr/bin/dscl command with the -passwd option and the Mac GUI password methods, do work. (12574).

All Mac | CLI | The command line command dscl /CentrifyDC -list /Users will not function properly in disconnected mode (14922).

All Mac | CLI | Prior to using the Wish shell, preload Centrify Kerberos libraries to load the Centrify libadedit library, for example: $ DYLD_INSERT_LIBRARIES=/usr/share/centrifydc/kerberos/lib/libk5crypto.dylib:/usr/share/centrifydc/kerberos/lib/libkrb5.dylib wish (26993).

All Mac | CLI | Adinfo will incorrectly report that a Mac is not joined to a domain after a successful remote install and join. (31988).

All Mac | Configuration | The centrifydc.conf configuration parameter "adclient.cache.expires" does not have any effect on the actual cache expiration time (28793).

All Mac | Configuration | Currently, when using the Centrify Mac OS X System Preference Pane, manually adding 2 domain controllers with the same name to the preferred domain controllers field and adding 2 or more records of the same domain to the Centrify group policy "Centrify Settings" -> "DirectControl Settings" -> "Network and Cache Settings" -> "Specify DNS DC hostnames" will be prevented with the warning prompt: "This value already exists, please enter another value." The workaround is to add dns.dc records in the correct format with unique domain controller names. (36700).

All Mac | Configuration | Using the Centrify Account Migration tool to map a mobile or network user to a local home directory will disable the network home directory mounting for those users. (36096).

All Mac | General | At the Windows Active Directory Users and Computers console, when specifying the user's home directory for a user whose home directory resides on the local system, if the /User/ parent directory does not already exist, the AD user home directory will not be auto-created during login. (11000).

All Mac | General | Due to Apple bug 6638310, it is possible to hang the Directory Service by repeatedly changing a search for users in Apple Workgroup Manager before the previous search has completed. It is recommended that you allow each search to complete, or minimize the number of search interruptions you make. (14603).

All Mac | General | A local user with admin rights cannot lock the screensaver (23225).

All Mac | GP | In Mac OS System Preferences -> Users & Groups, if "Show fast user switching menu as" has been manually unchecked by the AD user, then the group policy setting for fast user switching will not be applied for the next user login. (CC-39626).

All Mac | GP | The group policy Disable automatic login requires manually running adgpupdate once and then rebooting the machine, or rebooting twice, to take effect (12872).

All Mac | GP | The Group Policy 'User Configuration -> Centrify Settings -> Mac OS X Settings -> Dock Settings -> Place Documents and Folders in Dock' will not function properly if the entry starts with SPACE (21700).

All Mac | GP | Setting the Group Policy 'Computer Configuration' > 'Centrify Settings' > 'Mac OS X Settings' > 'Firewall' > 'Enable stealth mode' to 'disabled' does not disable stealth mode if the user has enabled stealth mode in Mac System Preferences (23581).

All Mac | GP | The Group Policy 'User Configuration' > 'Centrify Settings' > 'Mac OS X Settings' > 'Dock Settings' > 'Adjust the Dock's magnified icon size' does not match the explanatory text when disabled. (24030).

All Mac | GP | The Group Policy "User configuration -> Centrify Settings -> Mac OS X Settings -> Automount Settings -> Automount user's Windows home" doesn't work properly when user fast switching is enabled (24395).

All Mac | GP | The Mac's preferred network and keychain password created by the 802.1x group policy settings are not automatically removed when leaving the domain (25835).

All Mac | GP | When an AFP share has been mounted using the Group Policy "User configuration -> Centrify Settings -> Mac OS X Settings -> Automount Settings -> Automount network shares" and the network cable is then disconnected, a logout may take up to 10 minutes to complete (26537).

All Mac | GP | The Group Policy "Mac OS Settings -> Printing Settings -> Specify printer list" with "Only show managed printers" doesn't function. (27403).

All Mac | GP | The Group Policy "User Configuration" -> "Mobility Setting" -> "Mac OS X 10.7 Settings" -> "Synchronization Rules" -> "Home Sync" -> "Skip items that end with" does not function as expected (28505).

All Mac | GP | Some group policies will not be enforced on any version of Mac OS X; however, in each case the behavior is consistent with Mac Workgroup Manager. The policies affected are:
  • User Configuration > Centrify Settings > Mac OS X Settings > Media Access Settings > Permit/prohibit access: Internal Disks
  • "Applications to be Allowed or Disabled": this will not work with user-entered applications that do not have a valid CFBundleIdentifier ID. See the Explain tab of the Mac Settings XML template for more information.
  • Cannot remove permission to access the printer setup utility or print center
  • Cannot remove permission to access the help viewer
  • Cannot remove permission for approved applications to launch non-approved applications
  In some cases group policies will not be enforced, are enforced only after a logout and re-login, or will exhibit different behavior for machines with Mac OS X installed. In each case the behavior is consistent with Mac Workgroup Manager (7904).

All Mac | GP | Changing the Group Policy User Configuration > Permit/Prohibit access: Internal Disks from "Deny" to "Allow" requires a reboot to function properly. The same problem exists using the Apple Native Workgroup Manager configuration. (7939).

All Mac | GP | The Centrify Group Policy "Enable Stealth Mode" requires a reboot of the machine to take effect. (30251).

All Mac | GP | If the Centrify Group Policy "Enable Auto Zone user home directory" is not enabled and the machine is joined to Auto Zone, all users will be treated as local home directory users regardless of whether they have a network home directory. (38879).

All Mac | GP | The Group Policy "Setting user mapping" will fail to successfully map a local user to an AD user whose password has expired. The workaround is for the AD admin to unblock the AD user. (32061).

All Mac | GP | When using multiple profiles with the same SSID in the Group Policy "Computer Configuration -> Centrify Settings -> Mac OS X settings -> 802.1x settings -> Enable Wifi Profile", more than 1 profile may not be downloaded to the Mac. The workaround is to use a unique SSID for each profile. (46563).

All Mac | GP | When using two domains with the same Template Name in the Group Policy "Computer Configuration" -> "Centrify Settings" -> "Mac OS X settings" -> "802.1x settings" -> "Enable Wifi Profile", new certificates will not be automatically downloaded. The workaround is to ensure each domain has a unique Template Name. (46710).

All Mac | GP | If a user manually deletes the 802.1x network profiles, once deleted, the Centrify software will not automatically restore those profiles. Administrators should instruct users to refrain from deleting profiles without understanding the consequences. An Administrator can force Centrify to re-install all the profiles by deleting the files “/var/centrifydc/profiles/com.centrify.cdc.ethernet” for 802.1x Ethernet profiles and “/var/centrifydc/profiles/com.centrify.cdc.wifi” for 802.1x wifi profiles. (54101).

All Mac | GP | User Certificates will not be imported to the Mac's keychain at the first login of a user with group policies that should result in importing user certificates to the Mac Keychain, such as the Group Policy "User Configuration" -> "Centrify Settings" -> "Mac OS X settings" -> "802.1x settings" -> "Enable Wi-Fi Profile". The workaround is for the user to log out and log in again. (56471.)

All Mac | GP | If a user modifies his Mac's printer brand and model manually using the Mac OS X "Print & Fax" System Preference Pane after the Centrify group policy 'User Configuration' > 'Centrify Settings' > 'Mac OS X Settings' > 'Printing Settings' > 'Specify printer list' has been configured and the group policy enabled, the group policy will not reflect the new manually configured printer choice even after the group policy updates. The workaround is to disable the group policy, then manually delete the printer previously used in the group policy, and then select the new printer in the Centrify group policy. (57048).

AllMac GP

TheGroupPolicy"UserconfiguraBon->CentrifySeings->MacOSXSeings->AutomountSeings->Automountnetworkshares"doesnotfuncBonwhentheuserpasswordcontainsthe"@"symbol.(48893).

All Mac | GP

Due to a current Apple bug in user-based Wifi profiles, the Centrify Group Policy "Computer Configure" -> "Centrify Settings" -> "Mac OS X Settings" -> "802.1X Settings" -> "Enable User Wi-Fi Settings" does not function properly. Centrify is working closely with Apple to correct this problem. (58632).

All Mac | GP

The Centrify Auto-enrollment Group Policy will not support home directory names or certificate template names containing spaces. (47983).

All Mac | GP

With the Centrify Group Policy "Computer Configuration" -> "Centrify Settings" -> "Mac OS X settings" -> "802.1x settings" -> "Enable Machine Wi-Fi Profile", a user must manually select an identity cert-key pair for use in authentication.

Mac OS X presents the user with an identity selection dialog, which lists each identity's common name. A consequence of this behavior is that:

(1) if 802.1X (Ethernet/WiFi) User GPs have been enabled, and

(2) if there are multiple user certificate templates configured for auto-enrollment, then all of the auto-enrolled certificates will show up in the identity selection dialog with the same common name.


All Mac | GP

If a user upgrades to Centrify Agent, Centrify Identity Service, Mac Edition 5.2.x from a previous version, 802.1x PEAP authentication may not function properly. To work around the problem, a user can run the CLI command "sudo adkeytab -C -m" to update the password item in the Mac keychain, properly enabling 802.1x PEAP authentication. (67139).

All Mac | GP / Parity with WGM

The Group Policy 'User Configuration > Centrify Settings > Mac OS X Settings > Media Access Settings > Permit/prohibit access: Internal Disks' is not functional. The same problem exists using the Apple native Workgroup Manager configuration. (11955).

All Mac | Installation

If a network user's home directory is going to reside on an SMB share, the home directory needs to exist before creating a new network home user from a Mac with Centrify installed. (35026).

All Mac | Installation

Unpredictable behavior occurs when a Mac is joined using the Centrify Active Directory Plugin while already joined with Apple's Active Directory Plugin. The workaround is to leave/unjoin the Apple Directory Plugin before attempting to join using Centrify. (36591).

All Mac | Installation

Cloud Enrollment performed post-join requires the local hostname to match the hostname when the machine was first joined. Otherwise, enrollment may fail and report an error warning about an incorrect samaccountname. (65684).

All Mac | Installation/Upgrade

When in Fast User Switching mode, switching from a local user to a Smart Card user and then inserting the smart card, the login prompt may ask for a password rather than a PIN. It is recommended to avoid using Fast User Switching mode with Smart Card enabled Macs. (24425).

All Mac | Installation/Upgrade

If the network is disconnected soon after a DirectControl installation and AD join, an AD user may fail to log in in disconnected mode. The solution is to reconnect the network, wait 10 minutes and try to log in again. (24534).


All Mac | Installation/Upgrade

When using the Centrify Join Assistant GUI, if invalid information is entered into the "Computer" field while "Computer Alias Name" is checked, Join will fail on the current and subsequent attempts. (28366).

All Mac | Login/Authentication

Changed the default behavior to disable logging in with the AD account display name and/or common name for security purposes. This change was made in the centrifydc.conf file. (J5585).

Changed:

    adclient.user.lookup.cn: true
    adclient.user.lookup.display: true

to:

    adclient.user.lookup.cn: false
    adclient.user.lookup.display: false
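The two settings above decide whether an AD display name or common name is accepted as a login name, so a machine that keeps the old values accepts a wider set of names than the hardened default. The following audit script is an added example, not a Centrify tool; it reads the effective value of each key from a configuration file passed as a parameter (on an installed agent that file is assumed to be /etc/centrifydc/centrifydc.conf) and reports any key that is not explicitly false, ignoring commented-out lines and using the last occurrence when a key is repeated.

```shell
#!/bin/sh
# Added example: audit centrifydc.conf for the display-name / common-name
# login lookups that this release disables by default.
# The file path is a parameter so a constructed copy can be checked; on a
# real Mac the agent's file is assumed to be /etc/centrifydc/centrifydc.conf.

# lookup_value FILE KEY
# Print the effective value of KEY ("key: value" syntax, last occurrence
# wins, commented-out lines ignored), or "unset" if the key is absent.
lookup_value() {
    file=$1; key=$2
    # escape the dots so the key is matched literally
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    val=$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# audit_name_lookups FILE
# Exit status 0 when both lookups are explicitly false (the hardened
# default of this release), 1 otherwise; each finding is printed.
audit_name_lookups() {
    file=$1
    rc=0
    for key in adclient.user.lookup.cn adclient.user.lookup.display; do
        v=$(lookup_value "$file" "$key")
        case "$v" in
            false) echo "OK       $key: false" ;;
            true)  echo "WARNING  $key: true (login by this AD name field is enabled)"; rc=1 ;;
            *)     echo "WARNING  $key: $v (not explicitly disabled)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configuration, not a file taken from any system.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# adclient.user.lookup.cn: false   <- commented out, must be ignored
adclient.user.lookup.cn: true
adclient.user.lookup.display: false
EOF

# Reports cn as WARNING (true) and display as OK (false).
if audit_name_lookups "$SAMPLE_CONF"; then
    echo "name lookups are disabled"
else
    echo "insecure name lookup settings found"
fi
```

Run it as root against the real file after an upgrade, or feed it the configuration a deployment tool is about to push, to confirm the hardened values are in place before the change reaches a user.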

All Mac | Login/Authentication

Logging in using the SAM account name: remotely logging in to a Mac with DirectControl installed using the form domain\username, with a backslash '\' character as the separator between the domain and username, will fail. Using the form domain/username with a single forward slash "/" does work. Example: swim/stest1 PASS; swim//stest1 FAIL; swim\stest1 FAIL; swim\\stest1 FAIL. (9413).

All Mac | Login/Authentication

FTP login restrictions: setting an AD user's properties in ADUC to disallow login to other machines will not prevent that AD user from logging in, via FTP, into Macintosh computers with DirectControl installed. The login restrictions are enforced properly with telnet, ssh, rlogin and rsh. (10116).

All Mac | Login and Authentication

In Auto Zone mode, if the username contains a space and the user is configured to be a network home directory user, the network home directory will not mount, preventing the user from logging in. (22788).


All Mac | Login and Authentication

Network home directory users attempting to log in via a non-GUI login window will be able to log in, but their home directory will not be mounted and they will get the error message "Failed to create home directory". The workaround is to log in via the GUI login window first. (29603).

All Mac | Login and Authentication

Login will not work when the UID value is set to a value larger than 2,147,483,647. (39239).

All Mac | Login and Authentication

A user will not automatically be directed to the System Preferences change password pane after being warned that their password is about to expire. The workaround is for the user to manually open the Mac System Preferences and change their password. (70124).

All Mac | Login and Authentication

On Mac OS X 10.10, if the "Enable smart card support" Group Policy is enabled, a user is at the login window and the screensaver is active, then after a user fast-switches the screensaver will not dismiss and the user will be locked out. The workaround is for the user to avoid fast-switching in this scenario. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #18334799. (70543).

All Mac | Login and Authentication

When using a computer configured with the Group Policy "Computer Configuration" -> "Centrify Settings" -> "Mac OS X settings" -> "802.1x settings" -> "Enable WiFi Profile", a root user attempting to log in may fail, with the connect status hung at the message "Authenticating." The workaround is to use the "Auto Join" setting in the WiFi configuration, or to log in as a user other than root. (53787).

All Mac | Misc

The secure.log of a DirectControl-enabled Mac, after mounting an AFP share created by ExtremeZ-IP AFP, will indicate that the mounter complains of UIDs not matching. This will not result in any problems. (7959).

All Mac | Smart Card

If a user has 2 AD identities, each with certificates for both CAC and PIV on a single CACNG Smart Card, the Apple Login Window will always choose the PIV identity to log in. In order to log in with the CAC identity, the PIV identity would need to be deleted from AD. (27870).


All Mac | Smart Card

For proper operation of Smart Card functionality immediately after installation of DirectControl, a reboot is required. (28651).

All Mac | Smart Card

When using a Smart Card, if the AD user has been set to "User must change password at next logon" and the GP "Prohibit Expired Password" is not set, the screensaver cannot be unlocked. (28794).

All Mac | Smart Card

When using DirectControl with Smart Card authentication, and an expired certificate as well as a valid certificate exists in the AD store, DirectControl may download the expired certificate to the Mac's Keychain instead of the valid one. The workaround is to manually copy the valid certificate into the Mac's keychain. In addition, in this situation, even when the valid certificate has been copied to the Mac's keychain, "sctool -D" will still report the error "could not get issuer certificate." (29885).

All Mac | Smart Card

When using DirectControl with Smart Card authentication, and an expired certificate as well as a valid certificate exists in the AD store, DirectControl may download the expired certificate to the Mac's Keychain instead of the valid one. The workaround is to manually copy the valid certificate into the Mac's keychain. In addition, in this situation, even when the valid certificate has been copied to the Mac's keychain, "sctool -D" will still report the error "could not get issuer certificate." (29887).

All Mac | Smart Card

The command "sctool -e" does not enable the Group Policy "Lock Smart Card screen". The workaround is to use Group Policy to enable the Smart Card. (32066).

All Mac | Smart Card

If a Smart Card is inserted and left in the Smart Card reader during a restart, when the Mac OS X login screen appears the Smart Card may not be recognized and the login screen may not show the Smart Card PIN prompt as expected. The workaround is to remove and reinsert the Smart Card. (36540).


All Mac | Smart Card

When logged in as a Smart Card user and running a CDC upgrade with the Centrify Group Policies "Mac OS X Settings -> Security Settings -> Lock Smart Card screen" and "Mac OS X Settings -> Security Settings -> Require password to wake this computer from sleep or screen saver" enabled, if the Mac screen saver activates, a normal screen saver unlock password entry field will appear instead of the expected Smart Card PIN entry field. Entering the Smart Card PIN will not unlock the screen saver. The workaround to enable the correct Smart Card PIN prompt at the screen saver unlock screen is to force-restart the Mac by holding the power key for several seconds. After the Mac restarts, Smart Card login and screen saver unlock will work normally. (39601).

All Mac | Smart Card

Screen saver shows password, not PIN, prompt: most smart card users are allowed to log on with a smart card and PIN only and cannot authenticate with a username and password. However, it is possible to configure users for both smart card/PIN and username/password authentication. Generally, this setup works seamlessly: the user either enters a username and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt. However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached. (47966).

All Mac | Smart Card

When using a Smart Card whose PIN is longer than 8 digits, login will not function properly. The workaround is to only use Smart Cards with a PIN of 8 digits or fewer. (45075).

All Mac | Smart Card

When using a Name Mapping user, Microsoft Outlook will prompt for a PIN when sending encrypted mail. (45658).

All Mac | Smart Card

Creating a Mobile Account Smart Card user with FileVault 1 encryption activated via Centrify Group Policies may fail with the prompt "Unable to create mobile account." The workaround is to use FileVault 2 if possible. (39711).


All Mac | SSO

Using SSH to log in with single sign-on (SSO) from a Unix SSH client to a Mac with OS X 10.4 and 10.5 will only function properly within specific scenarios and SSH command syntax. The following 3 scenarios should work:

1. SSH SSO from a Unix client to a Mac with the same Unix and sAM name; or

2. SSH SSO from a Unix client to a Mac with different Unix and sAM names, which will only work if the zone user has logged into the Mac previously; or

3. If #2 is true, use the principal name in the SSH command, i.e. "sAMName@domainname". (13721).

All Mac | SSO

A Mac mobile user, at first login, cannot sync or perform any operations requiring Single Sign-On if the home directory is created using a local home directory template. The problem is resolved after a logout and login. (21945).

Mac OS/X 10.10 | Network and Portable Home Directory

A "Home sync error" dialog shows up at mobile user login and logout during home synchronization, which can cause logout time to be abnormally long. However, there is no problem with home content synchronization itself once completed, and files can be synchronized successfully. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #17999579. (69707).

Mac OS/X 10.10 | Login/Authentication

When trying to unlock the screen from screensaver or sleep, if an incorrect password is initially entered, the Mac's password entry dialog will not allow the user to input their password again. The workaround is to reboot the Mac and enter the password correctly the first time. This issue was determined to be an Apple problem, has been reported to Apple and logged as Apple Bug #18239041. (70120).

Mac OS/X 10.10 | Misc

The DoD-supplied tool "Encryption Wizard", versions "Public-3.4.4" or below, does not properly decrypt the encrypted file on OS X 10.10 because it uses Java Runtime Environment version 7, while Mac OS X 10.10 uses Java Runtime Environment version 8. (70647).


Other Notes

Using the Software Update group policy: for reliable operation of the Software Update group policy, Software Update Settings > Software Update server to use, you should enter the hostname of the software update server rather than an IP address. In addition, if DNS has not made the association of the hostname of the server with its IP address, you should associate the IP address and hostname by adding a line to the local Mac's /etc/hosts file.

Example: For "Software Update server to use:" enter http://SERVER.local:8088/ instead of http://192.168.2.79:8088/

Where SERVER.local is the hostname of the Software Update server. If DNS fails to associate the hostname of the software update server with an IP address, adding a line like this to /etc/hosts will create the proper association: 192.168.2.79 SERVER.local

Additional information and support

The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

www.centrify.com/resources

Copyright (C) 2004-2017 Centrify Corporation. All rights reserved.
