WHITE PAPER

CENTRIFY CORP.

OCTOBER 2008

Using Centrify’s DirectControl with Mac OS X

Centralized, Active Directory-based authentication, access control and policy enforcement for Mac OS X systems in Windows environments

ABSTRACT

Macintosh computers have found widespread usage within several industries such as education, marketing and advertising, and have been adopted by government agencies for a broad range of uses. Many of these Macs have been managed either individually or as a group using tools provided by Apple. As the Mac continues to gain in popularity – particularly within large organizations where Windows computers and administration tools are predominant, or within government agencies where security concerns are heightened – there is a growing need to manage and secure Macs using a common set of Windows-based administration tools.

Centrify DirectControl for Mac OS X enables IT administrators to add Macintosh computers to their Windows Active Directory infrastructure to centrally manage the authentication, authorization and configuration of Mac OS X systems as well as to lock down the user’s desktop environment. This lets IT administrators manage and secure Mac OS X systems using the same tools and processes already in place to manage Windows systems.

This white paper provides an overview of the features and benefits of using Centrify DirectControl, and describes how an organization can realize substantial benefits by using DirectControl to integrate and centrally manage Mac OS X systems with Active Directory.

CENTRIFY WHITE PAPER USING CENTRIFY’S DIRECTCONTROL WITH MAC OS X

© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE II

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006-2008 Centrify Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

[WP009-2008-10-21]


Contents

1 Introduction ..... 1
1.1 IT Support Challenges for Mac OS X in the Enterprise ..... 1
1.2 DirectControl Provides the Tools Required for IT to Support Mac OS X ..... 2
1.3 Centrify and the Enterprise Desktop Alliance ..... 3
2 Active Directory Authentication and Access Control for Mac OS X ..... 3
2.1 Active Directory User Authentication with DirectControl ..... 5
2.2 User Account and Administration Considerations with DirectControl ..... 8
2.3 Key Differences between DirectControl and Apple’s Active Directory Plug-in ..... 10
3 Centralized Configuration and Policy Management for Mac OS X ..... 11
3.1 DirectControl Group Policy Enforcement on Mac OS X ..... 11
3.2 Common UNIX Group Policies for Mac OS X ..... 12
3.3 Computer Group Policies for Mac OS X ..... 13
3.4 User Group Policies for Mac OS X ..... 16
4 Streamlined Deployment: Workstation Mode and Automated Installation ..... 21
5 Strong Authentication and Single Sign-on through Smart Card Login to Active Directory ..... 23
6 Customer Benefits of the Centrify DirectControl Solution ..... 26
7 Summary ..... 27
8 How to Contact Centrify ..... 28


1 Introduction

Most organizations have standardized on Windows computers. However, Macintosh computers are becoming increasingly popular in a number of different areas. Where they were once relegated to educational organizations or specific departments within large organizations, they are now seen breaking out of the traditional roles of the creative marketing and advertising groups into the general computer population. However, many of these organizations have never truly seen these Macs as part of their global IT infrastructure. It is very common to see Mac OS X systems flying “under the radar” as standalone systems without any oversight from a central IT organization.

1.1 IT Support Challenges for Mac OS X in the Enterprise

In the past, Macintosh users have typically acquired their own systems and were expected to support themselves or even work together within their own departments to support each other. Apple has focused their Windows and Active Directory integration services on providing tools that enable the Macintosh owner or group administrator to plug into these Windows-centric networks themselves, enabling Active Directory-based authentication and providing seamless access to Windows services using Macintosh-centric administrative tools. However, the configuration of these integration tools is managed locally on the individual Macintosh system and does not lend itself to the type of mass deployment or centralized administration most enterprise IT departments expect. And although Mac OS X systems can be configured with Macintosh-centric tools and services such as Apple Workgroup Manager, this requires you to set up a Mac management infrastructure using Apple’s Open Directory Server that is independent and parallel to your Windows management infrastructure. This is a very typical configuration called the golden triangle, where authentication is performed by Active Directory and centralized configuration management is handled by Open Directory and Workgroup Manager.

While the golden triangle configuration will work to provide basic integration, it still leaves the Macintosh community within the enterprise to support themselves. The real problem is that the IT staff spends the majority of their time supporting the Windows network, and they simply do not have the time to learn a new set of tools, nor do they have proper tools to manage or support Macintosh systems within their Windows centric environment. Consequently, they have left these groups of Macintosh users to manage and support their own systems. This lack of support and integration into the enterprise results in several problems that face the typical Macintosh user:

IT staff do not have the tools or abilities to provide support and resolve problems on Macintosh systems.

Security policies are not enforced consistently on Macintosh systems.

Common services are simply not supported or provided to Macintosh users.


Several factors are driving the need within IT to centralize authentication, authorization and support services as well as configuration management. IT must address regulatory compliance requirements across the organization, improve service levels, and enhance efficiency for both itself and end-users. Given these drivers, IT needs tools that enable them to provide a consistent level of service to all users regardless of the type of computer they use, preferably administering with the same tools that they use today without having to learn a new tool set.

Although government and industry regulations are typically focused on systems where confidential customer or business data is stored, organizations in highly regulated industries or governmental agencies have an interest in ensuring best practices around secure and responsible use of personal workstations. Barriers to Macintosh adoption may be lowered in these organizations if IT security managers can be assured they have the tools at hand to lockdown the Mac desktop; for example, to require smart card-based log in, to prevent mounting of external storage devices, to disable the ability to create unsecured wireless networks, to limit access to applications, and to define the configuration of applications.

1.2 DirectControl Provides the Tools Required for IT to Support Mac OS X

DirectControl for Mac OS X enables IT to integrate Macintosh systems into Active Directory and provide the level of support that these users require. DirectControl provides Active Directory-based authentication services as well as Group Policy enforcement leveraging the same administrative tools that IT currently uses to manage Windows systems. DirectControl authentication services are designed to integrate the Macintosh computer into Active Directory to provide authentication and login policy enforcement exactly like a Windows computer that is joined to Active Directory. Group Policy enforcement is also provided for both a) computer policies on the system to enable centralized management of the System Preferences configuration and b) user policies to enable centralized desktop configuration lockdown and application access controls on the Macintosh systems. DirectControl also supports smart card-based login.

For large organizations, DirectControl provides the granular access controls and delegated administration features they need to manage logical groups of Mac systems separately. Using DirectControl’s unique Zone technology, IT administrators can create groups of Mac systems that have their own set of users, administrators, and policies.

Centrify also enables quick deployment of DirectControl through an automated installation program and a workstation mode that joins Macs to Active Directory immediately without the need for any additional setup steps.


1.3 Centrify and the Enterprise Desktop Alliance

As Centrify worked with large organizations to define requirements for Mac integration within a Windows-centric IT environment, customers frequently also asked questions regarding additional services that would further ease deployment and management of Macs. As a result, Centrify decided to spearhead the creation of the Enterprise Desktop Alliance (EDA), a consortium of Macintosh vendors that are delivering enterprise-class software solutions for Mac integration and interoperability with Windows environments. Along with Centrify’s identity and access management solution for the Mac, the EDA partners also offer solutions for systems lifecycle management, enterprise data protection, file and print services, and virtualization. The EDA’s web site provides a wide range of white papers to help customers research solutions, and the organization is sponsoring a series of online webinars demonstrating how their solutions can be used in tandem to lower barriers to acceptance of Macs within the enterprise.

The following sections describe the services provided by DirectControl, explain how DirectControl differs from Apple’s management tools, and detail the unique features and benefits of using DirectControl to manage populations of Macintosh computers, both large and small.

2 Active Directory Authentication and Access Control for Mac OS X

While every Mac OS X system that Apple ships comes with a built-in repository for user and group information stored in a local NetInfo database, any time there is more than one Mac OS X system in a network where the users will need to either access shared resources or log in to other systems, it is best to configure a directory service to centrally manage these accounts, making them available to all the systems in the network. Apple provides many different options for configuring a network-based directory service, from plug-ins that allow usage of existing LDAP directories to their own Open Directory server. Apple also delivers an Active Directory plug-in that provides the basic functions of establishing a trusted relationship between the computer and Active Directory, which enables Active Directory user accounts to be used for login to the Mac OS X system. However, this plug-in requires local configuration to define how the user’s UID and GID will be defined based on their Active Directory account; in most cases it is configured to automatically generate UIDs and GIDs for Active Directory users logging into the system. While this may be acceptable for smaller deployments where the configuration can be manually set for each system, it does not scale well for deployment in larger environments with larger numbers of Mac OS X systems.


There are several key differences between DirectControl and the Active Directory plug-in that Apple provides with Mac OS X for authentication, such as centralized administrative control over the user’s underlying Unix UID and GID assignment as well as the granular access controls which are centrally managed within Active Directory. DirectControl is designed as a complete Active Directory client for non-Windows systems, including the Mac OS X platform, making it a direct replacement for the Apple Mac OS X Active Directory plug-in. All administration of user accounts, password policies and security policies is managed using Active Directory administrative tools, including Active Directory Users and Computers, the Group Policy Management Console, and the Group Policy Object Editor as well as the Centrify DirectControl Administrative Console.


2.1 Active Directory User Authentication with DirectControl

DirectControl for Mac OS X consists of two main architectural components.

Figure 1. Components of the DirectControl Suite. (Diagram labels: DirectControl for Systems; DirectControl for Applications; Windows Computer with the DirectControl Management Tools; Administrator; Microsoft Active Directory + Centrify DirectControl.)

On the Macintosh platform, a DirectControl Agent is installed on each server or workstation. The DirectControl Agent is not just a directory service plug-in; rather, it is a central service that provides both authentication and authorization services as well as Group Policy enforcement. The Agent also determines which DirectControl-enabled users can log in to the system or network services using their Active Directory credentials.

On the Windows platform, the optional DirectControl Management Tools can be installed on one or more Windows computers in the domain. These tools include the Centrify Administrator Console, property extensions to Active Directory Users and Computers, and a web-based Administrator’s Console. If you are deploying DirectControl in workstation mode, it is not strictly required to install these tools. However, most organizations will want to use the management tools to implement Group Policy on their Mac systems and to run the administrative reports. The management tools are required if you decide to implement the advanced access controls and delegated administration features provided by DirectControl Zones.

The optional DirectControl Management Tools are the only Windows software you might need. You are not required to install software on your Windows domain controllers, and DirectControl installation never requires modifications to your Active Directory schema. If you choose to use Zone-based access controls, as Macintosh users and computers join your Active Directory domain, the Centrify DirectControl Agent unobtrusively stores its data in an Active Directory program data container using a standardized method. Centrify DirectControl also works seamlessly and unobtrusively with Active Directory if you have previously installed Microsoft Services for UNIX (SFU), which applies its own schema changes to Active Directory to store UNIX attributes for user accounts. DirectControl also works with Microsoft’s UNIX schema extensions that are included in Windows Server 2003 R2.

The DirectControl Agent in effect turns the Mac OS X system into an Active Directory client. The Agent enables the Mac client to consume and respond to Active Directory services in the same way a Windows client does.

Figure 2. Architecture of the DirectControl for Mac OS X Agent. (Diagram labels: Centrify DirectControl Agent, containing the DirectControl Daemon (adclient), CLI Admin Tools, Offline Credential Cache, Directory Plugin Service, Kerberos Libraries and Group Policy Module; Login Apps (login, ftp, ssh, etc.); Kerberized Apps (ssh, SMB etc.); System Config Files; Microsoft Active Directory / Windows Domain Controllers.)

The DirectControl Agent is responsible for the following functions in order to provide a secure authentication framework for integrating Mac OS X into Active Directory.

Enables the Macintosh computer to join an Active Directory domain. Once the Macintosh system has been joined to the Active Directory domain, it is visible as a standard computer object in the Active Directory Users and Computers console.


Locates the relevant domain controllers based on the Active Directory forest and site topology, also known as being site-aware.

Maintains time synchronization with Active Directory domain controllers if desired.

Maintains an MIT-based Kerberos environment so that existing Kerberos applications will work seamlessly with Active Directory to provide users with single sign-on access to network resources such as Windows file servers and print queues.

Ensures network security by resetting the password on its machine account at regular intervals according to Active Directory domain policies.

Enables logins using users’ Active Directory credentials. Logging on in this context means not only logging into the Mac OS X graphic interface, but also connecting to the Macintosh through a remote SSH or Apple Remote Desktop interface.

Enables authentication with smart cards, including PIV, CAC and .Net cards.

Updates a user’s last login time upon Active Directory login to ensure that password expiration policies are being enforced properly.

Stores user credentials and profiles so that users can log on when the computer is disconnected from the network, without requiring a locally defined mobile user; this is especially useful for laptop computers.

Caches responses from Active Directory information queries to reduce the load on the domain controllers.

Validates that the user has appropriate permissions to log in to the Macintosh system based on account policies. For example, Active Directory provides a set of account-specific controls enabling the administrator to activate or disable a user’s Active Directory account as well as to control the time of day the user is allowed to log in.

When the Mac is a member of a DirectControl Zone, validates that the user has appropriate permissions to log in based on Zone memberships and allowed group membership.

Determines a user’s full UNIX-enabled Active Directory group membership (including nested groups) the first time the user logs on.

Supports users managing their Active Directory passwords from Macintosh systems both for the ad hoc password change as well as for expired password at login.

Validates privileged account logins centrally from Active Directory when needed without requiring previously defined local administrator accounts.

Dynamically creates home directories locally on the computer for users whose profile defines a local home directory path. DirectControl also supports seamlessly mounting network-based home directories from Windows servers or AFP servers as well as providing the option to define a locally synchronized version of the network home directory for laptop users.

Enforces user Group Policies that control the user’s desktop experience such as application access control and dock settings as well as to control the user’s ability to execute privileged operations.

Provides authenticated single sign-on access to Windows print queues using the user’s Active Directory credentials to ensure proper access and accounting for user access to printers.

2.2 User Account and Administration Considerations with DirectControl

Many organizations will have more than one grouping of computer systems that are used for a specific purpose, and typically it is neither desirable nor practical to allow all users in an enterprise to log on to any system. To deal with this, Centrify has developed the concept of Zones to create a way of grouping systems in order to provide fine-grained access controls and delegated administration. In addition to using Zones for access control, organizations with a diverse environment of UNIX, Linux and Mac systems also have the option of using Zones to avoid collisions in user IDs and group IDs. Although Mac end-users rarely also need login privileges on UNIX or Linux systems, IT administrators will want to read this section for the complete picture of how Zones work within a large, mixed environment. Keep in mind in this section that Zones are not available for Macs that were added to Active Directory using DirectControl’s workstation mode.

Figure 3. Example of an Enterprise Organized into Departmental Zones

The DirectControl Zone technology, as shown in the illustration above, works like this:


Each DirectControl-managed UNIX, Linux or Mac system can be placed into a DirectControl Zone, typically directly mapping to an existing logical security boundary or administrative grouping such as an organizational department or lab.

A user (Joan Smith in Figure 3) is configured in Active Directory with her normal Windows information, such as name, password, group membership and so on. In addition, the “Centrify Profiles” that Centrify adds to her Active Directory account indicate which Zones she can access.

For each Zone, Joan’s UNIX/Mac profile in Active Directory stores account information specific to that Zone: UNIX user name, user ID, shell, and home directory for example. Thus, a single Active Directory account can be mapped to any number of UNIX/Mac identities.

Joan can log in to computers only in the Zones to which she has been granted access. Whereas Joan has access to several Zones, another user – for example, a student in a university setting – could be given rights to access only Macs in a Zone set up for a classroom lab, and not be given access to Macs or other systems in Zones set up for computers used in administrative or research departments.

As Figure 3 illustrates, Joan authenticates through Active Directory regardless of which system she logs in to. The Zones are part of the same Active Directory domain where Joan’s account exists.

Delegation and separation of duties is a critical component of any centralized administration solution where security is a concern. DirectControl Zones provide an environment with Active Directory that leverages native access control rules within Active Directory to delegate UNIX profile management as well as UNIX/Mac system access rights management to UNIX administrators without requiring domain administrator rights. With DirectControl, UNIX and Mac administrators do not need rights to modify or create user objects, which is typically a privileged operation within the enterprise.

Additionally, each Zone can have its own set of administrators, each with specific privileges within the Zone. In our university example, Joan may be an IT administrator who has the right to create and modify user accounts in Active Directory for students and employees, and the right to create Zones and add users to Zones. However, a graduate student who runs a Macintosh lab could be given rights only to add or remove existing user accounts to the Mac lab Zone. This added security feature means not only can users and computers be compartmentalized into logical secure groups, but the administrators who manage those systems can also be segregated. For many organizations, the ability to finely control the elevated privileges for administrators is essential for maintaining appropriate levels of confidentiality and for complying with regulatory controls.
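The Zone model just described, as an added worked example that is not Centrify’s code: a small Python model of the lookup the agent performs at login (account state, the computer’s Zone, the user’s per-Zone UNIX profile, the Zone’s allowed groups) and of the delegated “add an existing user to a Zone” operation, including the UID-collision check that central assignment makes possible. All class, attribute and Zone names and the sample accounts are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class UnixProfile:
    """Per-Zone UNIX/Mac identity attached to one AD account (constructed model)."""
    unix_name: str
    uid: int
    gid: int
    shell: str
    home: str


@dataclass
class ADUser:
    """An Active Directory account plus its Zone profiles (zone name -> profile)."""
    sam: str
    disabled: bool = False
    groups: Set[str] = field(default_factory=set)
    profiles: Dict[str, UnixProfile] = field(default_factory=dict)


@dataclass
class Zone:
    name: str
    computers: Set[str] = field(default_factory=set)
    allowed_groups: Set[str] = field(default_factory=set)  # AD groups granted login
    admins: Set[str] = field(default_factory=set)          # delegated Zone administrators


class Directory:
    """In-memory stand-in for the AD data the agent would query at login."""

    def __init__(self) -> None:
        self.users: Dict[str, ADUser] = {}
        self.zones: Dict[str, Zone] = {}

    def zone_of(self, computer: str) -> Optional[Zone]:
        return next((z for z in self.zones.values() if computer in z.computers), None)

    def resolve_login(self, sam: str, computer: str) -> Tuple[bool, str, Optional[UnixProfile]]:
        """Decide whether `sam` may log in to `computer`, and as which UNIX identity."""
        user = self.users.get(sam)
        if user is None:
            return False, "unknown account", None
        if user.disabled:
            return False, "account disabled in Active Directory", None
        zone = self.zone_of(computer)
        if zone is None:
            return False, f"{computer} is not joined to any Zone", None
        profile = user.profiles.get(zone.name)
        if profile is None:
            # No profile for this Zone means the user was never granted access here.
            return False, f"no UNIX profile for Zone {zone.name}", None
        if zone.allowed_groups and not (user.groups & zone.allowed_groups):
            return False, f"not in a group allowed to log in to Zone {zone.name}", None
        return True, f"login as {profile.unix_name} (uid {profile.uid})", profile

    def add_user_to_zone(self, actor: str, zone_name: str, sam: str,
                         profile: UnixProfile) -> Tuple[bool, str]:
        """Delegated operation: a Zone admin grants an existing AD account a profile."""
        zone = self.zones.get(zone_name)
        if zone is None:
            return False, "no such Zone"
        if actor not in zone.admins:
            return False, f"{actor} is not a Zone administrator for {zone_name}"
        if sam not in self.users:
            # Zone admins cannot create AD user objects, only reference existing ones.
            return False, "only existing Active Directory accounts can be added"
        for other in self.users.values():
            clash = other.profiles.get(zone_name)
            if clash is not None and other.sam != sam and clash.uid == profile.uid:
                return False, f"uid {profile.uid} already belongs to {other.sam} in {zone_name}"
        self.users[sam].profiles[zone_name] = profile
        return True, f"{sam} added to Zone {zone_name} as uid {profile.uid}"


def build_sample_directory() -> Directory:
    """Constructed data modelled on the university example in the text."""
    d = Directory()
    d.zones["Research"] = Zone("Research", {"mac-res-01"}, {"Research-Users"}, {"jsmith"})
    d.zones["ClassroomLab"] = Zone("ClassroomLab", {"mac-lab-01", "mac-lab-02"},
                                   {"Students", "Research-Users"}, {"gradstudent"})
    d.users["jsmith"] = ADUser("jsmith", groups={"Research-Users"}, profiles={
        "Research": UnixProfile("joan", 5001, 5000, "/bin/bash", "/Users/joan"),
        "ClassroomLab": UnixProfile("jsmith", 10001, 10000, "/bin/bash", "/Users/jsmith"),
    })
    d.users["student1"] = ADUser("student1", groups={"Students"}, profiles={
        "ClassroomLab": UnixProfile("student1", 10002, 10000, "/bin/bash", "/Users/student1"),
    })
    d.users["gradstudent"] = ADUser("gradstudent", groups={"Students"})
    d.users["student2"] = ADUser("student2", groups={"Students"})
    return d
```

Calling `resolve_login("jsmith", "mac-res-01")` and `resolve_login("jsmith", "mac-lab-01")` on the sample directory returns two different UNIX identities for the same AD account, while `add_user_to_zone` refuses a duplicate uid, a non-existent account, or an actor who is not an administrator of that Zone.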


2.3 Key Differences between DirectControl and Apple’s Active Directory Plug-in

DirectControl is designed to provide what seems on the surface to be an equivalent solution to the Active Directory plug-in that Apple provides with Mac OS X out of the box; however, there are several key differences between the solutions. Fundamentally, DirectControl is designed to provide the centralized administration staff with the tools required to centrally manage heterogeneous computing environments from existing Windows administrative tools. Here are some of the key differences:

DirectControl provides consistent Active Directory integration across multiple platforms. DirectControl provides a single integration solution not only for Mac OS X but for popular UNIX and Linux platforms as well.

DirectControl Zones can be used to further control user access as well as to segregate the Macintosh user population and administrative staff and keep their rights at a minimum within Active Directory.

Offline login is provided with locally cached account profiles for users with local home directories. However, if the user has a network home directory he will be prompted to create a mobile account to take advantage of the synchronization between the local and network-based home directories.

DirectControl enables common account administration of both Windows and Macintosh systems leveraging tools such as Active Directory Users and Computers.

UID and GID assignment is managed centrally within Active Directory as additional attribute information about these objects versus a local configuration within the Directory Services configuration interfaces.

There are many security-related benefits to using DirectControl for Active Directory integration. For example, the machine account password is periodically changed, all communications to Active Directory are Kerberized, and user access to Windows print queues is authenticated in a single sign-on fashion.

DirectControl provides a reporting facility to enable generation of several reports on Active Directory information such as computer access reports.

DirectControl provides delegated administration with separation of duties between Active Directory and Macintosh administrators as well as between groups of Macintosh administrators.

Additionally, the DirectControl Agent that provides user authentication and authorization services also provides Group Policy enforcement to enable centralized configuration management. Centralized configuration and Group Policy services are described in more detail in the next section.


3 Centralized Configuration and Policy Management for Mac OS X

Configuration management and policy enforcement across an enterprise is extremely important to most organizations, especially if there is a need to ensure that security policies are properly enforced across all computers. Additionally there are several benefits to centralizing the configuration of workstations and servers, including:

Reducing the effort required to bring a new computer into the environment, configuring it properly and ensuring that it stays configured properly throughout its lifecycle, resulting in a much lower total cost of ownership.

Ensuring that security policies are properly enforced across the enterprise, so that no holes exist for potential attackers to exploit.

Automatically configuring the user environment so that all users have a consistent computing experience that provides them the services they need to accomplish their work.

Apple provides a tool, Workgroup Manager, to centrally manage the configuration and security policies of Mac OS X computers. To work against Active Directory, however, Workgroup Manager requires either a set of schema modifications to Active Directory or a separate Open Directory deployment. In Windows environments, most administrators instead use Group Policy to centrally configure Windows workstations, both to enforce consistent security policies and to ensure a consistent end-user experience across all deployed workstations. DirectControl provides broad and robust support for Group Policy on the Mac, so IT administrators have a single tool to configure and enforce consistent security policies on all non-Windows computers, including Mac OS X systems. DirectControl also enables IT administrators to configure and secure their Mac environment through Group Policy without detailed knowledge of Mac desktop configuration. In environments where workstation security is particularly important, giving IT security administrators the ability to lock down Mac workstations through Group Policy can help lower barriers to adoption.

3.1 DirectControl Group Policy Enforcement on Mac OS X

Windows Group Policy works by setting user and computer registry keys on Windows machines; since almost all of a Windows system is configured through registry settings, this is a natural and simple way to enforce almost any policy. UNIX and Mac environments have no equivalent of the Windows registry: the de facto standard for configuration is plain text files (and, on Mac OS X, plist files). To deliver Active Directory’s Group Policy capabilities in UNIX and Mac environments, DirectControl creates a “virtual registry” of the policies that apply either to the computer itself or to the users who log in to the system.

The enforcement of these virtual registry settings is handled by two different mechanisms, depending on the service or configuration that needs to be controlled. For applications that use a configuration file to manage their settings, DirectControl provides a specific mapper program that knows what needs to be set in the configuration file or, on Macintosh systems, in the application’s plist file for the particular virtual registry setting. Additionally, many of the System Preferences settings and user environment controls are provided by the MCX (Managed Client) subsystem within Mac OS X, and several of DirectControl’s user Group Policies are enforced through MCX.

The DirectControl Agent first must update the Group Policy settings into its virtual registry based on the computer account or the user who is logged in to the system. This load event is triggered by:

System startup. When the DirectControl daemon starts up (usually when the system boots up), it updates the computer’s registry.

User log on. When a user logs on, the DirectControl Agent creates or updates the user’s registry settings.

adgpupdate command. The DirectControl Agent can be forced to immediately update the user and computer registries through this command line.

Periodic refresh interval. The DirectControl Agent will also refresh the virtual registry on a periodic basis according to the Group Policy refresh interval setting in the domain policy.

The loading of policy is asynchronous, which is equivalent to the behavior in recent Windows versions. The loaded settings are stored on the local machine for disconnected operation. Once the virtual registry has been updated through one of the events described above, then either the appropriate mapper program is activated to update or create the configuration or plist file, or the appropriate MCX setting is defined for the application or System Preference being controlled.

3.2 Common UNIX Group Policies for Mac OS X

Centrify includes a set of Active Directory Group Policies that are common to UNIX, Linux and Mac OS X platforms that can be applied to users or systems, as appropriate. DirectControl includes more Group Policy objects than any other solution, including policies to manage all aspects of DirectControl: how users log on, password prompts, network and cache timeout settings, Kerberos settings, name lookup and user authentication overrides, password caching, LDAP settings, locally defined user/group maps, and more. There are also several other policies that can be generically applied to UNIX, Linux and Mac OS X systems, such as managing crontab settings, iptables-based firewall configuration for Linux systems, file system mount points as well as running commands or scripts at login and managing the sudo permissions file. DirectControl enforces both computer and user policies and additionally supports advanced Group Policy features such as filtering of policies as well as loop back processing for those environments that require this level of control.

A good example of the value of enforced policy can be seen with the administration of the sudoers file, since this file defines who can run privileged programs on Mac OS X systems such as unlocking privileged System Preferences items. Using this common Group Policy, you can ensure that end-users are automatically configured with the rights they require at login. It is also possible to configure IT administrator accounts with the appropriate rights they need on all Mac OS X systems regardless of any locally defined configuration, even if they do not have a local account, since DirectControl will provide access based on centrally managed security policies. The sudo Group Policy can now be used as a direct replacement for the checkbox in the Accounts System Preference to “Allow user to administer this computer” since it will accomplish the same results, but is now centrally controlled via Group Policy. If the configuration of this file is not strictly controlled across every system in your organization, then security is not only compromised on an individual system but also potentially compromised across your organization. Centrify’s Group Policy enforcement ensures that your systems are secured in a consistent, enforced manner.
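The paragraph above makes the case that an uncontrolled sudoers file is an organization-wide risk, not a per-machine one. The following is an added example, not Centrify code, of the check a practitioner would run between policy refreshes: it compares a Mac’s local sudoers file against the centrally rendered desired state and flags the grants a reviewer would question. Both sudoers texts are constructed for the example; the group names, the helpdesk command list and the `jsmith` line are invented.

```python
import re

# Constructed desired state, as the central sudo policy would render it:
# privileges go to AD groups, never to individual local users.
DESIRED_SUDOERS = """\
# Managed centrally; local edits are overwritten on the next policy refresh
Defaults env_reset
%mac-admins ALL=(ALL) ALL
%helpdesk   ALL=(root) /usr/sbin/softwareupdate, /usr/bin/killall
"""

# Constructed local file from one Mac where somebody added a line by hand.
LOCAL_SUDOERS = """\
Defaults env_reset
%mac-admins ALL=(ALL) ALL
%helpdesk ALL=(root) /usr/sbin/softwareupdate, \\
    /usr/bin/killall
jsmith ALL=(ALL) NOPASSWD: ALL
"""

NOT_USER_SPECS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                  "Cmnd_Alias", "#include", "#includedir")
USER_SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?P<rest>.+)$")


def normalize(text):
    """Return sudoers entries as a list: blank lines and comments dropped
    (#include directives kept), backslash continuations joined, whitespace
    collapsed. Trailing comments are not stripped because '#' also introduces
    a numeric uid/gid in sudoers syntax."""
    entries, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s or (s.startswith("#") and not s.startswith("#include")):
            continue
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        entries.append(" ".join((buf + s).split()))
        buf = ""
    return entries


def find_drift(desired, local):
    """Entries present locally but not in policy, and policy entries missing locally."""
    want, have = set(normalize(desired)), set(normalize(local))
    return sorted(have - want), sorted(want - have)


def risky_grants(text):
    """Flag user specifications a reviewer would question. Heuristic only: a
    principal that is not a %group, +netgroup, #uid or UPPERCASE alias is
    treated as an individual user."""
    findings = []
    for entry in normalize(text):
        if entry.startswith(NOT_USER_SPECS):
            continue
        m = USER_SPEC.match(entry)
        if not m:
            continue
        who, rest = m["who"], m["rest"]
        if "NOPASSWD:" in rest and rest.endswith("ALL"):
            findings.append(f"{who}: passwordless unrestricted sudo")
        if not who.startswith(("%", "+", "#")) and not who.isupper() and who != "ALL":
            findings.append(f"{who}: grant to an individual user, not an AD group")
    return findings


def sudo_example():
    """Run the drift check on the constructed files."""
    extra, missing = find_drift(DESIRED_SUDOERS, LOCAL_SUDOERS)
    return extra, missing, risky_grants(LOCAL_SUDOERS)


if __name__ == "__main__":
    extra, missing, findings = sudo_example()
    print("not in policy:", extra)
    print("missing locally:", missing)
    print("findings:", findings)
```

Whatever renders the managed file should be validated with `visudo -c -f <file>` before it is installed: a syntax error in sudoers locks every administrator out of privilege escalation on that machine, which is the opposite of what the policy intends.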

For added flexibility, you can also create your own custom administrative templates to describe any additional policy settings that you would like to enforce for your own application or other service which DirectControl does not provide already. In order to enforce these policies on the Mac OS X systems, you can use standard Perl scripting to create your own mapping programs that will update or create relevant configuration or plist files. Several example policies are provided to make creating your own policies much simpler.
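Section 3.1 describes the mapper step (policies already loaded into the virtual registry are written into an application’s plist) and the paragraph above describes writing your own mapper. The following added example, which is not Centrify code and is written in Python rather than the Perl the paper mentions, shows the part of a mapper that is easy to get wrong: the Windows tri-state semantics. Not Configured must leave the local value untouched, Enabled writes the policy value, and Disabled is an enforced “off” for some settings and “stop enforcing” for others. The policy names are invented for the example; the plist keys are those of the screen saver preferences, and the local plist contents are constructed.

```python
import plistlib

# Tri-state of an Administrative Template setting. The distinction matters when
# the mapper runs: Not Configured must leave the local value alone, whereas
# Disabled is an enforced "off" (or "stop enforcing", depending on the setting).
NOT_CONFIGURED, ENABLED, DISABLED = "not_configured", "enabled", "disabled"
REMOVE = object()  # sentinel: Disabled deletes the key so the local default applies

# Assumed policy catalogue for one application's plist (policy names are made up
# for this example; the plist keys are those of com.apple.screensaver):
#   policy name -> (plist key, what Disabled writes)
POLICY_SPEC = {
    "security/require_password_to_wake": ("askForPassword", False),
    "security/password_delay_seconds": ("askForPasswordDelay", REMOVE),
    "screensaver/idle_time": ("idleTime", REMOVE),
}


def apply_policy(prefs, policies):
    """Merge loaded policy entries into a preferences dict.

    prefs:    dict loaded from the target plist (a modified copy is returned)
    policies: {policy name: (state, value)} as the agent would hold them after
              a refresh; value is only consulted when state is ENABLED
    Returns (new_prefs, list of human-readable changes). Idempotent: a second
    run with the same input reports no changes.
    """
    prefs = dict(prefs)
    changes = []
    for name, (state, value) in policies.items():
        if name not in POLICY_SPEC:
            raise KeyError(f"no mapper handles policy {name!r}")
        key, disabled_value = POLICY_SPEC[name]
        if state == NOT_CONFIGURED:
            continue                      # hands off: the local setting survives
        if state == ENABLED:
            desired = value
        elif state == DISABLED:
            desired = disabled_value
        else:
            raise ValueError(f"bad state {state!r} for {name}")
        if desired is REMOVE:
            if key in prefs:
                changes.append(f"{key}: {prefs.pop(key)!r} -> (removed)")
        elif prefs.get(key) != desired:
            changes.append(f"{key}: {prefs.get(key)!r} -> {desired!r}")
            prefs[key] = desired
    return prefs, changes


def mapper_example():
    """Run the mapper against a constructed local plist and a constructed policy load."""
    local_plist = plistlib.dumps({         # what the user's plist held before refresh
        "askForPassword": False,
        "askForPasswordDelay": 300,
        "idleTime": 600,
    })
    loaded = {                             # what the refresh put in the virtual registry
        "security/require_password_to_wake": (ENABLED, True),
        "security/password_delay_seconds": (ENABLED, 0),
        "screensaver/idle_time": (NOT_CONFIGURED, None),
    }
    new_prefs, changes = apply_policy(plistlib.loads(local_plist), loaded)
    rewritten = plistlib.dumps(new_prefs)  # bytes the mapper would write back
    return plistlib.loads(rewritten), changes


if __name__ == "__main__":
    prefs, changes = mapper_example()
    print(prefs)
    for line in changes:
        print(line)
```

A real mapper writes `rewritten` to the user’s `~/Library/Preferences/com.apple.screensaver.plist` (or its ByHost variant) at each of the load events listed in Section 3.1, so it has to be idempotent. On current macOS releases preferences are cached by cfprefsd, so writing the file directly can be overwritten; there the same merge logic should go through `defaults write` or CFPreferences, or the setting should be delivered as a configuration profile.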

3.3 Computer Group Policies for Mac OS X

DirectControl for Mac OS X extends beyond the common UNIX policies described above to provide additional Mac OS X-specific policies to enable the administrator to centrally control the security policies and services of the computer. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy.

The following table shows the categories of computer policies and what each controls as seen within the System Preferences.

Computer Policy Category: Individual Policies That Can Be Enforced

Security
    Require password to unlock each secure system preference
    Disable automatic login
    Use secure virtual memory
    Log out after n minutes of inactivity
    Enable smart card support
    Require smart card login

Sharing Services
    Services settings (turn sharing on or off for each service, such as personal file sharing, remote login, etc.)

Network
    Adjust list of searched domains
    Adjust list of DNS servers
    Enable proxies (FTP, HTTP, HTTPS, etc.)
    Configure proxies

Firewall Settings
    Enable the firewall
    Firewall settings (turn the firewall on or off for each service, such as iChat, etc.)
    Block UDP traffic
    Enable network time
    Enable firewall logging
    Enable stealth mode

Internet Sharing
    Disallow all Internet sharing

Accounts
    Display Login Window settings
    Show the Restart, Sleep and Shutdown buttons
    Set the Display Banner
    Control whether the login window shows Name and Password or a List of users
    Control password hint display
    Enable fast user switching
    Map Zone admin groups to local admin groups

Energy Saver (each setting configurable separately for AC power and battery power)
    Put display to sleep if inactive
    Put computer to sleep if inactive
    Put the hard disk(s) to sleep when possible
    Wake when the modem detects a ring
    Wake for Ethernet network administrator access
    Allow power button to sleep the computer
    Restart automatically after a power failure

Software Update Settings
    Automatically download and install software updates
    Specify software update server

Remote Management
    Enable ARD administrator group
    Enable ARD report group
    Enable ARD management group
    Enable ARD interactive group

You can apply these policies to the domain or to an organizational unit (OU), and the policies will be applied to the Mac OS X system as soon as it has been joined to the Active Directory domain. This enables rapid bulk configuration of these security policies for all Mac OS X computers within the domain or OU without having to manually configure each system by hand, greatly reducing the total cost of ownership of these computers.

Most of these computer policies govern settings that matter for the security posture of the computer. Let’s take a closer look at one of them to see how computer settings are managed with the Active Directory Group Policy Object Editor. The screen shot below shows the Group Policy interface for controlling the Login Window settings.

Figure 4. Using Group Policy to control Login Window settings for Mac OS X

Once the settings you want to enforce have been defined within this dialog, they are then retrieved and enforced on the Mac OS X system by the DirectControl Group Policy services. The result of the policy being enforced on the system can be seen in the Mac System Preferences panel after the Group Policy is refreshed on the system with the adgpupdate command or after the periodic update interval has lapsed.

Figure 5. The Mac OS X System Preferences panel shows the new setting distributed through Group Policy.

The enforcement of these computer policies can help to address regulatory compliance requirements since many of these policies are designed to provide centralized control over the defined requirements, such as enforcing machine security when the user is not present.

3.4 User Group Policies for Mac OS X

DirectControl also provides an extended set of Group Policies to control the user’s desktop environment, which would normally be controlled with Workgroup Manager. These policies enable the administrator to not only configure how the desktop environment appears, but also to control the applications that the user is allowed to run as well as whether or not the user is allowed to access external or recordable media to prevent data theft from the controlled environment. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy.

The following table shows the categories of user policies and what each controls as seen within the System Preferences.

User Policy Category: Individual Policies That Can Be Enforced

Application Access
    Control access to specific applications
    Control access to UNIX tools and utilities
    Control access to AppleScript

Desktop & Screen Saver
    Enforce screen saver
    Screen saver timeout

Dock Settings
    Dock size
    Magnification
    Position on screen
    Animation for application opening
    Auto hide the Dock
    Lock the Dock display to prevent changes
    Control applications displayed in the Dock
    Display other folders or documents in the Dock

Finder Settings
    Set Finder type to Normal or Simple

Folder Redirection (performed at login, logout or periodic intervals)
    Delete a user’s path
    Delete symbolic links
    Create symbolic links
    Rename symbolic links

Other Application Settings
    Distribute application-specific plist files

Media Access Controls
    Control access to CDs and CD-ROMs
    Control access to DVDs
    Control access to recordable discs
    Control access to internal disks
    Control access to external disks (including USB flash disks and iPods)
    Force eject of removable media at logout

Mobility Sync Settings
    Control synchronization
    Control what items will sync at login/logout
    Control what items will sync in the background
    Control what items should be skipped

Scripts
    Specify login and logout scripts

Security
    Require password to wake this computer from sleep or screen saver
    Smart card removal policy to lock screen or log out
    Prohibit screen saver unlock with expired password (when offline)

System Preference Settings
    Limit which items will be shown in System Preferences
    Control display of each item in System Preferences

User policies such as these can be applied in several ways. The typical method is to link the policy to an OU within Active Directory, so that it applies to all users in that OU. Another method is group filtering: the policy is linked higher in the directory tree and an Active Directory group is used as a security filter, so that the policy applies only to members of that group. A more complex method is to link the policy to an OU of computers so that the user policies apply to whoever logs in to those specific computers; this is called loopback processing.

Once policies have been applied to the appropriate domain, OU or filtered on a group, the policies will be applied to the Mac OS X system as soon as the user logs into the Active Directory domain. This ensures that the most current policy is enforced at all times across the enterprise.

These user policies can be used to ensure that the user is presented a consistent and controlled desktop environment as well as to prevent the user from changing system settings that are under administrative control either manually or via Group Policy control. The following Group Policy is used to define the user’s ability to see the System Preferences, specifically the System items within the System Preferences.

Figure 6. With Group Policy you can control the Mac OS X desktop environment and prevent users from using specific System items.

Once these settings are defined and a user logs in to the system, they will see only the System Preferences items that are enabled; disabled items are not shown. Based on the settings defined in Figure 6 across all the System Preferences visibility settings, the user will see the following interface after login.

Figure 7. Specific System settings have been disabled through Group Policy.

Other policies are designed to lock down the environment and control what the user is allowed to do, including locking the Dock, controlling which applications the user can run, and preventing the user from accessing removable media of any kind that would allow data to be extracted. Application access controls are easily enforced in the Group Policy interface by selecting the specific applications that the user should be able to run, denying the user the right to run any program they are not authorized for.

Figure 8. This user policy specifies that the Chess, DVD Player, and iChat applications cannot be launched.

With the policy settings specified in Figure 8 in place, a Mac OS X user who tried to launch the DVD Player would see the following message.

Figure 9. Mac OS X users are notified when they try to launch a proscribed application.

4 Streamlined Deployment: Workstation Mode and Automated Installation

The Centrify DirectControl for Mac OS X installation program, provided in universal binary format, makes it easy to deploy DirectControl whether you need to install on Macs individually or centrally install on hundreds or thousands of Macs across your enterprise. A pre-installation environment analysis tool and DirectControl’s workstation mode also streamline deployment.

On individual systems, a graphical, interactive installation program walks users through the setup. System administrators can of course also use this interactive installation program on individual systems, but for large deployments they will want to extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify web site for instructions. The installation package can also be distributed using third-party systems management solutions such as LanREV.

The ADcheck analyzer identifies issues that could prevent a successful installation. The most common problems are DNS configuration issues that prevent the Mac from locating an Active Directory domain controller on the network. End-users can run ADcheck themselves before installing DirectControl; if it reports no issues they can proceed on their own, but if it does find problems they will probably need assistance from IT.

In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl’s workstation mode streamlines installation using the same methodology to add a Mac workstation to an Active Directory domain as that used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters.

Figure 10. Administrators can join Mac OS X systems to AD in Workstation Mode just as they would any Windows system, or into a Centrify Zone for more complex environments.

Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode.

However, workstation mode differs from standard mode in two regards. First, the installation process has been streamlined: you do not need to install the Centrify Administrator’s Console first. You simply install DirectControl on a Mac; it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. Second, the Mac is added to Active Directory without being associated with a DirectControl Zone. This means that any user with an Active Directory account can log in to that Mac, just as any user with an Active Directory account can log in to a Windows workstation. If you need to limit access to a subset of Active Directory users, it is easy enough to install the Centrify Administrator’s Console and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed.

Organizations can view workstation mode as a permanent solution for managing Macs centrally from Active Directory. Or the workstation mode installation may simply represent a way to quickly deploy DirectControl and add Macs to Active Directory while deferring the implementation of Zone-based access controls to a later date.

On UNIX and Linux server systems that have not been centrally managed, Zones are also frequently useful for enabling the mapping of multiple UIDs and GIDs that may exist for a single user to that user’s Active Directory account. This issue does not exist on Macs because logins and permission-based access to, say, network shares are not managed using UIDs or GIDs but through Kerberos credentials. When a user logs in to a Mac joined to Active Directory in workstation mode, the DirectControl Agent automatically derives a valid, globally unique UID from the user’s Active Directory SID, which ensures consistency on all Mac OS X systems where the user logs in.
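The paragraph above says the agent derives a globally unique UID from the user’s SID. The paper does not describe Centrify’s derivation, so the following is an added example of the design constraint rather than their algorithm: a SID is the domain identifier plus a RID, and mapping the RID alone gives the same UID to unrelated accounts in two domains, which on a shared file server is an authorization bug. The example parses SIDs, rejects non-domain (e.g. BUILTIN) SIDs, and allocates each domain its own UID range from a constructed table; the domain SIDs, range sizes and the two accounts are invented. Hash-based allocation schemes exist (Samba’s idmap_autorid is one), but they carry a collision risk that an explicit, centrally stored table avoids.

```python
import re

# Only domain account SIDs: S-1-5-21-<d1>-<d2>-<d3>-<RID>. BUILTIN (S-1-5-32-*)
# and other well-known SIDs are not domain accounts and must not get a UID here.
SID_RE = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}-(\d{1,10})$")


def parse_sid(sid):
    """Return (domain SID, RID), or raise ValueError for anything that is not a
    well-formed domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    if any(int(p) > 0xFFFFFFFF for p in sid.split("-")[3:]):
        raise ValueError(f"sub-authority out of 32-bit range: {sid!r}")
    return sid.rsplit("-", 1)[0], int(m.group(1))


# Constructed allocation table: each domain owns a disjoint UID range. In a real
# deployment this table lives in the directory, not on each machine.
DOMAIN_BASES = {
    "S-1-5-21-1111111111-2222222222-3333333333": 1_000_000,   # corp.example
    "S-1-5-21-4000000000-1234567890-987654321": 2_000_000,    # lab.example
}
RANGE = 1_000_000                 # RIDs per domain range
UID_FLOOR, UID_CEIL = 1000, 2**31 - 1   # above local/system accounts, below signed 32-bit


def uid_from_sid(sid):
    """Deterministic, domain-aware UID. Fails closed for unknown domains rather
    than guessing a number that might already be in use."""
    domain, rid = parse_sid(sid)
    base = DOMAIN_BASES.get(domain)
    if base is None:
        raise LookupError(f"no UID range allocated for domain {domain}")
    if rid >= RANGE:
        raise ValueError(f"RID {rid} exceeds the per-domain range of {RANGE}")
    uid = base + rid
    if not UID_FLOOR <= uid <= UID_CEIL:
        raise ValueError(f"derived UID {uid} outside the safe range")
    return uid


def rid_only_uid(sid):
    """The naive scheme: UID = RID. Stable on one domain, collides across domains."""
    return parse_sid(sid)[1]


def collision_demo():
    """Two different accounts that happen to share RID 1105 in two domains."""
    a = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    b = "S-1-5-21-4000000000-1234567890-987654321-1105"
    return rid_only_uid(a) == rid_only_uid(b), uid_from_sid(a) == uid_from_sid(b)


if __name__ == "__main__":
    print("RID-only collides:", collision_demo()[0])
    print("domain-aware collides:", collision_demo()[1])
    print(uid_from_sid("S-1-5-21-1111111111-2222222222-3333333333-1105"))
```

The check worth keeping from this is the last one in `uid_from_sid`: whatever derivation is used, the result must be stable across every machine the user touches and must stay clear of the ranges local accounts and system daemons use, or file ownership on shared storage silently becomes wrong.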

DirectControl-managed Macs can also be configured to leverage your organization’s centralized Windows home directory servers as specified in the user’s Active Directory network home profile setting. If an Active Directory user has a network home folder defined in their profile, then the DirectControl Agent mounts this network share as the user’s home directory. If the workstation is a portable system, then the portable home directory feature can be used to establish a local home directory that is synchronized to the user’s network home directory. IT administrators can control these settings for user accounts using Group Policy. There is also a computer Group Policy that can override these settings – for example, to prevent local home directories on a kiosk machine or to provide roaming profiles for Mac users.

5 Strong Authentication and Single Sign-on through Smart Card Login to Active Directory

Smart card-based authentication is a requirement in some industries and is gaining in popularity in other organizations that, for security and/or compliance reasons, want to move beyond user authentication based solely on an individual knowing a user name and password. DirectControl provides broad support for smart card login to Active Directory on Mac OS X supporting CAC, PIV and .NET smart cards, enforces Active Directory-defined user account policies for smart card use, and supplies Group Policies that enable you to fine-tune smart card settings.

Figure 11. Users inserting a smart card are prompted for their PIN, a streamlined login method.

In government agencies and organizations doing business with them, the requirement for smart card-based access is being driven by Homeland Security Presidential Directive 12 (HSPD-12), which seeks to replace the wide variety of personal identification systems in use with a single, common standard for identifying Federal employees and contractors for the purposes of access both to physical facilities and to information systems. Non-military Federal agencies have begun distributing Personal Identity Verification (PIV) cards to employees and contractors, while the Department of Defense has been using Common Access Cards (CAC). DirectControl leverages the smart card middleware provided by Apple to support both PIV and CAC smart cards, as well as other cards that support the Apple tokend interface, such as Gemalto's .NET smart cards.

To streamline deployment of smart card-protected systems, DirectControl automates the configuration of the system to support smart card login as well as to ensure that the system trusts the root certificate authorities that are trusted by Active Directory when a Macintosh joins the domain.

Figure 12. Once the user logs in with a smart card, PKI certificates are available via the Keychain for access to other PKI enabled applications.

Active Directory enforces smart card access to Windows systems through the Account option “Smart card is required for interactive logon” policy. DirectControl enforces this policy on Mac OS X systems as well, giving you the ability to enforce smart card access consistently across your organization. An additional DirectControl Group Policy can also be used selectively (for example, through filtering) to protect high-security machines from being accessed interactively without a smart card.

Figure 13. Smart card login to Active Directory with DirectControl provides the user with Kerberos tickets in order to support Single Sign-on to other applications and services.

DirectControl also provides Group Policies to enable centralized management of smart card login. These Group Policies can be used to require a Macintosh system to go into screen lock or to force a logout when the smart card is removed from the reader during a session. This policy enforcement on Mac OS X systems enables organizations to easily enable the secured usage of Mac systems within their Windows environments leveraging the same tools, procedures and policies that they are already familiar with today.

6 Customer Benefits of the Centrify DirectControl Solution

Each of the DirectControl features outlined in this white paper directly translates into tangible benefits for administrators and end-users. Some of the benefits for administrators and IT managers include:

True centralized control over authentication, authorization and administration of Mac OS X systems is possible using familiar Windows administration tools.

Zone-based access controls enable you to organize Macs (and UNIX or Linux systems if you so choose) into logical groups for departments, labs, etc., and grant access to the systems within a Zone based on a user’s role within the organization.

Separation of duties enables Active Directory-based delegated administration for managing user access to systems without having to grant domain admin rights to Mac administrators.

Security policies are maintained across all systems, not just Windows, for both computer-related security settings as well as end-user-specific settings.

User environments can now be centrally managed to ensure consistency.

Workstation mode and an automated installation program provide quick deployment to dozens or hundreds of Mac systems.

Support for the most popular smart card formats and Group Policy-based control over smart card settings mean organizations can quickly implement smart card security without the need for additional point products.

End-users will notice few changes to their Mac OS X user experience (a good thing), while the systems are centrally managed, enabling IT to provide a much higher level of service to these users. Additional benefits for the end-users include:

No extra account or password information to remember – Active Directory credentials can be used to log in to Mac OS X or Windows computers as required.

Single sign-on is maintained for access to Windows file shares and SPNEGO-enabled web sites, and additionally single sign-on is provided for access to Windows print queues.

User Group Policy support means users will have a consistent experience as they log in to systems across your enterprise, including access to applications, network home directories, and the like.

7 Summary

Centrify DirectControl enables organizations to leverage their existing investments in Microsoft’s Active Directory to seamlessly centralize the user management of Mac OS X systems as well as to centrally manage configurations and enforce security policies.

DirectControl is a single product architecture designed to provide authentication, authorization and policy enforcement across Macintosh, UNIX, and Linux systems as well as web and Java applications.

Active Directory user accounts can be used to log in to a wide range of operating systems and applications as well as to provide single sign-on for end users.

Integration services are modeled after Windows XP to provide consistent operational behavior across the enterprise.

DirectControl provides broad and robust Group Policy services to enforce centralized configuration and security policies on Macintosh systems, enabling complete replacement of Workgroup Manager with Active Directory-centric tools.

Leveraging existing Active Directory tools enables administrators to minimize retraining and use the tools that they already know in order to centrally manage configuration preferences and policy settings on all systems within the enterprise.

Schema modifications are not required, and parallel Open Directory infrastructures are eliminated when using DirectControl and Group Policy for centralized configuration management.

DirectControl’s unique Zone technology provides the ability to manage access rights independently for each Zone and to achieve separation of duties for central IT staff and local system administrators.

Mac system administrators can be granted individual rights to manage access permissions within their Zone of computers independent of other Mac (and UNIX or Linux) administrators and their Zones.

Users can have independent and unique Mac profiles for different groups of Mac systems versus a single Mac account profile for all systems joined to Active Directory.

8 How to Contact Centrify

North America (and all locations outside EMEA)
Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
United States
Sales: +1 (650) 961-1100

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Asmec Centre, Merlin House
Brunel Road
Theale, Berkshire, RG7 4AB
United Kingdom
Sales: +44 1189 026580

Enquiries: [email protected]
Web site: www.centrify.com

