
WHITE PAPER, CENTRIFY CORP., OCTOBER 2008

Using Centrify's DirectControl with Mac OS X

Centralized, Active Directory-based authentication, access control and policy enforcement for Mac OS X systems in Windows environments

ABSTRACT

Macintosh computers have found widespread usage within several industries such as education, marketing and advertising, and have been adopted by government agencies for a broad range of uses. Many of these Macs have been managed either individually or as a group using tools provided by Apple. As the Mac continues to gain in popularity, particularly within large organizations where Windows computers and administration tools are predominant, or within government agencies where security concerns are heightened, there is a growing need to manage and secure Macs using a common set of Windows-based administration tools.

Centrify DirectControl for Mac OS X enables IT administrators to add Macintosh computers to their Windows Active Directory infrastructure to centrally manage the authentication, authorization and configuration of Mac OS X systems, as well as to lock down the user's desktop environment. This lets IT administrators manage and secure Mac OS X systems using the same tools and processes already in place to manage Windows systems.

This white paper provides an overview of the features and benefits of using Centrify DirectControl, and describes how an organization can realize substantial benefits by using DirectControl to integrate and centrally manage Mac OS X systems with Active Directory.


CENTRIFY WHITE PAPER: USING CENTRIFY'S DIRECTCONTROL WITH MAC OS X

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006-2008 Centrify Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

[WP009-2008-10-21]

© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE II


Contents

1 Introduction ... 1
1.1 IT Support Challenges for Mac OS X in the Enterprise ... 1
1.2 DirectControl Provides the Tools Required for IT to Support Mac OS X ... 2
1.3 Centrify and the Enterprise Desktop Alliance ... 3
2 Active Directory Authentication and Access Control for Mac OS X ... 3
2.1 Active Directory User Authentication with DirectControl ... 5
2.2 User Account and Administration Considerations with DirectControl ... 8
2.3 Key Differences between DirectControl and Apple's Active Directory Plug-in ... 10
3 Centralized Configuration and Policy Management for Mac OS X ... 11
3.1 DirectControl Group Policy Enforcement on Mac OS X ... 11
3.2 Common UNIX Group Policies for Mac OS X ... 12
3.3 Computer Group Policies for Mac OS X ... 13
3.4 User Group Policies for Mac OS X ... 16
4 Streamlined Deployment: Workstation Mode and Automated Installation ... 21
5 Strong Authentication and Single Sign-on through Smart Card Login to Active Directory ... 23
6 Customer Benefits of the Centrify DirectControl Solution ... 26
7 Summary ... 27
8 How to Contact Centrify ... 28


1 Introduction

Most organizations have standardized on Windows computers. However, Macintosh computers are becoming increasingly popular in a number of different areas. Where they were once relegated to educational organizations or specific departments within large organizations, they are now seen breaking out of the traditional roles of the creative marketing and advertising groups into the general computer population. However, many of these organizations have never truly seen these Macs as part of their global IT infrastructure. It is very common to see Mac OS X systems flying "under the radar" as standalone systems without any oversight from a central IT organization.

1.1 IT Support Challenges for Mac OS X in the Enterprise

In the past, Macintosh users have typically acquired their own systems and were expected to support themselves, or even to work together within their own departments to support each other. Apple has focused its Windows and Active Directory integration services on providing tools that enable the Macintosh owner or group administrator to plug into these Windows-centric networks themselves, enabling Active Directory-based authentication and providing seamless access to Windows services using Macintosh-centric administrative tools.

However, the configuration of these integration tools is managed locally on the individual Macintosh system and does not lend itself to the type of mass deployment or centralized administration most enterprise IT departments expect. And although Mac OS X systems can be configured with Macintosh-centric tools and services such as Apple Workgroup Manager, this requires you to set up a Mac management infrastructure using Apple's Open Directory server that is independent of and parallel to your Windows management infrastructure. This is a very typical configuration called the "golden triangle", where authentication is performed by Active Directory and centralized configuration management is handled by Open Directory and Workgroup Manager.

While the golden triangle configuration will work to provide basic integration, it still leaves the Macintosh community within the enterprise to support themselves. The real problem is that the IT staff spends the majority of its time supporting the Windows network; it simply does not have the time to learn a new set of tools, nor does it have proper tools to manage or support Macintosh systems within a Windows-centric environment. Consequently, IT has left these groups of Macintosh users to manage and support their own systems. This lack of support and integration into the enterprise results in several problems that face the typical Macintosh user:

• IT staff do not have the tools or abilities to provide support and resolve problems on Macintosh systems.
• Security policies are not enforced consistently on Macintosh systems.
• Common services are simply not supported or provided to Macintosh users.


Several factors are driving the need within IT to centralize authentication, authorization and support services as well as configuration management. IT must address regulatory compliance requirements across the organization, improve service levels, and enhance efficiency for both itself and end users. Given these drivers, IT needs tools that enable it to provide a consistent level of service to all users regardless of the type of computer they use, preferably administering with the same tools it uses today without having to learn a new tool set.

Although government and industry regulations are typically focused on systems where confidential customer or business data is stored, organizations in highly regulated industries or governmental agencies have an interest in ensuring best practices around secure and responsible use of personal workstations. Barriers to Macintosh adoption may be lowered in these organizations if IT security managers can be assured they have the tools at hand to lock down the Mac desktop; for example, to require smart card-based login, to prevent mounting of external storage devices, to disable the ability to create unsecured wireless networks, to limit access to applications, and to define the configuration of applications.

1.2 DirectControl Provides the Tools Required for IT to Support Mac OS X

DirectControl for Mac OS X enables IT to integrate Macintosh systems into Active Directory and provide the level of support that these users require. DirectControl provides Active Directory-based authentication services as well as Group Policy enforcement, leveraging the same administrative tools that IT currently uses to manage Windows systems. DirectControl authentication services are designed to integrate the Macintosh computer into Active Directory to provide authentication and login policy enforcement exactly like a Windows computer that is joined to Active Directory. Group Policy enforcement is also provided for both a) computer policies on the system, to enable centralized management of the System Preferences configuration, and b) user policies, to enable centralized desktop configuration lockdown and application access controls on the Macintosh systems. DirectControl also supports smart card-based login.

For large organizations, DirectControl provides the granular access controls and delegated administration features they need to manage logical groups of Mac systems separately. Using DirectControl's Zone technology, IT administrators can create groups of Mac systems that have their own set of users, administrators, and policies.

Centrify also enables quick deployment of DirectControl through an automated installation program and a workstation mode that joins Macs to Active Directory immediately, without the need for any additional setup steps.


1.3 Centrify and the Enterprise Desktop Alliance

As Centrify worked with large organizations to define requirements for Mac integration within a Windows-centric IT environment, customers frequently also asked questions regarding additional services that would further ease deployment and management of Macs. As a result, Centrify decided to spearhead the creation of the Enterprise Desktop Alliance (EDA), a consortium of Macintosh vendors that are delivering enterprise-class software solutions for Mac integration and interoperability with Windows environments. Along with Centrify's identity and access management solution for the Mac, the EDA partners also offer solutions for systems lifecycle management, enterprise data protection, file and print services, and virtualization. The EDA's web site provides a wide range of white papers to help customers research solutions, and the organization is sponsoring a series of online webinars demonstrating how their solutions can be used in tandem to lower barriers to acceptance of Macs within the enterprise.

The following sections describe the services provided by DirectControl, explain how DirectControl differs from Apple's management tools, and detail the unique features and benefits of using DirectControl to manage populations of Macintosh computers, both large and small.

2 Active Directory Authentication and Access Control for Mac OS X

Every Mac OS X system that Apple ships comes with a built-in local repository for user and group information (the NetInfo database on releases before Mac OS X 10.5, a local directory node on later releases). However, any time there is more than one Mac OS X system in a network where the users will need to either access shared resources or log in to other systems, it is best to configure a directory service to centrally manage these accounts, making them available to all the systems in the network. Apple provides many different options for configuring a network-based directory service, from plug-ins that allow usage of existing LDAP directories to its own Open Directory server. Apple also delivers an Active Directory plug-in that provides the basic functions of establishing a trust relationship between the computer and Active Directory, which enables Active Directory user accounts to be used for login to the Mac OS X system. However, this plug-in requires local configuration to define how the user's UID and GID will be derived from their Active Directory account; in most cases it is configured to automatically generate UIDs and GIDs for Active Directory users logging into the system. While this may be acceptable for smaller deployments where the configuration can be set manually for each system, it does not scale well for deployment in larger environments with larger numbers of Mac OS X systems.


There are several key differences between DirectControl and the Active Directory plug-in that Apple provides with Mac OS X for authentication, such as centralized administrative control over the user's underlying UNIX UID and GID assignment, as well as the granular access controls which are centrally managed within Active Directory. DirectControl is designed as a complete Active Directory client for non-Windows systems, including the Mac OS X platform, making it a direct replacement for the Apple Mac OS X Active Directory plug-in. All administration of user accounts, password policies and security policies is managed using Active Directory administrative tools, including Active Directory Users and Computers, the Group Policy Management Console, and the Group Policy Object Editor, as well as the Centrify DirectControl Administrative Console.


2.1 Active Directory User Authentication with DirectControl

DirectControl for Mac OS X consists of two main architectural components.

[Figure 1. Components of the DirectControl Suite: DirectControl for Systems agents on the managed computers, DirectControl for Applications, a Windows computer running the DirectControl Management Tools used by the administrator, and Microsoft Active Directory holding the Centrify DirectControl data.]

• On the Macintosh platform, a DirectControl Agent is installed on each server or workstation. The DirectControl Agent is not just a directory service plug-in; rather, it is a central service that provides both authentication and authorization services as well as Group Policy enforcement. The Agent also determines which DirectControl-enabled users can log in to the system or network services using their Active Directory credentials.
• On the Windows platform, the optional DirectControl Management Tools can be installed on one or more Windows computers in the domain. These tools include the Centrify Administrator Console, property extensions to Active Directory Users and Computers, and a web-based Administrator's Console. If you are deploying DirectControl in workstation mode, it is not strictly required to install these tools. However, most organizations will want to use the management tools to implement Group Policy on their Mac systems and to run the administrative reports. The management tools are required if you decide to implement the advanced access controls and delegated administration features provided by DirectControl Zones.

The optional DirectControl Management Tools are the only Windows software you might need. You are not required to install software on your Windows domain controllers, and DirectControl installation never requires modifications to your Active Directory schema. If you choose to use Zone-based access controls, as Macintosh users and computers join your Active Directory domain, the Centrify DirectControl Agent unobtrusively stores its data in an Active Directory program data container using a standardized method. Centrify DirectControl also works seamlessly and unobtrusively with Active Directory if you have previously installed Microsoft Services for UNIX (SFU), which applies its own schema changes to Active Directory to store UNIX attributes for user accounts. DirectControl also works with Microsoft's UNIX schema extensions that are included in Windows Server 2003 R2.

The DirectControl Agent in effect turns the Mac OS X system into an Active Directory client. The Agent enables the Mac client to consume and respond to Active Directory services in the same way a Windows client does.

[Figure 2. Architecture of the DirectControl for Mac OS X Agent: the DirectControl daemon (adclient) with its directory plugin service, Kerberos libraries, Group Policy module, offline credential cache and CLI admin tools, serving login applications (login, ftp, ssh, etc.), Kerberized applications (ssh, SMB, etc.) and system configuration files, and communicating with the Windows domain controllers of Microsoft Active Directory.]

The DirectControl Agent is responsible for the following functions in order to provide a secure authentication framework for integrating Mac OS X into Active Directory.

• Enables the Macintosh computer to join an Active Directory domain. Once the Macintosh system has been joined to the Active Directory domain, it is visible as a standard computer object in the Active Directory Users and Computers console.


• Locates the relevant domain controllers based on the Active Directory forest and site topology (that is, the Agent is site-aware).
• Maintains time synchronization with Active Directory domain controllers if desired. This matters because Kerberos rejects authentication when the clock skew between client and domain controller exceeds the domain's tolerance, five minutes by default.
• Maintains an MIT-based Kerberos environment so that existing Kerberos applications will work seamlessly with Active Directory to provide users with single sign-on access to network resources such as Windows file servers and print queues.
• Ensures network security by resetting the password on its machine account at regular intervals according to Active Directory domain policies.
• Enables logins using users' Active Directory credentials. Logging on in this context means not only logging into the Mac OS X graphical interface, but also connecting to the Macintosh through a remote SSH or Apple Remote Desktop session.
• Enables authentication with smart cards, including PIV, CAC and .NET cards.
• Updates a user's last login time upon Active Directory login to ensure that password expiration policies are enforced properly.
• Stores user credentials and profiles so that users can log on when the computer is disconnected from the network, which is especially useful for laptop computers, without requiring a locally defined mobile user.
• Caches responses from Active Directory information queries to reduce the load on the domain controllers.
• Validates that the user has appropriate permissions to log in to the Macintosh system based on account policies. For example, Active Directory provides a set of account-specific controls enabling the administrator to enable or disable a user's Active Directory account, as well as to control the time of day the user is allowed to log in.
• When the Mac is a member of a DirectControl Zone, validates that the user has appropriate permissions to log in based on Zone membership and allowed group membership.
• Determines a user's full UNIX-enabled Active Directory group membership (including nested groups) the first time the user logs on.
• Supports users managing their Active Directory passwords from Macintosh systems, both for ad hoc password changes and for an expired password at login.
• Validates privileged account logins centrally from Active Directory when needed, without requiring previously defined local administrator accounts.
• Dynamically creates home directories locally on the computer for users whose profile defines a local home directory path. DirectControl also supports seamlessly mounting network-based home directories from Windows servers or AFP servers, as well as providing the option to define a locally synchronized version of the network home directory for laptop users.
• Enforces user Group Policies that control the user's desktop experience, such as application access control and dock settings, as well as the user's ability to execute privileged operations.
• Provides authenticated single sign-on access to Windows print queues using the user's Active Directory credentials to ensure proper access and accounting for user access to printers.

2.2 User Account and Administration Considerations with DirectControl

Many organizations will have more than one grouping of computer systems that are used for a specific purpose, and typically it is neither desirable nor practical to allow all users in an enterprise to log on to any system. To deal with this, Centrify has developed the concept of Zones to create a way of grouping systems in order to provide fine-grained access controls and delegated administration. In addition to using Zones for access control, organizations with a diverse environment of UNIX, Linux and Mac systems also have the option of using Zones to avoid collisions in user IDs and group IDs. Although Mac end users rarely also need login privileges on UNIX or Linux systems, IT administrators will want to read this section for the complete picture of how Zones work within a large, mixed environment. Keep in mind in this section that Zones are not available for Macs that were added to Active Directory using DirectControl's workstation mode.

[Figure 3. Example of an Enterprise Organized into Departmental Zones]

The DirectControl Zone technology, as shown in the illustration above, works like this:


• Each DirectControl-managed UNIX, Linux or Mac system can be placed into a DirectControl Zone, typically mapping directly to an existing logical security boundary or administrative grouping such as an organizational department or lab.
• A user (Joan Smith in Figure 3) is configured in Active Directory with her normal Windows information, such as name, password, group membership and so on. In addition, the "Centrify Profiles" that Centrify adds to her Active Directory account indicate which Zones she can access.
• For each Zone, Joan's UNIX/Mac profile in Active Directory stores account information specific to that Zone: UNIX user name, user ID, shell, and home directory, for example. Thus, a single Active Directory account can be mapped to any number of UNIX/Mac identities.
• Joan can log in to computers only in the Zones to which she has been granted access. Whereas Joan has access to several Zones, another user, for example a student in a university setting, could be given rights to access only Macs in a Zone set up for a classroom lab, and not be given access to Macs or other systems in Zones set up for computers used in administrative or research departments.
• As Figure 3 illustrates, Joan authenticates through Active Directory regardless of which system she logs in to. The Zones are part of the same Active Directory domain where Joan's account exists.

Delegation and separation of duties is a critical component of any centralized administration solution where security is a concern. DirectControl Zones provide an environment within Active Directory that leverages native access control rules within Active Directory to delegate UNIX profile management, as well as UNIX/Mac system access rights management, to UNIX administrators without requiring domain administrator rights. With DirectControl, UNIX and Mac administrators do not need rights to modify or create user objects, which is typically a privileged operation within the enterprise.

Additionally, each Zone can have its own set of administrators, each with specific privileges within the Zone. In our university example, Joan may be an IT administrator who has the right to create and modify user accounts in Active Directory for students and employees, and the right to create Zones and add users to Zones. However, a graduate student who runs a Macintosh lab could be given rights only to add or remove existing user accounts in the Mac lab Zone. This added security feature means not only that users and computers can be compartmentalized into logical secure groups, but also that the administrators who manage those systems can be segregated. For many organizations, the ability to finely control the elevated privileges for administrators is essential for maintaining appropriate levels of confidentiality and for complying with regulatory controls.
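The Zone lookup described in this section, together with the nested-group expansion the Agent performs at first login (section 2.1), can be modelled directly. The following Python is an added illustration written for this page, not Centrify code: it assumes a constructed in-memory stand-in for Active Directory (group objects with nested members, and per-Zone UNIX profiles keyed by the Windows account name), and every user, group, Zone name and UID in it is made up. It shows the same Windows account (jsmith) resolving to a different UNIX identity in each Zone, a login refused because the user has no profile in the target Zone or no allowed group there, cycle-safe expansion of nested groups, and a check for UID collisions inside a Zone, which is the problem Zones are meant to avoid.

```python
"""Zone-scoped identity resolution and login authorization (added example).

A constructed model of the Zone behaviour described in the text, not
Centrify's own code. It assumes a toy in-memory stand-in for Active
Directory: groups with nested membership, and per-Zone UNIX profiles keyed
by the Windows account name. All names and numbers below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UnixProfile:
    """The per-Zone UNIX identity an AD account maps to."""
    unix_name: str
    uid: int
    gid: int
    shell: str
    home: str


# Constructed AD group data: group -> direct members (users or other groups).
GROUP_MEMBERS = {
    "lab-mac-users": {"jsmith", "grad-students"},
    "grad-students": {"bchen", "grad-ta"},
    "grad-ta": {"dlee", "grad-students"},     # nested cycle; must not loop forever
    "research-staff": {"jsmith"},
}

# Constructed Zones: which AD groups may log in, and each user's profile there.
ZONES = {
    "mac-lab": {
        "allowed_groups": {"lab-mac-users"},
        "profiles": {
            "jsmith": UnixProfile("jsmith", 10001, 20000, "/bin/bash", "/Users/jsmith"),
            "bchen": UnixProfile("bchen", 10002, 20000, "/bin/bash", "/Users/bchen"),
            "dlee": UnixProfile("dlee", 10002, 20000, "/bin/bash", "/Users/dlee"),  # UID clash
            "mallory": UnixProfile("mallory", 10003, 20000, "/bin/bash", "/Users/mallory"),
        },
    },
    "research": {
        "allowed_groups": {"research-staff"},
        "profiles": {
            # Same AD account as above, different UNIX identity in this Zone.
            "jsmith": UnixProfile("joan", 5001, 5000, "/bin/zsh", "/home/joan"),
        },
    },
}


def expand_groups(principal, group_members=GROUP_MEMBERS):
    """Transitive set of groups that contain `principal`, safe against cycles."""
    direct = {}
    for group, members in group_members.items():
        for member in members:
            direct.setdefault(member, set()).add(group)
    seen = set()
    pending = list(direct.get(principal, ()))
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(direct.get(group, ()))
    return seen


def resolve_identity(user, zone, zones=ZONES):
    """UNIX profile for `user` in `zone`, or None if the account has none there."""
    return zones.get(zone, {}).get("profiles", {}).get(user)


def authorize_login(user, zone, account_enabled=True,
                    zones=ZONES, group_members=GROUP_MEMBERS):
    """Decide a login in the order the text describes: AD account state,
    then a Zone profile, then membership in a group allowed for that Zone.
    Returns (allowed, reason)."""
    if not account_enabled:
        return False, "AD account disabled"
    if zone not in zones:
        return False, "unknown zone"
    profile = resolve_identity(user, zone, zones)
    if profile is None:
        return False, "no UNIX profile in zone"
    if not expand_groups(user, group_members) & zones[zone]["allowed_groups"]:
        return False, "not a member of an allowed group"
    return True, f"uid={profile.uid} gid={profile.gid} home={profile.home}"


def uid_collisions(zone, zones=ZONES):
    """UIDs assigned to more than one account within a single Zone."""
    by_uid = {}
    for user, profile in zones[zone]["profiles"].items():
        by_uid.setdefault(profile.uid, set()).add(user)
    return {uid: users for uid, users in by_uid.items() if len(users) > 1}


if __name__ == "__main__":
    for user, zone in [("jsmith", "mac-lab"), ("jsmith", "research"),
                       ("bchen", "mac-lab"), ("bchen", "research"),
                       ("mallory", "mac-lab")]:
        print(user, zone, authorize_login(user, zone))
    print("mac-lab UID collisions:", uid_collisions("mac-lab"))
```

Run the file directly to see the decision for each (user, Zone) pair. In a real deployment the membership and profile data come from Active Directory rather than from these constructed dictionaries, and the order of checks matters: a disabled account is refused before any Zone data is consulted, so a revoked user cannot reach a system through a stale Zone profile.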


2.3 Key Differences between DirectControl and Apple's Active Directory Plug-in

DirectControl is designed to provide what seems on the surface to be an equivalent solution to the Active Directory plug-in that Apple provides with Mac OS X out of the box; however, there are several key differences between the solutions. Fundamentally, DirectControl is designed to provide the centralized administration staff with the tools required to centrally manage heterogeneous computing environments from existing Windows administrative tools. Here are some of the key differences:

• DirectControl provides consistent Active Directory integration across multiple platforms. DirectControl provides a single integration solution not only for Mac OS X but for popular UNIX and Linux platforms as well.
• DirectControl Zones can be used to further control user access, as well as to segregate the Macintosh user population and administrative staff and keep their rights at a minimum within Active Directory.
• Offline login is provided with locally cached account profiles for users with local home directories. However, if the user has a network home directory he will be prompted to create a mobile account to take advantage of the synchronization between the local and network-based home directories.
• DirectControl enables common account administration of both Windows and Macintosh systems, leveraging tools such as Active Directory Users and Computers.
• UID and GID assignment is managed centrally within Active Directory as additional attribute information on the user and group objects, rather than as a local configuration within the Directory Services configuration interfaces of each Mac.
• There are many security-related benefits to using DirectControl for Active Directory integration. For example, the machine account password is periodically changed, all communications to Active Directory are Kerberized, and user access to Windows print queues is authenticated in a single sign-on fashion.
• DirectControl provides a reporting facility to enable generation of several reports on Active Directory information, such as computer access reports.
• DirectControl provides delegated administration with separation of duties between Active Directory and Macintosh administrators, as well as between groups of Macintosh administrators.

Additionally, the DirectControl Agent that provides user authentication and authorization services also provides Group Policy enforcement to enable centralized configuration management. Centralized configuration and Group Policy services are described in more detail in the next section.


3 Centralized Configuration and Policy Management for Mac OS X

Configuration management and policy enforcement across an enterprise is extremely important to most organizations, especially where there is a need to ensure that security policies are properly enforced across all computers. There are also several benefits to centralizing the configuration of workstations and servers, including:

• Reducing the effort required to bring a new computer into the environment, configure it properly and ensure that it stays configured properly throughout its lifecycle, resulting in a much lower total cost of ownership.
• Ensuring that security policies are properly enforced across the enterprise, so that no holes exist for potential attackers to exploit.
• Automatically configuring the user environment so that all users have a consistent computing experience that provides the services they need to accomplish their work.

Apple provides a tool, Workgroup Manager, to centrally manage the configuration and security policies of Mac OS X computers. However, Workgroup Manager requires either a set of schema modifications to Active Directory in order to integrate, or a separate Open Directory deployment, in order to provide centralized management. In Windows environments, most administrators instead use Group Policy to centrally configure Windows workstations, both to enforce consistent security policies and to ensure a consistent end-user experience across all workstations deployed within the environment.

DirectControl provides broad and robust support for Group Policy on the Mac. IT administrators thus have a single tool to configure and enforce consistent security policies on all non-Windows computers, including Mac OS X systems. DirectControl also enables IT administrators to configure and secure their Mac environment through Group Policy without detailed knowledge of Mac desktop configuration. In environments where workstation security is particularly important, giving IT security administrators the ability to lock down Mac workstations through Group Policy can help lower barriers to adoption.

3.1 DirectControl Group Policy Enforcement on Mac OS X

Windows Group Policy works by forcibly setting user and computer registry keys on Windows machines, and since almost all of a Windows system is configured through registry settings, this is a very natural and simple way to enforce almost any policy. In UNIX and Mac environments, however, there is no equivalent to the Windows registry: the de facto standard for configuration is ASCII text files. To deliver Active Directory’s Group Policy capabilities in UNIX and Mac environments, DirectControl creates a “virtual registry” of the policies that apply either to the computer itself or to the users who log in to the system.

The enforcement of these virtual registry settings is handled by two different mechanisms, depending on the service or configuration that needs to be controlled. For applications that use a configuration file to manage their settings, DirectControl provides a specific mapper program that knows what needs to be set in the configuration file or, on Macintosh systems, in the plist file for the application associated with the particular virtual registry setting. Additionally, many of the System Preferences settings and user environment controls are provided by the MCX subsystem within Mac OS X, and several of DirectControl’s user Group Policies are enforced through the MCX subsystem.

The DirectControl Agent must first load the Group Policy settings into its virtual registry, based on the computer account or on the user who is logged in to the system. This load event is triggered by:

• System startup. When the DirectControl daemon starts (usually when the system boots), it updates the computer’s registry.
• User logon. When a user logs on, the DirectControl Agent creates or updates the user’s registry settings.
• The adgpupdate command. The DirectControl Agent can be forced to immediately update the user and computer registries from the command line.
• Periodic refresh interval. The DirectControl Agent also refreshes the virtual registry periodically, according to the Group Policy refresh interval setting in the domain policy.

The loading of policy is asynchronous, which is equivalent to the behavior in recent Windows versions. The loaded settings are stored on the local machine for disconnected operation. Once the virtual registry has been updated through one of the events described above, either the appropriate mapper program is activated to update or create the configuration or plist file, or the appropriate MCX setting is defined for the application or System Preference being controlled.

3.2 Common UNIX Group Policies for Mac OS X

Centrify includes a set of Active Directory Group Policies, common to UNIX, Linux and Mac OS X platforms, that can be applied to users or systems as appropriate. DirectControl includes more Group Policy objects than any other solution, including policies to manage all aspects of DirectControl: how users log on, password prompts, network and cache timeout settings, Kerberos settings, name lookup and user authentication overrides, password caching, LDAP settings, locally defined user/group maps, and more. There are also several other policies that can be applied generically to UNIX, Linux and Mac OS X systems, such as managing crontab settings, iptables-based firewall configuration for Linux systems, file system mount points, running commands or scripts at login, and managing the sudo permissions file. DirectControl enforces both computer and user policies and additionally supports advanced Group Policy features such as policy filtering and loopback processing, for those environments that require this level of control.
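The mapper mechanism of section 3.1 (virtual registry in, configuration or plist file out) and the sudo permissions file policy listed above can be made concrete with a small mapper of the kind that runs after a policy load. The following is an added example written for this page, not Centrify code, and it is in Python rather than the Perl that DirectControl’s own custom mappers use; the VIRTUAL_REGISTRY contents, the preference domains and keys, the AD group names and the marker comments are all constructed for illustration. It shows the two properties a mapper needs: it is idempotent (a second run changes nothing, so the periodic refresh does not churn files), and it corrects local drift inside the policy-managed region while leaving locally maintained entries outside it alone.

```python
"""Illustrative Group Policy 'mapper' for Mac OS X, modelled on the
mechanism of section 3.1: settings already loaded into the agent's
virtual registry are written out to the file each application reads.
Two mappers are shown: one for a plist preference domain and one for
the sudoers file (the 'sudo permissions file' policy of section 3.2).
Added example, not Centrify code; registry layout, marker comments and
policy values are constructed for illustration."""
import os
import plistlib
import re
import tempfile
from pathlib import Path

# Constructed sample of the virtual registry after a policy load:
# one preference domain per plist, plus the admin groups for sudoers.
VIRTUAL_REGISTRY = {
    "plist": {
        "com.apple.screensaver": {"askForPassword": 1, "idleTime": 600},
        "com.apple.loginwindow": {"SHOWFULLNAME": True, "RetriesUntilHint": 0},
    },
    "sudoers_admin_groups": ["ad-mac-admins", "ad-helpdesk"],
}

BEGIN_MARK = "# BEGIN policy-managed (do not edit)"
END_MARK = "# END policy-managed"
GROUP_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def _atomic_write(path: Path, data: bytes) -> None:
    """Write to a temp file and rename, so a crash never leaves a half-written config."""
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_bytes(data)
    os.replace(tmp, path)


def apply_plist_policy(prefs_dir: Path, domain: str, settings: dict) -> bool:
    """Merge policy keys into <prefs_dir>/<domain>.plist, keeping keys the
    policy does not govern.  Returns True only when the file changed."""
    path = prefs_dir / f"{domain}.plist"
    current = plistlib.loads(path.read_bytes()) if path.exists() else {}
    merged = {**current, **settings}
    if merged == current:
        return False                      # idempotent: nothing to do
    _atomic_write(path, plistlib.dumps(merged))
    return True


def render_sudoers_block(admin_groups) -> str:
    """Render the managed sudoers block.  Group names are validated so a
    bad policy value cannot smuggle extra directives into sudoers."""
    lines = [BEGIN_MARK]
    for group in admin_groups:
        if not GROUP_NAME.match(group):
            raise ValueError(f"refusing unsafe group name: {group!r}")
        lines.append(f"%{group} ALL=(ALL) ALL")
    lines.append(END_MARK)
    return "\n".join(lines) + "\n"


def apply_sudoers_policy(path: Path, admin_groups) -> bool:
    """Replace (or append) the managed block, leaving local entries outside
    the markers untouched.  Returns True only when the file changed."""
    current = path.read_text() if path.exists() else ""
    block = render_sudoers_block(admin_groups)
    managed = re.compile(re.escape(BEGIN_MARK) + r".*?" + re.escape(END_MARK) + r"\n?", re.S)
    if managed.search(current):
        updated = managed.sub(lambda _m: block, current)
    else:
        sep = "" if (not current or current.endswith("\n")) else "\n"
        updated = current + sep + block
    if updated == current:
        return False
    _atomic_write(path, updated.encode())
    return True


def run_mappers(registry: dict, prefs_dir: Path, sudoers_path: Path) -> dict:
    """Apply every mapper; the returned dict records which files changed."""
    changed = {}
    for domain, settings in registry["plist"].items():
        changed[f"{domain}.plist"] = apply_plist_policy(prefs_dir, domain, settings)
    changed["sudoers"] = apply_sudoers_policy(sudoers_path, registry["sudoers_admin_groups"])
    return changed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmpdir:
        root = Path(tmpdir)
        print(run_mappers(VIRTUAL_REGISTRY, root, root / "sudoers"))  # first pass: all True
        print(run_mappers(VIRTUAL_REGISTRY, root, root / "sudoers"))  # second pass: all False
```

Running the block applies the sample registry to a temporary directory twice and prints which files changed on each pass. A real sudoers mapper would also run a syntax check (visudo -c) on the new file before swapping it into place, since a malformed sudoers locks every administrator out; that step is omitted here so the example runs anywhere.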


A good example of the value of enforced policy can be seen in the administration of the sudoers file, since this file defines who can run privileged programs on Mac OS X systems, such as unlocking privileged System Preferences items. Using this common Group Policy, you can ensure that end-users are automatically configured with the rights they require at login. It is also possible to configure IT administrator accounts with the rights they need on all Mac OS X systems regardless of any locally defined configuration, even if they do not have a local account, since DirectControl will grant access based on centrally managed security policies. The sudo Group Policy can be used as a direct replacement for the “Allow user to administer this computer” checkbox in the Accounts System Preference, since it accomplishes the same result but is now centrally controlled via Group Policy. If the configuration of this file is not strictly controlled across every system in your organization, then security is not only compromised on an individual system but also potentially compromised across your organization. Centrify’s Group Policy enforcement ensures that your systems are secured in a consistent, enforced manner.

For added flexibility, you can also create your own custom administrative templates to describe any additional policy settings that you would like to enforce for your own application or another service that DirectControl does not already cover. To enforce these policies on Mac OS X systems, you can use standard Perl scripting to create your own mapping programs that update or create the relevant configuration or plist files. Several example policies are provided to make creating your own policies much simpler.

3.3 Computer Group Policies for Mac OS X

DirectControl for Mac OS X extends beyond the common UNIX policies described above to provide additional Mac OS X-specific policies that enable the administrator to centrally control the security policies and services of the computer. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy.

The following table shows the categories of computer policies and what each controls, as seen within the System Preferences.

Computer Policy Category: Individual Policies That Can Be Enforced

Security
• Require password to unlock each secure system preference
• Disable automatic login
• Use secure virtual memory
• Log out after n minutes of inactivity
• Enable smart card support
• Require smart card login

Sharing Services
• Services settings (to turn sharing on or off for each service, such as personal file sharing, remote login, etc.)

Network
• Adjust list of searched domains
• Adjust list of DNS servers
• Enable proxies (FTP, HTTP, HTTPS, etc.)
• Configure proxies

Firewall Settings
• Enable the firewall
• Firewall settings (to turn the firewall on or off for each service, such as iChat, etc.)
• Block UDP traffic
• Enable network time
• Enable firewall logging
• Enable stealth mode

Internet Sharing
• Disallow all Internet sharing

Accounts
• Display Login Window settings
• Show the Restart, Sleep and Shutdown buttons
• Set the Display Banner
• Control the login window to show either Name and Password or List of users
• Control password hint display
• Enable fast user switching
• Map Zone admin groups to local admin groups

Energy Saver
• Configure the energy saver settings listed below for both AC power and battery power
• Put display to sleep if inactive
• Put computer to sleep if inactive
• Put the hard disk(s) to sleep when possible
• Wake when the modem detects a ring
• Wake for Ethernet network administrator access
• Allow power button to sleep the computer
• Restart automatically after a power failure

Software Update Settings
• Automatically download and install software updates
• Specify software update server

Remote Management
• Enable ARD administrator group
• Enable ARD report group
• Enable ARD management group
• Enable ARD interactive group


You can apply these policies to the domain or to an organizational unit (OU), and the policies will be applied to the Mac OS X system as soon as it has been joined to the Active Directory domain. This enables rapid bulk configuration of these security policies for all Mac OS X computers within the domain or OU without having to configure each system by hand, greatly reducing the total cost of ownership of these computers.

Most of these computer policies play an important role in managing the computer’s more important settings, but let’s take a closer look at one of them to see how the computer settings are managed with the Active Directory Group Policy Object Editor. The screen shot below shows the Group Policy interface for controlling the Login Window settings.

Figure 4. Using Group Policy to control Login Window settings for Mac OS X

Once the settings you want to enforce have been defined within this dialog, they are retrieved and enforced on the Mac OS X system by the DirectControl Group Policy services. The result of the policy being enforced on the system can be seen in the Mac System Preferences panel after the Group Policy is refreshed on the system with the adgpupdate command or after the periodic update interval has elapsed.


Figure 5. The Mac OS X System Preferences panel shows the new setting distributed through Group Policy

The enforcement of these computer policies can help address regulatory compliance requirements, since many of these policies are designed to provide centralized control over the defined requirements, such as enforcing machine security when the user is not present.

3.4 User Group Policies for Mac OS X

DirectControl also provides an extended set of Group Policies to control the user’s desktop environment, which would normally be controlled with Workgroup Manager. These policies enable the administrator not only to configure how the desktop environment appears, but also to control the applications that the user is allowed to run, as well as whether or not the user is allowed to access external or recordable media, to prevent data theft from the controlled environment. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy.

The following table shows the categories of user policies and what each controls, as seen within the System Preferences.

User Policy Category: Individual Policies That Can Be Enforced

Application Access
• Control access to specific applications
• Control access to UNIX tools and utilities
• Control access to AppleScript

Desktop & Screen Saver
• Enforce screen saver
• Screen saver timeout

Dock Settings
• Dock size
• Magnification
• Position on screen
• Animation for application opening
• Auto hide the Dock
• Lock the Dock display to prevent changes
• Control applications displayed in the Dock
• Display other folders or documents in the Dock

Finder Settings
• Set Finder type to Normal or Simple

Folder Redirection
• At login, logout or periodic intervals, perform the following folder redirection actions:
• Delete a user’s path
• Delete symbolic links
• Create symbolic links
• Rename symbolic links

Other Application Settings
• Distribute application-specific plist files

Media Access Controls
• Control access to CDs and CD-ROMs
• Control access to DVDs
• Control access to recordable discs
• Control access to internal disks
• Control access to external disks (including USB flash disks and iPods)
• Force eject of removable media at logout

Mobility Sync Settings
• Control synchronization
• Control what items will sync at login/logout
• Control what items will sync in the background
• Control what items should be skipped

Scripts
• Specify login and logout scripts

Security
• Require password to wake this computer from sleep or screen saver
• Smart card removal policy to lock screen or log out
• Prohibit screen saver unlock with expired password (when offline)

System Preference Settings
• Limit which items will be shown in System Preferences
• Control display of each item in System Preferences


User policies such as these can be applied in many ways. The typical method is to apply the policy to an OU within Active Directory, which applies the policy to all the users within that OU. Another method is group filtering, which allows the policy to be applied at a higher level within the directory tree, with an Active Directory group used as the filter so that the policy applies only to the members of that group. A more complex method is to apply the policy to an OU of computers, so that the specific user policies are applied to users when they log in to those specific computers; this is called loopback processing.

Once policies have been applied to the appropriate domain or OU, or filtered on a group, they will be applied to the Mac OS X system as soon as the user logs into the Active Directory domain. This ensures that the most current policy is enforced at all times across the enterprise.

These user policies can be used to ensure that the user is presented with a consistent and controlled desktop environment, as well as to prevent the user from changing system settings that are under administrative control, whether set manually or via Group Policy. The following Group Policy is used to define the user’s ability to see the System Preferences, specifically the System items within the System Preferences.

Figure 6. With Group Policy you can control the Mac OS X desktop environment and prevent users from using specific System items.

Once these settings are defined and a user logs into the system, they will be able to see only the System Preference items that are enabled; disabled items are not shown. Based on the settings defined in Figure 6 across all the System Preference visibility settings, the user will see the following interface after login.

Figure 7. Specific System settings have been disabled through Group Policy.

Other policies are designed to lock down the environment and control what the user is allowed to do, including locking the Dock, controlling which applications the user can run, and preventing the user from accessing removable media of any kind that would allow data to be extracted. Application access controls are easily enforced in the Group Policy interface by selecting the specific applications that the user should be able to run, denying the user the right to run any program they are not authorized for.


Figure 8. This user policy specifies that the Chess, DVD Player, and iChat applications cannot be launched.

With the policy settings specified in Figure 8 in place, a Mac OS X user who tried to launch the DVD Player would see the following message.


Figure 9. Mac OS X users are notified when they try to launch a proscribed application.

4 Streamlined Deployment: Workstation Mode and Automated Installation

The Centrify DirectControl for Mac OS X installation program, provided in universal binary format, makes it easy to deploy DirectControl whether you need to install on Macs individually or centrally install on hundreds or thousands of Macs across your enterprise. A pre-installation environment analysis tool and DirectControl’s workstation mode also streamline deployment.

On individual systems, a graphical, interactive installation program walks users through the setup. System administrators can of course also use this interactive installation program on individual systems, but for large deployments they will want to extract the package file for use with Apple Remote Desktop; see Using Apple Remote Desktop to Deploy Centrify DirectControl on the Centrify web site for instructions. The installation package can also be distributed using third-party systems management solutions such as LANrev.

The ADCheck analyzer can identify any issues that could prevent a successful installation. The most common problems are DNS configuration issues that prevent the Mac from locating an Active Directory domain controller on the network. End-users can run the ADCheck tool themselves prior to installing DirectControl and proceed unassisted as long as ADCheck does not identify any issues, although they would probably need assistance from IT if it does discover problems.


In many organizations, Mac OS X workstations can be treated just like Windows workstations for access control purposes, permitting anyone with an Active Directory account to log in once the Mac has joined the domain. For those organizations, DirectControl’s workstation mode streamlines installation by using the same methodology to add a Mac workstation to an Active Directory domain as is used to add Windows workstations. The interactive installation program offers users the option to add the Mac in workstation mode. Remote installations can specify workstation mode through command-line parameters.

Figure 10. Administrators can join Mac OS X systems to AD in Workstation Mode, just as any other Windows system, or into a Centrify Zone for more complex environments.

Macs operating in workstation mode have almost identical features to Macs operating in standard DirectControl mode. For example, end-users have transparent access to local or network home directories, and they enjoy the same single sign-on benefits to other Active Directory-integrated services and applications. Administrators can also use Group Policy to remotely manage security and configuration settings on DirectControl-managed Macs in workstation mode.

However, workstation mode differs from standard mode in two regards. First, the installation process has been streamlined. You do not need to install the Centrify Administrator’s Console first. You simply install DirectControl on a Mac and it is automatically joined to Active Directory and appears as a computer object in Active Directory Users and Computers. Second, the Mac is added to Active Directory without being associated with a DirectControl Zone. This means that any user with an Active Directory account can log into that Mac, just as any user with an Active Directory account can log into a Windows workstation. If you need to limit access to a subset of Active Directory users, it is easy enough to install the Centrify Administrator Console and add those Macs to a Zone. You can have a mixture of Macs in workstation mode and standard mode in Active Directory, giving you the flexibility to apply tighter access controls to select systems as needed.

Organizations can view workstation mode as a permanent solution for managing Macs centrally from Active Directory. Or the workstation mode installation may simply represent a way to quickly deploy DirectControl and add Macs to Active Directory while deferring the implementation of Zone-based access controls to a later date.

On UNIX and Linux server systems that have not been centrally managed, Zones are also frequently useful for mapping the multiple UIDs and GIDs that may exist for a single user to that user’s Active Directory account. This issue does not exist on Macs because logins and permission-based access to, say, network shares are not managed using UIDs or GIDs but through Kerberos credentials. When a user logs in to a Mac joined to Active Directory in workstation mode, the DirectControl Agent automatically derives a valid, globally unique UID from the user’s Active Directory SID, which ensures consistency on all Mac OS X systems where the user logs in.

DirectControl-managed Macs can also be configured to leverage your organization’s centralized Windows home directory servers, as specified in the user’s Active Directory network home profile setting. If an Active Directory user has a network home folder defined in their profile, then the DirectControl Agent mounts this network share as the user’s home directory.
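To show what “deriving a valid, globally unique UID from the user’s SID” involves, here is an added example written for this page; it is not Centrify’s own algorithm, which the paper does not spell out. It assumes a slot scheme in which each domain is hashed to a fixed-size block of UIDs and the account’s RID is the offset within that block; UID_MIN, SLOT_SIZE, SLOT_COUNT and the sample SIDs are constructed values. The properties that matter are the ones the paper names: two Macs with no shared state compute the same UID for the same account, well-known SIDs such as LocalSystem are never mapped onto a POSIX account, and a domain hash collision is refused rather than silently reusing another domain’s UID block.

```python
"""Illustrative mapping of an Active Directory SID to a stable POSIX UID,
in the spirit of the workstation-mode behaviour described above.  Added
example, not Centrify's algorithm (the paper does not publish it); the
slot scheme, ranges and SHA-256 choice are assumptions made so the result
is deterministic on every Mac, unique across domains, and clear of the
local account UID range."""
import hashlib
import re

# A domain account SID has the shape S-1-5-21-<dom1>-<dom2>-<dom3>-<RID>
DOMAIN_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

UID_MIN = 200_000       # assumption: start well above local and system accounts
SLOT_SIZE = 200_000     # assumption: RIDs per domain that fit in one slot
SLOT_COUNT = 10_000     # 200_000 * 10_000 keeps every UID inside a signed 32-bit uid_t


def parse_domain_sid(sid: str):
    """Return (domain SID, RID) for a well-formed domain account SID.
    Well-known SIDs such as S-1-5-18 (LocalSystem) do not match and are
    rejected: they must never be mapped onto a POSIX account."""
    match = DOMAIN_SID.match(sid)
    if not match:
        raise ValueError(f"not a domain account SID: {sid!r}")
    d1, d2, d3, rid = (int(g) for g in match.groups())
    return f"S-1-5-21-{d1}-{d2}-{d3}", rid


class SidUidMapper:
    """Each domain is hashed to a slot; the RID is the offset within it, so
    two hosts with no shared state compute the same UID for the same SID."""

    def __init__(self):
        self._slot_owner = {}   # slot -> domain SID, used to detect collisions

    @staticmethod
    def slot_for(domain_sid: str) -> int:
        digest = hashlib.sha256(domain_sid.encode("ascii")).digest()
        return int.from_bytes(digest[:4], "big") % SLOT_COUNT

    def uid_for(self, sid: str) -> int:
        domain, rid = parse_domain_sid(sid)
        if rid >= SLOT_SIZE:
            raise ValueError(f"RID {rid} does not fit in a {SLOT_SIZE}-id slot")
        slot = self.slot_for(domain)
        owner = self._slot_owner.setdefault(slot, domain)
        if owner != domain:
            # Two domains hashed to one slot: refuse rather than hand out a UID
            # that may already belong to a user of the other domain.
            raise RuntimeError(f"slot {slot} already used by domain {owner}")
        return UID_MIN + slot * SLOT_SIZE + rid


if __name__ == "__main__":
    mapper = SidUidMapper()
    # Constructed sample SIDs; the domain part is made up for illustration.
    for sample in ("S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-1106"):
        print(sample, "->", mapper.uid_for(sample))
```

A derived UID of this kind is consistent across every Mac the user logs in to, but it will not match a UID that the same user already holds on existing UNIX or Linux hosts; that is exactly the case the paper’s Zone-based UID mapping addresses.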
If the workstation is a portable system, the portable home directory feature can be used to establish a local home directory that is synchronized with the user’s network home directory. IT administrators can control these settings for user accounts using Group Policy. There is also a computer Group Policy that can override these settings, for example to prevent local home directories on a kiosk machine or to provide roaming profiles for Mac users.

5 Strong Authentication and Single Sign-on through Smart Card Login to Active Directory

Smart card-based authentication is a requirement in some industries and is gaining in popularity in other organizations that, for security and/or compliance reasons, want to move beyond user authentication based solely on an individual knowing a user name and password. DirectControl provides broad support for smart card login to Active Directory on Mac OS X, supporting CAC, PIV and .NET smart cards, enforces Active Directory-defined user account policies for smart card use, and supplies Group Policies that enable you to fine-tune smart card settings.


Figure 11. Users inserting a smart card are prompted for their PIN for a streamlined login method.

In government agencies and organizations doing business with them, the requirement for smart card-based access is being driven by Homeland Security Presidential Directive 12 (HSPD-12), which seeks to replace the wide variety of personal identification systems in use with a single, common standard for identifying Federal employees and contractors for the purposes of access both to physical facilities and to information systems. Non-military Federal agencies have begun distributing Personal Identity Verification (PIV) cards to employees and contractors, while the Department of Defense has been using Common Access Cards (CAC). DirectControl leverages the smart card middleware provided by Apple to support both PIV and CAC smart cards, as well as other cards that support the Apple tokend interface, such as Gemalto’s .NET smart cards.

To streamline deployment of smart card-protected systems, DirectControl automates the configuration of the system to support smart card login, and ensures that the system trusts the root certificate authorities trusted by Active Directory when a Macintosh joins the domain.


Figure 12. Once the user logs in with a smart card, PKI certificates are available via the Keychain for access to other PKI-enabled applications.

Active Directory enforces smart card access to Windows systems through the account option “Smart card is required for interactive logon”. DirectControl enforces this policy on Mac OS X systems as well, giving you the ability to enforce smart card access consistently across your organization. An additional DirectControl Group Policy can also be used selectively (for example, through filtering) to protect high-security machines from being accessed interactively without a smart card.

Figure 13. Smart card login to Active Directory with DirectControl provides the user with Kerberos tickets in order to support single sign-on to other applications and services.


DirectControl also provides Group Policies to enable centralized management of smart card login. These Group Policies can be used to require a Macintosh system to lock the screen or to force a logout when the smart card is removed from the reader during a session. This policy enforcement on Mac OS X systems enables organizations to easily enable the secured usage of Mac systems within their Windows environments, leveraging the same tools, procedures and policies that they are already familiar with today.

6 Customer Benefits of the Centrify DirectControl Solution

Each of the DirectControl features outlined in this white paper directly translates into tangible benefits for administrators and end-users. Some of the benefits for administrators and IT managers include:

• True centralized control over authentication, authorization and administration of Mac OS X systems is possible using familiar Windows administration tools.
• Zone-based access controls enable you to organize Macs (and UNIX or Linux systems if you so choose) into logical groups for departments, labs, etc., and grant access to the systems within a Zone based on a user’s role within the organization.
• Separation of duties enables Active Directory-based delegated administration for managing user access to systems without having to grant domain admin rights to Mac administrators.
• Security policies are maintained across all systems, not just Windows, for both computer-related security settings and end-user-specific settings.
• User environments can now be centrally managed to ensure consistency.
• Workstation mode and an automated installation program provide quick deployment to dozens or hundreds of Mac systems.
• Support for the most popular smart card formats and Group Policy-based control over smart card settings mean organizations can quickly implement smart card security without the need for additional point products.

End-users will notice few changes to their Mac OS X user experience (a good thing), while the systems are centrally managed, enabling IT to provide a much higher level of service to these users. Additional benefits for the end-users include:

• No extra account or password information to remember: Active Directory credentials can be used to log in to Mac OS X or Windows computers as required.
• Single sign-on is maintained for access to Windows file shares and SPNEGO-enabled web sites, and additionally single sign-on is provided for access to Windows print queues.


• User Group Policy support means users will have a consistent experience as they log in to systems across your enterprise, including access to applications, network home directories, and the like.

7 Summary

Centrify DirectControl enables organizations to leverage their existing investments in Microsoft's Active Directory to seamlessly centralize the user management of Mac OS X systems as well as to centrally manage configurations and enforce security policies.

DirectControl is a single product architecture designed to provide authentication, authorization and policy enforcement across Macintosh, UNIX, and Linux systems as well as web and Java applications.

• Active Directory user accounts can be used to log in to a wide range of operating systems and applications as well as to provide single sign-on for end users.
• Integration services are modeled after Windows XP to provide consistent operational behavior across the enterprise.

DirectControl provides broad and robust Group Policy services to enforce centralized configuration and security policies on Macintosh systems, enabling complete replacement of Workgroup Manager with Active Directory-centric tools.

• Leveraging existing Active Directory tools enables administrators to minimize retraining and use the tools that they already know in order to centrally manage configuration preferences and policy settings on all systems within the enterprise.
• Schema modifications are not required, and parallel OpenDirectory infrastructures are eliminated when using DirectControl and Group Policy for centralized configuration management.

DirectControl's unique Zone technology provides the ability to manage access rights independently for each Zone and to achieve separation of duties for central IT staff and local system administrators.

• Mac system administrators can be granted individual rights to manage access permissions within their Zone of computers independent of other Mac (and UNIX or Linux) administrators and their Zones.
• Users can have independent and unique Mac profiles for different groups of Mac systems versus a single Mac account profile for all systems joined to Active Directory.


8 How to Contact Centrify

North America (And All Locations Outside EMEA)
Centrify Corporation
444 Castro St., Suite 1100
Mountain View, CA 94041
United States
Sales: +1 (650) 961-1100

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Asmec Centre
Merlin House
Brunel Road
Theale, Berkshire, RG7 4AB
United Kingdom
Sales: +44 1189 026580

Enquiries: info@centrify.com
Web site: www.centrify.com
