Using Centrify's DirectControl with Mac OS X - Cerberis

More documents

Recommendations

Info

CENTRIFY WHITE PAPERUSING CENTRIFY’S DIRECTCONTROL WITH MAC OS X• Locates the relevant domain controllers based on the Active Directory forest and sitetopology, also known as being site-aware.• Maintains time synchronization with Active Directory domain controllers if desired.• Maintains an MIT-based Kerberos environment so that existing Kerberosapplications will work seamlessly with Active Directory to provide users with singlesign-on access to network resources such as Windows file servers and print queues.• Ensures network security by resetting the password on its machine account at regularintervals according to Active Directory domain policies.• Enables logins using users’ Active Directory credentials. Logging on in this contextmeans not only logging into the Mac OS X graphic interface, but also connecting tothe Macintosh through a remote SSH or Apple Remote Desktop interface.• Enables authentication with smart cards, including PIV, CAC and .Net cards.• Updates a user’s last login time upon Active Directory login to ensure that passwordexpiration policies are being enforced properly.• Stores user credentials and profiles so that users can log on when the computer isdisconnected from the network, which is especially useful for laptop computerswithout requiring a locally defined mobile user.• Caches responses from Active Directory information queries to reduce the load onthe domain controllers.• Validates that the user has appropriate permissions to log in to the Macintosh systembased on account policies. For example, Active Directory provides a set of accountspecificcontrols enabling the administrator to activate or disable a user’s ActiveDirectory account as well as to control the time of day the user is allowed to log in.• When the Mac is a member of a DirectControl Zone, validates that the user hasappropriate permissions to log in based on Zone memberships and allowed groupmembership.• Determines a user’s full UNIX-enabled Active Directory group membership(including nested groups) the first time the user logs on.• Supports users managing their Active Directory passwords from Macintosh systemsboth for the ad hoc password change as well as for expired password at login.• Validates privileged account logins centrally from Active Directory when neededwithout requiring previously defined local administrator accounts.• Dynamically creates home directories locally on the computer for users whoseprofile defines a local home directory path. DirectControl also supports seamlesslymounting network-based home directories from Windows servers or AFP servers as© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 7
CENTRIFY WHITE PAPERUSING CENTRIFY’S DIRECTCONTROL WITH MAC OS Xwell as providing the option to define a locally synchronized version of the networkhome directory for laptop users.• Enforces user Group Policies that control the user’s desktop experience such asapplication access control and dock settings as well as to control the user’s ability toexecute privileged operations.• Provides authenticated single sign-on access to Windows print queues using theuser’s Active Directory credentials to ensure proper access and accounting for useraccess to printers.2.2 User Account and Administration Considerations withDirectControlMany organizations will have more than one grouping of computer systems that are usedfor a specific purpose, and typically it is neither desirable nor practical to allow all usersin an enterprise to log on to any system. To deal with this, Centrify has developed theconcept of Zones to create a way of grouping systems in order to provide fine-grainedaccess controls and delegated administration. In addition to using Zones for accesscontrol, organizations with a diverse environment of UNIX, Linux and Mac systems alsohave the option of using Zones to avoid collisions in user IDs and group IDs. AlthoughMac end-users rarely also need login privileges on UNIX or Linux systems, ITadministrators will want to read this section for the complete picture of how Zones workwithin a large, mixed environment. Keep in mind in this section that Zones are notavailable for Macs that were added to Active Directory using DirectControl’s workstationmode.Figure 3. Example of an Enterprise Organized into Departmental ZonesThe DirectControl Zone technology, as shown in the illustration above, works like this:© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 8
Page 1 and 2: WHITE PAPERCENTRIFY CORP.OCTOBER 20
Page 3 and 4: CENTRIFY WHITE PAPERUSING CENTRIFY
Page 9: CENTRIFY WHITE PAPERUSING CENTRIFY
Page 31: CENTRIFY WHITE PAPERUSING CENTRIFY

Using Centrify's DirectControl with Mac OS X - Cerberis

Create successful ePaper yourself

Delete template?

Save as template?