12.07.2015 Views

Using Centrify's DirectControl with Mac OS X - Cerberis


CENTRIFY WHITE PAPER: USING CENTRIFY’S DIRECTCONTROL WITH MAC OS X

A good example of the value of enforced policy can be seen with the administration of the sudoers file, since this file defines who can run privileged programs on Mac OS X systems such as unlocking privileged System Preferences items. Using this common Group Policy, you can ensure that end-users are automatically configured with the rights they require at login. It is also possible to configure IT administrator accounts with the appropriate rights they need on all Mac OS X systems regardless of any locally defined configuration, even if they do not have a local account, since DirectControl will provide access based on centrally managed security policies. The sudo Group Policy can now be used as a direct replacement for the checkbox in the Accounts System Preference to “Allow user to administer this computer” since it will accomplish the same results, but is now centrally controlled via Group Policy. If the configuration of this file is not strictly controlled across every system in your organization, then security is not only compromised on an individual system but also potentially compromised across your organization. Centrify’s Group Policy enforcement ensures that your systems are secured in a consistent, enforced manner.

For added flexibility, you can also create your own custom administrative templates to describe any additional policy settings that you would like to enforce for your own application or other service which DirectControl does not provide already. In order to enforce these policies on the Mac OS X systems, you can use standard Perl scripting to create your own mapping programs that will update or create relevant configuration or plist files. Several example policies are provided to make creating your own policies much simpler.

3.3 Computer Group Policies for Mac OS X

DirectControl for Mac OS X extends beyond the common UNIX policies described above to provide additional Mac OS X-specific policies to enable the administrator to centrally control the security policies and services of the computer. These policies are delivered as part of the standard DirectControl for Mac OS X and only need to be enabled within the Group Policy Object Editor while editing a policy such as the Default Domain Policy.

The following table shows the categories of computer policies and what each controls as seen within the System Preferences.

Computer Policy Category: Security
Individual Policies That Can Be Enforced:
• Require password to unlock each secure system preference
• Disable automatic login
• Use secure virtual memory
• Log out after n number minutes of inactivity
• Enable smart card support
• Require smart card login

© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.
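The sudoers paragraph above warns about files that are not strictly controlled on every system. The following is an added example, not part of the white paper or of DirectControl, showing how a host's sudoers text can be checked for drift against a centrally approved baseline; the baseline, the local file, and the user and group names are constructed sample data.

```python
import re

# Constructed sample data: a centrally approved baseline and the sudoers
# text found on one Mac. The group and user names are hypothetical.
BASELINE = """\
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
%it_mac_admins  ALL=(ALL) ALL
"""
LOCAL = """\
# edited locally
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
jsmith  ALL=(ALL) \\
        NOPASSWD: ALL
"""

def effective_lines(text):
    """Normalise sudoers text to the set of lines that carry policy."""
    text = text.replace("\\\n", " ")            # join continued lines
    lines = set()
    for raw in text.splitlines():
        # '#' starts a comment, except in #include/#includedir and #uid.
        line = re.sub(r"#(?!include|\d).*", "", raw)
        line = " ".join(line.split())           # collapse whitespace
        if line:
            lines.add(line)
    return lines

def drift(baseline, local):
    """Compare a host's sudoers text with the approved baseline."""
    want, have = effective_lines(baseline), effective_lines(local)
    added = sorted(have - want)
    return {
        "added": added,                          # present only on the host
        "missing": sorted(want - have),          # approved but absent
        "nopasswd": [l for l in added if "NOPASSWD:" in l],
    }

if __name__ == "__main__":
    for kind, entries in drift(BASELINE, LOCAL).items():
        for entry in entries:
            print(f"{kind:9} {entry}")
```

The comparison is textual: it does not expand aliases or follow included files, so those need to be covered by the same baseline.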
