Using Centrify's DirectControl with Mac OS X - Cerberis

CENTRIFY WHITE PAPERUSING CENTRIFY’S DIRECTCONTROL WITH MAC OS Xand add those Macs to a Zone. You can have a mixture of Macs in workstation mode andstandard mode in Active Directory, giving you the flexibility to apply tighter accesscontrols to select systems as needed.Organizations can view workstation mode as a permanent solution for managing Macscentrally from Active Directory. Or the workstation mode installation may simplyrepresent a way to quickly deploy DirectControl and add Macs to Active Directory whiledeferring the implementation of Zone-based access controls to a later date.On UNIX and Linux server systems that have not been centrally managed, Zones are alsofrequently useful for enabling the mapping of multiple UIDs and GIDs that may exist fora single user to that user’s Active Directory account. This issue does not exist on Macsbecause logins and permission-based access to, say, network shares are not managedusing UIDs or GIDs but through Kerberos credentials. When a user logs in to a Macjoined to Active Directory in workstation mode, the DirectControl Agent automaticallyderives a valid, globally unique UID from the user’s Active Directory SID, which ensuresconsistency on all Mac OS X systems where the user logs in.DirectControl-managed Macs can also be configured to leverage your organization’scentralized Windows home directory servers as specified in the user’s Active Directorynetwork home profile setting. If an Active Directory user has a network home folderdefined in their profile, then the DirectControl Agent mounts this network share as theuser’s home directory. If the workstation is a portable system, then the portable homedirectory feature can be used to establish a local home directory that is synchronized tothe user’s network home directory. IT administrators can control these settings for useraccounts using Group Policy. There is also a computer Group Policy that can overridethese settings – for example, to prevent local local home directories on a kiosk machineor to provide roaming profiles for Mac users.5 Strong Authentication and Single Sign-on through Smart CardLogin to Active DirectorySmart card-based authentication is a requirement in some industries and is gaining inpopularity in other organizations that, for security and/or compliance reasons, want tomove beyond user authentication based solely on an individual knowing a user name andpassword. DirectControl provides broad support for smart card login to Active Directoryon Mac OS X supporting CAC, PIV and .NET smart cards, enforces Active Directorydefineduser account policies for smart card use, and supplies Group Policies that enableyou to fine-tune smart card settings.© 2006-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 23