This article will show you how to allow access to a web application only from a device that has been enrolled in Centrify's MDM. Please note these instructions may change in the future.

Enroll your device into Centrify MDM

Configure your web application

1. Log into the Centrify Admin Portal.

2. Edit your web application and select Policy from the left column.

[Screenshot: Restrict to managed devices.png]

3. In the right pane, select the checkbox "Use script to specify login authentication rules (configured rules are ignored)", then click on the Load Sample button. A new window will appear.

[Screenshot: use script policy.png]

4. Select the option "require strong auth for unmanaged devices.js", then click on the Load button.

[Screenshot: script sample.png]

5. In the policy script, change the value of policy.RequiredLevel to 0. This will deny access from devices that are not managed by Centrify.

[Screenshot: edit policy script.png]

6. Select a Default Profile of Always Allow, or a predefined authentication profile that performs multi-factor authentication, for access to the web application. This profile applies to users logging in from a managed device. Press Save when your configuration is complete.

[Screenshot: default profile.png]

To restrict web application access based on time, location, or other device conditions:

See instructions.

Using local MacOS administrator accounts can lead to security and compliance issues, such as unauthorized sharing of the administrator password with non-administrators or remote access by a former employee. The secure approach is to grant Active Directory users Mac administrator rights, to minimize risk and meet regulatory compliance. This article will show you how to grant Mac administrator rights to Active Directory users through Centrify's Active Directory group policy settings.

1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group

[Screenshot: mapADgroupMacAdmin.png]

   a) Click on the Add... button. A new window will appear.

[Screenshot: ClickAddgroup.png]

   b) Click on the Browse button. A new window will appear. You can enter a group name manually in this window, but it is better to browse and select the group to ensure the proper group name is entered.

[Screenshot: Selecting Group.png]

   c) Enter a keyword into the Name field for the Active Directory group that you want to add, then click on Find Now. Make sure you add the IT/helpdesk team and any other users that need admin rights on the Mac.

[Screenshot: type group name.png]

   d) Select the desired group name and click OK.

[Screenshot: Select desired group.png]

The setting will apply when the user logs out and logs back in.

If your Mac is using Zone mode, use the following article: https://centrify.force.com/support/Article/KB-3049-How-to-use-the-Map-zone-groups-to-local-admin-gro...

Prevent unauthorized access and minimize risk by restricting MacOS login access to specific Active Directory users or groups.

How to retain the user's Mac home directory when a user wants to change their name after marriage or divorce.

Want to configure wireless settings for your users without having to manually touch each device? With the Centrify Identity Service, WiFi settings can be pushed to Mac, iOS, and Android mobile devices using policy.

Quick Mac Troubleshooting Tip/Tool

By Centrify Contributor III on 12-23-2016 12:23 PM

A Little Mac Testing Help

When I am testing new group policy configurations for the Mac, I like to have the Centrify Mac Diagnostic tool at the ready. Here are the steps that I use to put the Diagnostic tool on the Dock. The MacDiagnosticTool allows the tester to quickly see, via a graphical interface, the following:

  • AD connectivity and network information for the machine
  • Group Policy settings that are being applied to the machine
  • User information such as their UID, AD group membership, etc.
  • Centrify debug information
  • Contact information for Centrify Support

The attached script can be used with the Deployment Manager to unbind a Mac that is bound to Active Directory via the Apple Directory Services plugin. This allows mass deployments of the Centrify agent, with binding to Active Directory using the Centrify Directory Services plugin.

Center for Internet Security (CIS) Security Benchmarks are consensus-based security configuration guides developed and accepted by government, business, industry, and academia. The benchmarks are used by organizations worldwide to help meet compliance requirements for FISMA, PCI, HIPAA and more. The CIS Apple OSX 10.11 Benchmark provides prescriptive guidance for establishing a secure configuration posture for Apple OSX 10.11. Centrify enables the ability to manage these security settings on the Mac through Active Directory Group Policies.

Note: Be sure to test and review the settings before deploying into production. Some settings may interfere with normal operations.

1.2 Enable Auto Update
See instructions

1.3 Enable app update installs
See instructions

1.4 Enable system data files and security update install
See instructions

1.5 Enable OS X update installs
See instructions

2.2.1 Enable "Set time and date automatically"
Centrify will automatically configure the Mac to use your domain controller for the NTP service when the Mac is bound to AD through the Centrify agent.

2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver
See instructions

2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver
See instructions

2.4.1 Disable Remote Apple Events
See instructions

2.4.2 Disable Internet Sharing
See instructions

2.4.4 Disable Printer Sharing
See instructions

2.4.5 Disable Remote Login
See instructions

2.4.8 Disable File Sharing
See instructions

2.4.9 Disable Remote Management
See instructions

2.5.1 Disable "Wake for network access"
See instructions

2.5.2 Disable sleeping the computer when connected to power
See instructions

2.6.1 Enable FileVault
See instructions

2.6.2 Enable Gatekeeper
See instructions

2.6.3 Enable Firewall
See instructions

2.6.4 Enable Firewall Stealth Mode
See instructions

2.7.1 iCloud configuration
See instructions

2.7.2 iCloud keychain
See instructions

2.7.3 iCloud Drive
See instructions

4.3 Create network specific locations
See instructions

4.4 Ensure http server is not running
See instructions

4.5 Ensure ftp server is not running
See instructions

5.2.1 Configure account lockout threshold
The domain account lockout threshold policy will apply when the Mac is bound to Active Directory.

5.2.2 Set a minimum password length
Domain password policies will apply when the Mac is bound to Active Directory.

5.2.3 Complex passwords must contain an Alphabetic Character
Domain password policies will apply when the Mac is bound to Active Directory.

5.2.4 Complex passwords must contain a Numeric Character
Domain password policies will apply when the Mac is bound to Active Directory.

5.2.5 Complex passwords must contain a Special Character
Domain password policies will apply when the Mac is bound to Active Directory.

5.2.6 Complex passwords must contain uppercase and lowercase letters
Domain password policies will apply when the Mac is bound to Active Directory.

5.2.7 Password Age
Domain password policies will apply when the Mac is bound to Active Directory.

5.2.8 Password History
Domain password policies will apply when the Mac is bound to Active Directory.

5.6 Enable OCSP and CRL certificate checking
See instructions

5.8 Disable automatic login
See instructions

5.9 Require a password to wake the computer from sleep or screen saver
See instructions

5.10 Require an administrator password to access system-wide preferences
See instructions

5.12 Create a custom message for the Login Screen
See instructions

5.13 Create a Login window banner
See instructions

5.14 Do not enter a password-related hint
See instructions

5.15 Disable Fast User Switching
Fast User Switching is disabled by default, but the setting can be managed by Centrify through group policy. To learn more, see instructions.

5.16 Secure individual keychains and items
See instructions

5.19 Install an approved TokenD for smartcard authentication
A TokenD module is automatically installed with the Centrify Mac Agent. See instructions for configuring smart card authentication.

6.1.1 Display login window as name and password
See instructions

6.1.2 Disable "Show password hints"
See instructions

A security researcher from Segment has discovered a vulnerability in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine. The advisory indicates the affected versions are 8.0.36 and "probably prior". Until Microsoft provides a patch, a suggested mitigation is to temporarily disable the Microsoft Remote Desktop client for Mac.

Using Centrify, enable the following group policy settings to block Microsoft Remote Desktop from being launched on the Mac.

Step 1. Enable: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

[Screenshot: Loopback.png]

Set the policy to Enabled and the mode to Merge.

[Screenshot: LoopbackMerge.png]

Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Application Access Settings > Permit/prohibit access to applications. For Access mode, select "User can open all Applications except these".

[Screenshot: Prohibit applications.png]

Step 3. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Application Access Settings > Permit/prohibit access to the user-specific applications.

[Screenshot: User-specific applications.png]

Click Add and enter com.microsoft.rdc.mac.

The policy will apply the next time the user logs out and logs back in. When the user attempts to launch Microsoft Remote Desktop, the following dialog boxes will appear.

[Screenshot: RDP restricted.png]

Restricting access to the USB port can help protect Macs against some USB attacks and help prevent data from being copied to external USB drives. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

Step 1. Enable: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

[Screenshot: Loopback.png]

Set the policy to Enabled and the mode to Merge.

[Screenshot: LoopbackMerge.png]

Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Media Access Settings > Permit/prohibit access: External Disks, and select the desired access setting.

[Screenshot: USB port policy.png]

For more details regarding this setting and other media access settings, see the documentation on Media Access Settings.

Many federal IT departments are being told to provide 2-factor authentication not only for all logins, but also for all privilege elevations, including the launching of critical applications. Here’s how Centrify can help.


Requiring an administrator password to access system-wide preferences prevents users from changing locked system preferences without an administrator's password. This setting helps to improve data and device security and complies with the security requirement of the CIS (Center for Internet Security) benchmark and other security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to unlock each secure system preference

[Screenshot: RequirePasswordSysPref.png]

The policy will apply after the next group policy interval.

If you want to block access to certain System Preferences panes even from administrators, read the article "Restricting System Preferences access".

[Mac] Enable Gatekeeper

By Centrify Advisor I on 11-04-2016 09:44 AM

Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to prevent applications from unverified sources from running without authorization. Enabling Gatekeeper improves data and device security and complies with the security requirement of the CIS (Center for Internet Security) benchmark and other security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Gatekeeper

[Screenshot: EnableGatekeeper.png]

Step 2. Select the desired Gatekeeper setting.

[Screenshot: GatekeeperOptions.png]

The policy will apply after the next group policy interval.

[Mac] Disable automatic login

By Centrify Advisor I on 11-03-2016 10:03 AM

The automatic login feature saves a user's system access credentials and bypasses the login screen: instead, the system automatically logs in at startup, or after the credentials are entered to unlock FileVault at the EFI login screen. Disabling automatic login improves data and device security and complies with the security requirement of the CIS (Center for Internet Security) benchmark and other security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Disable automatic login

[Screenshot: DisableAutomaticLogin.png]

The policy will apply after the next group policy interval and logout.

[Screenshot: passwordhint.png]

Disabling "Show password hints" improves data and device security and complies with the security requirement of the CIS (Center for Internet Security) benchmark and other security standards. Password hints make it easier for unauthorized persons to gain access to systems, because they expose to anyone the information the user provided to help remember the password. This information could include the password itself, or other details that might be readily discerned with basic knowledge of the end user or gathered through social engineering. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

[Screenshot: Showpasswordhints.png]

Step 2. Make sure "Show password hints" is unchecked.

The policy will apply after the next group policy interval and logout.

[Screenshots: nameandpasswordlogin.png, Listofusers.png]

Displaying the Mac login page with the name and password fields instead of the list of local Mac accounts improves data and device security and complies with the security requirement of the CIS (Center for Internet Security) benchmark and other security standards. For hackers, knowing the login name is half the battle. Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system, since they must discover two attributes. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

[Screenshot: Name and Password.png]

Step 2. Select "Name and password" from the pulldown list for "Display login window as".

The policy will apply after the next group policy interval and logout.

Restricting users from making changes in System Preferences can help improve security, lower support tickets, and prevent users from reversing settings required for maintaining compliance. Centrify can block users from accessing System Preferences even if they have administrative rights on the Mac. The restriction is applied at the user level, so users such as IT staff can be excluded.

Step 1. Since this setting is user-based, you will need to enable loopback processing mode: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

[Screenshot: Loopback.png]

Set the policy to Enabled and the mode to Merge.

[Screenshot: LoopbackMerge.png]

Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Use version specific settings

[Screenshot: SystemPreferencesVersionSpecific.png]

Step 3. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Mac OS X 10.10 or above Settings > Limit items usage on System Preferences

[Screenshot: LimitItemUsageSysPref.png]

Step 4. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Mac OS X 10.10 or above Settings > Enable System Preferences Panes > Enable built-in System Preferences panes

[Screenshot: DisableSystemPreferencesPane.png]

Step 5. Deselect the System Preferences pane(s) you want to block users from accessing.

[Screenshot: PreferencePaneList.png]

The policy will take effect when the user logs off and logs back in. When the policy is in effect, the disabled System Preferences pane(s) will be greyed out and not accessible, even by domain users with Mac admin rights.

[Screenshot: GreyedOutSystemPref.png]

Remote Apple Events enables your Mac to accept Apple events from apps running on other computers. An Apple event is a task being performed on a Mac, such as "open this document" or "print". With remote Apple events turned on, an AppleScript program running on another Mac can interact with your Mac. Disabling remote Apple Events is recommended for hardening your Macs against network attacks and is a requirement of the CIS (Center for Internet Security) benchmark.

Step 1: Configure the following group policy setting and set it to Disabled: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Services > Enable remote Apple events

[Screenshot: Remote Apple Events.png]

Once the setting is configured, the policy will take effect at the next group policy interval.

Setting the inactivity time to trigger display sleep to a value larger than the inactivity time to trigger the screen saver is a recommendation of the CIS (Center for Internet Security) benchmark. If the display goes to sleep before the screen saver is triggered, users can mistakenly assume their computer is protected and walk away.

Using Centrify, you can push out group policy settings to configure both the display sleep time and the screen saver time to meet the security settings.

Configuring Display Sleep Time

When configuring the display sleep time, be sure to configure both the On AC power and On battery power settings.

1. Enable and configure: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Energy Saver > On AC power > Set display sleep time. Make sure the time is set longer than your screen saver time.

[Screenshot: OnACpower.png]

2. Enable and configure: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Energy Saver > On battery power > Set display sleep time. Make sure the time is set longer than your screen saver time.

[Screenshot: OnBatterypower.png]

Once the settings are configured, the policy will take effect at the next group policy interval.

Configuring Screen Saver Time and Require Password

1. To meet the security policy that requires a password to wake a machine from sleep, enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to wake this computer from sleep or screen saver

[Screenshot: Requirepasswordfromsleep.png]

2. Set the time to require a password after the Mac goes to sleep or the screen saver begins. Make sure this time is less than the display sleep time.
Enable and configure: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Desktop Settings > Set computer idle time for Starting screen saver

[Screenshot: Screensavertime.png]

3. Since this is a User Configuration, you may also need to apply the following group policy setting:
Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode

[Screenshot: Loopback.png]

Set the Mode to Merge.

[Screenshot: LoopbackMerge.png]

Once enabled, this group policy takes effect at the next user logon.

A policy banner is a window that you can display before the login page, which requires the user to acknowledge it before proceeding. The policy banner can display a longer message than the login banner on the login page, to inform users of the usage policies, help deter unauthorized use, aid in the prosecution of attackers, and meet the requirement of the CIS (Center for Internet Security) benchmark and other security standards.

[Screenshot: PolicyBannerwindow.png]

Step 1: Create a text document (using TextEdit) with the information you wish to display at the login window.
You can use either a Plain Text File (.txt) or Rich Text Format (.rtf).

Step 2: Save this file with the exact title 'PolicyBanner' to your Desktop. (The document MUST be titled exactly 'PolicyBanner' as one word, with a capital 'P' and 'B' and NO space between the two words.) For example, PolicyBanner.txt or PolicyBanner.rtf.

Step 3: Copy the PolicyBanner file to the SYSVOL > (yourdomain) directory on your domain controller.

[Screenshot: SYSVOL policybanner.png]

Step 4: Enable the group policy setting: Computer Configuration > Policies > Centrify Settings > Common UNIX Settings > Copy files

[Screenshot: UNIX copy files.png]

Step 5: Click Add, then Browse to the PolicyBanner file in your SYSVOL > (your domain) directory. Enter "/Library/Security" without quotes into the Destination field, then click OK.

[Screenshot: SYSVOL policbanner.png]

The policy banner window will appear after the next group policy interval and logout.

A login banner is a brief message that you can display on the Mac OS X login page to warn users of policies, help deter unauthorized users, and meet the security requirement of the CIS (Center for Internet Security) benchmark and other security standards.

[Screenshot: Macloginscreenbanner.png]

Follow these steps to enable a login banner through Centrify.

Step 1: Enable the setting: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

[Screenshot: MacLoginbanner.png]

Step 2: Enter your custom message into the Banner field and click OK. The policy will apply at the next group policy interval and logout.

Many administrators still don't realize that anyone can walk up to a non-protected Mac, power-cycle the computer, boot into Recovery Mode, and change anyone's password, including the System Administrator (root account). It's that simple.

Luckily, there is an easy and efficient way of encrypting your Mac disk drives, and you can leverage Centrify to centralize the management.

Centrify's Mac agent has an installation script that can be used to fully automate not only the install, but also the AD bind process. This can be helpful for automating Centrify agent deployments in imaging processes or other third-party deployment tools.

[Mac] Logon banners for SSH

By Centrify Contributor I on 09-12-2016 11:50 AM

Have you ever wondered if you can enable SSH logon banners for Macs, just as you can for UNIX/Linux? With Centrify you can!

What is a clear screen policy?

Various security standards require the computer screen to be locked or logged off after a period of inactivity. This policy helps to prevent unauthorized users from viewing or accessing sensitive data such as patient information and credit card numbers.

Surveys and studies have shown that a significant number of cyberattacks involve malicious insiders. Leaving a computer unattended while going for a short break or meeting can expose it to malware installation, data deletion, modification or theft by an insider.

How do I enforce this through Centrify?

In Group Policy Manager, create or edit a group policy object and add one of the following settings.

Option 1: Automatically log out after a period of inactivity

1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Log out after number of minutes of inactivity

2. Set the time to log out.

Once enabled, this group policy takes effect at the next user logon.

[Screenshot: Logoutinactive.png]

Option 2: Require a password to wake the Mac from sleep or screensaver

1. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to wake this computer from sleep or screen saver

[Screenshot: Requirepasswordfromsleep.png]

2. Set the time to require a password after the Mac goes to sleep or the screen saver begins.

Enable and configure: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Desktop Settings > Set computer idle time for Starting screen saver

[Screenshot: Screensavertime.png]

3. Since this is a User Configuration, you may also need to apply the following group policy setting:

Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode

[Screenshot: Loopback.png]

Set the Mode to Merge.

[Screenshot: LoopbackMerge.png]

Once enabled, this group policy takes effect at the next user logon.

What time interval do I use?

Each security standard defines a different time of inactivity before locking the screen.

HIPAA: 10 minutes; 2 to 3 minutes for high-traffic areas.

PCI-DSS v3 (8.1.8): 15 minutes

Center for Internet Security OS X 10.11 Benchmark (2.3.1): 20 minutes

ISO/IEC 27002: 10 minutes

Other standards

Did you know that you can give Active Directory users specific privileges without giving them full local administrative rights? Well, you can with Centrify's Group Policies, by mapping AD group membership to local groups on the Mac.

Did you know that you can deploy OS X applications using our MDM features in the Centrify Identity Service?

Centrify's Cloud Service is capable of pushing OS X applications to enrolled Macs. In fact, Centrify Cloud Administrators can set up a Mac Enterprise App Store so that your users can install applications that are provisioned to them without any admin rights whatsoever!

When joining a Mac to AD with Centrify, there are a few different options. However, the option I would like to discuss is "Utilize Apple UID generation scheme". What does this mean? When do I use it? What is it?

For reference, here is a screenshot of the aforementioned property:

[Screenshot of the "Utilize Apple UID generation scheme" join option]

  • What is it?

This property uses the Apple UID generation method instead of the Centrify method. To fully understand why this is critical in your environment, let's roll back a few steps and get some background.

  • UID Generation

At a very basic level, a UID is a numeric value that is associated with a single user within Active Directory. This value identifies the user, and is used within OS X to define filesystem ownership. When a user logs into an OS X system for the first time, a home folder is created for this user in the /Users directory. Upon folder creation, the home folder is assigned user ownership by their UID. Now, what kinds of UIDs can be spotted out in the wild? Here are the three most common:

  1. Local UID - These are UIDs created by OS X when local users are created. The first user is 501, the second is 502, etc.
  2. Apple AD UID - Created when users log into a machine bound by Apple's AD plug-in, or when Centrify is explicitly configured to use it.
  3. Centrify AD UID - Created when users log into a machine bound by Centrify's AD plug-in.

For our purposes, let's focus on the Apple and Centrify UID generation methods. The biggest difference between them is the source of the UID: the Apple UID is generated from the user's GUID, whereas Centrify uses the user's SID.

  • Why does this matter?

To fully understand why this matters, let's take a closer look at Apple's generation method:

Apple translates the 128-bit GUID to a 32-bit UID. However, only the first 32 bits of the GUID are used in the translation. This means that it's possible for more than one user to have the same UID on a Mac! Backing up to our earlier discussion, this is supposed to be a unique value per user that defines filesystem ownership.

Bottom line? Users could have the ability to "own" each other's files. Now, granted, if you have a small AD this is very unlikely. But the bigger your AD, the greater the chance. Not really a chance I want to take, especially with network home folders.

So... how is Centrify different, and ultimately better and more secure?

Centrify uses the user's SID/RID to generate the user's UID. The SID is guaranteed to be unique by AD, and the RID is guaranteed to be unique within the domain. The RID is, by default, what Centrify DirectControl uses for UID/GID generation. The domain portion of the SID is reduced to a configurable prefix.

Bottom line? This issue does not exist with Centrify's method of UID generation.

  • When and WHY would I use Apple's method?

With the above knowledge, in what situation would you want to use Apple's UID method? There's really only one scenario: when the machines were joined in the past (before Centrify) with the default Apple plug-in. This will ensure compatibility for existing users when they log into their newly Centrify-joined machine.

If the machine was joined in the past using Apple's plug-in, the user's home folder will be stamped with a UID generated via Apple's method. If a user were to log into the machine that's joined with Centrify and NOT using Apple's method, there will be a UID mismatch. The user will be able to log into their account, but will not be able to access any of their files, because they technically do not own them: their UID is now different when generated with Centrify.

  • What if I want to convert all previously joined machines to Centrify's method?

This is actually an easy process. All you need to do is:

  1. Log into the machine as a local admin.
  2. Join the machine to AD with Centrify DirectControl.
  3. Run the change ownership command so the new UID is applied to the home folder:
     sudo chown -R ad.user.name /Users/homefoldername
     In the above command, replace "ad.user.name" with the user's AD login name, and "homefoldername" with the home folder's actual name (for example: sudo chown -R john.doe /Users/john.doe).
  4. If you want to verify that the change took place, you can compare the output of ls -ln /Users and adquery user -u ad.user.name (again, replace "ad.user.name" with the user's AD login name).
  5. Take a look at the screenshot below to see these commands in action, and the comparison after the change.

As you can see, before the chown command the UID on the home folder and the UID associated with the AD user are different.

After the chown command, the UID on the home folder matches the UID associated with the AD user, which signifies that a successful change ownership operation took place.
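As an added illustration of the two generation schemes discussed above and of the ls -ln / adquery comparison in step 4 (example code written for this article, not Centrify's or Apple's implementation): the "Apple-style" function keeps only the first 32 bits of the GUID, exactly as described above, while the "Centrify-style" function packs a configurable domain prefix above a 22-bit RID, an assumed bit layout standing in for Centrify's actual configurable scheme. The sample users, GUIDs, SIDs and ls -ln lines are constructed.

```python
"""Compare the two AD-to-UID schemes the article describes.

Added example, not Centrify's or Apple's code. Assumptions are marked.
"""
import uuid
from collections import defaultdict
from typing import Callable, Dict, List

# Assumption: the low 22 bits hold the RID and the bits above hold the domain
# prefix. Centrify's real layout is configurable; this stands in for it.
RID_BITS = 22
MAX_PREFIX = (1 << (32 - RID_BITS)) - 1   # prefix must keep the UID in 32 bits


def apple_style_uid(object_guid: str) -> int:
    """UID as the article describes Apple's scheme: only the leading 32 bits
    of the 128-bit objectGUID survive the translation (assumed big-endian)."""
    return int.from_bytes(uuid.UUID(object_guid).bytes[:4], "big")


def parse_rid(sid: str) -> int:
    """Return the RID, the last sub-authority of a domain account SID,
    e.g. S-1-5-21-<d1>-<d2>-<d3>-1105 -> 1105."""
    parts = sid.split("-")
    # S, 1, 5, 21, three domain sub-authorities, RID => 8 fields
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(parts[-1])


def centrify_style_uid(sid: str, domain_prefix: int) -> int:
    """UID built from the RID plus a per-domain prefix (assumed bit layout).
    The RID is unique within a domain, so two accounts of one domain can never
    collide; distinct domains must be given distinct prefixes."""
    if not 0 <= domain_prefix <= MAX_PREFIX:
        raise ValueError(f"domain prefix must be 0..{MAX_PREFIX}")
    rid = parse_rid(sid)
    if rid >= 1 << RID_BITS:
        raise ValueError(f"RID {rid} does not fit in {RID_BITS} bits")
    return (domain_prefix << RID_BITS) | rid


def find_collisions(users: List[Dict[str, str]],
                    uid_of: Callable[[Dict[str, str]], int]) -> Dict[int, List[str]]:
    """Map every UID shared by more than one account to the account names."""
    owners: Dict[int, List[str]] = defaultdict(list)
    for user in users:
        owners[uid_of(user)].append(user["name"])
    return {uid: names for uid, names in owners.items() if len(names) > 1}


def uid_from_ls_ln(line: str) -> int:
    """Numeric owner from one `ls -ln /Users` line (third column), e.g.
    'drwxr-xr-x+ 15 439041101 20 480 Jan  1 10:00 john.doe'."""
    return int(line.split()[2])


def home_folder_matches(ls_ln_line: str, adquery_uid: int) -> bool:
    """The check behind step 4: the home folder's owner must equal the UID
    that `adquery user -u <name>` reports after the chown."""
    return uid_from_ls_ln(ls_ln_line) == adquery_uid


# Constructed sample directory. alice and bob share the first 32 bits of
# their GUIDs (the accident the article warns about) but have distinct RIDs.
DOMAIN_PREFIX = 0x100   # assumed value for the single constructed domain
SAMPLE_USERS = [
    {"name": "alice", "guid": "1a2b3c4d-0000-4000-8000-000000000001",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"name": "bob",   "guid": "1a2b3c4d-ffff-4fff-bfff-ffffffffffff",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333-1106"},
    {"name": "carol", "guid": "9f8e7d6c-1234-4abc-9def-0123456789ab",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333-1107"},
]


def apple_collisions() -> Dict[int, List[str]]:
    return find_collisions(SAMPLE_USERS, lambda u: apple_style_uid(u["guid"]))


def centrify_collisions() -> Dict[int, List[str]]:
    return find_collisions(SAMPLE_USERS,
                           lambda u: centrify_style_uid(u["sid"], DOMAIN_PREFIX))


if __name__ == "__main__":
    print("Apple-style collisions:   ", apple_collisions())     # alice and bob clash
    print("Centrify-style collisions:", centrify_collisions())  # none
    # Before the chown, alice's home folder still carries her Apple-style UID.
    old_line = "drwxr-xr-x+ 15 439041101 20 480 Jan  1 10:00 alice"
    new_uid = centrify_style_uid(SAMPLE_USERS[0]["sid"], DOMAIN_PREFIX)
    print("home folder matches adquery:", home_folder_matches(old_line, new_uid))
```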

 

Hopefully this helps make sense of a subtle, yet important piece of OS X and AD Join.

 

As usual, feel free to post any comments or questions below.

 

-Nick

Recover individual FileVault recovery keys in Active Directory

By Centrify Contributor II on 03-30-2016 05:01 PM - last edited 03-31-2016 09:25 AM

Did you know that you can use Centrify's OS X group policy settings to enable FileVault 2 encryption on your OS X machines and also store the individual recovery key in Active Directory? As of the latest release, Centrify Server Suite 2016, this feature is now available.
