Step 1. Use Apple Configurator 2 to create the desired WiFi setting, then export the profile.

1. Launch Apple Configurator and select File > New Profile.

2. Enter a display name for the profile in General. 

3. In the left column, select WiFi, click the Configure button, then enter your WiFi settings.

4. Once you have completed your configuration, go to File > Save.

 

Step 2. Upload the saved .mobileconfig profile to your domain controller at \\yourdomain\SYSVOL\yourdomain\mobileconfig. Create this directory if it does not exist.

 

Step 3. Specify the profile in one of the following GPO settings to apply the WiFi settings:

  • Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles or
  • User Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles

For more details, see the documentation on computer configuration or user configuration.

 


How to deploy Safari extension to Mac using Centrify

By Centrify Advisor III on 06-14-2017 01:43 AM - last edited 06-14-2017 01:37 PM

**Disclaimer: The deployment depends on the version of macOS/Mac OS X and Safari and might not work in later versions.**

 

The steps below use Centrify Group Policy and AppleScript (the scripts are provided as samples; modify them to fit your environment):

 

1. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Copy Files” Group Policy to copy centrify.safariextz (version 1.150.17052 at the time of writing; replace it with the newest version if one is available), safari-ext.sh and safari.scpt to /tmp/ on the Mac.

 

2. Please set the file permissions to 0755 and the owner UID and GID to 0.

 

3. Please also check the box for “Copy as binary” in the GP.


4. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Specify command to run” Group Policy to run safari-ext.sh (“sudo /tmp/safari-ext.sh”); this script enables GUI scripting for AppleScript.


5. Use the “Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > Specify multiple login scripts” Group Policy at the machine level for the script safari-ext2.sh. It is used to run the AppleScript.


6. Once the 3 GPs mentioned above are configured, run adgpupdate as the AD user; the extension will be installed at the next user login session.

[How to] Manage access to Dropbox

By Centrify Advisor I 06-08-2017 03:18 PM

Ensure access to Dropbox and other Apps from managed devices only


This blog will show you how to join a Mac OS X computer to a domain and enroll it in the Centrify Identity Service platform at the same time. Typically, an Active Directory administrator performs this procedure, but during the enrollment steps, assigns the computer to a different Active Directory user account.

The assigned user is added to the identity platform as the device owner and is able to view and manage the enrolled computer through the Centrify user portal. An identity platform administrator can assign the user to one or more roles that determine the applications, permissions, and policies that apply to the user on this computer.

Here is how to use Centrify Join Assistant to join a computer to a domain and enroll it in the identity platform:

 

1. First you will need the following accounts:

a. Active Directory account that can join a computer to a domain

 

b. Administrator that has System Administrator or Device Management permissions to the Admin Portal.

c. Active Directory user account.


2. Download the Centrify DirectControl agent onto the Mac system from the Support Portal Download Center.



3. Install the Centrify DirectControl agent.

 


4. After installation, go to Finder > System Preferences > Centrify > Centrify Join Assistant.


At the Welcome page, click Continue.

 


Enter the local admin password.

 


Enter the domain you would like to join the Mac system to, then enter the username and password of the Active Directory account that has permission to join computers to the domain.

 


Click Continue.

 

Decide whether you are using Auto Zone or Zone mode for the user and computer objects. Select the option "Enroll with Centrify Cloud Service to enable remote management". Enter the Container DN in which you would like to place the computer object.

 

Click Join and the Mac will begin joining the domain.

 


After the join to the domain is completed, you will be prompted to enter the Identity Service URL and the username of the user you would like to enroll the device for.


The enrollment of the device will then begin.


When the enrollment has completed, you will receive a confirmation that the enrollment for the user was successful.


When the user logs into the Centrify User Portal, they will see the device listed under the Devices section.


Organizations may need to configure the screen saver start time for security or compliance reasons. This article will show you how to use Active Directory group policies to prevent users from changing the screen saver start time.

 


Step 1. On a Mac, create a custom profile with Apple Configurator 2

1. Launch Apple Configurator 2. You can also create this profile with Profile Manager.

2. Go to File > New Profile.

3. Enter a profile name in the Name field.


4. Then go to Passcode on the left column and set a time for Maximum Auto-Lock.


5. Go to File > Save.

 

Step 2. Upload the profile to SYSVOL

1. Go to \\<domain>\SYSVOL\<domain> and create a mobileconfig folder if it does not exist.

2. Upload the profile to the mobileconfig folder.

3. In the Group Policy for your Macs, enable Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles.


4. Click on the Add button, enter the name of your profile, then click OK.

5. Click OK.

 

The policy will apply at the next group policy interval, or you can launch Terminal on the Mac and run adgpupdate to apply it immediately.
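Before a profile produced by Apple Configurator is uploaded to SYSVOL (both the WiFi procedure and the screen saver procedure above do this), it is worth checking it programmatically. The following added example, which is not part of the original articles, parses a .mobileconfig with plistlib and flags a Passcode Maximum Auto-Lock above the CIS 2.3.1 limit of 20 minutes, weak WiFi encryption, and a WiFi pre-shared key embedded in a file that every domain principal can read from SYSVOL. The payload types and key names are Apple's documented profile keys; the sample profile itself is constructed.

```python
"""Sanity-check a .mobileconfig profile before uploading it to SYSVOL.

Added example (not from the original articles). Apple Configurator writes a
profile as a property list, so plistlib is enough to inspect it. The payload
types and key names (com.apple.mobiledevice.passwordpolicy / maxInactivity,
com.apple.wifi.managed / SSID_STR / EncryptionType / Password) are Apple's
documented profile keys; the sample profile below is constructed.
"""
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
WIFI_PAYLOAD = "com.apple.wifi.managed"
CIS_MAX_SCREEN_LOCK_MINUTES = 20        # CIS 2.3.1: inactivity interval of 20 minutes or less
WEAK_WIFI_ENCRYPTION = {"None", "WEP"}

# Constructed sample: a Passcode payload (Maximum Auto-Lock) plus a WiFi payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mac.baseline</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Mac baseline (constructed)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mac.baseline.passcode</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000001</string>
      <key>maxInactivity</key><integer>30</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mac.baseline.wifi</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000002</string>
      <key>SSID_STR</key><string>corp-wifi</string>
      <key>EncryptionType</key><string>WEP</string>
      <key>Password</key><string>not-a-real-key</string>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse the profile (XML or binary plist) and require the outer Configuration wrapper."""
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile (outer PayloadType must be 'Configuration')")
    return profile


def payload_types(profile: dict) -> list:
    """List the PayloadType of every inner payload, in file order."""
    return [p.get("PayloadType", "<missing>") for p in profile.get("PayloadContent", [])]


def validate_profile(data: bytes) -> list:
    """Return human-readable findings; an empty list means the profile is ready to upload."""
    findings = []
    profile = load_profile(data)
    for key in ("PayloadIdentifier", "PayloadUUID"):
        if not profile.get(key):
            findings.append(f"outer payload is missing {key}")
    for idx, payload in enumerate(profile.get("PayloadContent", [])):
        ptype = payload.get("PayloadType", "<missing>")
        for key in ("PayloadUUID", "PayloadIdentifier", "PayloadVersion"):
            if key not in payload:
                findings.append(f"payload {idx} ({ptype}) is missing {key}")
        if ptype == PASSCODE_PAYLOAD:
            minutes = payload.get("maxInactivity")
            if minutes is None:
                findings.append("passcode payload does not set maxInactivity (Maximum Auto-Lock)")
            elif minutes > CIS_MAX_SCREEN_LOCK_MINUTES:
                findings.append(f"maxInactivity is {minutes} min; CIS 2.3.1 requires "
                                f"{CIS_MAX_SCREEN_LOCK_MINUTES} or less")
        elif ptype == WIFI_PAYLOAD:
            ssid = payload.get("SSID_STR")
            enc = payload.get("EncryptionType", "None")
            if not ssid:
                findings.append("wifi payload has no SSID_STR")
            if enc in WEAK_WIFI_ENCRYPTION:
                findings.append(f"wifi payload for {ssid} uses weak EncryptionType {enc}")
            if "Password" in payload:
                # SYSVOL is readable by every authenticated domain principal, so a
                # pre-shared key embedded in the profile is not a secret once uploaded.
                findings.append(f"wifi payload for {ssid} embeds a pre-shared key; it will be readable from SYSVOL")
    return findings


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for line in validate_profile(data) or ["profile OK"]:
        print(line)
```

Run it with the exported profile's path as the only argument; with no argument it checks the constructed sample and reports three findings.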

This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.

 

The Centrify Mac Diagnostic Tool location:
/Library/Application Support/Centrify/MacDiagnosticTool.app

  

 

Centrify Agent

 

To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation domain.com

 

To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename domain.com

 

To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username 

 

To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove

 

To leave the domain and leave the computer object untouched in Active Directory (the local configuration is removed without contacting the domain):
sudo /usr/local/sbin/adleave --force

 

To print information for the domain:
/usr/local/bin/adinfo

 

To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag

 

To view licensing mode:

/usr/local/sbin/adlicense

 

To enable licensed features:

sudo /usr/local/sbin/adlicense --licensed

 

To look up an Active Directory user's information:

/usr/local/bin/adquery user -A username

 

To look up an Active Directory computer's information:

/usr/local/bin/adquery user -A computername$

 

To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):

 

/usr/local/bin/adquery user -b managedBy computername$

 

To look up an Active Directory group's information:

/usr/local/bin/adquery group -A groupname

 

To change the currently logged in user's Active Directory password:

/usr/local/bin/adpasswd

 

To change an Active Directory user's password:

/usr/local/bin/adpasswd --adminuser domain_admin_username username@domain.com

 

To flush the Mac agent cache (Active Directory users will need to log in again to cache their credentials after this is run):

sudo /usr/local/sbin/adflush

 

The location of the Centrify configuration file:
/etc/centrifydc/centrifydc.conf

 

The location of Centrify Kerberos tools:
/usr/local/share/centrifydc/kerberos/bin/

 

To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart 


 

To turn on logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug on

 

To turn off logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug off

 

To clear out the current log file:

sudo /usr/local/share/centrifydc/bin/addebug clear


Log file location:
/var/log/centrifydc.log

 

To uninstall the Mac agent:
sudo /usr/local/share/centrifydc/bin/uninstall.sh

 

To uninstall silently:
sudo /usr/local/share/centrifydc/bin/uninstall.sh --std-suite

 

 

Group Policy

 

To force group policy updates for both user and machine policies:
/usr/local/bin/adgpupdate

 

To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User

 

To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer

 

To view the currently applied group policies:

/usr/local/bin/adgpresult

 

To view the currently applied user group policies:

/usr/local/bin/adgpresult --user username

 

To view the currently applied machine group policies:

/usr/local/bin/adgpresult --machine

 

The location of computer group policy reports:
/var/centrifydc/reg/machine/gp.report 

 

The location of the user group policy reports:
/var/centrifydc/reg/user/username/gp.report  

 

The location of login scripts:
/var/centrifydc/loginscripts/machine
/var/centrifydc/loginscripts/user/username

/var/centrifydc/scripts/additional/login
/var/centrifydc/scripts/additional/logout

 

To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain

 

To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain

 

The location of machine certificates:
/var/centrify/net/certs

 

The location of user certificates:
~/.centrify

/Users/username/.centrify

 

 

Directory Services

 

To see if the machine is joined to the domain using the Apple plugin:
/usr/sbin/dsconfigad -show

 

To unbind from the domain using the Apple plugin:

sudo /usr/sbin/dsconfigad -remove -username domain_admin_username

 

To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users

 

To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users

 

To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username

 

To list all of the groups in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups


 

To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups

 

To display detailed information about the specified Active Directory group name:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname

  

 

FileVault

 

To see if FileVault is enabled:

/usr/bin/fdesetup status

 

To list FileVault enabled users:

/usr/bin/fdesetup list

 

To disable FileVault:

sudo /usr/bin/fdesetup disable

 

To add a local or mobile account to the FileVault user list:

sudo /usr/bin/fdesetup add -usertoadd username

 

 

Smart Card

 

To see if smart card support is enabled: 
/usr/local/bin/sctool --status

 

To enable smart card support: 
/usr/local/bin/sctool --enable

 

To disable smart card support: 
/usr/local/bin/sctool --disable

 

To dump out all the certificates and Active Directory information present on the smart card:

/usr/local/bin/sctool --dump

 

To get a new Kerberos ticket:

/usr/local/bin/sctool --pkinit

 

Related Articles:

 

A Centrify Server Suite Cheat Sheet

Centrify provides an account migration tool that simplifies the process of converting a local account's home directory into the Active Directory account. Migrating the account helps to save the user's files, application settings, and browser bookmarks.


Centrify Identity Service now includes a turnkey Munki solution for application management for managed Macs delivering a best in class user experience without any setup or configuration hassle.


This article will show you how to secure access to a web application by allowing access only from a device that has been enrolled into Centrify's MDM, or by prompting for multi-factor authentication when the application is accessed from a non-managed device.

 

Enroll your device into Centrify MDM

 

Configure your web application

1. Log into the Centrify Admin Portal.

2. Edit your web application and select Policy from the left column, then click Add Rule.

 

 


3. When a new window appears, click Add Filter.


4. Select Managed Device and desired condition, then click Add.

 


5. Select an Authentication Profile for the rule: - Not Allowed -, or a predefined authentication profile that performs multi-factor authentication before the web application can be accessed.

 


6. Set the Default Profile to - Always Allow -, or to a predefined authentication profile that performs multi-factor authentication for Managed Device users.

7. Press Save when your configuration is complete.

 


Using local macOS administrator accounts can lead to security and compliance issues, such as unauthorized sharing of the administrator password with non-administrators or remote access by a former employee. The secure approach is to grant Mac administrator rights to Active Directory users, which minimizes risk and helps meet regulatory compliance. This article will show you how to grant Mac administrator rights to Active Directory users through Centrify's Active Directory group policy settings.

 

 1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group

 


   a) Click on the Add... button. A new window will appear.

 


   b) Click on the Browse button. A new window will appear. You can enter a group name manually in this window, but it is better to browse and select the group to ensure the proper group name is entered.

 

 


   c) Enter a keyword into the Name field for the Active Directory group that you want to add, then click Find Now. Make sure you add the IT/helpdesk team and any other users who need admin rights on the Mac.

 


   d) Select the desired group name and click OK.

 


The setting will apply when the user logs out and logs back in.

 

If your Mac is using Zone mode, use the following article: https://centrify.force.com/support/Article/KB-3049-How-to-use-the-Map-zone-groups-to-local-admin-gro...

 

 

Prevent unauthorized access and minimize risk by restricting MacOS login access to specific Active Directory users or groups. 


How to retain the user's Mac home directory when a user wants to change their name after marriage or divorce.


Want to configure wireless settings for your users without having to manually touch each device? With the Centrify Identity Service, WiFi settings can be pushed to Mac, iOS, and Android mobile devices using policy.


Quick Mac Troubleshooting Tip/Tool

By Centrify Contributor III on 12-23-2016 12:23 PM

A Little Mac Testing Help

 

When I am testing new group policy configurations for the Mac, I like to have the Centrify Mac Diagnostic tool at the ready. Here are the steps that I use to put the Diagnostic tool on the Dock. The MacDiagnosticTool allows the tester to quickly see via a graphical interface the following:

 

  • AD Connectivity and Network Information for the Machine
  • Group Policy Settings that are being applied to the machine
  • User Information such as their UID, AD Group Membership etc.
  • Centrify Debug Information
  • And contact information for Centrify Support.

 

 

 


The attached script can be used with the Deployment Manager to unbind a Mac that is bound to Active Directory via the Apple Directory Services plugin. This will allow mass deployments of the Centrify agent with binding to Active Directory using the Centrify Directory Services plugin.


Enforcing CIS Apple OSX 10.11 Benchmark with Centrify

By Centrify Advisor II on 12-14-2016 02:02 PM - last edited Monday

Center for Internet Security (CIS) Security Benchmarks are consensus-based security configuration guides developed and accepted by government, business, industry, and academia. The benchmarks are used by organizations worldwide to help meet compliance requirements for FISMA, PCI, HIPAA and more. The CIS Apple OSX 10.11 Benchmark provides prescriptive guidance for establishing a secure configuration posture for Apple OSX 10.11. Centrify enables these security settings to be managed on the Mac through Active Directory Group Policies.

 

Note: Be sure to test and review the settings before deploying into production. Some settings may interfere with normal operations.

 

1.2 Enable Auto Update

See instructions 

 

1.3 Enable app update installs

See instructions

 

1.4 Enable system data files and security update install

See instructions

 

1.5 Enable OS X update installs

See instructions

 

2.2.1 Enable "Set time and date automatically"

Centrify will automatically configure the Mac to use your domain controller for the NTP service when the Mac is bound to AD through the Centrify agent.

 

2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver

See instructions

 

2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver

See instructions

 

2.4.1 Disable Remote Apple Events

See instructions

 

2.4.2 Disable Internet Sharing

See instructions

 

2.4.4 Disable Printer Sharing

See instructions

 

2.4.5 Disable Remote Login

See instructions

 

2.4.8 Disable File Sharing

See instructions

 

2.4.9 Disable Remote Management

See instructions

 

2.5.1 Disable "Wake for network access"

See instructions

 

2.5.2 Disable sleeping the computer when connected to power

See instructions

 

2.6.1 Enable FileVault

See instructions

 

2.6.2 Enable Gatekeeper

See instructions

 

2.6.3 Enable Firewall

See instructions

 

2.6.4 Enable Firewall Stealth Mode

See instructions

 

2.7.1 iCloud configuration

See instructions

 

2.7.2 iCloud keychain

See instructions

 

2.7.3 iCloud Drive

See instructions

 

4.3 Create network specific locations

See instructions

 

4.4 Ensure http server is not running

See instructions

 

4.5 Ensure ftp server is not running

See instructions

 

5.2.1 Configure account lockout threshold

The domain account lockout threshold policy will apply when the Mac is bound to Active Directory.

 

5.2.2 Set a minimum password length

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.3 Complex passwords must contain an Alphabetic Character

Domain password policies will apply when the Mac is bound to Active Directory. 

 

5.2.4 Complex passwords must contain a Numeric Character

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.5 Complex passwords must contain a Special Character

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.6 Complex passwords must contain uppercase and lowercase letters

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.7 Password Age

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.8 Password History

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.6 Enable OCSP and CRL certificate checking

See instructions

 

5.8 Disable automatic login

See instructions

 

5.9 Require a password to wake the computer from sleep or screen saver

See instructions

 

5.10 Require an administrator password to access system-wide preferences

See instructions

 

5.12 Create a custom message for the Login Screen

See instructions

 

5.13 Create a Login window banner

See instructions

 

5.14 Do not enter a password-related hint

See instructions

 

5.15 Disable Fast User Switching

Fast User Switching is disabled by default, but the setting can be managed by Centrify through group policy. To learn more see instructions.

 

5.16 Secure individual keychains and items

See instructions

 

5.19 Install an approved TokenD for smartcard authentication

A TokenD module is automatically installed with the Centrify Mac Agent. See instructions for configuring smart card authentication.

 

6.1.1 Display login window as name and password

See instructions

 

6.1.2 Disable "Show password hints"

See instructions

A security researcher from Segment has discovered a vulnerability in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine. The advisory indicates the affected versions are 8.0.36 and "probably prior". Until Microsoft provides a patch, a suggested mitigation is to temporarily disable Microsoft Remote Desktop Client for Mac. 

 

Using Centrify, enable the following group policy settings to block Microsoft Remote Desktop from being launched on the Mac.

 

Step 1. Enable: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 


Set the policy to Enabled and the mode to Merge.

 


Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Application Access Settings > Permit/prohibit access to applications. For Access mode, select User can open all Applications except these.

 


Step 3. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Application Access Settings > Permit/prohibit access to the user-specific applications.

 


Click Add and enter com.microsoft.rdc.mac.

 

The policy will apply the next time the user logs out and logs back in. When the user attempts to launch Microsoft Remote Desktop, the following dialog boxes will appear.

 


How to get the CFBundleIdentifier for other Mac applications you want to block.
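The Permit/prohibit policy above identifies an application by its CFBundleIdentifier, which lives in the app bundle's Contents/Info.plist. The following added example, not part of the original article, reads that identifier and version for each installed app, reports which entries of a block list are actually present, and checks an installed Remote Desktop version against the 8.0.36 "and probably prior" range quoted from the advisory. The Info.plist contents are constructed; the plist keys are Apple's.

```python
"""Find the CFBundleIdentifier of installed Mac apps and check them against a block list.

Added example (not from the original article). The Centrify policy above blocks
applications by bundle identifier, so the identifier must be read from the app's
Contents/Info.plist. The sample Info.plist contents here are constructed; the plist
keys (CFBundleIdentifier, CFBundleShortVersionString) are Apple's.
"""
import plistlib
from pathlib import Path


def bundle_info(plist_bytes: bytes) -> dict:
    """Return the identifier and short version from an Info.plist (XML or binary)."""
    info = plistlib.loads(plist_bytes)
    return {
        "identifier": info.get("CFBundleIdentifier"),
        "version": info.get("CFBundleShortVersionString"),
    }


def version_tuple(version: str) -> tuple:
    """'8.0.36' -> (8, 0, 36); parsing stops at the first non-numeric component."""
    parts = []
    for component in version.split("."):
        if not component.isdigit():
            break
        parts.append(int(component))
    return tuple(parts)


def is_affected_version(version: str, last_affected: str = "8.0.36") -> bool:
    """True when version <= last_affected (the advisory names 8.0.36 'and probably prior')."""
    return version_tuple(version) <= version_tuple(last_affected)


def audit_bundles(bundles: dict, blocked: set) -> dict:
    """bundles maps an app path to its Info.plist bytes. Report block-list coverage."""
    present = {}
    for app_path, plist_bytes in bundles.items():
        info = bundle_info(plist_bytes)
        if info["identifier"]:
            present[info["identifier"]] = {"app": app_path, "version": info["version"]}
    return {
        "blocked_present": sorted(b for b in blocked if b in present),
        "blocked_missing": sorted(b for b in blocked if b not in present),
        "identifiers": present,
    }


def scan_applications(root: str = "/Applications") -> dict:
    """Collect Info.plist bytes for every .app directly under root (for use on a real Mac)."""
    bundles = {}
    for info_plist in Path(root).glob("*.app/Contents/Info.plist"):
        bundles[str(info_plist.parent.parent)] = info_plist.read_bytes()
    return bundles


def _info_plist(identifier: str, version: str) -> bytes:
    """Build a constructed Info.plist for the offline sample."""
    return plistlib.dumps({"CFBundleIdentifier": identifier,
                           "CFBundleShortVersionString": version,
                           "CFBundlePackageType": "APPL"})


# Constructed sample inventory standing in for /Applications.
SAMPLE_BUNDLES = {
    "/Applications/Microsoft Remote Desktop.app": _info_plist("com.microsoft.rdc.mac", "8.0.36"),
    "/Applications/Safari.app": _info_plist("com.apple.Safari", "10.1"),
}
BLOCK_LIST = {"com.microsoft.rdc.mac"}   # the identifier entered in the Centrify policy above

if __name__ == "__main__":
    report = audit_bundles(SAMPLE_BUNDLES, BLOCK_LIST)
    for ident, meta in report["identifiers"].items():
        print(f"{meta['app']}: {ident} {meta['version']}")
    print("blocked identifiers installed:", report["blocked_present"])
```

On a managed Mac, replace SAMPLE_BUNDLES with scan_applications() to audit the real /Applications folder.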

Restricting access to the USB port can help protect Macs against some USB attacks and help prevent data from being copied to external USB drives. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies. 

 

Step 1. Enable: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 


Set the policy to Enabled and the mode to Merge.

 


Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Media Access Settings > Permit/prohibit access: External Disks and select the desired access setting.

 


For more details regarding this setting and other media access settings, see documentation on Media Access Settings.

Many federal IT departments are being told to provide 2-factor authentication not only for all logins, but also for all privilege elevations, including the launching of critical applications. Here’s how Centrify can help.


Requiring an administrator password to access system-wide preferences prevents users from changing locked system preferences without an administrator’s password. This setting helps to improve data and device security and complies with the security requirements of the CIS (Center for Internet Security) benchmark and other security standards. Centrify enables this setting to be managed on the Mac through Active Directory Group Policies.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to unlock each secure system preference

 


The policy will apply after the next group policy interval.

 

If you want to block administrators from accessing certain System Preferences panes, read the article: Restricting System Preferences access

[Mac] Enable Gatekeeper

By Centrify Advisor II on 11-04-2016 09:44 AM

Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization. Enabling Gatekeeper improves data and device security and complies with the security requirement for CIS (Center for Internet Security) benchmark and other security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies. 

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Gatekeeper

 

 


Step 2. Select the desired Gatekeeper setting

 


The policy will apply after the next group policy interval.

 


 

[Mac] Disable automatic login

By Centrify Advisor II 11-03-2016 10:03 AM

The automatic login feature saves a user's system access credentials and bypasses the login screen; instead, the system logs in automatically at startup or after the credentials are entered to unlock FileVault at the EFI login screen. Disabling automatic login improves data and device security and complies with the security requirements of the CIS (Center for Internet Security) benchmark and other security standards. Centrify enables this setting to be managed on the Mac through Active Directory Group Policies.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Disable automatic login

 


The policy will apply after the next group policy interval and logout.


Disabling "Show password hints" improves data and device security and complies with the security requirements of the CIS (Center for Internet Security) benchmark and other security standards. Password hints make it easier for unauthorized persons to gain access to systems by showing anyone the information the user provided to help remember the password. This information could include the password itself or other details that might be readily discerned with basic knowledge of the end user or gathered through social engineering. Centrify enables this setting to be managed on the Mac through Active Directory Group Policies.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

 


Step 2. Make sure "Show password hints" is unchecked.

 

The policy will apply after the next group policy interval and logout.


Displaying the Mac login page with the name and password fields instead of the list of local Mac accounts improves data and device security and complies with the security requirement for CIS (Center for Internet Security) benchmark and other security standards. For hackers, knowing the login name is half the battle. Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies. 

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

 


Step 2. Select "Name and password" from the pulldown list for "Display login window as".

 

The policy will apply after the next group policy interval and logout.

Restricting users from making changes in System Preferences can help improve security, lower the number of support tickets, and prevent users from reversing settings required for maintaining compliance. Centrify can block users from accessing System Preferences even if they have administrative rights on the Mac. The restriction is applied at the user level, so users such as IT staff can be excluded.

 

Step 1. Since this setting is user-based, you will need to enable loopback processing mode: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 


Set the policy to Enabled and the mode to Merge.

 


Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Use version specific settings

 


Step 3. Enable:  User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Mac OS X 10.10 or above Settings > Limit items usage on System Preferences

 


Step 4. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Mac OS X 10.10 or above Settings > Enable System Preferences Panes > Enable built-in System Preferences panes

 


Step 5. Deselect the System Preferences pane you want to block users from accessing.

 


The policy will take effect when the user logs off and logs back in. When the policy is in effect, the disabled System Preferences pane(s) will be greyed out and not accessible even by domain users with Mac admin rights.

 


Remote Apple Events enables your Mac to accept Apple events from apps running on other computers. An Apple event is a task being performed on a Mac, such as “open this document” or “print.” With remote Apple events turned on, an AppleScript program running on another Mac can interact with your Mac. Disabling remote Apple Events is recommended for hardening your Macs from network attacks and a requirement for the CIS (Center for Internet Security) benchmark.

 

Step 1: Configure the following group policy setting and set it to Disabled: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Services > Enable remote Apple events

 


Once the setting is configured, the policy will take effect at the next group policy interval.

Setting the inactivity time that triggers display sleep to a value larger than the inactivity time that triggers the screen saver is a recommendation of the CIS (Center for Internet Security) benchmark. If the display goes to sleep before the screen saver is triggered, users can mistakenly assume their computer is protected and walk away.

Using Centrify, you can push out group policy settings that configure both the display sleep time and the screen saver time to meet these security settings.

Configuring Display Sleep Time

When configuring the display sleep time, be sure to configure both the On AC power and On battery power settings.

1. Enable and configure: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Energy Saver > On AC power > Set display sleep time. Make sure the time is set longer than your screen saver time.

[Figure: OnACpower.png]

2. Enable and configure: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Energy Saver > On battery power > Set display sleep time. Make sure the time is set longer than your screen saver time.

[Figure: OnBatterypower.png]

Once the settings are configured, the policy will take effect at the next group policy interval.

Configuring Screen Saver Time and Require Password

1. To meet the security policy of requiring a password to wake a machine from sleep, enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to wake this computer from sleep or screen saver

[Figure: Requirepasswordfromsleep.png]

2. Set the time to require a password after the Mac goes to sleep or the screen saver begins. Make sure this time is less than the display sleep time.
Enable and configure: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Desktop Settings > Set computer idle time for Starting screen saver

[Figure: Screensavertime.png]

3. Since this is a User Configuration setting, you may also need to apply the following group policy setting:
Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode

[Figure: Loopback.png]

Set the Mode to Merge.

[Figure: LoopbackMerge.png]

Once enabled, this group policy takes effect at the next user logon.

A policy banner is a window that you can display before the login page that requires a user to acknowledge it before proceeding. The policy banner can display a longer message than the login banner on the login page to inform users of the usage policies, help deter unauthorized use, aid in the prosecution against attackers, and meet the requirement for CIS (Center for Internet Security) benchmark and other security standards.

[Figure: PolicyBannerwindow.png]

Step 1: Create a text document (using TextEdit) with the information you wish to display at the login window.
You can use either a Plain Text File (.txt) or Rich Text Format (.rtf).

Step 2: Save this file with the exact title ‘PolicyBanner’ to your Desktop. (The document MUST be titled exactly ‘PolicyBanner’ as one word, with a capital ‘P’ and ‘B’ and NO space between the two words.) For example, PolicyBanner.txt or PolicyBanner.rtf.

Step 3: Copy the PolicyBanner file to the SYSVOL > (yourdomain) directory on your domain controller.

[Figure: SYSVOL policybanner.png]

Step 4: Enable the group policy setting: Computer Configuration > Policies > Centrify Settings > Common UNIX Settings > Copy files

[Figure: UNIX copy files.png]

Step 5: Click Add, then Browse to the PolicyBanner file in your SYSVOL > (your domain) directory. Enter "/Library/Security" without quotes into the Destination field, then click OK.

[Figure: SYSVOL policbanner.png]

The policy banner window will appear after the next group policy interval and logout.

A login banner is a brief message that you can display on the Mac OS X login page to warn users of policies, help deter unauthorized users and meet the security requirement for CIS (Center for Internet Security) benchmark and other security standards.

[Figure: Macloginscreenbanner.png]

Follow these steps to enable a login banner through Centrify.

Step 1: Enable the setting: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

[Figure: MacLoginbanner.png]

Step 2: Enter your custom message into the Banner field and click OK. The policy will apply at the next group policy interval and log out.
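As an added example (not part of the Centrify articles above, which only describe the GPO side), the script below audits on the Mac itself the settings these policies push: display sleep later than the screen saver idle time, password on wake, the PolicyBanner file in /Library/Security, the login banner text, and remote Apple events off. It assumes the stock macOS tools pmset, defaults and systemsetup and the com.apple.screensaver / com.apple.loginwindow keys used by CIS checks for the macOS versions these articles target; the check functions take their values as arguments, so they can be exercised with constructed input on any system.

```shell
#!/bin/bash
# Added audit script, not part of the Centrify articles: reads the settings those group
# policies push and checks them against the CIS expectations the articles cite. Assumes
# stock macOS pmset, defaults and systemsetup (the last needs root) and CIS-style keys.

# 0 = screen saver fires before the display sleeps.
# $1 display sleep in minutes from pmset (0 = never); $2 saver idleTime in seconds (0 = never).
check_sleep_order() {
    local display_min="$1" saver_sec="$2"
    [ "$saver_sec" -gt 0 ] || return 1        # saver disabled: nothing locks the session
    [ "$display_min" -eq 0 ] && return 0      # display never sleeps, so the saver always comes first
    [ $((display_min * 60)) -gt "$saver_sec" ]
}

# 0 = password required within $3 seconds of sleep/saver. $1 askForPassword (0/1), $2 askForPasswordDelay.
check_password_on_wake() {
    local delay="${2%%.*}"                    # defaults may report the delay as a float
    [ "$1" = "1" ] && [ "$delay" -le "$3" ]
}

# 0 = the PolicyBanner file placed by the "Copy files" policy exists in $1 (normally /Library/Security).
check_policy_banner() {
    [ -f "$1/PolicyBanner.txt" ] || [ -f "$1/PolicyBanner.rtf" ]
}

# 0 = the "systemsetup -getremoteappleevents" output ($1) reports the service off.
remote_apple_events_off() {
    case "$1" in *"Remote Apple Events: Off"*) return 0 ;; *) return 1 ;; esac
}

# Live audit; only meaningful on macOS, so it is skipped elsewhere.
audit_mac() {
    [ "$(uname)" = "Darwin" ] || { echo "not macOS, skipping live audit"; return 0; }
    dsleep=$(pmset -g 2>/dev/null | awk '$1=="displaysleep"{print $2; exit}'); dsleep=${dsleep:-0}
    saver=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
    check_sleep_order "$dsleep" "$saver" && echo "PASS display sleep ($dsleep min) after saver ($saver s)" \
        || echo "FAIL display sleeps before saver ($dsleep min vs $saver s)"
    check_password_on_wake "$ask" "$delay" 5 && echo "PASS password on wake" \
        || echo "FAIL askForPassword=$ask delay=$delay"
    check_policy_banner /Library/Security && echo "PASS policy banner present" \
        || echo "FAIL no /Library/Security/PolicyBanner.txt or .rtf"
    defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText >/dev/null 2>&1 \
        && echo "PASS login banner set" || echo "FAIL login banner not set"
    remote_apple_events_off "$(systemsetup -getremoteappleevents 2>/dev/null)" \
        && echo "PASS remote Apple events off" || echo "FAIL remote Apple events on or unreadable"
}
audit_mac
```

Run it as root on a managed Mac after the group policy interval and a logout to confirm the pushed values, rather than trusting the GPO report alone.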
