Enabling mobile accounts on Mac OS X is required if you want to:

 

Some common reasons why Mobility Settings are not applying

 

MobileAcct.png

 

If your user does not have the word "Mobile" under their name in System Preferences > Users & Groups, the group policy for Mobility Settings is not being applied possibly because of these common mistakes:

1. The user object is not in the OU that the GPO is linked to. To apply User Configurations in a Group Policy Object, you may need to do one of the three options:

    a) Link the GPO to the OU that the user objects (not groups) are located in. Inheritance will work. 

    b) If you are using security filtering, you may need to include the computer object to the security filter

    c) If you are only applying the GPO to the computer objects OU, then you need to enable loopback processing mode: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 

Loopback.png

 

Set the policy to Enabled and the mode to Merge.

 

LoopbackMerge.png

 

2. Most group policy settings for Macs can be enabled with just a checkbox or populating a field, but Mobility Settings require multiple of settings in order to be enabled. Review each step to identify if any setting was missed.

 A common setting that is missed is User Configurartion > Policies > Centrify Settings > Mac OS X Settings > Mobility Settings > Use version specific settings

 

 Mobility Use version specific.png

 

This setting is commonly missed and users skip directly to the OS version level settings.

 

3. Check if Block Inheritance is enabled on the OU that your GPO is linked to. When Block Inheritance is enabled, user settings and security filtering may not be applied, especially if your user objects are not in the OU that the GPO is linked to. Blobk Inheritance can be identified by the blue circle with an exclamation mark on the OU icon. 

 

Block inheritance.png

 

 

 Problem

Adding an application to the Dock with Centrify Mac group policies shows up as a question mark. Whenever a Dock item appears as a question mark in the Dock, it means the link is incorrect and the location does not exist.

 

Dockquestionmark.png

 

Cause

Getting the location path from the Get Info window may not be accurate or complete.

 

ApplicationGetInfo.png aliasgetinfo.png

 

Notice the difference is the text is red below.

 

The window on the left is the Get Info window for the application file. The path is:

/Applications/Xcode/Contents/Developer/Applications/Simulator.app

 

The windows on the right is the Get Info window for the alias to the same application file. The path is:

/Applications/Xcode.app/Contents/Developer/Applications/Simulator.app 

This is the correct URL that will map to the file correctly.

 

Solution

OS X application bundles are directory hierarchies, with the top-level directory having a name that ends with a .app extension. When mapping to a file inside an application bundle, make sure you include the ".app" extension in the path.

 

How to customize the Mac OS X Dock with Centrify

In case you don't know how to add an app to the Dock through Centrify group policies for Mac,

1. Launch Group Policy Manager on the member machine you installed Centrify tools on and create or edit the Group Policy Object applied to your Macs or user objects. 

2. Enable: User Configuration > Poliices > Centrify Settings > Mac OS X Settings > Dock Settings > Place Applications in Dock.

 

Dock policy.png

 

3. Click Add then enter the path of the applicaiton that you want to add to the Dock. 

Centrify has the ability to block users from launching Mac OS X applications, such as OS X updates, built-in applications, and third-party apps, through Group Policies. The policies are located in User Configuration > Centrify Settings > Mac OS X Settings > Application Access Settings

 

app restrictions.png

 

To block third-party applications, you will need to enter the CFBundleIdentifier for the application you want to block into the "Permit/prohibit access to the user-specific applications" policy. 

 

thirdpartyapps.png

 

To find the CFBundleIdentifier for an app

1. Locate the .app file you want to block.

2. Control-click on the .app file and select Show Package Contents from the contextual menu.

3. In the Contents directory, open the Info.plist file with a plist or xml editor like TextWrangler.

 

contents directory.png

 

4.Search for CFBundleIdentifier and add the string value to the Centrify group policy.

 

 plistfile.png

 

If you are looking for the Mac OS X KeRanger ransomware CFBundleIdentifier, but afraid to install it on your Mac, it's org.m0k.transmission according to VirusTotal.

 

Demo Video of Joining Centrify Mac agent to AD using Auto Zone and Smart Card

By Centrify Contributor I on ‎03-17-2016 10:57 AM - last edited ‎03-17-2016 01:09 PM

Introducing Centrify Express

By Community Manager Community Manager ‎01-30-2015 04:48 PM

 

Centrify Express is Centrify's free solution for Active Directory-based authentication and single sign-on to cross-platform systems. This chalktalk introduces the Centrify Suite's basic components, their features, and what makes them unique among other Active Directory integration solutions.

 

Running Time: 17:03 minutes

 

Speaker
Corey Williams, Director, Product Management

 

Moderator
Frank Cabri, Vice President, Marketing & Business Development

 

Topics Covered

  • DirectControl Express and its ability to join non-Windows systems to Active Directory
  • DirectManage Express and its ability to automate the deployment of DirectControl Express throughout your network
  • How Centrify Express compares to operating system vendor plugins and other integration toolkits
  • How Centrify Express users can get peer support and other resources through the Centrify Community forums
  • How to choose between Centrify Express and other editions of the Centrify Suite

 

As Mac OS X becomes an increasingly popular workstation choice inside enterprises, corporate IT departments and helpdesk personnel are looking for tools to enforce the same types of configuration and security settings on Macs that are already available for Windows systems. In this video chalktalk you'll discover how Centrify addresses this need by extending Windows Group Policy services to Mac systems using Centrify's Active Directory integration solution for Mac OS X.

 

Running Time: 29 minutes

 

Speaker
David McNeely, Director, Product Management

 

Moderator
Tom Kemp, Chief Executive Officer

 

Topics Covered

  • An overview of Windows Group Policy, including computer and user policies
  • Why "desktop lockdown" is a key requirement for managing a user's workstation from a security and compliance perspective
  • An architectural overview that shows how Group Policies can be centrally edited and then globally distributed to Mac systems
  • How Centrify maintains a "virtual registry" to hold Group Policy Objects on a Mac system
  • How Windows Group Policy's grouping and filtering features provide more granular policy enforcement over alternative methods
  • The advantages of using familiar Windows management tools for Mac management
  • Example policies, such as: disabling access to removable devices like CD/DVD drives and USB drives: locking the screen after a period of inactivity; and configuring portable home directories
  • How advanced features such as loop-back processing can apply different user settings in different contexts
  • Policies that address specific federal security requirements, including those in the Federal Information Systems Management Act
  • Controlling application settings globally by using Group Policy for bulk distribution of plist settings
  • How Centrify works with other vendors in the Enterprise Desktop Alliance to define a standard set of solutions for managing Mac OS X systems within Windows-centric enterprises

 

Apple provides a basic smart card architecture that Centrify has leveraged to provide stronger, Active Directory-based authentication and transparent single sign-on to applications. In this chalktalk, Centrify CTO Paul Moore proves an overview of the Apple smart card architecture and details how Centrify DirectControl integrates it with Active Directory's authentication services. This is part 2 of a two-part series; also see Smart Card for Mac Part 1: Introduction to Active Directory Integration.

 

Running Time: 31 minutes

 

Speaker
Paul Moore, Chief Technical Officer

 

Moderator
David McNeely, Director, Product Management

 

Topics Covered

  • Basic smart card infrastructure provided by Apple and how authentication data stored on smart cards is read and distributed to the Mac's internal security API
  • How DirectControl interacts with the Mac's keychain API and security API to support a wide variety of TokenD-based cards, including CAC and PIV cards
  • How DirectControl expands on the digital-signing service that was the focus of the Apple smart card support to provide stronger forms of authentication
  • The authentication steps that take place as data is read from the smart card and the user is authenticated through the Active Directory KDC and directory servies
  • How the user receives a Kerberos ticket to ensure transparent sign-on to other applications such as email
  • How DirectControl enables secure, smart card-based login when the Mac is not on the network
  • The role of trusted roots in securely enabling cards issued by a certificate authority other than Active Directory

 

Smart cards are the solution of choice for organizations that need two-factor authentication to further secure sensitive systems. In Windows-centric environments where Mac users need to be authenticated against Active Directory, setting up smart cards has involved some compromises in usability and security. In this Centrify video chalktalk, Centrify Product Manager David McNeely explains the basics of smart card authentication and describes how Centrify DirectControl for Mac OS X addresses these challenges. 

 

Running Time: 21 minutes

 

Speaker
David McNeely, Director, Product Management

 

Moderator
Tom Kemp, Chief Executive Officer

 

Topics Covered

  • What are smart cards, and how they are used to strengthen security
  • How Centrify DirectControl can enable IT administrators to adopt Active Directory-authenticated smart cards that work for Mac users as well as Windows users
  • Protocols supported by DirectControl for Mac OS X: CAC, PIV and other cards that use a TokenD interface
  • How DirectControl's Kerberos-integrated smart card functionality compares with Apple's smart card feature
  • Federal compliance regulations that drive the use of smart card
  • Diagramming the solution architecture to understand how smart cards are provisioned and how authentication works against Active Directory
  • How smart cards can be terminated to ensure revoked cards can't be used
  • How Centrify's advanced Group Policy functionality for Mac can be used to configure and manage smart card usage
  • How other industries, such as power and utility companies, use smart cards

 

Describes Centrify's industry-leading Active Directory integration for Mac OS X, including its unique Group Policy support.

 

Running Time: 26 minutes

 

Speaker
David McNeely, Director, Product Management

 

Moderator
Tom Kemp, Chief Executive Officer

Showing results for 
Search instead for 
Do you mean 
Labels
Leaderboard

Community Control Panel