Centrify - Securing the Cross Platform Data Center

[Archive] The Centrify Apple Guys

[Admin Edit: for updated Mac blog articles, please visit our new TechBlog area and filter by the "Mac" label]



Moved to the tech blog for better exposure

Our first Mac customers were trying to find a way to support the few executives who brought in Macs and wanted IT to support their use within the business. Centrify solved this by integrating the Mac into Active Directory.  Centrify has been supporting Macs in business for nearly 9 years now, and we continue to focus on our customers as we release new capabilities within our products; many of the features in this release were directly requested by our customers.


About Centrify and PIV Certificate Problem

By Nao on 02-14-2014 06:01 PM - last edited 09-10-2014 02:19 PM

Update: Sept 2014


  • The issue below has now been fixed in version 5.2.0 of Centrify Express for Smart Card (Centrify Suite 2014.1).
  • If you are one of the affected users and have been swapping your tokends around like crazy, please update to the latest version today.
  • If you run into any further issues, or just want to praise the talents of our amazing developers, please let us know in the Centrify Express for Smart Card Forums.

  • Note:
    As of version 5.2.0, the oldest version of OS X supported by Centrify Express for Smart Card is 10.7 Lion.
    OS X 10.6 is no longer supported; however, version 5.1.0 of Centrify Express for Smart Card (which still works with 10.6) will remain available for download here.






 Happy Valentine's Day!


We received a report of a login problem on a military web site when using a Dual Persona card with a Centrify product.  In the interests of simplicity, I am going to break this blog into several sections, beginning with the customer's environment.


The Customer’s Environment


- User has a Dual Persona card (also known as CACNG or Dual-Identity).

- User wants to log in to a web site that requires the card's PIV Authentication certificate, e.g., web.mail.mil.

- User has installed either Centrify Express for Smart Card or Centrify for Mac.


Steps to Reproduce


1. Install Centrify Express for Smart Card or Centrify for Mac. 

2. Install the necessary certificate chain, e.g., the DoD Root CA and the corresponding intermediate CA certificates.

3. Insert the Dual Persona smart card into the smart card reader. 

4. Go to a military web site that requires PIV certificate, e.g., web.mail.mil


Expected Result


User logs in successfully to web.mail.mil using PIV certificate. 


Actual Result


User is denied login.


The Root Cause


Our Centrify product ships with four tokends (smart card drivers): CAC, CACNG, PIV, and BELPIC.  When a Dual Persona card is inserted, the CACNG tokend is assigned as the card's driver.  The CACNG tokend cannot perform a digital signature with the card's PIV certificate, and because TLS client authentication requires exactly that signature from the card, web login is impossible.


Proposed Workaround


Luckily for everyone, Centrify ships another tokend with our Mac product, PIV.tokend.  This driver is capable of the digital signature operation with the Dual Persona card's PIV certificate.


To use this workaround, you must force the Mac to choose PIV.tokend.  This is done by moving the CACNG tokend out of OS X's tokend folder.  (The commands below use the glob CAC*, so CAC.tokend is moved aside as well; the tmp folder keeps both so they can be restored later.)


1. Open Terminal

2. cd /System/Library/Security/tokend/

3. sudo mkdir tmp

4. sudo mv CAC* tmp/

5. Remove and insert your card again

6. Open Keychain Access.  Make sure the card appears as "PIV-*" in the keychain list at the top left of the Keychain Access window.

7. Try the web.mail.mil web site again.  (If you are using Safari and it has already associated a certificate with web.mail.mil, you may have to remove that association, stored as an identity preference in Keychain Access, so that you can select the right certificate.)


This workaround may cause a problem if you try to use a different certificate on the Dual Persona card for a different purpose.  If you observe this problem, you can undo the change to the tokend folder:


1. cd /System/Library/Security/tokend/

2. sudo mv tmp/CAC* .
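Scripted form of the workaround and its undo, added here as an example and not taken from the original post or from Centrify's software.  It performs the same moves as the steps above (the CAC* bundles into a tmp folder inside the tokend folder, and back again) but first checks that PIV.tokend is actually present, because moving the CAC tokends aside with no PIV driver left would leave the card with no driver at all.  The directory argument is an assumption added so the functions can be exercised against a copy of the folder; against the real /System/Library/Security/tokend they must run with sudo, and the card must still be removed and reinserted afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): scripted form of the
# tokend workaround.  The DIR argument is an assumption so the
# functions can be tried on a copy of the folder; the real location
# is /System/Library/Security/tokend and needs sudo.

TOKEND_DIR_DEFAULT=/System/Library/Security/tokend

# tokend_disable_cac [DIR]
# Moves every CAC*.tokend bundle in DIR (CAC.tokend and CACNG.tokend)
# into DIR/tmp so OS X falls back to PIV.tokend for the card.
# Refuses to run when PIV.tokend is absent.  Returns 0 on success.
tokend_disable_cac() {
    dir=${1:-$TOKEND_DIR_DEFAULT}
    if [ ! -d "$dir/PIV.tokend" ]; then
        echo "PIV.tokend not found in $dir; refusing to move CAC tokends aside" >&2
        return 1
    fi
    mkdir -p "$dir/tmp" || return 1
    moved=0
    for bundle in "$dir"/CAC*.tokend; do
        [ -e "$bundle" ] || continue      # the glob matched nothing
        mv "$bundle" "$dir/tmp/" || return 1
        moved=$((moved + 1))
    done
    echo "moved $moved CAC tokend bundle(s) into $dir/tmp"
    return 0
}

# tokend_restore_cac [DIR]
# Undo: moves the bundles back out of DIR/tmp and removes tmp if empty.
tokend_restore_cac() {
    dir=${1:-$TOKEND_DIR_DEFAULT}
    if [ ! -d "$dir/tmp" ]; then
        echo "nothing to restore in $dir" >&2
        return 1
    fi
    for bundle in "$dir"/tmp/CAC*.tokend; do
        [ -e "$bundle" ] || continue
        mv "$bundle" "$dir/" || return 1
    done
    rmdir "$dir/tmp" 2>/dev/null || true   # leave tmp if something else is in it
    return 0
}

# tokend_active_driver [DIR]
# Simplistic check of which of the two drivers discussed in the post is
# left to claim the card: CACNG while CACNG.tokend is installed, PIV once
# it has been moved aside, or "none" if neither bundle is present.
tokend_active_driver() {
    dir=${1:-$TOKEND_DIR_DEFAULT}
    if [ -d "$dir/CACNG.tokend" ]; then
        echo CACNG
    elif [ -d "$dir/PIV.tokend" ]; then
        echo PIV
    else
        echo none
    fi
}

# Usage against the real folder (assumed saved as tokend_workaround.sh):
#   sudo sh -c '. ./tokend_workaround.sh; tokend_disable_cac'
#   ... remove and reinsert the card; Keychain Access should show PIV-* ...
#   sudo sh -c '. ./tokend_workaround.sh; tokend_restore_cac'
```

The tmp folder is created inside the tokend folder, exactly as in the manual steps, so a later restore only has to look in one place; the PIV.tokend check is the one addition a practitioner would want, since the manual steps silently succeed even on a machine where the PIV driver was never installed.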


Centrify’s Long Term Fix


We have confirmed the problem in the Centrify CACNG tokend driver and are working on the fix.  Our plan is to have this done in the next release of Centrify for Mac and Centrify Express for Smart Card.


If you have any questions or concerns, please comment on this blog or contact our Support at support@centrify.com.


Thank you very much for using Centrify products!

With Apple's announcement of OS X 10.9 Mavericks today, an updated version of the Centrify Mac agent is also available for those who will undoubtedly want Apple's latest and greatest immediately.


This DirectControl for Mac OS X 10.9 release is a required update for anyone wanting to run Mavericks on a Centrify-managed system.


In addition to bringing support for OS X 10.9, key updates in this release include:

  • Bug fixes for issues affecting offline logins.
  • Support for remote silent installation via Apple Remote Desktop and other deployment solutions.
  • GUI enhancements giving more informative descriptions of the various functions available in the agent.
  • Support for DirectControl for Mac OS X 10.6 has been discontinued with this release.

Read this first!

It is strongly recommended to upgrade the Centrify DirectControl agent while the Mac is in Connected mode, before updating to Mavericks.


Here are the recommended steps:


  1. Log in to the Mac as an AD user with local admin privileges, or with the local admin account.

  2. Download the latest version of the Centrify Mac agent.

    NOTE: If updating from an earlier version of Centrify, look in System Preferences > Centrify > "CentrifyDC mode" and make sure it shows Connected.


  3. Install/Update the Centrify Mac agent

    NOTE: If updating from an earlier version of Centrify and cached logins are used, a Connected login will need to be performed at least once after the upgrade to update the cache schema.  The easiest way to do this is with the following steps:

    --a. Double-check the Connected status again and make sure CentrifyDC mode is still Connected.
    --b. Open the Terminal and run:

    login ad_username

    (Where "ad_username" is the username of the AD user.  When the command-line login completes, the credentials will have been re-cached.)


  4. With the Centrify agent updated and AD credentials re-cached, the Mac is now ready to be updated to OS X 10.9.

  5. Update to Mavericks a-go-go!




Deployment Manager Notes:

For those deploying this update via Centrify Deployment Manager, when downloading the agent software in Step 2 the "Show only the latest software" checkbox will need to be CLEARED to display the latest Mac agent for 10.9.

[Screenshot: DM 10.9.png, the Deployment Manager software download dialog]

This is because the Mac agent for 10.9 was branched off specifically for Mavericks, so it is considered a separate branch from the main Centrify Suite 2013.3.

The Deployment Manager "latest software" filter only looks at the full Suite versions and so will not initially show the Mac agent for 10.9 in the list.

Don't worry though - everything will go back to normal when it all gets bundled back together come the next Suite iteration.



-- Happy updating!

Introducing Mac Cloud Service

By Nao on 08-29-2013 10:29 PM

Today we are excited to launch the industry's first unified identity solution for the security and management of Mac users and their mobile devices. [1] [2]


In addition to our on-premise Centrify DirectControl for Mac offering, it is now possible to enroll Macs in the Centrify Cloud Service and control them from anywhere.


Why Mac Cloud Service?


Mac Cloud solves new problems that arise from today's Mac workforce, which is more mobile than ever: employees with personal home machines, employees who BYOM (Bring Your Own Mac), and road warriors who rarely log in to the corporate environment.  All of them need a measure of integration with the corporate office.


For example, one major problem with roving corporate user populations is: "What happens if Jennifer, the star Sales Engineer who just downloaded the Super Confidential Firmware, suddenly realizes that her Mac is missing, whether by theft or misplacement?"


YIKES! What if that firmware fell into the wrong hands?  Imagine the fear going through Jennifer's head when she has to tell the boss that she not only needs a new Mac, but that a Mac with the company's trade secrets is floating around out there, essentially unprotected.  With Centrify Cloud Service, locking or wiping the Mac is a single command away.  Her Mac can be locked or wiped as soon as it connects to the Internet, even if it is outside the corporate network.  Peace of mind returns to Jennifer at once, knowing her data is protected by Centrify's Mac Cloud Service.


Centrify for Mac can also enforce FileVault 2 full-disk encryption on Macs.  This further strengthens the protection of Jennifer's data: a remote lock or wipe can only take effect once the missing Mac comes online, so until then the encrypted disk is what stands between a thief and the firmware.


Centrify Cloud Service provides a unified platform to manage various types of mobile devices, including Macs, iPhones, iPads, and Android devices.


Great!  How Can I Use It?


Let's walk through how you can take advantage of this service. 


1. Install and set up Proxy Server


The Proxy is a server that runs on Windows and is the bridge between your Active Directory domain controllers and the Centrify Cloud.  It also adds Group Policy integration and Active Directory Users and Computers add-ins.


An IT administrator installs the Proxy with a familiar Windows installer UI.




2. Register Proxy to Centrify Cloud


The administrator registers the installed Proxy with the Centrify Cloud using a familiar Windows UI.  This allows communication between your corporate LAN and the Centrify Cloud.




3. Create and upload APNS certificate


Centrify Cloud uses the Apple Push Notification Service (APNS) to communicate with Macs and iOS devices.


The administrator creates an APNS certificate and uploads it to Centrify Cloud Manager.  This browser-based UI walks the administrator through the steps.




4. Join Mac via User Portal


Users can now enroll their Macs and other mobile devices in Centrify Cloud.


The user goes to the User Portal, selects MyDevices, clicks AddDevices, selects the device type (e.g. Mac OS X) and clicks Enroll.


Alternatively, the user can go directly to the enrollment page, e.g., https://cloud.centrify.com/enroll.





As a result of enrollment, a Mobile Device Management (MDM) profile is installed on the Mac.





5. Wipe and Lock


Now let's go back to the example of Jennifer above.  Once she loses her Mac, an IT administrator logs in to Cloud Manager and sends a wipe or lock command to Jennifer's Mac, which renders the machine useless to anyone interested in that new secret firmware.




Alternatively, Jennifer can log in to the User Portal and lock or wipe the Mac herself.


6. Install Profile


In addition to Lock and Wipe, Mac Cloud offers many other settings that corporate users will certainly appreciate, such as Restrictions, WiFi and VPN, to name a few.


The administrator can use the familiar Group Policy console to configure the settings.  This example shows a VPN profile.




The Mac's System Preferences UI shows the installed VPN profile.


We are very excited here at Centrify about this newest cloud-based offering.  It offers some very powerful features not currently available to many corporate users who are remote or roaming, and adds a level of safety not present on many of today's mobile devices.


[1] http://www.centrify.com/news/release.asp?id=2013082701

[2] http://www.centrify.com/blogs/tomkemp/managing_macs_via_the_cloud.asp

If you have a Common Access Card (CAC) and a smart card reader, you can start using them on Mac OS X.


Smart Card Applications


By installing Centrify Express for Smart Card, you can start using your smart card with applications such as the Safari browser, Mail.app or Outlook.  This lets you access CAC-protected web sites and sign and encrypt e-mail.  You can also use in-house or third-party applications that access the smart card through the Tokend interface, as Express for Smart Card provides tokends (smart card drivers) for CAC, PIV and CACNG cards.


You can download Express for Smart Card here:




Smart Card Login


By installing Centrify DirectControl (CDC) for Mac, you can do all of the above, plus control login to Mac OS X.  You can use the smart card to log in to and unlock the screen of the Mac.  A system administrator can require users to log in with a smart card by setting a Group Policy.


You can request a free trial of DirectControl for Mac here:




We are excited about the upcoming release of Centrify Suite 2013.2.  


In particular, I would like to discuss DirectControl for Mac and smart card support in DirectControl for Red Hat.  Our team's focus in this release is to further enhance the security of endpoints (Mac and Red Hat Enterprise Linux) with Centrify DirectControl (CDC).


As my colleague Brian says, without further ado .. 


FileVault 2 Group Policy (for Mac)


FileVault 2 (FV2) is a Mac OS X feature that encrypts the Mac's entire hard disk (or solid-state drive).  DirectControl provides a feature to control FV2 centrally: using a Group Policy, a system administrator can turn on FV2 on the Macs she manages.





PKI 802.1X Network Group Policy (for Mac)


Many system administrators want to secure their networks using strong PKI credentials (i.e. certificates).  Using a Group Policy, a system administrator can implement the whole process:


  • The Mac enrolls for a computer certificate with the Certificate Authority.
  • The Mac downloads the necessary certificate chain from the Certificate Authority.
  • The Mac configures a network profile to use the certificate for authentication.
  • The Mac authenticates itself to the network with the certificate, via 802.1X.

This feature supports both WiFi and Ethernet configurations.





Smart Card Name Mapping, a.k.a. Alternate Identity Smart Card (for Mac and RHEL)


As I discussed in my previous blog post, "alternate identity" is a way to map different user privileges to one smart card certificate.

CDC now supports this type of smart card for authentication, screen lock, and so on, on Mac and Red Hat Enterprise Linux.

On the login and screen-unlock windows, if you have this type of card (i.e. no UPN on the certificate), you will be presented with a username and password window.  The user specifies the user he wants to log in as, and enters the PIN (although the field asks for a "password").





  • Add "Enable License Features" button back to AD Join UI (for Mac)
  • Fix limitation of AD Join UI about using special characters in password (for Mac)
  • Address login and screen unlock instability problem (for Mac)
  • And more smaller enhancements and fixes.