Do you want to give one individual remote access without giving it to all users? Then this blog is for you.


I've been asked by potential customers: does the Centrify Cloud Platform integrate with Apple's OpenDirectory LDAP server? Or, more specifically, can I authenticate users from my OpenDirectory server into the Centrify Cloud Portal and assign those users to roles, apps, MFA, and so on?

 

Answer: Yes, you can!

 

What does this mean in practice? You can offer self-service password resets for your user accounts, portal password changes, and MFA for user and application SSO access; in short, all the benefits you would get from an Active Directory integration. You lose nothing by integrating with a directory like Apple's OpenDirectory, and that's the beauty of the Centrify Identity Platform.

 

The purpose of this guide is to authenticate users from your OpenDirectory server into the Centrify Cloud Platform and make use of them there.

 

A little history first...

OpenDirectory has been around since Mac OS X 10.2. It was introduced as part of Apple's attempt to provide its enterprise customers with a network-visible NetInfo directory domain and a corresponding authentication manager service for storing passwords outside of the directory. To sum that technical sentence up: it's basically an OpenLDAP-based LDAPv3 (Lightweight Directory Access Protocol) server, which is more common than you might think in corporate environments. Many law offices and educational institutions are OpenDirectory shops, since lawyers and students are very common Mac users.

 

To start, a very convenient tool for this process is Softerra LDAP Browser, which runs on Windows. You can download the free browser edition from Softerra's website: http://www.ldapadministrator.com/download.htm (the browser, not the paid administration software).

 

We will use this tool to look up the baseDN of our server and some of its user object attributes. It just makes life easier, and I'll be using it in some of the screenshots for the setup and configuration.

 

This guide assumes that you have set up an OpenDirectory server already.

 

This guide will not cover the setup and creation of the OpenDirectory server. It's assumed that you know the hostname of your server and, if it's a public-facing directory, that all the relevant host records have been created and are currently working. It also assumes that you have a valid server certificate for the OpenDirectory host and that you can communicate over secure LDAP (LDAPS, port 636). The platform only talks LDAPS, so the server always presents a certificate; what is optional during setup is whether the platform verifies that certificate. With verification turned off the session is still encrypted, but nothing proves the connector is talking to your OpenDirectory server rather than to something impersonating it, so treat that as a temporary state for initial testing only.

 

  1. Open the Centrify Admin Console and log in with an administrator for your Centrify Cloud Platform.
  2. Navigate to Settings > Users > Directory Services. You should see this:

    [Screenshot: Admin Console - Settings > Users > Directory Services]
  3. Click on Add LDAP Directory, and you should see this dialog:

     [Screenshot: Add LDAP Directory Server dialog]
  4. Let's give it a name, like "Apple OpenDirectory Server".
  5. Let's give it a description, such as "Apple's OpenDirectory for the Law Office".
  6. Add the hostname of your OpenDirectory server. In the case of my server it was macserver.test, but this will be whatever hostname you set up for OpenDirectory, as seen here:

              [Screenshot: Mac server hostname]
  7. Let's get the baseDN from the server. This is where having an LDAP browser comes in handy; I will use it to show you how to get this value.
    1. Open your LDAP browser tool (you don't need this if you can get the value from Directory Utility in macOS Server, or another way).
    2. Add the server connection to your LDAP browser.
    3. Navigate to the root of your Mac OpenDirectory server, as seen here:

      [Screenshot: baseDN in the LDAP browser]
  8. Type your baseDN into the baseDN field, in my case "dc=macserver,dc=test".
  9. Type in your hostname as the suffix that provisioned users will appear under, in my case "macserver.test".
  10. For the bind DN, you will need the directory administrator account you set up when you created the OpenDirectory domain. THIS IS NOT the local admin user on the Mac OpenDirectory server; it's the user created during OpenDirectory setup, normally called "diradmin" or whatever name you chose. You can find it with your LDAP browser by selecting Users, which lists the LDAP users that are part of OpenDirectory. Note the DN of the user and enter it here. The platform stores this bind password and uses the account for every lookup, so keep its privileges to what the integration needs (reading users and groups, plus changing passwords if you use self-service reset) rather than reusing a full directory administrator where your setup allows it.
    1. For example, for diradmin the DN would be "uid=diradmin,cn=users,dc=macserver,dc=test". This tells the platform the uid and the location of the user. Here is a picture from the LDAP browser (right-click the user object in the navigation tree and select Properties):

       [Screenshot: DN of the bind user in the LDAP browser]
  11. Type in the password for the user.
  12. Uncheck the Verify Server Certificate selector for now. We will come back and test secure communication later; for the moment this just tests the connection. Remember that with verification off the connector encrypts traffic to whatever answers on the LDAPS port without proving it is your server, so re-enable it before you rely on the integration.
  13. If all went well, you should see Connection Successful and a green check mark:

     [Screenshot: Connection Successful]
  14. If not, go back and check the entries, make sure you followed the steps exactly, and confirm that the cloud can reach the Mac OpenDirectory server. Again, it's assumed that you can reach the server either privately inside your corporate subnet or publicly.
  15. If the name cannot be resolved, add it to the hosts table or use the IP address of the machine.
  16. If you use the IP address, you will likely need to uncheck Verify Server Certificate on the Add LDAP Directory page, because the server certificate is typically issued for the hostname and will not match an IP.
  17. If the server is NOT listening on port 636, append the port to the DNS hostname, for example <dns hostname>:3269. Note: only LDAP over SSL is supported.
  18. Clear-text LDAP is not supported. If the hostname resolves, the port is reachable, and the server certificate chains to a CA the platform trusts and matches the hostname you entered, Verify Server Certificate will succeed.
  19. One last piece is to choose a connector that can reach the OpenDirectory server. Click the Connectors menu item in the Add LDAP Directory dialog:

    [Screenshot: Connectors]
  20. Make sure you select a connector that can talk to your OpenDirectory server on an ongoing basis, then retest your connection.
  21. Once you've integrated the OpenDirectory server, there are a few oddities to discuss.
  22. OpenDirectory user records do not carry Phone Number, Mobile Phone and other attributes out of the box, and these are crucial to the Centrify Platform and MFA. Without them, it is impossible to authenticate OpenDirectory users with MFA. If you're only using passwords this won't matter, but most organizations do not rely on passwords alone, and relying on them alone is not good security practice.
  23. To fix this, we can add the attributes to the user accounts via Apple's Directory Utility.
  24. Go back to your Apple server running OpenDirectory and open Directory Utility, which you can find via Spotlight.
  25. Once open, click Directory Editor.
  26. Select the directory to edit from the drop-down, usually /LDAPv3/127.0.0.1; this will be your main directory. It might not be, so make sure that when you select the node, a list of users appears when you choose Users in the editor, like this:

    [Screenshot: Directory Utility]
  27. Authenticate as diradmin by clicking the lock icon at the top.
  28. Once authenticated, you can amend the user objects and add the important attributes.
  29. There are ways to have these attributes added by default, but this guide does not cover amending your LDAP directory structure. It is possible, though, so that phone numbers, mobile numbers and the other Centrify Cloud Platform attributes are present in user objects from the start.
  30. Click the "+" sign, search for MobileNumber or PhoneNumber, and enter the value you want reflected in the field.
  31. Once you add these attributes, they will show up in the user object in the Centrify Platform after you reload it. To refresh the user object in the Centrify Portal, select the user in the admin portal and choose Reload from the action menu; the user object will populate with the data you added in Directory Utility on the macOS server:

            [Screenshot: Reload a User Object]
  32. Keep in mind that you can use the LDAP browser to connect to an Active Directory domain, view the attributes AD stores for a user, and add those same attributes to users in OpenDirectory. The process itself is not hard; the trick is configuring OpenDirectory to include those fields in the user creation process, which can be difficult. That said, standard attributes such as telephoneNumber, mobile and mail are common to LDAP directories, so you can add them to the Mac OpenDirectory user object and have them reflected in the user object in the cloud.
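As an added example (not part of the original post), here is a shell check that exercises the same things the Add LDAP Directory dialog tests, but from a terminal and with certificate verification on: it binds over LDAPS with the bind DN, fetches a user from cn=users, and reports which of the attributes MFA relies on are missing from the record. The hostname macserver.test, the base and bind DNs, the CA bundle path /etc/od-ca.pem and the mapping of Directory Utility's PhoneNumber, MobileNumber and EMailAddress to the LDAP attributes telephoneNumber, mobile and mail are assumptions; the first four can be overridden with environment variables. The sample LDIF embedded in the script is constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example (not part of the original post): check an OpenDirectory server the
# way the platform will use it, over LDAPS with the server certificate verified,
# and confirm that a user record carries the attributes the portal needs for MFA.
# Assumed values: host macserver.test, base dc=macserver,dc=test, bind DN
# uid=diradmin,cn=users,dc=macserver,dc=test, a CA bundle at /etc/od-ca.pem, and
# the LDAP attribute names mail, telephoneNumber and mobile (what Directory
# Utility's EMailAddress, PhoneNumber and MobileNumber map to). Override with env vars.
set -u

OD_HOST="${OD_HOST:-macserver.test}"
OD_PORT="${OD_PORT:-636}"
OD_BASE="${OD_BASE:-dc=macserver,dc=test}"
OD_BIND="${OD_BIND:-uid=diradmin,cn=users,dc=macserver,dc=test}"
OD_CA="${OD_CA:-/etc/od-ca.pem}"
REQUIRED_ATTRS="mail telephoneNumber mobile"

# Fetch one user record as LDIF. LDAPTLS_REQCERT=demand makes ldapsearch refuse a
# certificate that does not chain to OD_CA or does not match OD_HOST, the same
# condition the portal's "Verify Server Certificate" enforces. Setting it here
# means the result does not depend on whatever TLS_REQCERT /etc/openldap/ldap.conf
# happens to carry. REQUIRED_ATTRS is deliberately unquoted so it word-splits.
od_fetch_user() {
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$OD_CA" \
    ldapsearch -LLL -H "ldaps://$OD_HOST:$OD_PORT" -D "$OD_BIND" -W \
        -b "cn=users,$OD_BASE" "(uid=$1)" $REQUIRED_ATTRS
}

# Read LDIF on stdin and print the required attributes that are absent (an empty
# line when everything is present). Attribute names are matched case-insensitively
# because LDAP treats them that way.
od_missing_attrs() {
    ldif="$(cat)"
    missing=""
    for attr in $REQUIRED_ATTRS; do
        if ! printf '%s\n' "$ldif" | grep -qi "^${attr}:"; then
            missing="$missing $attr"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: what ldapsearch returns for a user who has an e-mail address
# and a PhoneNumber set in Directory Utility but no MobileNumber yet.
SAMPLE_LDIF='dn: uid=jdoe,cn=users,dc=macserver,dc=test
mail: jdoe@macserver.test
telephoneNumber: +1 555 0100'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LDIF" | od_missing_attrs ;;
    "")     echo "usage: $0 --demo | <uid>" >&2 ;;
    *)      od_fetch_user "$1" | od_missing_attrs ;;
esac
```

Run `sh od_check.sh --demo` to see the check against the constructed sample (it reports `mobile` as missing), or `sh od_check.sh jdoe` against your own server. A certificate that does not chain to the CA bundle or does not match the hostname makes ldapsearch fail before any bind happens, which is exactly the failure the portal's Verify Server Certificate setting exists to surface.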

This concludes the OpenDirectory Integration guide for the Centrify Identity Platform.  We try to make our solution open to all sources of truth, and many companies use OpenDirectory as their directory of choice. Good luck and thanks for reading.

Step 1. Use Apple Configurator 2 to create the desired WiFi setting, then export the profile.

1. Launch Apple Configurator and select File > New Profile.

2. Enter a display name for the profile in General. 

3. In the left column, select WiFi, click the Configure button, then enter your WiFi settings.

4. Once you have completed your configuration, go to File > Save.

 

Step 2. Upload the saved .mobileconfig profile to your domain controller at \\yourdomain\SYSVOL\yourdomain\mobileconfig. Create this directory if it does not exist.

 

Step 3. Specify the profile in one of the following GPO settings to apply the WiFi settings:

  • Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles or
  • User Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles

[Screenshot: Install MobileConfig Profiles]

 


 


 

 

How to deploy Safari extension to Mac using Centrify

By Centrify Advisor IV on 06-14-2017 01:43 AM - last edited 06-14-2017 01:37 PM

**Disclaimer: the deployment depends on the version of macOS/Mac OS X and Safari and might not work in later versions.**

 

Below are the steps for deploying the extension with Centrify group policy and AppleScript (the scripts are provided as samples; modify them to fit your environment):

 

1. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Copy Files” group policy to copy centrify.safariextz (version 1.150.17052 at the time of writing; replace it with the newest if there is one), safari-ext.sh and safari.scpt to /tmp/ on the Mac. Note that /tmp is world-writable, so if your environment allows it, a root-owned directory is a safer location for scripts that the later steps run as root.

 

2. Set the file permissions to 0755 and the owner UID and GID to 0.

 

3. Please also check the box for “Copy as binary” in the GP.

[Screenshot: Copy Files group policy]

 

 

4. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Specify command to run” group policy to run safari-ext.sh (“sudo /tmp/safari-ext.sh”), which enables GUI scripting for AppleScript.

[Screenshot: Specify command to run group policy]

 

5. Use the “Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > Specify multiple login scripts” group policy at machine level for the script safari-ext2.sh, which runs the AppleScript.

[Screenshot: Specify multiple login scripts group policy]

 

6. Once the three group policies above are configured, run adgpupdate as the AD user; the extension will be installed at the next user login session.

[How to] Manage access to Dropbox

By Centrify Advisor I on 06-08-2017 03:18 PM

Ensure access to Dropbox and other Apps from managed devices only


This blog will show you how to join a Mac OS X computer to a domain and enroll it in the Centrify Identity Service platform at the same time. Typically, an Active Directory administrator performs this procedure but, during the enrollment steps, assigns the computer to a different Active Directory user account.

The assigned user is added to the identity platform as the device owner and is able to view and manage the enrolled computer through the Centrify user portal. An identity platform administrator can assign the user to one or more roles that determine the applications, permissions, and policies that apply to the user on this computer.

Here is how to use Centrify Join Assistant to join a computer to a domain and enroll it in the identity platform:

 

1. First, you will need the following accounts:

a. An Active Directory account that can join a computer to the domain

 

[Screenshot: AD admin account]


b. An administrator with System Administrator or Device Management permissions in the Admin Portal.

[Screenshot: cloud admin account]

 


c. An Active Directory user account.

[Screenshot: Jane Doe user account]

 

2. Download the Centrify DirectControl agent onto the Mac from the Support Portal Download Center.



3. Install the Centrify DirectControl agent.

 

[Screenshots: installer sequence - Downloads folder, Install CDC, Continue, Agree to license, enter local admin password, installation, Select Join Assistant]

4. After installation, open System Preferences > Centrify > Centrify Join Assistant.

[Screenshot: Join Assistant]

At the Welcome page, click Continue.

 

[Screenshot: Join Assistant welcome page]

Enter the local admin password.

 

[Screenshot: enter local admin password]

Enter the domain you would like to join the Mac to, along with the username and password of the Active Directory account that has permission to join computers to the domain.

 

[Screenshot: enter AD credentials]

Click Continue.

 

Decide whether you are using Auto Zone or Zone mode for the user and computer objects. Select the option "Enroll with Centrify Cloud Service to enable remote management". Enter the container DN where you would like to place the computer object.

 

[Screenshot: License Mode page]


Click Join and the Mac will begin to join the domain.

 

[Screenshot: joining the Mac]

After the join to the domain is completed, you will be prompted to enter the Identity Service URL and the username of the user you would like to enroll the device for.

[Screenshot: enrolling for jane.doe]

The enrollment of the device will then begin.

[Screenshot: enrolling with the cloud service]

When the enrollment has completed, you will receive confirmation that the enrollment for the user was successful.

[Screenshot: enrollment successful]

When the user logs in to the Centrify User Portal, they will see the device listed under the Devices section.

[Screenshot: device listed in the user portal]

 

Organizations may need to configure the screen saver start time for security or compliance. This article will show you how to use Active Directory group policies to prevent users from changing the screen saver start time. 

 

[Screenshot: screen saver start time locked]

 

Step 1. On a Mac, create a custom profile with Apple Configurator 2

1. Launch Apple Configurator 2. You can also create this profile with Profile Manager.

2. Go to File > New Profile.

3. Enter a profile name in the Name field.

[Screenshot: profile name]

 

4. Then go to Passcode in the left column and set a time for Maximum Auto-Lock.

[Screenshot: Maximum Auto-Lock]

5. Go to File > Save.

 

Step 2. Upload the profile to SYSVOL

1. Go to \\<domain>\SYSVOL\<domain> and create a mobileconfig folder if it does not exist.

2. Upload the profile to the mobileconfig folder.

3. In the Group Policy for your Macs, enable Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles.

[Screenshot: Install MobileConfig Profiles]

4. Click on the Add button, enter the name of your profile, then click OK.

5. Click OK.

 

The policy will apply at the next group policy interval, or you can launch Terminal on the Mac and run adgpupdate to apply it immediately.

This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.

 

The Centrify Mac Diagnostic Tool location:
/Library/Application Support/Centrify/MacDiagnosticTool.app

  

 

Centrify Agent

 

To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation domain.com

 

To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename domain.com

 

To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username 

 

To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove

 

To leave the domain without contacting Active Directory, leaving the computer object untouched:
sudo /usr/local/sbin/adleave --force

 

To print information for the domain:
/usr/local/bin/adinfo

 

To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag

 

To view licensing mode:

/usr/local/sbin/adlicense

 

To enable licensed features:

sudo /usr/local/sbin/adlicense --licensed

 

To look up an Active Directory user's information:

/usr/local/bin/adquery user -A username

 

To look up an Active Directory computer's information:

/usr/local/bin/adquery user -A computername$

 

To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):

 

/usr/local/bin/adquery user -b managedBy computername$

 

To look up an Active Directory group's information:

/usr/local/bin/adquery group -A groupname

 

To change the currently logged in user's Active Directory password:

/usr/local/bin/adpasswd

 

To change an Active Directory user's password:

/usr/local/bin/adpasswd --adminuser domain_admin_username username@domain.com

 

To flush the Mac agent cache (Active Directory users will need to login again to cache their credentials after this is ran):

sudo /usr/local/sbin/adflush

 

The location of the Centrify configuration file:
/etc/centrifydc/centrifydc.conf

 

The location of Centrify Kerberos tools:
/usr/local/share/centrifydc/kerberos/bin/

 

To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart 


 

To turn on logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug on

 

To turn off logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug off

 

To clear out the current log file:

sudo /usr/local/share/centrifydc/bin/cdcdebug clear


Log file location:
/var/log/centrifydc.log

 

To uninstall the Mac agent:
sudo /usr/local/share/centrifydc/bin/uninstall.sh

 

To uninstall silently:
sudo /usr/local/share/centrifydc/bin/uninstall.sh --std-suite

 

 

Group Policy

 

To force group policy updates for both user and machine policies:
/usr/local/bin/adgpupdate

 

To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User

 

To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer

 

To view the currently set group policies:

/usr/local/bin/adgpresult

 

To view the currently set user group policies:

/usr/local/bin/adgpresult --user username

 

To view the currently set machine group policies:

/usr/local/bin/adgpresult --machine

 

The location of computer group policy reports:
/var/centrifydc/reg/machine/gp.report 

 

The location of the user group policy reports:
/var/centrifydc/reg/user/username/gp.report  

 

The location of login scripts:
/var/centrifydc/loginscripts/machine
/var/centrifydc/loginscripts/user/username

/var/centrifydc/scripts/additional/login
/var/centrifydc/scripts/additional/logout

 

To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain

 

To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain

 

The location of machine certificates:
/var/centrify/net/certs

 

The location of user certificates:
~/.centrify

/Users/username/.centrify

 

 

Directory Services

 

To see if the machine is joined to the domain using the Apple plugin:
/usr/sbin/dsconfigad -show

 

To unbind from the domain using the Apple plugin:

sudo /usr/sbin/dsconfigad -remove -username domain_admin_username

 

To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users

 

To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users

 

To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username

 

To list all of the groups in the DirectoryService and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups


 

To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups

 

To display detailed information about the specified Active Directory group name:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname

  

 

FileVault

 

To see if FileVault is enabled:

/usr/bin/fdesetup status

 

To list FileVault enabled users:

/usr/bin/fdesetup list

 

To disable FileVault:

sudo /usr/bin/fdesetup disable

 

To add a local or mobile account to the FileVault user list:

sudo /usr/bin/fdesetup add -usertoadd username

 

 

Smart Card

 

To see if smart card support is enabled: 
/usr/local/bin/sctool --status

 

To enable smart card support: 
/usr/local/bin/sctool --enable

 

To disable smart card support: 
/usr/local/bin/sctool --disable

 

To dump out all the certificates and Active Directory information present on the smart card:

/usr/local/bin/sctool --dump

 

To get a new kerberos ticket: 

/usr/local/bin/sctool --pkinit

 


Centrify provides an account migration tool that simplifies the process of converting a local account's home directory into the Active Directory account. Migrating the account helps to save the user's files, application settings, and browser bookmarks.


Centrify Identity Service now includes a turnkey Munki solution for application management for managed Macs delivering a best in class user experience without any setup or configuration hassle.


 

This article will show you how to secure access to a web application by allowing access only from a device that has been enrolled in Centrify's MDM, or by prompting for multi-factor authentication when access comes from a non-managed device.

 

Enroll your device into Centrify MDM

 

Configure policies

1. Log into the Centrify Admin Portal.

 

2. On the left, navigate to Core Services > Policies, then edit an existing policy by clicking on the name of the policy or create a new one by clicking Add Policy Set.

 

[Screenshot: select policy set]

 

3. In the policy, go to Login Policies > Centrify Portal. Scroll down to the section called Other Settings.

 

[Screenshot: ZSO settings]

   a) Uncheck "Allow IWA connections (bypasses authentication rules and default profile)"

   b) Place a check next to the following two check boxes:

     - Use certificates for authentication (bypasses authentication and default profile.)

     - Connections using certificate authentication satisfy all MFA mechanisms

   c) Press Save.

 

4. Edit your web application and select Policy from the left column, then click Add Rule.

 

[Screenshot: Add policy]

 

5. When a new window appears, click Add Filter.

 

[Screenshot: Add Filter]

 

 

6. Select Managed Device and desired condition, then click Add.

 

[Screenshot: filter condition]

 

 

7. Select an Authentication Profile such as - Not Allowed - or a predefined authentication profile that performs multi-factor authentication to access the web application.

 

[Screenshot: filter authentication profile]

 

8. Select a Default Profile of - Always Allow - or a predefined authentication profile that performs multi-factor authentication for users on managed devices.

9. Press Save when your configuration is complete.

 


Using local MacOS administrator accounts can lead to security and compliance issues such as unauthorized sharing of the administrator password with non-administrators or remote access by a former employee. The secure approach is to grant Active Directory users Mac administrator rights to minimize risk and meet regulatory compliance. This article will show you how to grant Mac administrator rights to Active Directory users through Centrify's Active Directory group policy settings.

 

 1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group

 

[Screenshot: Map zone groups to local admin group]

 

   a) Click on the Add... button. A new window will appear.

 

[Screenshot: click Add to add a group]

 

   b) Click on the Browse button. A new window will appear. You can enter a group name manually in this window, but it is better to browse and select the group to ensure the proper group name is entered.

 

 

[Screenshot: selecting a group]

 

   c) Enter a keyword into the Name field for the Active Directory group that you want to add, then click Find Now. Make sure you add the IT/helpdesk team and any user who needs admin rights on the Mac. Everyone in the mapped group becomes a local administrator on every Mac the GPO applies to, so keep its membership small and reviewed.

 

[Screenshot: type group name]

 

   d) Select the desired group name and click OK.

 

[Screenshot: select desired group]

 

The setting will apply when the user logs out and logs back in.

 

If your Mac is using Zone mode, use the following article: https://centrify.force.com/support/Article/KB-3049-How-to-use-the-Map-zone-groups-to-local-admin-gro...

 

 

Prevent unauthorized access and minimize risk by restricting MacOS login access to specific Active Directory users or groups. 


How to retain the user's Mac home directory when a user wants to change their name after marriage or divorce.


Want to configure wireless settings for your users without having to manually touch each device? With the Centrify Identity Service, WiFi settings can be pushed to Mac, iOS, and Android mobile devices using policy.


Quick Mac Troubleshooting Tip/Tool

By Centrify Contributor III on 12-23-2016 12:23 PM

A Little Mac Testing Help

 

When I am testing new group policy configurations for the Mac, I like to have the Centrify Mac Diagnostic tool at the ready. Here are the steps that I use to put the Diagnostic tool on the Dock. The MacDiagnosticTool allows the tester to quickly see via a graphical interface the following:

 

  • AD Connectivity and Network Information for the Machine
  • Group Policy Settings that are being applied to the machine
  • User Information such as their UID, AD Group Membership etc.
  • Centrify Debug Information
  • And contact information for Centrify Support.

 

 

 


The attached script can be used with the Deployment Manager to unbind a Mac that is bound to Active Directory via the Apple Directory Services plugin. This will allow mass deployments of the Centrify agent with binding to Active Directory using the Centrify Directory Services plugin.


Center for Internet Security (CIS) Security Benchmarks are consensus-based security configuration guides developed and accepted by government, business, industry, and academia. The benchmarks are used by organizations worldwide to help meet compliance requirements for FISMA, PCI, HIPAA and more. The CIS Apple OSX 10.11 Benchmark provides prescriptive guidance for establishing a secure configuration posture for Apple OS X 10.11. Centrify makes it possible to manage these security settings on the Mac through Active Directory group policies.

 

Note: Be sure to test and review the settings before deploying into production. Some settings may interfere with normal operations.

 

1.2 Enable Auto Update

See instructions 

 

1.3 Enable app update installs

See instructions

 

1.4 Enable system data files and security update install

See instructions

 

1.5 Enable OS X update installs

See instructions

 

2.2.1 Enable "Set time and date automatically"

Centrify will automatically configure the Mac to use your domain controller for the NTP service when the Mac is bound to AD through the Centrify agent.

 

2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver

See instructions

 

2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver

See instructions

 

2.4.1 Disable Remote Apple Events

See instructions

 

2.4.2 Disable Internet Sharing

See instructions

 

2.4.4 Disable Printer Sharing

See instructions

 

2.4.5 Disable Remote Login

See instructions

 

2.4.8 Disable File Sharing

See instructions

 

2.4.9 Disable Remote Management

See instructions

 

2.5.1 Disable "Wake for network access"

See instructions

 

2.5.2 Disable sleeping the computer when connected to power

See instructions

 

2.6.1 Enable FileVault

See instructions

 

2.6.2 Enable Gatekeeper

See instructions

 

2.6.3 Enable Firewall

See instructions

 

2.6.4 Enable Firewall Stealth Mode

See instructions

 

2.7.1 iCloud configuration

See instructions

 

2.7.2 iCloud keychain

See instructions

 

2.7.3 iCloud Drive

See instructions

 

4.3 Create network specific locations

See instructions

 

4.4 Ensure http server is not running

See instructions

 

4.5 Ensure ftp server is not running

See instructions

 

5.2.1 Configure account lockout threshold

The domain account lockout threshold policy will apply when the Mac is bound to Active Directory.

 

5.2.2 Set a minimum password length

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.3 Complex passwords must contain an Alphabetic Character

Domain password policies will apply when the Mac is bound to Active Directory. 

 

5.2.4 Complex passwords must contain a Numeric Character

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.5 Complex passwords must contain a Special Character

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.6 Complex passwords must contain uppercase and lowercase letters

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.7 Password Age

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.2.8 Password History

Domain password policies will apply when the Mac is bound to Active Directory.

 

5.6 Enable OCSP and CRL certificate checking

See instructions

 

5.8 Disable automatic login

See instructions

 

5.9 Require a password to wake the computer from sleep or screen saver

See instructions

 

5.10 Require an administrator password to access system-wide preferences

See instructions

 

5.12 Create a custom message for the Login Screen

See instructions

 

5.13 Create a Login window banner

See instructions

 

5.14 Do not enter a password-related hint

See instructions

 

5.15 Disable Fast User Switching

Fast User Switching is disabled by default, but the setting can be managed by Centrify through group policy. To learn more see instructions.

 

5.16 Secure individual keychains and items

See instructions

 

5.19 Install an approved TokenD for smartcard authentication

A TokenD module is automatically installed with the Centrify Mac Agent. See instructions for configuring smart card authentication.

 

6.1.1 Display login window as name and password

See instructions

 

6.1.2 Disable "Show password hints"

See instructions

A security researcher from Segment has disclosed a vulnerability in Microsoft Remote Desktop for Mac that lets a remote attacker execute arbitrary code on the target machine. The advisory lists version 8.0.36 as affected, and "probably prior" versions as well. Until Microsoft ships a patch, the suggested mitigation is to temporarily disable the Microsoft Remote Desktop client on the Mac.

 

Using Centrify, enable the following group policy settings to block Microsoft Remote Desktop from being launched on the Mac.

 

Step 1. Enable: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 

Loopback.png

 

Set the policy to Enabled and the mode to Merge.

 

LoopbackMerge.png

 

Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Application Access Settings > Permit/prohibit access to applications. For Access mode, select User can open all Applications except these.

 

Prohibit applications.png

 

 

Step 3. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Application Access Settings > Permit/prohibit access to the user-specific applications.

 

User-specific applications.png

 

Click Add and enter com.microsoft.rdc.mac.

 

The policy will apply the next time the user logs out and logs back in. When the user attempts to launch Microsoft Remote Desktop, the following dialog boxes will appear.

 

RDP restricted.png 

 

How to get the CFBundleIdentifier for other Mac applications you want to block.
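The Centrify policy above keys on the application's CFBundleIdentifier, so you need that string for every app you add to the prohibit list. On a Mac, defaults read, mdls or osascript will print it for an installed bundle; the script below is an added example (not Centrify's or Microsoft's code) that reads the key straight out of an app's Info.plist with awk, so the same lookup also works for a bundle copied to a build server. The sample Info.plist it creates is constructed for the demonstration; the identifier com.microsoft.rdc.mac is the one the article uses.

```shell
#!/bin/sh
# Added example, not part of the Centrify article. On a Mac any of these prints the
# identifier directly (all are standard macOS commands):
#   defaults read "/Applications/Microsoft Remote Desktop.app/Contents/Info.plist" CFBundleIdentifier
#   mdls -name kMDItemCFBundleIdentifier -raw "/Applications/Microsoft Remote Desktop.app"
#   osascript -e 'id of app "Microsoft Remote Desktop"'
# bundle_id reads an XML Info.plist with plain awk instead. For a binary plist, convert first:
#   plutil -convert xml1 -o - Info.plist | bundle_id /dev/stdin
set -eu

# bundle_id <Info.plist> : print the <string> value that follows the CFBundleIdentifier key.
# Handles the key and value on one line or on consecutive lines; prints nothing if absent.
bundle_id() {
  awk '
    /<key>CFBundleIdentifier<\/key>/ { want = 1; sub(/.*<key>CFBundleIdentifier<\/key>/, "") }
    want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  ' "$1"
}

# bundle_id_app <path/to/Foo.app> : same lookup for a whole application bundle.
bundle_id_app() {
  bundle_id "$1/Contents/Info.plist"
}

# Constructed stand-in for an app bundle (this is NOT Microsoft's real Info.plist),
# so the script runs anywhere, including on a non-Mac box.
SAMPLE_APP="${TMPDIR:-/tmp}/Sample Remote Desktop.app"
mkdir -p "$SAMPLE_APP/Contents"
cat > "$SAMPLE_APP/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Microsoft Remote Desktop</string>
    <key>CFBundleIdentifier</key>
    <string>com.microsoft.rdc.mac</string>
    <key>CFBundleShortVersionString</key>
    <string>8.0.36</string>
</dict>
</plist>
EOF

# This is the value you paste into "Permit/prohibit access to the user-specific applications".
bundle_id_app "$SAMPLE_APP"
```

Because the Centrify block is matched on the bundle identifier rather than the path or display name, it still applies if a user copies or renames the application; it does not, however, stop a binary that ships with a different identifier, so check every build you intend to block.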

Restricting access to the USB port can help protect Macs against some USB attacks and help prevent data from being copied to external USB drives. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies. 

 

Step 1. Enable: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 

Loopback.png

 

Set the policy to Enabled and the mode to Merge.

 

LoopbackMerge.png

 

Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Media Access Settings > Permit/prohibit access: External Disks and select the desired access setting.

 

USB port policy.png

 

For more details regarding this setting and other media access settings, see documentation on Media Access Settings.

Many federal IT departments are being told to provide 2-factor authentication not only for all logins, but also for all privilege elevations, including the launching of critical applications. Here’s how Centrify can help.


Requiring an administrator password to access system-wide preferences prevents users from changing locked system preferences without an administrator's password. This setting improves data and device security and satisfies the corresponding CIS (Center for Internet Security) benchmark requirement and similar security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies. Once the policy has applied, security authorizationdb read system.preferences on the Mac should show the shared key set to false.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to unlock each secure system preference

 

RequirePasswordSysPref.png

 

 The policy will apply after the next group policy interval.

 

If you want to block access to certain System Preferences panes from administrators read the article

Restricting System Preferences access

[Mac] Enable Gatekeeper

By Centrify Advisor IV on 11-04-2016 09:44 AM

Gatekeeper is Apple's code-signing-based application control: it blocks downloaded applications that did not come from the Mac App Store or were not signed by an identified developer from launching without an explicit user override. Enabling Gatekeeper improves data and device security and satisfies the corresponding CIS (Center for Internet Security) benchmark requirement and similar security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies. On a managed Mac, spctl --status reports "assessments enabled" when Gatekeeper is on.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable Gatekeeper

 

 

EnableGatekeeper.png

 

Step 2. Select the desired Gatekeeper setting

 

GatekeeperOptions.png

 

The policy will apply after the next group policy interval.

 


 

[Mac] Disable automatic login

By Centrify Advisor IV on 11-03-2016 10:03 AM

The automatic login feature stores a user's credentials and bypasses the login screen: the system logs that user in at startup or, on a FileVault-encrypted Mac, right after the credentials are entered at the pre-boot (EFI) unlock screen. Disabling automatic login improves data and device security and satisfies the corresponding CIS (Center for Internet Security) benchmark requirement and similar security standards. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Disable automatic login

 

DisableAutomaticLogin.png

 

The policy will apply after the next group policy interval and logout.

passwordhint.png

 

Disabling "Show password hints" improves data and device security and satisfies the corresponding CIS (Center for Internet Security) benchmark requirement and similar security standards. A password hint is text the user wrote to jog their own memory, and the login window shows it to anyone at the keyboard after repeated failed attempts; it may contain the password itself, or details that someone with basic knowledge of the user, or a little social engineering, can turn into the password. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

 

Showpasswordhints.png

 

Step 2. Make sure "Show password hints" is unchecked.

 

The policy will apply after the next group policy interval and logout.

nameandpasswordlogin.png Listofusers.png

 

Displaying the Mac login window as name and password fields instead of a list of local accounts improves data and device security and satisfies the corresponding CIS (Center for Internet Security) benchmark requirement and similar security standards. A user list hands anyone at the console a set of valid account names; with the name-and-password form an attacker has to know, or guess, both the account name and its password. Centrify enables the ability to manage this setting on the Mac through Active Directory Group Policies.

 

Step 1. Enable: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Set login window settings

 

Name and Password.png

 

Step 2. Select "Name and password" from pulldown list for Display login window as.

 

The policy will apply after the next group policy interval and logout.
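The three login window items covered above (disable automatic login, hide password hints, and display the login window as name and password) all live in /Library/Preferences/com.apple.loginwindow, so one check on the Mac confirms whether the group policy actually landed. The audit below is an added example, not part of the Centrify article: it parses the output of defaults read on that domain and reports each item against the keys the CIS macOS benchmark audits (SHOWFULLNAME, RetriesUntilHint, autoLoginUser). The two sample outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Centrify article: audit the login window policies from
#   defaults read /Library/Preferences/com.apple.loginwindow
# Keys checked (the same ones the CIS macOS benchmark audits):
#   SHOWFULLNAME = 1      -> login window asks for name and password, not a user list (6.1.1)
#   RetriesUntilHint = 0  -> password hints are never displayed (6.1.2)
#   autoLoginUser absent  -> automatic login is off (5.8)
set -eu

# lw_value <key> : print <key>'s value from `defaults read` output on stdin (empty if absent).
lw_value() {
  awk -v k="$1" '
    $1 == k && $2 == "=" {
      sub(/^[ \t]*[^=]*=[ \t]*/, ""); sub(/;[ \t]*$/, ""); gsub(/"/, ""); print; exit
    }'
}

# audit_loginwindow : reads `defaults read` output on stdin, prints one PASS/FAIL line per
# item, and returns 0 only if every item is in its hardened state.
audit_loginwindow() {
  input=$(cat)
  rc=0
  showfullname=$(printf '%s\n' "$input" | lw_value SHOWFULLNAME)
  hints=$(printf '%s\n' "$input" | lw_value RetriesUntilHint)
  autologin=$(printf '%s\n' "$input" | lw_value autoLoginUser)

  if [ "$showfullname" = "1" ]; then
    echo "PASS 6.1.1 login window asks for name and password"
  else
    echo "FAIL 6.1.1 login window shows the user list (SHOWFULLNAME=${showfullname:-unset})"; rc=1
  fi
  if [ "$hints" = "0" ]; then
    echo "PASS 6.1.2 password hints disabled"
  else
    echo "FAIL 6.1.2 password hints enabled (RetriesUntilHint=${hints:-unset})"; rc=1
  fi
  if [ -z "$autologin" ]; then
    echo "PASS 5.8 automatic login disabled"
  else
    echo "FAIL 5.8 automatic login enabled for user '$autologin'"; rc=1
  fi
  return $rc
}

# Constructed samples in the layout `defaults read` prints: one hardened Mac, one not.
HARDENED_SAMPLE='{
    RetriesUntilHint = 0;
    SHOWFULLNAME = 1;
}'
WEAK_SAMPLE='{
    autoLoginUser = alice;
    RetriesUntilHint = 3;
    SHOWFULLNAME = 0;
}'

printf '%s\n' "$HARDENED_SAMPLE" | audit_loginwindow
printf '%s\n' "$WEAK_SAMPLE" | audit_loginwindow || echo "remediate: login window policies have not applied"
```

On an enrolled Mac, source the file and pipe the live output in: defaults read /Library/Preferences/com.apple.loginwindow | audit_loginwindow. Because these policies take effect after the group policy interval plus a logout, a FAIL right after you push the policy usually just means the Mac has not refreshed yet; run adgpupdate (Centrify's command to pull group policy immediately), log out, and audit again before treating it as a real gap.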

Restricting users from making changes in System Preferences can improve security, lower the number of support tickets, and prevent users from reversing settings required for maintaining compliance. Centrify can block users from accessing System Preferences panes even if they have administrative rights on the Mac. The restriction is applied at the user level, so users such as IT staff can be excluded.

 

Step 1. Since this setting is user-based, you will need to enable loopback processing mode: Computer Configuration > Policies > Administrative templates > System > Group Policy > Configure User Group Policy loopback processing mode.

 

Loopback.png

 

Set the policy to Enabled and the mode to Merge.

 

LoopbackMerge.png

 

Step 2. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Use version specific settings

 

SystemPreferencesVersionSpecific.png

 

Step 3. Enable:  User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Mac OS X 10.10 or above Settings > Limit items usage on System Preferences

 

LimitItemUsageSysPref.png

 

Step 4. Enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > System Preferences Settings > Mac OS X 10.10 or above Settings > Enable System Preferences Panes > Enable built-in System Preferences panes

 

DisableSystemPreferencesPane.png

 

Step 5. Deselect the System Preferences pane you want to block users from accessing.

 

PreferencePaneList.png 

 

The policy will take effect when the user logs off and logs back in. When the policy is in effect, the disabled System Preferences pane(s) will be greyed out and not accessible even by domain users with Mac admin rights.

 

GreyedOutSystemPref.png

 

 


Remote Apple Events enables your Mac to accept Apple events from apps running on other computers. An Apple event is a task being performed on a Mac, such as “open this document” or “print.” With remote Apple events turned on, an AppleScript program running on another Mac can interact with your Mac. Disabling remote Apple Events is recommended for hardening your Macs from network attacks and a requirement for the CIS (Center for Internet Security) benchmark.

 

Step 1: Configure the following group policy setting and set it to Disabled: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Services > Enable remote Apple events

 

Remote Apple Events.png

 

Once the setting is configured, the policy will take effect at the next group policy interval. You can confirm on the Mac with sudo systemsetup -getremoteappleevents, which should report that remote Apple events are off.

Setting the inactivity time to trigger display sleep to a value larger than the inactivity time to trigger the screen saver is a recommendation by the CIS (Center for Internet Security) benchmark. If the display goes to sleep before your screen saver is triggered, users can mistakenly assume their computer is protected and walk away. 

 

Using Centrify, you can push out group policy settings to configure both the display sleep time and screen saver time to meet the security settings.

 

Configuring Display Sleep Time 

When configuring the display sleep time, be sure to configure both On AC power and On battery power settings.

 

1. Enable and configure: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Energy Saver > On AC power > Set display sleep time. Make sure the time is set longer than your screen saver time.

 

OnACpower.png

 

2. Enable and configure: Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Energy Saver > On battery power > Set display sleep time. Make sure the time is set longer than your screen saver time.

 

OnBatterypower.png

 

Once the settings are configured, the policy will take effect at the next group policy interval.

 

Configuring Screen Saver Time and Require Password

1. To meet the security policy to require a password to wake a machine from sleep, enable: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require password to wake this computer from sleep or screen saver

 

Requirepasswordfromsleep.png


2. Set the time to require a password after the Mac goes to sleep or screen saver begins. Make sure this time is less than the display sleep time.
Enable and configure: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Desktop Settings > Set computer idle time for Starting screen saver

 

Screensavertime.png

 

3. Since this is a User Configuration, you may need to also apply the following group policy setting:
Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode

 

Loopback.png


Set the Mode to Merge.

 

LoopbackMerge.png


Once enabled, this group policy takes effect at next user logon.
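To confirm the ordering on an enrolled Mac rather than trusting the policy result, compare the display sleep values from pmset -g custom (minutes, per power source, 0 meaning never) with the screen saver idle time from defaults -currentHost read com.apple.screensaver idleTime (seconds). The unit mismatch is the usual mistake when people eyeball these two numbers. The check below is an added example, not part of the Centrify article; the pmset output it uses is a constructed sample in the layout pmset prints, and the idle time is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the Centrify article: verify that the display never sleeps before
# the screen saver starts, for every power source the Mac reports.
# On a real Mac:
#   pmset -g custom | audit_sleep_order "$(defaults -currentHost read com.apple.screensaver idleTime)"
# pmset reports displaysleep in minutes (0 = never); idleTime is in seconds.
set -eu

# audit_sleep_order <idleTime-seconds> : reads `pmset -g custom` output on stdin, prints one
# line per power source, returns 0 only if display sleep is later than the screen saver everywhere.
audit_sleep_order() {
  awk -v idle="$1" '
    /Power:$/            { src = $0; sub(/:$/, "", src); next }
    $1 == "displaysleep" {
      mins = $2 + 0
      if (mins == 0 || mins * 60 > idle + 0) {
        printf "PASS %s: display sleep %s is after screen saver at %ds\n", src, (mins ? mins "m" : "never"), idle
      } else {
        printf "FAIL %s: display sleep %dm (%ds) is not after screen saver at %ds\n", src, mins, mins * 60, idle
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample in the layout `pmset -g custom` prints: battery too aggressive, AC fine.
PMSET_SAMPLE='Battery Power:
 lidwake              1
 displaysleep         2
 sleep                1
AC Power:
 lidwake              1
 displaysleep         10
 sleep                0'

# Screen saver at 5 minutes (300 s): battery display sleep at 2 min fails, AC at 10 min passes.
printf '%s\n' "$PMSET_SAMPLE" | audit_sleep_order 300 || echo "remediate: raise display sleep or lower the screen saver idle time"
```

Run it on both a docked and an unplugged laptop, since the two Energy Saver policies above are independent and it is easy to set only the AC value and leave the battery profile at its default.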
