The Salesforce Mobile App Configuration push deployment guide is a step-by-step guide on how to configure a mobile app configuration schema that pushes application settings to the Salesforce1 mobile application for iOS devices during installation. With the application configuration pushed to the mobile device, the user can make use of ZSO without having to configure any settings in the Salesforce1 mobile app.


Configure SAML single sign-on login for Watchman Monitoring® with just-in-time account creation using Centrify. 


Background

AWS WorkSpaces "allows customers to launch cloud-based desktops that allow end-users to access the documents, applic..." A cost-effective way to manage these desktops is to use Simple AD (an AWS-hosted Samba4-based directory that provides capabilities similar to Microsoft's Active Directory); this allows for centralized administration of users, policy enforcement, and Kerberos authentication.

 

Identity Assurance for Cloud-based Desktops

The goal of this article is to establish a lab to test MFA capabilities using Centrify technologies. 

As per the IAM model below, the first step is making sure that users accessing your AWS WorkSpaces are who they say they are, and with Centrify you can employ a variety of multi-factor or step-up methods.

 

model.png

 

With Centrify, organizations can secure Windows Systems by providing:

  • Access control using Centrify Zone technology
  • Strong Authentication with MFA at login, screen lockout or remote desktop
  • Privilege Elevation for application or administrative desktop

A complex requirement for some organizations is to run their own Active Directory Connector and RADIUS infrastructure (see details here); however, with the Centrify Agent for Windows and the endpoint capabilities of Identity Service, we can provide MFA at login and screen lockout while still using Simple AD.

 

In this lab, we'll use the Plan-Do-Check-Adjust methodology.

 

Planning

Planning Topics

  • Define the Authentication Factors required for AWS WorkSpaces MFA
    These could be true 2FA (Push MFA, OATH OTP, RADIUS, etc), step-up (E-mail, Phone Factor, SMS) or Multi-Secret (security question);  this defines your authentication profiles.
  • Define the use cases that require MFA:
    • At login
    • At screen unlock - will there be a grace period? (e.g. do not require MFA if the screen has been locked for less than 10 minutes)
    • At privilege elevation (if the WorkSpace is being used as a management workstation)
  • Configure which users get challenged for MFA (e.g. will there be exempt users?)
  • Will offline passcodes be allowed (to satisfy MFA when the WorkSpace can't connect to the Centrify service)? What will be the behavior of the dialog box?
  • What is the Directory architecture?
    There are different approaches for AWS-hosted (Simple AD, Microsoft AD or even your own using EC2 instances)
    Expect this to be the most important planning topic
  • How many Centrify connectors and what services are required?

 What's required?

  • Knowledge of AWS concepts: VPCs, EC2 instances, Security Groups, Directories and AWS WorkSpaces
  • Basic Knowledge of Centrify Identity or Privilege Service MFA
  • Identity Service or Privilege Service (SaaS) configured for MFA:
    • A Role with the Computer Login and Privilege Elevation administrative right (e.g. MFA Computers)
    • An authentication profile configured for Computer Login and Privilege Elevation
    • The AWS Workspace system has to trust the IWA root certificate for the tenant
    • A Centrify connector reachable by the AWS WorkSpace(s) VPC
  • AWS WorkSpace configured and running
    • A WorkSpaces Directory (Simple AD) and administrative credentials
      Note: any Active Directory or similar technology (including Simple AD or any AWS- or customer-managed Microsoft AD) will technically work as long as the communication requirements are met.
    • Your end-users must be populated in the directory with information for any MFA or step-up methods (e.g. telephone, mobile, e-mail, etc)
    • At least one Windows Server 2012 R2 or later EC2 instance in a security group that allows communication with the AWS WorkSpace Directory servers (HTTPS and TCP 8443 from the WorkSpaces systems outbound to the connector)
    • The connector's security group should have outbound HTTPS and Service Bus connectivity to the Centrify Identity or Privilege Service instance.
  • Software Requirements:
    • Centrify Group Policy Extensions (available from the Server Suite installation bits)
    • Centrify Agent for Windows (tm) - available from the Server Suite installation files or the downloads section of the Admin portal for Identity Service or Privilege Service. This post uses version 3.4.2.

In this lab, we'll run a Centrify Connector on a Windows Server joined to the AWS WorkSpaces directory; this EC2 instance is in a security group that allows IWA and AD communication with the directory service and its members. Alternatively, you could run the Centrify connector in a dedicated WorkSpace.

 

Implementation

Lab Overview

  1. Verify pre-requisites
  2. Launch an EC2 Windows Server instance, configure DNS and install Windows tools and features (RSAT-ADDS, GPMC)
  3. Join the system to the AWS WorkSpace directory and sign-in with an administrative user
  4. Create Structure in Active Directory (OUs, users)
  5. Install a Centrify connector on the EC2 instance and download the IWA Root Certificate
  6. Download and install the Centrify Windows Group Policy Extensions
  7. Configure PKI Trust and Centrify Agent Settings via Group Policy
  8. Launch an Amazon WorkSpace and download/install the WorkSpace client
  9. Configure the WorkSpace in the directory and authorize it for MFA
  10. Connect to the WorkSpace and install the Centrify Agent for Windows
  11. Test your configuration

 

Lab Diagram

aws-workspaces.png

Implementation

 

1. Verify Pre-Requisites

The most challenging part of this lab is to figure out the communication paths between the systems. In this lab we are over-simplifying the process, but in a real deployment always use the minimum set of ports needed for functionality.

 

  • Communications between the AWS WorkSpace directory and your EC2 instances
    Go to AWS Console > WorkSpaces > Directories and expand your Directory; note the Directory ID and the IP addresses (these are the IP addresses of your DCs and DNS servers)
    simplead1.JPG
    Go to AWS Console > EC2 > Instances > Security Group and select the Security Group designated for your EC2 Windows instances that will run the Centrify connector service (e.g. Connector group).
    simplead2.png
    Make sure that:
    - The connector group and the directory domain controllers can talk AD communications (DNS, Kerberos, LDAP, etc.)
    - The members of the domain (including AWS WorkSpaces systems) and the connector group can talk over HTTPS and TCP 8443.
    - The connector group has at least outbound HTTPS and Azure Service Bus connectivity with the Centrify Identity or Privilege Service tenant.
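The following PowerShell script is an added example (not part of the original post) that probes the three communication paths listed above; the DC addresses, domain name, connector host and tenant host are placeholders to replace with the values noted from the console, and it assumes Windows Server 2012 R2 or later for Test-NetConnection and Resolve-DnsName.

```powershell
# Added example, not from the original post. Run in an administrative PowerShell on the
# connector EC2 instance (Windows Server 2012 R2 or later). All names/addresses are placeholders.

$DirectoryDcs  = @('10.0.0.10', '10.0.1.10')       # placeholder: Directory IPs from AWS Console > WorkSpaces > Directories
$DomainName    = 'corp.example.com'                # placeholder: Simple AD domain name
$ConnectorHost = 'ec2-connector.corp.example.com'  # placeholder: EC2 instance that will run the connector
$TenantHost    = 'example.my.centrify.com'         # placeholder: tenant URL (as used later in this post)

# TCP ports a domain member must reach on the domain controllers for AD communications.
# DNS and Kerberos also use UDP, which Test-NetConnection cannot probe; DNS is exercised with a real query below.
$AdTcpPorts = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445; KerberosPasswd = 464 }

function Test-TcpPath {
    param([string]$Target, [int]$Port, [string]$Check)
    $ok = (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    $state = if ($ok) { 'OPEN' } else { 'BLOCKED' }
    [pscustomobject]@{ Check = $Check; Target = "${Target}:${Port}"; Result = $state }
}

$results = @()

# Path 1: connector group -> directory domain controllers (AD communications)
foreach ($dc in $DirectoryDcs) {
    foreach ($svc in $AdTcpPorts.GetEnumerator()) {
        $results += Test-TcpPath -Target $dc -Port $svc.Value -Check "Connector->DC $($svc.Key)"
    }
    # Real DNS lookup of the domain against each DC; this is what the ping test in section 2 relies on
    $answer = Resolve-DnsName -Name $DomainName -Type A -Server $dc -ErrorAction SilentlyContinue
    $state  = if ($answer) { 'OK' } else { 'FAILED' }
    $results += [pscustomobject]@{ Check = 'Connector->DC DNS lookup'; Target = "${dc}:53/udp"; Result = $state }
}

# Path 2: domain members (the WorkSpaces) -> connector over HTTPS and TCP 8443.
# Run this part from a WorkSpace once one exists; from the connector itself it only proves the listener is up.
foreach ($port in 443, 8443) {
    $results += Test-TcpPath -Target $ConnectorHost -Port $port -Check 'Member->Connector'
}

# Path 3: connector group -> Centrify tenant over outbound HTTPS.
# Service Bus connectivity is not probed here; its endpoints are listed in the connector documentation.
$results += Test-TcpPath -Target $TenantHost -Port 443 -Check 'Connector->Tenant HTTPS'

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Result -in 'BLOCKED', 'FAILED' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; fix the security group rules before joining the domain."
}
```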

 

2. Launch an EC2 Windows Server instance, configure DNS and install Windows tools and features (RSAT-ADDS, GPMC)

  1. Log in to your EC2 console (console.aws.amazon.com/ec2) and launch a current Windows Server instance in the security group designated for the connectors; this instance should have at least a dual-core processor and 8GB of RAM. In addition, it should have outbound internet connectivity (direct or via proxy).
  2. With the information collected about the AWS WorkSpace directory (the IP addresses of the directory servers), open the Network control panel (ncpa.cpl) and modify the TCP/IP properties of the network card.  In IPv4, add one of the IP addresses of the directory DCs as the primary and secondary DNS server entries for the EC2 Windows instance.
    ip-conn.JPG
    To verify connectivity, ping the domain; you should receive a response. Note that this can also be accomplished with a VPC DHCP options set.
  3. Open an administrative PowerShell, and add the AD remote admin tools as well as GPMC.
    Install-WindowsFeature RSAT-ADDS, GPMC

3. Join the system to the AWS WorkSpace directory and sign-in with an administrative user

  1. Join Active Directory using the System Applet or PowerShell
  2. When prompted, provide administrative credentials to the AWS WorkSpaces directory.
  3. When prompted to reboot, select yes, and reconnect to your system
  4. Sign-in with a directory privileged user (e.g. administrator)
  5. Verify that you can open the domain administrative tools like Active Directory Users and Computers (dsa.msc) and GPMC.msc

4. Create Structure in Active Directory (OUs, Users)

Note:  These steps will be described at a high-level.

  1. Open ADUC (dsa.msc)
  2. Create 2 OUs, one for the WorkSpaces computers, the other for the test Users (e.g. Staff)
  3. In the Staff OU, create your test users. Make sure you populate the information required for your MFA challenges (e.g. email and mobile number). I created two users: Lisa and Diana.
    aduc.JPG
  4. Stay logged in as a domain administrator.

5. Install a Centrify connector on the EC2 instance and download the IWA Root Certificate
Note: for detailed steps to install a Centrify connector, check out this help article.

  1. Sign-in to your Centrify instance as a privileged user (e.g. https://example.my.centrify.com)
  2. Go to Admin Portal > Settings > Network and click Add Centrify Connector
  3. Click on 64 bit, this will start the Connector download.
  4. When downloaded, double-click and follow the wizard for setup (you don't need mobile tools); when finished, the configuration wizard starts.
  5. Provide the Centrify tenant information and credentials, then follow the wizard (you don't need the activation or deleted items option).
  6. Verify that the Centrify applet displays a successful connection.
    successful.JPG
  7. Go back to the Centrify Admin portal and under Settings > Network > Centrify Connector, press refresh on your browser. You should see the newly-installed connector on the list; double-click it and go to IWA Service, then click on the "Download IWA root CA Certificate" link. This will download the tenant's Integrated Windows Authentication certificate, which is required for the client to communicate with the service.
    iwaroot.png

6. Download and install the Centrify Agent and the Centrify Windows Group Policy Extensions

  1. In the Centrify Identity or Privilege Service, go to the Admin Portal
  2. Click the administrator's name on the upper right corner and select Downloads and click Centrify Agents
  3. Download the Centrify Agent for Windows and the Centrify Windows Group Policy Extensions
  4. Double-click the Centrify Windows Group Policy Extensions and follow the wizard until the installation is complete.

7. Configure PKI Trust and Centrify Agent Settings via Group Policy

In this section, we'll distribute the IWA trust root certificate from the tenant using GPOs; we will import the GPO templates for the Centrify Agent for Windows.

 

  1. Open GPMC and expand your forest/domain
  2. Right click the WorkSpaces OU and select "Create a GPO in this domain and link it here" and give it a name
  3. Right-click the newly-created GPO and select Edit; this opens GP Editor.
  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities and right click the white space in the right pane, select Import
  5. In the Wizard, press next and then press browse to the location of the IWA Trust certificate from the previous section.  Once completed, you'll have the certificate for the tenant in this store.
    root-gpo.JPG
  6. Now, navigate to Computer Configuration > Policies > Centrify Settings
  7. Right-click Centrify Settings and select Add/Remove Templates, then press Add
  8. Select centrify_windows_settings, press Open, then press OK.
  9. Expand Centrify Settings > Windows Settings; you should have 2 sections: Common and MFA Settings
  10. Expand MFA Settings and on the right side, double-click "Specify credential providers to exclude from the logon screen" and enable the policy. In the box, add this string, {003D4E42-9B59-4818-9352-17B3F5D4ACAF}, to the beginning of the list (note the comma separator at the end). This will exclude the credential provider installed with AWS WorkSpaces.
    gpo-ex-cred.png
    Note: this step alters the connectivity behavior of the AWS WorkSpaces under that OU.  This means that the Windows Credential provider will be displayed after connecting to the WorkSpace.
  11. Leave GP Editor open; we'll return to it to make some tweaks.
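To confirm that the GUID in step 10 really is the credential provider present on your WorkSpace image before excluding it, here is an added PowerShell check (not from the original post) that enumerates the credential providers registered on a system; it assumes it is run on a WorkSpace and reads only the standard Windows registration keys.

```powershell
# Added example, not from the original post. Run on a WorkSpace (where the AWS credential
# provider is installed), in an administrative PowerShell. Read-only: nothing is changed.
$CpRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$AwsGuid = '{003D4E42-9B59-4818-9352-17B3F5D4ACAF}'   # GUID from step 10 above

function Get-CredentialProviderList {
    # Each subkey is a provider CLSID; its default value is the display name set by the installer
    Get-ChildItem -Path $CpRoot | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath).'(default)'
        # Resolve the COM server DLL so you can see which product the provider belongs to
        $clsid = Join-Path 'HKLM:\SOFTWARE\Classes\CLSID' $_.PSChildName
        $dll = if (Test-Path "$clsid\InprocServer32") { (Get-ItemProperty "$clsid\InprocServer32").'(default)' } else { '' }
        [pscustomobject]@{ Guid = $_.PSChildName; Name = $name; Dll = $dll }
    }
}

$providers = Get-CredentialProviderList
$providers | Format-Table -AutoSize

$aws = $providers | Where-Object { $_.Guid -eq $AwsGuid }
if ($aws) {
    "Found provider '$($aws.Name)' ($($aws.Dll)); excluding $AwsGuid via the GPO removes it from the logon screen."
} else {
    Write-Warning "$AwsGuid is not registered on this system; check the list above before applying the exclusion."
}
```

Run it again after gpupdate (section 10) to see which providers remain registered; the exclusion policy hides a provider from the logon screen but does not unregister it.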

8. Launch an Amazon WorkSpace and Download/Install the AWS WorkSpaces client

  1. Go to your AWS Console > WorkSpaces > WorkSpaces > Launch WorkSpaces
  2. Select a Directory:  pick the directory you are working with and press Next Step.
  3. Identify Users > search for users (e.g. Lisa or Diana), check the box and press Next Step
    lisa.JPG
  4. Select your bundle > pick your product (e.g. Windows 10 Standard)
  5. WorkSpaces configuration > pick the options as needed, press Next Step
  6. Review and launch > review and press Launch. You may have to wait up to 20 minutes at this step.
  7. In the meantime, you can download and install the WorkSpaces client.  You can obtain them from here:  https://clients.amazonworkspaces.com/
  8. Follow the instructions to install the WorkSpaces client in your platform.
  9. When the WorkSpace is available, note the registration information and register it with the AWS WorkSpaces client. Before connecting, continue to the next section.

9. Configure the WorkSpace in the directory and authorize it for MFA

  1. Monitor the WorkSpaces until the system is listed as available.
  2. In your connector Windows system, open ADUC (dsa.msc)
  3. Go to the Computers container; you should have a new system aside from the connector (e.g. IP-C0A8F12F)
  4. Move the computer object to the WorkSpaces OU (note: this can be automated).
    This will ensure that the GPO applies to the WorkSpace.
  5. Now, sign-in to Identity or Privilege Service > Admin Portal > Core Services > Roles > [select your role; e.g. MFA Computers] > Members > Add > Check computers and search for the system name, when you find it check it and press Add, then Save.
    mfa-comp.JPG
    Now the system is authorized to do MFA requests.  The next step is to connect to our WorkSpace, and install the Centrify Agent for Windows.
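Step 4 above notes that moving the computer object can be automated; the following is an added PowerShell routine (not from the original post) that does it from the connector host. It assumes the ActiveDirectory module from RSAT-ADDS (installed in section 2), an OU named WorkSpaces (placeholder) and the default IP-xxxxxxxx WorkSpace host naming; the connector host name is a placeholder.

```powershell
# Added example, not from the original post. Run on the connector EC2 instance as a
# directory administrator; needs the ActiveDirectory module (RSAT-ADDS from section 2).
Import-Module ActiveDirectory

$Domain        = Get-ADDomain
$ComputersCn   = $Domain.ComputersContainer                   # default container new WorkSpaces land in
$WorkSpacesOu  = "OU=WorkSpaces,$($Domain.DistinguishedName)" # placeholder: OU created in section 4
$ConnectorName = 'EC2AMAZ-CONNECTOR'                          # placeholder: the connector host must not be moved
$NamePattern   = '^IP-[0-9A-F]{8}$'                           # WorkSpaces default host name, e.g. IP-C0A8F12F

function Move-WorkSpaceComputers {
    # Moves WorkSpace computer objects still sitting in the Computers container into the WorkSpaces OU
    # so the GPO from section 7 applies to them. Returns the names handled (with -WhatIf, the names it would move).
    param([switch]$WhatIf)
    $handled = @()
    $candidates = Get-ADComputer -Filter * -SearchBase $ComputersCn -SearchScope OneLevel |
        Where-Object { $_.Name -match $NamePattern -and $_.Name -ne $ConnectorName }
    foreach ($computer in $candidates) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $WorkSpacesOu -WhatIf:$WhatIf
        $handled += $computer.Name
    }
    return $handled
}

function Get-WorkSpaceOuStatus {
    # Reports every WorkSpace-named computer object and whether it already lives under the WorkSpaces OU
    Get-ADComputer -Filter * |
        Where-Object { $_.Name -match $NamePattern } |
        Select-Object Name, @{ Name = 'InWorkSpacesOu'; Expression = { $_.DistinguishedName -like "*,$WorkSpacesOu" } }
}

# Refuse to run against a misspelled or missing OU rather than failing half-way through
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$WorkSpacesOu'")) {
    throw "OU $WorkSpacesOu does not exist; create it as described in section 4 first."
}

Move-WorkSpaceComputers -WhatIf                     # dry run: shows what would be moved
Move-WorkSpaceComputers | ForEach-Object { "Moved $_ to $WorkSpacesOu" }
Get-WorkSpaceOuStatus | Format-Table -AutoSize
```

The GPO still only applies after the WorkSpace refreshes policy, so the gpupdate /force and reboot in section 10 remain necessary.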

 

10. Connect to the WorkSpace, Refresh GPOs, Restart and Install the Centrify Agent for Windows

  1. Connect to your WorkSpace
  2. Since the AWS credential provider is excluded, you may have to re-authenticate after connecting.
  3. Open a command window and type gpupdate /force, then reboot the system.
  4. After reboot, reconnect to the system and log in as the test user
  5. Browse to the location of the installation bits for the Centrify Agent for Windows and shift+right click > Run as a different user > log in with a domain privileged user
    Welcome page > press Next
    EULA page > check the box and press Next
    Destination Folder > press Next
    Ready to install > press Install
    Completed page > press Finish. This will start the configuration wizard.
    Note: the configuration steps below can be set via Group Policy.
  6. Press Add Service; at this point, depending on the information in AD, the available services are shown
  7. Select 'Centrify Identity Services Platform'  and Press OK
    id-serv.JPG
  8. Select your tenant instance
    selinst.png
  9. Multi-factor authentication on Windows login > Enable > Press Add > select your test users (e.g. diana, lisa), press Next
    mfa-set.JPG
  10. The platform will attempt to enroll the system. If the IWA Root Certificate for the Centrify tenant was installed successfully via GPO refresh, this should be fine; if not, an error indicating this will be displayed. Alternatively, you can import the IWA root certificate manually into the trusted root certification authorities store of the system.
  11. The installation will prompt to reboot.  Reconnect to start testing.

 

Checking Functionality (Testing)

Here's a quick test matrix:

  • Verify MFA at login
  • Verify MFA at screen unlock
    success.png
  • Verify no MFA challenge if screen unlock is under defined grace period
  • Verify MFA with offline code if connector(s) are not available

 

Adjusting (Improvements)

Here are the potential improvements for this setup:

  • Add additional Centrify Connectors for High-Availability
  • Use WorkSpaces Application Manager to deploy Centrify Agent for Windows (tm) automatically
  • Use Group Policy to define which users are required to use multi-factor authentication
  • Use Group Policy to define whether MFA will be required during Windows unlock.

 


Step 1. Use Apple Configurator 2 to create the desired WiFi setting, then export the profile.

1. Launch Apple Configurator and select File > New Profile.

2. Enter a display name for the profile in General. 

3. In the left column, select WiFi, click the Configure button, then enter your WiFi settings.

4. Once you have completed your configuration, go to File > Save.

 

Step 2. Upload the saved mobileconfig profile to your domain controller: \\yourdomain\SYSVOL\yourdomain\mobileconfig. Create this directory if it does not exist.

 

Step 3. Specify the profile in one of the following GPO settings to apply the WiFi settings:

  • Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles or
  • User Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles

installWiFimobileconfig.png

 

For more details, see the documentation on computer configuration or user configuration.

 

Other settings to consider:

 

 

Ever want to generate a report for the status of particular local accounts? Need to know when a password is due back from a checkout? Here is a quick report to have in your back pocket. Plus, you will learn how easy it is to customize reports as well.


This tech blog explains how an Administrator can extend Active Directory to include Exchange server specific Active Directory attributes, in order to use some additional Exchange specific features with Office 365, even though Exchange server is not/was not installed on-premises.


The use case is to find out the most launched application (in the last 30 days) and, within that, find the person who used/launched that application, using existing tools.

Prerequisites:

  1. You need to have an Analytics entitlement.
  2. If you do not see one, please request one from your account representative.

[HowTo] - ServiceNow for Automated DirectAuthorize Validation

By Centrify on 06-30-2017 02:05 AM - last edited 08-11-2017 06:47 AM

Background

 

This technical blog post [with Video] serves as a follow-up to a previous lab "Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator."


The device is enrolled in an external MDM.

Applications like "ServiceNow" are managed by Centrify Identity Service.

Users want to use the native "ServiceNow" application on their mobile devices and achieve SSO.

Centrify Privilege Service Deployment Checklist

By Centrify Contributor III on 06-29-2017 01:46 PM - last edited a week ago

Your Centrify Privilege Service (CPS) deployment could go a lot smoother with this checklist. This checklist is a high-level overview of the necessary tasks to prepare, deploy, configure, and validate a CPS environment.


This article explains how to log out of CIS using an API command. Two ways of achieving this are shown.

The first obtains the content of the cookie from the internet browser, and the second uses the Postman application.

Talking about our supported local clients for remote sessions, one of the questions I often get is, "What about PowerShell?". In this post I will demonstrate how to launch PowerShell sessions from the Centrify cloud platform using PowerShell Web Access (PSWA).

 

pswa8.png


You may be familiar with storing shared account passwords and how to retrieve them via password checkouts using Centrify Privilege Service (CPS). But did you know that in addition to storing passwords, you can now also store secrets such as API keys/tokens and encryption keys within CPS? This short article will describe how you can store these secrets and make them available for use, while ensuring their security using role-based access control and multifactor authentication.

secret1.jpg

 

 

 

 


In this article, I'll discuss the methods that I use to capture and troubleshoot a new custom User-Name Password Application.


How to deploy Safari extension to Mac using Centrify

By Centrify Advisor III on 06-14-2017 01:43 AM - last edited 06-14-2017 01:37 PM

**Disclaimer: The deployment will depend on the version of macOS/Mac OS X and Safari and might not work in later versions**

 

Please find below the steps for making use of Centrify Group Policy and AppleScript (the scripts are provided as a sample and you can modify them to fit your environment's needs):

 

1. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Copy Files” Group Policy to copy centrify.safariextz (at the time of writing, it is version 1.150.17052; please replace it with the newest one if there is any), safari-ext.sh and safari.scpt to the following location on the Mac: /tmp/

 

2. Please set the file permissions to 0755 and the owner UID and GID to 0.

 

3. Please also check the box for “Copy as binary” in the GP.

Screen Shot 2017-06-14 at 4.22.56 PM.png

 

 

4. Use the “Computer Configuration > Centrify Settings > Common UNIX Settings > Specify command to run” Group Policy to run safari-ext.sh: “sudo /tmp/safari-ext.sh”. It is used to enable GUI scripting for AppleScript.

Screen Shot 2017-06-14 at 4.24.53 PM.png

 

5. Use the “Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > Specify multiple login scripts” Group Policy at machine level for the script safari-ext2.sh. It is used to run the AppleScript.

Screen Shot 2017-06-14 at 4.24.19 PM.png

 

6. Once done configuring the 3 GPs mentioned above, run adgpupdate as the AD user; the extension will then be installed at the next user login session.

How To: Configuring Confluence with a Custom SAML App

 

The following is a description of how to configure Confluence (Cloud) with Centrify via SAML:

 

  • Centrify Configuration:
  • Confluence Configuration:
    • Navigate to the SAML configuration within Confluence, found under "User Management."
      • Choose "SAML single sign-on" under "Authentication Method"
      • Under "Identity Provider Entity ID" copy and paste the "Issuer" URL from the Application Settings page in the App Config within The Centrify Identity Portal.
        • To get this value, navigate to Admin Portal > Apps > Confluence SAML App > Application Settings, and copy the URL under "Issuer."
      • Under "Identity Provider SSO URL" copy and paste the "Identity Provider Sign-in URL" from the Application Settings page in the App Config within The Centrify Identity Portal.
        • To get the value, navigate to Admin Portal > Apps > Confluence SAML App > Application Settings > Identity Provider Info > and copy the "Identity Provider Sign-in URL"
      • Under the "Public x509 Certificate" copy/paste the value of the "Signing Certificate" from the Application Settings page in the App Config within The Centrify Identity Portal
        • To get the value, navigate to Admin Portal > Apps > Confluence SAML App > Application Settings > Identity Provider Info > "Download Signing Certificate". After downloading the .cer file, open it in a text editor. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Copy all of the text in the file.

This completes the configuration of Confluence in both the Centrify Admin Portal and the Confluence Portal. After performing the steps above, you're ready to test your configuration. Log into the user portal with a Confluence user, and launch the app.

 

For more information regarding the Confluence configuration, please see here:

 

https://confluence.atlassian.com/cloud/saml-single-sign-on-873871238.html#SAMLsinglesign-on-SetupSAM...

 

As always, let us know if you were successful in configuring Confluence for SAML by commenting below.

FileVault 2 allows encryption of an entire drive to keep data secure. The Centrify Identity Service, Mac Edition gives you the ability to enable FileVault 2. This feature is enabled in a policy for enrolled Mac OS X devices.

Enabling FileVault 2 encryption using a policy at the Admin portal does not require a user to manage the computer object in Active Directory. It also does not require a mobile account to be created.

 

The below steps will show you how to enable the FileVault encryption policy, enroll the Mac OS X device and locate the recovery key.

 

Enable the FileVault encryption policy

 

To enable the FileVault encryption policy, go to the Centrify Admin Portal > Policies > Default Policy

 Policies.png

 

In the Default Policy, go to Mobile Device Policies > OS X Settings > Security and privacy settings

 

Enable FileVault.png 

 

 

 

 

Note: If you select Permit one-time display of recovery key on user’s Mac device, admin users see their recovery key the first time they log in after you enable the FileVault encryption policy. This is the only time users see the recovery key. 

 

Save the changes.

 

Enroll the Mac OS X device

 

On the Mac OS device, log into the Centrify User Portal. You will be prompted to enroll the device.

Enroll with Centrify.png

 

 

 

The download of the Centrify for Mac agent will begin.

 

Download begins for Centrify Agent.png

 

 

 

On the Mac system, log in as the local admin and install the Centrify for Mac agent by double-clicking on the .dmg file.

 

Install begins of Centrify Agent.png

 

 

 

Double-click on the CIS-Mac-Agent.pkg file to open the installation package.

 

 

Double click to open the package.png

 

A warning will appear regarding the software installation.

 Install Centrify Agent.png

 

 

 

At the Welcome page, click on 'Continue' to begin the installation.

 

Click here to begin installation.png

 

 

 

Click on Install to begin the installation.

Click on Install.png

 

Enter the username and password of the local admin account to install the software.

 

Enter local admin password.png

 

 

The installation will complete. Click on 'Launch Centrify Agent' to begin the device enrollment.

 

 

Installation complete.png

 

 

A confirmation message will appear for the successful install.

 

 

Installation confirmation.png

 

 

Enter the Centrify Directory Service or Active Directory username of the user that you would like to enroll the device for.

 

Enter username to enroll.png

 

 

 

Enter the password of the Centrify Directory Service or Active Directory user.

 

Enter password.png

 

 

 

Click Enroll to begin the device enrollment.

 

Click on Enroll.png

 

 

Enter the username and password of the local admin account.

 

Enter local admin password enrolling.png

 

The device enrollment will begin.

 

Device enrolling.png

 

 

Configure Safari for Single Sign-On.

 

Configure Safari.png

 

 

 

The Safari Single Sign-On configuration will show as completed.

Configure Safari complete.png

 

 

 

 

 

FileVault encryption is applied to enrolled devices when an administrator logs in. Encryption begins when the device is reset following an administrator log in. Only OS X users with administrative privileges can encrypt an enrolled device.


Refer to https://support.apple.com/en-us/HT204837 for more information about FileVault.

 

 

3) Wait about 15 minutes and log out as the local admin. You will then receive a prompt to enter the FileVault password.

 

Enter FileVault password.png

 

If you have enabled "Permit one-time display of recovery key on user’s Mac device", you will receive a prompt showing the recovery key.

 

Filevault Key.png

 

After reaching the desktop as the local admin, go to Finder > System Preferences > Security & Privacy. Go to the FileVault tab; the FileVault encryption will show as encrypting.

 

 

FileVault begin.png

 

 

When the encryption has ended, the status will show as finished.

 

Encryption end.png

 

 

 

 

Locate the recovery key

 

After the FileVault encryption policy is pushed and an enrolled device’s FileVault is turned on, you can retrieve the recovery key by selecting Show FileVault Recovery Key from the device’s action menu in Admin Portal. Please allow up to 12 hours for the key to appear at the Admin Portal.

 

 

FileVault Key Admin Portal.png

 

 

 

 

The device details will show that FileVault 2 is enabled.

 

Device Details Enabled.png

 

 

This confirms FileVault 2 has been enabled using the Centrify Identity Service Admin Portal on a Mac OS X device.

 

You can also enable FileVault 2 using Group Policies. Please see the below article:

 

http://community.centrify.com/t5/TechBlog/Using-Centrify-to-Implement-FileVault-2-Disk-Encryption-on...

This article is the first of a multipart series. Part I will cover the following:

  • The effect the current threat landscape is having on the business
  • Why access control is not enough
  • The benefit provided by active log monitoring solutions
  • How SIEMs help.

This technical blog post [with Videos] is intended to highlight the Centrify Identity Platform REST API Framework and its capabilities, specifically as it relates to automating the management of privileged accounts...


[How to] Manage access to Dropbox

By Centrify Advisor I 06-08-2017 03:18 PM

Ensure access to Dropbox and other Apps from managed devices only


Thank you for choosing Centrify!

 

The following is a step-by-step guide designed to help walk you through an integration of AWS to Centrify Identity Service. 

 

Install time ~ 1-3 hours

 

Requirements

  • AWS account
  • Centrify Identity Service account
  • Active Directory, LDAP or Centrify Cloud Directory
  • Windows Server for Centrify Connector (requirements below)

 

 

How to use guide

This guide is broken into two parts: (1) integrating AWS using SAML for single sign-on (Steps 1-20) and (2) enabling auto-user provisioning (Steps 21-35). The steps are sequential and recommended for a successful integration. 

 

 

Let's get started

 

1) Log into your Centrify Identity Service tenant. 

 

Screenshot 2017-06-04 17.25.08.png

 

2) Install the Centrify Connector by following this guide:

http://community.centrify.com/t5/TechBlog/How-To-Installing-Centrify-Cloud-Connector/ba-p/27840

 

3) Next, we must create roles in Centrify to contain users of AWS. Roles can contain users from Active Directory, LDAP or Centrify's Cloud Directory, and are a logical way of mapping users from your source directory to the roles you've defined in AWS. A minimum of one role must be used; for the purposes of this guide, we will create a Centrify role titled 'AWS-EC2-Admins'. This role will contain all AWS administrator users within your source directory. Additional roles that correspond to AWS roles can be created similar to the example role in this guide. To create a role, navigate to 'Roles' -> 'Add Role' to continue.

 

Screenshot 2017-06-04 17.26.01.png

 

4) Name the Centrify role ‘AWS-EC2-Admins'. You can create additional Centrify roles as needed. Click ‘Save’ to proceed.

 

Screenshot 2017-06-04 17.26.37.png

 

5) Click ‘Members’ then click ‘Add’ to begin adding the appropriate Active Directory users, or the security group that contains all AWS administrator users. 

 

Tip: It’s best practice to create a security group in your source directory that contains all users you have assigned to a particular AWS role. For example, if there are 5 administrator users in AWS, the same 5 users must exist as members of the 'AWS-EC2-Admins' role in Centrify. A 1-to-1 mapping allows Centrify to authenticate a user attempting to access AWS with their source directory username/password. It also lets the administrator create, modify and disable users' access from the source directory when it comes to provisioning and de-provisioning. 

 

Screenshot 2017-06-04 17.27.18.png

 

6) Once complete, navigate to 'Apps' -> 'Add Web Apps' and search for the AWS SAML + Provisioning template. 

 

 Screenshot 2017-06-04 17.29.41.png

 

7) When the AWS application template is added, you will arrive at the following screen. Add 'Your AWS Account ID' then click on the 'Download SAML Provider Metadata Document'. 

 

Screenshot 2017-06-04 17.30.19.png

 

8) Next, navigate to 'User Access' and choose the Centrify roles you've created. In this example, I've chosen two roles, 'AWS-EC2-Admins' and 'AWS-EC2-ReadOnly', which I created in Step 4 above. 

 

Screenshot 2017-06-04 17.30.32.png

 

9) Next, log in to your AWS console with an administrator account. Navigate to the Identity and Access Management (IAM) dashboard, then click 'Create Provider'. 

 

Screenshot 2017-06-04 17.31.06.png

 

10) Choose 'SAML' as the 'Provider Type'. Type 'Centrify' as 'Provider Name' and then upload the metadata document from Step 7 (Centrify) to AWS in the 'Metadata Document' field. Click 'Next Step' to continue. 

 

Screenshot 2017-06-04 17.31.47.png

 

11) Verify the provider information, then click 'Create' to continue. 

 

Screenshot 2017-06-04 17.31.55.png

 

12) Next, navigate to 'Roles' then click 'Create new role'. The purpose of this step is to define access policies for the different roles of users that will be using the service. 

 

Screenshot 2017-06-04 17.32.10.png

 

13) Select 'Grant Web Single Sign-On (WebSSO) access to SAML providers' option. 

 

Screenshot 2017-06-04 17.32.27.png

 

14) Verify the SAML provider (Centrify), then click 'Next Step' to continue. 

 

Screenshot 2017-06-04 17.32.38.png

 

15) Review the Role Trust policy document, then click 'Next Step' to continue. 

 

Screenshot 2017-06-04 17.32.50.png

 

16) Choose the appropriate policy for your role. In this example, I am choosing the 'AmazonEC2FullAccess' managed policy for my 'AWS-EC2-Admins' role; give read-only or more narrowly scoped roles a correspondingly narrower policy rather than reusing this one. Once chosen, click 'Next Step' to continue. 

 

Screenshot 2017-06-04 17.33.14.png

 

17) Give the role the same name as the corresponding Centrify role you wish to map to it (see Step 4 above). Click 'Create role' to continue. 

 

Tip: The AWS role name must exactly match the corresponding Centrify role name; Centrify uses the role name to identify which AWS role a user may assume when it issues the SAML assertion, so a mismatched name means the user will not be offered that role at the AWS console. 

 

Screenshot 2017-06-04 17.33.38.png

 

18) You've now successfully completed a SAML integration of AWS to Centrify. Navigate to your User Portal and verify that you are able to see the AWS tile in Centrify. Click on the tile to test access to AWS. 

 

Screenshot 2017-06-04 17.35.59.png

 

19) Choose the appropriate AWS role you have been granted and click 'Sign-in'. 

 

Screenshot 2017-06-04 17.36.13.png

 

20) Verify that you are able to log into the AWS console with the appropriate access that has been granted to you. 

 

Screenshot 2017-06-04 17.36.30.png

 

*** Step 20 completes the SAML only integration of AWS. Please review the steps below which walk through how to enable provisioning. ***

 

21) To enable provisioning in Centrify, navigate to the 'Provisioning' menu in Centrify and click on the 'Enable provisioning for this application'.

 

Tip: You have the option of enabling provisioning in 'Preview Mode' or 'Live Mode'. Preview mode is a non-production sync. It is recommended that you complete the initial provisioning setup using preview mode before committing the integration in production. 

 

Screenshot 2017-06-04 17.36.58.png

 

22) Add an AWS administrator's 'Access key' and 'Secret' to the fields in Centrify. To obtain the values, navigate to the 'Delete your root access keys' field in AWS and click 'Manage Security Credentials'. Note that this page belongs to the AWS root user; for anything beyond a lab, create a dedicated IAM user that holds only the IAM user and group permissions provisioning needs, use that user's access key here instead, and do not leave active access keys on the root account. 

 

Screenshot 2017-06-04 17.37.39.png

 

23) Next, click 'Continue to Security Credentials'. 

 

Screenshot 2017-06-04 17.37.47.png

 

24) If you don't already have an access key, click 'Create New Access Key'. 

 

Screenshot 2017-06-04 17.37.59.png

 

25) Copy the 'Access Key' and 'Secret' from AWS to Centrify. Once complete, click 'Verify' in Centrify to continue. 

 

Screenshot 2017-06-04 17.38.55.png 

 

26) If successful, additional provisioning configurations appear in Centrify. In this section, you can choose provisioning rules, such as disabling the user's AWS account when the user is deleted from the source directory. 

 

Screenshot 2017-06-04 17.39.22.png

 

27) Next, we must create groups in AWS for Centrify to provision users into. In AWS, navigate to 'Groups' then click 'Create New Group' to continue. 

 

Screenshot 2017-06-04 17.39.56.png

 

28) Name the group to match the corresponding role you have created in Centrify (see Step 4 above). Click 'Next Step' to continue. 

 

Screenshot 2017-06-04 17.40.26.png

 

29) Choose the appropriate policy for each role. Click 'Next Step' to continue. 

 

Screenshot 2017-06-04 17.40.41.png

 

30) Finalize by clicking 'Create Group'. Create an AWS group for each corresponding AWS role you've defined in Centrify. 

 

Screenshot 2017-06-04 17.40.52.png

 

31) In Centrify, under 'Role Mapping', click 'Add'. Select the AWS role under 'Role'. Map the role to the destination group you've created in AWS (see Step 28 above). 

 

Screenshot 2017-06-04 17.41.57.png

 

32) Complete this mapping for all Centrify roles and AWS groups you've created. See below as an example of two Centrify roles mapped to two AWS groups. Click 'Save' to continue. 

 

Screenshot 2017-06-04 17.42.12.png

 

33) To finalize the integration, navigate to 'Settings' -> 'Users' -> 'Outbound Provisioning' -> 'AWS Web Services' application, then 'Start Sync'. 

 

Screenshot 2017-06-04 17.42.28.png

 

34) For the initial integration, click 'bypass caching and re-sync all objects' option, then 'Yes' to initiate the sync. 

 

Screenshot 2017-06-04 17.42.35.png

 

35) Switch to your 'User Portal' and verify that you can log into AWS by clicking on the tile and choosing the appropriate role. 

 

Screenshot 2017-06-04 17.35.59.png
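The following is an added example, not code from the guide or from Centrify or AWS. It writes out the two IAM policy documents behind Steps 12-17 and 22-25 (the SAML trust policy AWS generates for a WebSSO role, and an identity policy for a dedicated provisioning user that replaces the root access keys) and checks the 1:1 naming that Steps 17 and 28 depend on. The account ID and role names are placeholders, and PROVISIONING_ACTIONS is an assumed least-privilege set that must be confirmed against Centrify's own documentation before use.

```python
"""Added example (not part of the original guide): IAM policy documents for
the SAML role (Steps 12-17) and a dedicated provisioning user (Steps 22-25),
plus a check of the role/group name mapping required by Steps 17 and 28.
ACCOUNT_ID, the role names and PROVISIONING_ACTIONS are placeholders or
assumptions, not values from the page."""
import json
import re

ACCOUNT_ID = "123456789012"          # placeholder: 'Your AWS Account ID' from Step 7
PROVIDER_NAME = "Centrify"           # 'Provider Name' entered in Step 10
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
IAM_NAME = re.compile(r"^[\w+=,.@-]{1,64}$")   # IAM role/group name rules (no spaces)


def saml_trust_policy(account_id=ACCOUNT_ID, provider=PROVIDER_NAME):
    """Trust policy AWS generates for a 'WebSSO access to SAML providers' role
    (Step 15): only assertions from the named provider, issued for the AWS
    sign-in audience, may call sts:AssumeRoleWithSAML."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(role_name, account_id=ACCOUNT_ID, provider=PROVIDER_NAME):
    """Value of the https://aws.amazon.com/SAML/Attributes/Role attribute the IdP
    must send for the user to be offered this role on the sign-in page (Step 19)."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider}")


# Assumed least-privilege action set for a dedicated provisioning IAM user
# (Steps 22-25) instead of root access keys; verify against Centrify's docs.
PROVISIONING_ACTIONS = [
    "iam:ListUsers", "iam:GetUser", "iam:CreateUser", "iam:UpdateUser", "iam:DeleteUser",
    "iam:ListGroups", "iam:GetGroup", "iam:ListGroupsForUser",
    "iam:AddUserToGroup", "iam:RemoveUserFromGroup",
]


def provisioning_policy(actions=PROVISIONING_ACTIONS):
    """Identity policy for the provisioning user: IAM user/group management only.
    Resource is '*' because the iam:List* actions do not take a narrower ARN.
    No role, policy or access-key actions, so a leaked provisioning key cannot
    create new principals or credentials of its own."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def check_role_mapping(centrify_roles, aws_roles, aws_groups):
    """Problems with the 1:1 naming the guide requires: every Centrify role needs
    an identically named AWS role (Step 17, SSO) and AWS group (Step 28,
    provisioning); an AWS SSO role with no Centrify counterpart is flagged too."""
    problems = []
    for name in centrify_roles:
        if not IAM_NAME.match(name):
            problems.append(f"{name!r}: not a valid IAM name (no spaces, 64 chars max)")
        if name not in aws_roles:
            problems.append(f"{name!r}: no AWS role with this name, SSO role selection will fail")
        if name not in aws_groups:
            problems.append(f"{name!r}: no AWS group with this name, provisioning cannot place users")
    for name in sorted(set(aws_roles) - set(centrify_roles)):
        problems.append(f"{name!r}: AWS role has no Centrify role, review who can assume it")
    return problems


if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(), indent=2))
    print(json.dumps(provisioning_policy(), indent=2))
    print(role_attribute_value("AWS-EC2-Admins"))
    for p in check_role_mapping(["AWS-EC2-Admins", "AWS EC2 ReadOnly"],
                                {"AWS-EC2-Admins", "Stale-Role"}, {"AWS-EC2-Admins"}):
        print("mapping:", p)
```

Run it once with your real account ID and the role list from Step 8; the trust policy it prints should match what the console showed in Step 15, and the mapping check should come back empty before you click 'Start Sync' in Step 33.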

 

 

We hope this installation guide was helpful. For all other questions on how Centrify can help you consolidate user identities and solve the #1 cause of all cyber attacks, please contact us at https://www.centrify.com/about-us/contact/

 

Thank you for choosing Centrify!

 

The following is a step-by-step guide designed to walk you through an integration of Salesforce with Centrify. The integration allows a central directory of your choosing (e.g. Active Directory, Centrify Cloud Directory, LDAP or Google Directory) to act as the authentication/authorization mechanism for Salesforce. End-users will enjoy the benefit of a single sign-on login experience while administrators take advantage of a single user directory from which to manage the lifecycle of Salesforce users. 

 

Install time ~ 1-3 hours

 

Requirements

1) Salesforce account

2) Centrify Identity Service account

3) Active Directory, LDAP or Centrify Cloud Directory

4) Windows server for the Centrify Connector (see the Connector installation guide linked in Step 2 for its requirements)

 

 

How to use guide

This guide is broken into two parts: (1) integrating Salesforce using SAML for single sign-on (Steps 1-16) and (2) enabling auto-user provisioning (Steps 17-30). The steps are sequential and recommended for a successful integration. 

 

 

Let's get started

 

1) Log into your Centrify Identity Service tenant. 

 

Screenshot 2017-05-30 18.33.20.png

 

 

2) Install the Centrify Connector by following this guide:

http://community.centrify.com/t5/TechBlog/How-To-Installing-Centrify-Cloud-Connector/ba-p/27840

 

3) Next, we must create roles in Centrify to contain the users of Salesforce. Roles can contain users from Active Directory, LDAP or Centrify's Cloud Directory, and are a logical way of organizing users from your source directory into the roles you've defined in Salesforce. A minimum of one role must be used; for the purposes of this guide, we will create a Centrify role titled 'Information Technology'. This role will contain all Salesforce administrator users within your source directory. Additional roles that correspond to Salesforce roles can be created in the same way as the example role in this guide. To create a role, navigate to 'Roles' -> 'Add Role' to continue.

 

Screenshot 2017-05-30 18.38.02.png

 

 

4) Name the Centrify role ‘Information Technology'. Click ‘Save’ to proceed.

 

Screenshot 2017-05-30 18.38.14.png

 

5) Click ‘Members’ then click ‘Add’ to begin adding the appropriate Active Directory users, or the security group that contains all Salesforce administrator users. 

 

Tip: It’s best practice to create a security group in your source directory that contains all users you have assigned to a particular Salesforce role. For example, if there are 5 administrator users in Salesforce, the same 5 users must exist as members of the 'Information Technology' role in Centrify. A 1-to-1 mapping allows Centrify to authenticate a user attempting to access Salesforce with their source directory username/password. It also lets the administrator create, modify and disable users' access from the source directory when it comes to provisioning and de-provisioning. 

 

Screenshot 2017-05-30 18.38.32.png

 

6) Once complete, navigate to 'Apps' -> 'Add Web Apps' and search for the Salesforce SAML + Provisioning template. 

 

5) centrify - adding salesforce app.png

 

7) When the Salesforce application template is added, you will arrive at the following screen. Minimize this screen and open a new browser tab to log into Salesforce. Log into Salesforce with an administrator account in order to enable SAML and provisioning in Salesforce. 

 

6) centrify - salesforce app.png

 

8) In Salesforce, navigate to the 'Single Sign On Settings' menu and click 'Edit'. 

 

1) salesforce - sso config.png

 

9) Click the 'SAML Enabled' checkbox and click 'Save'. 

 

2) salesforce - enable SAML.png

 

10) Next, navigate to the 'SAML Single Sign-On Settings' section and click 'New'. 

3) salesforce enable SSO.png

 

11) When clicked, you will arrive at the following screen where you will exchange configurations between Centrify and Salesforce. 

 

4) salesforce - SAML config.png

 

12) To make the configuration easier, open the Centrify and Salesforce menus side-by-side as illustrated below. 

 

7) centrify and salesforce config pages.png

 

13) Start by creating a name for the 'SAML Single Sign-On Settings' integration to Centrify. Use the picture and summary below to help guide where configurations need to be made:

 

1) Name (Salesforce): Centrify.

2) API Name (Salesforce): Centrify.

3) Entity ID (Salesforce): https://saml.salesforce.com.

4) Issuer: Copy from Centrify to Salesforce.

5) Identity Provider Certificate: Download the signing certificate from Centrify and upload to Salesforce.

6) SAML Identity Type: Click 'Assertion contains the Federation ID from the User Object' option in Salesforce. (See Step 13.2).  

7) Identity Provider URL: Copy from Centrify to Salesforce.

8) Identity Provider Logout URL: Copy from Centrify to Salesforce.

9) Custom Error URL: Copy from Centrify to Salesforce.

10) User Provisioning Enabled: Click to enable in Salesforce (Follow Step 17-30 to complete provisioning).

11) Save (Salesforce): Click in Salesforce.

12) Save (Centrify): Click in Centrify.

 

8) centrify and salesforce configs completed.png

 

13.1) When Step 13 is completed, open the 'Centrify' SAML Single Sign-On Settings profile you just created, and copy the 'Salesforce Login URL' from Salesforce to the 'Assertion Consumer Service URL' field in Centrify. 

 

9) ACS URL After.png

 

13.2) If provisioning is enabled in Step 10 above, you must choose 'Assertion contains the Federation ID from the User Object' (see Step 6 above) within the 'SAML Single Sign-On Settings' menu in Salesforce. In doing so, you must add a 'Federation ID' value for the administrator user performing the integration. The 'Federation ID' setting is found by navigating to 'Administration' -> 'Users' -> the current administrator user enabling SAML in Salesforce. The value should be the email address of the administrator user, since that is what the assertion's subject will carry (see the 'Account Mapping' setting in Step 15). 

 

If you do not wish to enable provisioning at this time, leave the default option of 'Assertion contains the User's Salesforce username' in Salesforce (See Step 6 above) and disregard the step of adding a 'Federation ID' for the administrator user. The federation ID is only needed if provisioning is enabled in Salesforce. Follow steps 14-16 in this guide to complete a SAML only integration of Salesforce to Centrify. 

 

8.1) salesforce - federation ID.png

 

14) Next, navigate to 'User Access' and choose the Centrify role 'Information Technology' created in Step 4. You can also add other Centrify roles you created for other roles in Salesforce within this menu. 

 

10) Centrify - role assignment.png

 

15) Next, navigate to the 'Account Mapping' menu in Centrify. Verify that the default value in the 'Directory Service field name' is 'mail'. By default, Salesforce expects an email attribute from the source directory (i.e. Active Directory) as the subject of the SAML assertion sent to Salesforce, and that value must match the Salesforce username or Federation ID chosen in Step 13.6. While other attributes may be used, please review the options within Salesforce before leveraging other attributes in your SAML assertion. 

 

11) centrify - account mapping.png

 

16) Once the 'Account Mapping' value is reviewed, click 'Save' to complete the integration. Switch to your 'User Portal'. You will see the Salesforce tile appear within your portal if you have a valid account in your source directory (i.e. Active Directory) and Salesforce. Click on the Salesforce tile to confirm you are able to access Salesforce from the Centrify portal. 

 

12) centrify - app in portal.png
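The following is an added example, not code from the guide or from Centrify or Salesforce. When the tile in Step 16 does not sign you in, the usual cause is a mismatch between what Centrify sends and what Steps 13-15 configured, and Salesforce's SAML Assertion Validator only tells you so after the fact. This script checks a SAML response (captured from the browser, or pasted from the validator) against those settings: the Login URL from Step 13.1 as Destination, the Issuer from Step 13.4, the Entity ID from Step 13.3 as Audience, the presence of a signature for the certificate of Step 13.5, the validity window, and that the subject carries the 'mail' value from Step 15. The XML and the values in EXPECTED are constructed placeholders, and the script does not verify the signature cryptographically; Salesforce does that with the uploaded certificate.

```python
"""Added example (not part of the original guide): sanity-check a SAML
response against the Salesforce settings from Steps 13-15. SAMPLE_RESPONSE
and the EXPECTED values are constructed placeholders, not captured data.
The XML signature is only checked for presence, not verified."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What Salesforce was told to expect (Step 13 items 3, 4 and Step 13.1); placeholders.
EXPECTED = {
    "issuer": "https://aaa0000.my.centrify.com/saml/issuer",      # Step 13.4, copied from Centrify
    "audience": "https://saml.salesforce.com",                    # Step 13.3, Entity ID
    "acs_url": "https://login.salesforce.com?so=00D000000000000", # Step 13.1, Salesforce Login URL
}

# Constructed sample of a response Centrify would send; signature value is a stub.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2017-05-30T18:40:00Z"
    Destination="https://login.salesforce.com?so=00D000000000000">
  <saml:Issuer>https://aaa0000.my.centrify.com/saml/issuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-05-30T18:40:00Z">
    <saml:Issuer>https://aaa0000.my.centrify.com/saml/issuer</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>MEUCIQDstub</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-05-30T18:39:00Z" NotOnOrAfter="2017-05-30T18:45:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(ts):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_saml_response(xml_text, expected=EXPECTED, now=None):
    """Return (problems, subject). An empty problems list means the response
    carries the values Salesforce was configured with; subject is the NameID
    Salesforce will compare with the username or Federation ID (Step 13.6)."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != Salesforce Login URL (Step 13.1)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element")
        return problems, None
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} != Issuer copied from Centrify (Step 13.4)")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["audience"]:
        problems.append(f"Audience {audience!r} != Entity ID (Step 13.3)")
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed; Step 13.5 certificate cannot be checked")
    t = _parse_time(now) if now else datetime.now(timezone.utc)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and t < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (check clock skew between Connector and Salesforce)")
        if cond.get("NotOnOrAfter") and t >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (check clock skew between Connector and Salesforce)")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    subject = nameid.text.strip() if nameid is not None and nameid.text else None
    if not subject:
        problems.append("no NameID: the Account Mapping attribute (Step 15, 'mail') is empty for this user")
    elif "@" not in subject:
        problems.append(f"NameID {subject!r} is not an email; Federation ID (Step 13.2) must match it exactly")
    return problems, subject


if __name__ == "__main__":
    probs, who = check_saml_response(SAMPLE_RESPONSE, now="2017-05-30T18:41:00Z")
    print("subject:", who, "problems:", probs or "none")
```

Paste the Base64-decoded SAMLResponse from the browser's POST to the Login URL into SAMPLE_RESPONSE, put your own tenant's Issuer and Login URL into EXPECTED, and run it; a NameID that is not the user's email points at Step 15, anything else at the corresponding Step 13 item.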

 

*** Step 16 completes the SAML only integration of Salesforce. Please review the steps below which walk through how to enable provisioning. ***

 

17) To enable provisioning in Centrify, navigate to the 'Provisioning' menu in Centrify and click 'Enable provisioning for this application'. Add a Salesforce administrator's 'Username' and 'Password' to the fields in Centrify, then navigate to Salesforce to continue. Prefer a dedicated Salesforce integration user with only the profile needed for user management over a named person's administrator account, so the credential stored in Centrify can be rotated without touching anyone's personal login. 

 

Tip: You have the option of enabling provisioning in 'Preview Mode' or 'Live Mode'. Preview mode is a non-production sync. It is recommended that you complete the initial provisioning setup using preview mode before committing the integration in production. 

 

 13) centrify - enable provisioning.png

 

18) To enable the user provisioning feature in Salesforce, click 'Enable' for item 10 in Step 13 above. Additionally, when provisioning is enabled in Salesforce, a Connected App must be created. Navigate to 'App Manager' -> 'Manage Connected Apps', then click 'New Connected App'. 

 

14) salesforce - create connected app.png

 

19) Complete the following information in Salesforce as outlined below. Once complete, click 'Save' to continue. 

 

1) Basic Information

  -> Connected App Name: Centrify

  -> API Name: Centrify

  -> Contact Email: Email address of Salesforce administrator user

    

2) Enable OAuth Settings: Enabled

 

3) Callback URL: Centrify Identity Service URL

 

4) Selected OAuth Scopes: Choose the minimum required options below. 

  -> Access and manage your Chatter data (chatter_api) 

  -> Access custom permissions (custom_permissions)

  -> Access your basic information (id, profile, email, address, phone)

  -> Full access (full)

  -> Perform requests on your behalf at any time (refresh_token, offline_access)

  -> Provide access to custom applications (visualforce)

  -> Provide access to your data via the Web (web)

 

5) Require Secret for Web Server Flow: Enabled

 

15) salesforce - configuring connected app.png

 

20) The Salesforce Connected App may take several minutes to become active. As the changes take effect, the 'Consumer Key' (Item 2) and 'Consumer Secret' (Item 3) will be generated and become available for you to proceed to the next step. 

 

16) salesforce - completed connected app.png

 

21) With Centrify and Salesforce opened, copy the 'Consumer Key' in Salesforce to the 'Client ID' field in Centrify. Copy the 'Consumer Secret' in Salesforce to the 'Client Secret' field in Centrify. 

 

17) centrify - client id and secret.png

 

22) Salesforce does not display an existing security token, so to obtain the 'Security Token' for this user you must reset it. Click the 'Reset Security Token' button and the new security token is sent to you by email. 

 

18) salesforce - reset code.png

 

23) You will obtain your new Salesforce security token via email. Copy and add to Step 24 below. 

 

 19) email reset code.png

 

24) Add the Salesforce security token to the 'Security Token' field in Centrify. Once complete, click 'Verify' to complete this step. 

 

20) centrify - security token.png

 

25) If the provisioning integration between Centrify and Salesforce is successful, additional menus will populate as shown below. You may keep the default settings or modify based on your preference. 

 

21) centrify - provisioning options.png

 

26) Under the 'Role Mapping' section, click 'Add'. This step allows you to map a Centrify role (containing users in active directory) to a 'Salesforce License', 'Salesforce Role' and 'Salesforce Profile' you've setup in Salesforce. As an example, in Steps 4-5, we created a Centrify Role titled 'Information Technology'. The role contains the administrator users in the source directory (i.e. Active Directory) that are mapped to Salesforce. While this guide illustrates mapping a single Centrify role to Salesforce, utilize the same process for mapping other Centrify roles to existing Salesforce roles to complete your integration. 

 

22) centrify - role mapping.png

 

27) Click 'Save' to continue. 

 

23) centrify - completed role mapping.png

 

28) Next, navigate to 'Settings' -> 'Users' -> 'Outbound Provisioning' -> 'Salesforce' and click 'Start Sync'. An initial sync is required for any new application integrated with Centrify that has provisioning enabled. 

 

24) centrify - start sync.png

 

29) Click 'bypass caching and re-sync all objects'. This setting forces an immediate full sync from Centrify to Salesforce instead of waiting for the periodic sync that Centrify performs automatically. 

 

25) centrify - bypass sync.png

 

30) Switch to your 'User Portal' and verify that you can log into Salesforce when clicking on the Salesforce tile. 

 

26) centrify - app in portal.png

 

We hope this installation guide was helpful. For all other questions on how Centrify can help you consolidate user identities and solve the #1 cause of all cyber attacks, please contact us at https://www.centrify.com/about-us/contact/

A short step by step configuration guide on how to configure the Fortinet FW with Centrify for SSO using RADIUS

Read more...

We heard from some customers that would like to use AD credentials to authenticate to IBM Sterling Connect:Direct. IBM Sterling Connect:Direct provides security-rich, point-to-point file transfers to lessen dependency on unreliable File Transfer Protocol (FTP) transfers.

Read more...

This blog will show you how to join a Mac OS X computer to a domain and enroll it in the Centrify Identity Service platform at the same time. Typically, an Active Directory administrator performs this procedure, but during the enrollment steps, assigns the computer to a different Active Directory user account.

The assigned user is added to the identity platform as the device owner and is able to view and manage the enrolled computer through the Centrify user portal. An identity platform administrator can assign the user to one or more roles that determine the applications, permissions, and policies that apply to the user on this computer.

Here is how to use Centrify Join Assistant to join a computer to a domain and enroll it in the identity platform:

 

1. First you will need the following accounts:

a. Active Directory account that can join a computer to a domain

 

AD Admin.png


b. Administrator that has System Administrator or Device Management permissions to the Admin Portal.

Cloud Admin.png

 


c. Active Directory user account.

Jane Doe.png

 

2. Download the Centrify DirectControl agent onto the Mac system at the Support Portal Download Center.



3. Install the Centrify DirectControl agent

 

CDC Downloads folder.png

Install CDC.png

Click Continue.png

Clik Continue - 2.png

Agree to license.png

CDC Install.png

Enter local admin password.png

Install begin.png

Select Join Assistant.png

4. After installation, go to System Preferences > Centrify > Centrify Join Assistant

Join Assistant.png

At the Welcome page, click on Continue

 

Begin Join Assistant.png

Enter the local admin password

 

Enter Admin- JA.png

Enter domain you would like to join the Mac system to and enter the username and password of the Active Directory account that has permissions to join to a domain.

 

Enter AD Creds.png

Click Continue.

 

Decide whether you are using Auto Zone or a Zone for the user and computer objects. Select the option "Enroll with Centrify Cloud Service to enable remote management". Enter the Container DN in which you would like to place the computer object.

 

License Mode page.png


Click Join and the Mac will begin joining the domain

 

Joining Mac.png

After the join to the domain is completed, you will be prompted to enter the Identity Service URL and the username of the user for whom you would like to enroll the device

jane.doe.png

The enrollment of the device will then begin

Loading to the cloud.png

When the enrollment has completed, you will receive a confirmation that the enrollment for the user is successful

jane joined succes.png

When the user logs into the Centrify User Portal, they will see the device listed under the Device section

jane device.png

 

What will you do if someone checks out the root password and then creates SSH keys so that they can go around your password vault anytime they want?

Read more...

Organizations may need to configure the screen saver start time for security or compliance. This article will show you how to use Active Directory group policies to prevent users from changing the screen saver start time. 

 

screensavertimelocked.png

 

Step 1. On a Mac, create a custom profile with Apple Configurator 2

1. Launch Apple Configurator 2. You can also create this with Profile Manager.

2. Go to File > New Profile.

3. Enter a profile name in the Name field.

profile-name.png

 

4. Then go to Passcode on the left column and set a time for Maximum Auto-Lock.

profile-lock-time.png

5. Go to File > Save

 

Step 2. Upload the profile to SYSVOL

1. Go to \\<domain>\SYSVOL\<domain> and create a mobileconfig folder if it does not exist.

2. Upload the profile to the mobileconfig folder.

3. In the Group Policy for your Macs, enable Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles.

Installmobileconfig.png

4. Click on the Add button, enter the name of your profile, then click OK.

5. Click OK.

 

The policy will apply at the next group policy refresh interval, or you can launch Terminal on the Mac and run adgpupdate to apply it immediately.
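The following is an added example, not code from the article or from Centrify or Apple. It builds the same kind of profile Step 1 creates by hand in Apple Configurator 2, and parses a profile back to confirm the lock time before the file is copied to SYSVOL in Step 2, so a malformed or empty profile is caught on the admin's machine rather than on every Mac at the next policy refresh. The payload type 'com.apple.mobiledevice.passwordpolicy' and its 'maxInactivity' key (in minutes) are assumed here to be what Configurator's 'Maximum Auto-Lock' setting writes; confirm against a profile exported from Configurator before relying on it.

```python
"""Added example (not part of the original article): generate and validate
a screen-lock .mobileconfig with plistlib. The Passcode payload type and the
'maxInactivity' key are assumptions about what Configurator's 'Maximum
Auto-Lock' writes; the organization and identifier are placeholders."""
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"   # assumed Passcode payload type


def build_screenlock_profile(max_inactivity_minutes, org="Example Corp",
                             identifier="com.example.screenlock"):
    """Return the bytes of a system-scoped profile carrying one Passcode
    payload whose maxInactivity is the screen-lock time in minutes."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "maxInactivity": int(max_inactivity_minutes),   # assumed key for 'Maximum Auto-Lock'
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Screen lock time",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def screenlock_minutes(profile_bytes):
    """Parse a .mobileconfig and return its maxInactivity, or None if it has
    no Passcode payload. Raises ValueError for a profile that would be
    rejected or would silently do nothing, so it never reaches SYSVOL."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType must be 'Configuration'")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_PAYLOAD:
            continue
        minutes = payload.get("maxInactivity")
        if not isinstance(minutes, int) or minutes <= 0:
            raise ValueError(f"maxInactivity must be a positive integer, got {minutes!r}")
        return minutes
    return None


if __name__ == "__main__":
    data = build_screenlock_profile(5)
    print(f"profile sets screen lock to {screenlock_minutes(data)} minute(s)")
    # Typical use: write the bytes to <name>.mobileconfig and copy it to
    # \\<domain>\SYSVOL\<domain>\mobileconfig as in Step 2.
```

The same screenlock_minutes() check can be run against the profile exported from Apple Configurator 2 before it is uploaded; if it returns None, the profile does not carry a Passcode payload and the group policy would install a profile that locks nothing.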
