Tuesday, April 22, 2014

Enter the Mac - Extending the 2014 Scenario with Mac OS X

In a previous post, we discussed a UNIX/Linux scenario with Centrify Enterprise Edition; in this post and in an upcoming playlist, we'll be integrating a couple of Mac OS X systems.  On-premise (or Enterprise) systems tend to have different requirements from BYOD (Bring Your Own Device) Macs.

Requirements for On-Premise Mac Systems

AD Integration


  • Allows all Domain Users to access Mac OS clients with their AD Credentials
  • Leverages AD natively, no schema extensions or software in domain controllers
  • Solution does not synchronize identities or passwords
  • Mac users can be controlled from AD (enabling/disabling, logon hours, etc.)
  • AD security policy is enforced on Mac platforms
  • Kerberos SSO access to domain-protected resources (directory, shares, printers, etc.)
  • High availability: users should retain access when AD is not available

Security Configuration Items


  • Governance:  Mac Administrators shall add/move/remove Mac Computers 
  • The practice of sharing a "mac administrative account" (shared account) should be eliminated
  • The Password policy defined in AD shall be enforced in all Macs
  • All users shall have a screen saver enabled within 10 minutes of inactivity
  • Users shall not be able to launch the Terminal Utility
  • Logon Banner aligned with corporate requirements
  • Users shall not be able to launch the iCloud System Preference
  • The firewall should be always on
  • iChat and iTunes Music Sharing shall be disabled
  • FileVault2 Encryption shall be enforced centrally
  • Access to external drives shall be password protected
  • Macs should be able to leverage GPOs and the Microsoft CA to auto-enroll Computer Certificates.
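Several of the items above (firewall always on, FileVault2 enforced, screen saver within 10 minutes) are easy to verify locally once the policy has been pushed. The script below is an added example, not code from the original post or from Centrify: a read-only compliance audit that separates the PASS/FAIL logic from the collection step, so the evaluators can be exercised on any system against constructed sample strings. It assumes the output formats of `socketfilterfw --getglobalstate`, `fdesetup status` and the `com.apple.screensaver idleTime` preference as commented in the code; the sample outputs are constructed for illustration.

```shell
#!/bin/bash
# Added example, not code from the original post or from Centrify.
# Read-only audit of three Security Configuration Items listed above:
# firewall always on, FileVault2 enforced, screen saver within 10 minutes.
# Evaluation logic is separated from collection so it can be run (and
# tested) on any system against constructed sample output.

# --- evaluators: pure string logic, print one PASS/FAIL per item ------------

# socketfilterfw --getglobalstate prints e.g. "Firewall is enabled. (State = 1)";
# State 1 = on, 2 = block all incoming, 0 = off (assumed format).
eval_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo PASS ;;
    *)                           echo FAIL ;;
  esac
}

# fdesetup status prints "FileVault is On." or "FileVault is Off." (assumed format).
eval_filevault() {
  case "$1" in
    *"FileVault is On"*) echo PASS ;;
    *)                   echo FAIL ;;
  esac
}

# com.apple.screensaver idleTime is the idle timeout in seconds; 0 means "never".
# The requirement is "within 10 minutes", so 1..600 passes.
eval_screensaver() {
  idle=$1
  case "$idle" in
    ''|*[!0-9]*) echo FAIL; return ;;   # missing or non-numeric value fails closed
  esac
  if [ "$idle" -gt 0 ] && [ "$idle" -le 600 ]; then
    echo PASS
  else
    echo FAIL
  fi
}

# --- collectors: real macOS commands, constructed samples when not on a Mac ---
# The fallback strings are constructed for illustration; they are not output
# captured from the systems in the post.

collect_firewall() {
  if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then
    /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null
  else
    echo "Firewall is disabled. (State = 0)"   # constructed sample
  fi
}

collect_filevault() {
  if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status 2>/dev/null
  else
    echo "FileVault is On."                    # constructed sample
  fi
}

collect_screensaver() {
  if command -v defaults >/dev/null 2>&1; then
    defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null
  else
    echo 1200                                  # constructed sample: 20 minutes
  fi
}

# --- report: non-zero exit if any item fails, so a launchd/cron job can alert --
run_audit() {
  failed=0
  for item in firewall filevault screensaver; do
    result=$("eval_$item" "$("collect_$item")")
    printf '%-12s %s\n' "$item" "$result"
    [ "$result" = PASS ] || failed=1
  done
  return $failed
}

run_audit || echo "one or more configuration items FAILED"
```

On a managed Mac the collectors call the real tools; anywhere else the constructed samples drive the report, which makes the evaluators easy to unit-test before the script is deployed through the management channel.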

Computer Configuration Items


  • Domain Suffix and DNS Settings should be configured centrally
  • ARD, FTP, Web Services and SSH access should be configured centrally
  • Fast User Switching disabled.

User Configuration Items


  • Users' home directories should be mapped/mounted automatically on Macs
  • The shared network folder should be mapped/mounted automatically
  • The dock should be placed on the left of the screen by default
  • The network printer should be provisioned automatically

Modified Scenario Diagram

[diagram image not captured in this extraction]

Centrify Suite 2014 Mac Integration Playlist

This playlist (47 minutes total) covers the requirements for the Mac OS Scenario outlined in the previous post.
