In OS X it is possible to set up a mobile user account that provides synchronized home folders, one on your Mac and one on the network account server. With Centrify, these "portable home directories" can leverage the user's existing Windows home directory to consolidate information. Centrify allows the use of AD Group Policy to manage Portable Home Directories.
Assuming you have a Centrified MacOS X system:
Planning
At a high level, these things need to be thought out:
- Windows home directories: There are countless resources on this topic. Home folders have to be created, and then assigned to users. Keep in mind permissioning as well.
- Understand the version(s) of OS X in your environment and the mobility settings behavior: Apple has modified the implementation of mobile accounts over several versions. The advantage is that Centrify provides a GPO that considers multiple versions of the OS:
- Correct GPO scoping: In this example we use loopback processing, however, based on your deployment, you may have multiple GPOs that apply to different AD principals.
Implementation
- Open GPMC and edit the Centrify GPO for OS X systems.
- On the left pane, navigate to "Computer Configuration > Policies > Centrify Settings > Adclient Settings" and in the right pane double click the "Enable Auto Zone user home directory (Mac OS X)" and enable it. This GPO modifies the auto.schema.use.adhomedir parameter in the /etc/centrifydc/centrifydc.conf file.
- Navigate to "User Configuration > Policies > Centrify Settings > OS X Settings > Mobility settings" and in the right pane double click the "Use version specific settings" GPO and enable it.
- Based on the version of OS X that you have (in my example Mavericks 10.9) go to the corresponding folder (e.g. Mac OS X 10.8/9 settings) and enable the "Configure mobile account creation" - set it to enabled and check the "Create mobile account when user logs into the network" check-box.
- To make sure the GPO is refreshed on the Mac OS X client, just run the adgpupdate command.
Verify
- On a Windows system with Active Directory Users and Computers (ADUC), open your test user account's properties and go to the Profile tab. Make sure the home folder is set up appropriately for your environment.
- Sign-in to your Centrified OS X system, you'll see the following:
Upon login, the user is prompted to create their portable home directory.
Adjustments will be based on your environment. Here are some general items:
- What happens when accounts expire? (should mobile home directories be deleted?)
- Home folders: what items will be skipped? What items will be explicitly synchronized?
- Synchronization settings: By default every 20 minutes automatically.
- Preference Sync rules, etc.
Lab Video
No comments:
Post a Comment