Centrify is 10 years old this month (You can read about our history and company milestones along the way http://www.centrify.com/aboutcentrify/overview.asp). I was thinking that it wasn’t that long ago when we first heard from customers who needed to integrate Macs into their business, which drove us to deliver our first Active Directory integration for the Mac running OS X 10.4 Tiger back in 2005 (http://www.centrify.com/news/release.asp?id=200506
Our first Mac customers were trying to find a way to support the few executives who brought in Macs and wanted IT to support their use within the business. Centrify solved this by integrating the Mac into Active Directory. We were also the first to extend Group Policy to the Mac OS X platform in 2006 (http://www.centrify.com/news/release.asp?id=200606
Centrify for Mac 2014 – New Features
We continuously work to improve the identity services and management of the Mac that Centrify has provided for years. And as usual, most of these features come directly from our customers who have requested the features. If you have an idea or something you need in our products, just ask, or open a support case, we listen.
Seamless migration to Centrify with Apple UID / GID Support
We’ve introduced support for Apple UID algorithm within Centrify for Mac to eliminate the need for any user migration from Apple to Centrify for Active Directory user login. We have seen a number of customers who tried the Apple AD Plugin but later wanted to migrate to Centrify for Mac in order to get centralized configuration management via Group Policy. However, since we use a different algorithm to auto-convert an AD user’s SID to the Unix UID that the Mac needs, we previously required a migration from the Apple UID to the Centrify UID.
This new feature in Centrify for Mac 2014 provides new Computer Configuration Group Policies under “Centrify Settings” > “DirectControl Settings” > “Adclient Settings”: “Generate User ID in Apple way” and “Set user’s primary gid”. With these, a system administrator can make sure users are assigned UIDs and GIDs in exactly the same way as Apple’s AD plugin would, which allows a smooth transition from managing Mac systems with Apple’s AD plugin to using Centrify. When a Mac is managed by the AD plugin, each user is assigned a user ID (UID) and a group ID (GID) based on Apple’s algorithm. A user logging in with Centrify will then be able to access all the files he previously stored in his home directory on the Mac or on a remote network file system.
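The practical risk behind this feature is a UID change that silently cuts a user off from files still owned by the old numeric ID. The following script is an added example (not Centrify's or Apple's code) of the check a Mac admin would want before and after switching the agent: it asks the directory service (via the standard `pwd` lookup) which UID a user now resolves to and walks the home directory reporting every file or folder owned by a different UID. The `demo()` function builds a constructed temporary "home directory" so the check can be exercised offline.

```python
import getpass
import os
import pwd
import tempfile


def resolve_uid(username):
    """Return the UID the directory service currently assigns to username.

    On a Centrify-joined Mac this is what the Centrify agent answers; on any
    POSIX host it is whatever the local name-service lookup yields.
    """
    return pwd.getpwnam(username).pw_uid


def find_uid_mismatches(root, expected_uid):
    """Walk root and return (path, owner_uid) for entries not owned by expected_uid.

    A non-empty result means a user resolving to expected_uid has lost
    ownership of those files, which is exactly what a UID-generation change
    between the Apple AD plugin and Centrify would cause.
    """
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, do not follow it
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort the audit
            if st.st_uid != expected_uid:
                mismatches.append((path, st.st_uid))
    return mismatches


def check_home_ownership(username, home=None):
    """Compare the directory-service UID for username with ownership of its home."""
    home = home or pwd.getpwnam(username).pw_dir
    uid = resolve_uid(username)
    return uid, find_uid_mismatches(home, uid)


def demo():
    """Constructed sample: a temporary home tree owned by the current user.

    Returns (mismatches against the real UID, mismatches against a wrong UID)
    so both the 'all good' and the 'migration broke ownership' outcomes are shown.
    """
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "Documents"))
        with open(os.path.join(home, "Documents", "notes.txt"), "w") as f:
            f.write("sample\n")
        good = len(find_uid_mismatches(home, os.getuid()))
        # Simulate the agent now handing out a different UID than the files carry.
        bad = len(find_uid_mismatches(home, os.getuid() + 1))
        return good, bad


if __name__ == "__main__":
    uid, problems = check_home_ownership(getpass.getuser())
    print("directory-service UID:", uid)
    for path, owner in problems:
        print("owned by UID", owner, ":", path)
```

Run it as the user after the switch to Centrify (or pass `home=` to audit someone else's home as root); an empty report confirms the "Generate User ID in Apple way" policy reproduced the UID the files were created under.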
Auto Enrollment for User Certificates
We have extended automatic enrollment of certificates to support both computer and user certificates. When this new policy is turned on and an Active Directory user logs in, Centrify for Mac automatically enrolls the user with the on-premise Microsoft Certificate Authority and stores the certificate, along with its private key, in the user’s Keychain; the private key is stored so that it cannot be exported, for security reasons. Once the certificate has been issued and stored in the Keychain, other policies can use it for authentication to 802.1x wireless or wired networks, for VPN or email purposes, or for any other application that can use a user certificate stored in the user’s Keychain.
Printer Management via Group Policy
We have enhanced printer management via Group Policy by enabling administrators to define the printer model along with the device URI, in order to ensure that the Mac uses the specified printer driver. If you do not specify the Printer Model, the Mac automatically selects the default printer driver, which is normally the PostScript driver. You can see this new setting in the “Printing Settings” policy under the User Configuration for Mac OS X Settings.
plist file Settings Management via Group Policy
Previously, Centrify enabled you to update a plist file by replacing the entire file using the file copy Group Policy. While this is still possible, we found many times that our customers really only wanted to update one or a few settings within an existing plist file. This new Group Policy enables IT admins to update an existing plist file with the changes specified in a plist file that the IT admin supplies. So, if you want to add or change a setting within a larger plist file, just create a plist file containing the specific setting that you want to change, and Centrify will find the old setting and replace it with the new one, or add the new setting to the existing file on the Mac.
We created two new policies to accomplish this, since you may have plist settings that apply to all users, which will be a computer configuration, or a plist setting that applies to an individual user at login.
- In the Computer Configuration Policies under “Centrify Settings” > “Mac OS X Settings” > “Custom Settings” you will find the “Enable profile custom settings” Group Policy. This policy is able to configure all preference settings for a computer, similarly to Custom Settings in Apple’s Profile Manager.
- In the User Configuration Policies under “Centrify Settings” > “Mac OS X Settings” > “Import Settings” you will find the “Import MCX setting plist files” Group Policy. This policy will import plist configuration into a user’s MCX settings. It is able to configure all MCX settings, similar to Apple’s Workgroup Manager.
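To make the "replace the old setting or add the new one" behaviour concrete, here is an added example (not Centrify's implementation) of a plist overlay merge written with Python's standard `plistlib`. It takes the larger preference file already on the Mac and the small admin-authored plist holding only the keys to change, and produces the merged file. One design assumption not stated in the post: nested dictionaries are merged key by key so a single sub-key can be changed, while any other value type (list, string, number, bool, data) is replaced outright. Both plists below are constructed samples; the key names are illustrative, not a specific Apple preference domain.

```python
import copy
import plistlib


def merge_plist_settings(existing, overlay):
    """Return a copy of existing with every key in overlay replaced or added.

    Dicts are merged recursively (assumption, see lead-in); all other values
    in the overlay win outright, so a list in the overlay replaces the list
    on disk rather than appending to it.
    """
    merged = copy.deepcopy(existing)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_plist_settings(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def apply_overlay(existing_bytes, overlay_bytes):
    """Merge two serialized plists (XML or binary) and return XML plist bytes."""
    existing = plistlib.loads(existing_bytes)
    overlay = plistlib.loads(overlay_bytes)
    return plistlib.dumps(merge_plist_settings(existing, overlay), fmt=plistlib.FMT_XML)


# Constructed sample: the larger preference file already present on the Mac.
EXISTING_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ScreenSaverIdleTime</key>
    <integer>1200</integer>
    <key>AskForPassword</key>
    <false/>
    <key>Network</key>
    <dict>
        <key>ProxyEnabled</key>
        <false/>
        <key>ProxyHost</key>
        <string>proxy.example.com</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample: the small plist the admin authors with only the settings to change.
OVERLAY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AskForPassword</key>
    <true/>
    <key>AskForPasswordDelay</key>
    <integer>0</integer>
    <key>Network</key>
    <dict>
        <key>ProxyEnabled</key>
        <true/>
    </dict>
</dict>
</plist>
"""


def demo():
    """Apply the overlay to the sample file and return the merged dictionary."""
    return plistlib.loads(apply_overlay(EXISTING_PLIST, OVERLAY_PLIST))


if __name__ == "__main__":
    print(apply_overlay(EXISTING_PLIST, OVERLAY_PLIST).decode())
```

In the merged output `AskForPassword` is changed, `AskForPasswordDelay` is added, `ScreenSaverIdleTime` and `Network/ProxyHost` are untouched, and only `Network/ProxyEnabled` inside the nested dictionary is flipped. When authoring an overlay for the real policy, keep it to exactly the keys you intend to change so the untouched settings on the Mac cannot be clobbered.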
Avoid Restarting Security Agent after install
Previous Centrify for Mac installers restarted OS X’s Security Agent automatically after installation. Although this was a necessary step to complete the Centrify installation, we found that in some cases, e.g., when installing Centrify together with software packages from other vendors, you may not need to restart the Security Agent, so we added a configuration parameter in /etc/centrifydc/centrifydc.conf:
The installer will not restart the Security Agent if this parameter is set to false.
- When auto-enrolling computer and user certificates, the private keys associated with the certificates are now stored as non-exportable, so that users cannot export the private key and share it with others to gain access to a secured WiFi network, for example.
- We added a configuration option (secedit.system.access.lockout.allowofflinelogin in centrifydc.conf) that allows a user to log in to OS X while disconnected from the network, even if the account is locked. This option is useful in an environment where users are off the network and are often locked out. It is set to false (off) by default, as it has security implications.
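Because `secedit.system.access.lockout.allowofflinelogin` trades lockout enforcement for offline convenience, it is worth auditing across a Mac fleet rather than trusting the default. The following added example (not a Centrify tool) parses a centrifydc.conf fragment and flags the parameter when it has been turned on. The sample file content is constructed; only the lockout parameter name comes from the post, and the `name: value` line syntax and the `adclient.cache.expires` line are assumptions used for illustration.

```python
import re

# Constructed sample of a centrifydc.conf fragment (assumed 'name: value' syntax).
SAMPLE_CONF = """# Centrify DirectControl agent configuration (constructed sample)
adclient.cache.expires: 3600

# Allow locked-out accounts to log in while the Mac is off the network.
secedit.system.access.lockout.allowofflinelogin: true
"""

# Parameters whose non-default value weakens security: name -> (risky value, reason).
RISKY_SETTINGS = {
    "secedit.system.access.lockout.allowofflinelogin": (
        "true",
        "locked-out AD accounts can still log in while the Mac is offline",
    ),
}


def parse_conf(text):
    """Parse 'name: value' lines into a dict, skipping comments and blank lines.

    'name = value' is tolerated as well (assumption); later duplicates win,
    matching the usual last-definition-wins behaviour of flat config files.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([\w.]+)\s*[:=]\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit(settings):
    """Return (name, value, reason) for each risky parameter set to its risky value.

    A parameter that is absent counts as 'false', which the post states is the default.
    """
    findings = []
    for name, (risky_value, reason) in RISKY_SETTINGS.items():
        value = settings.get(name, "false")
        if value.lower() == risky_value:
            findings.append((name, value, reason))
    return findings


def audit_file(path):
    """Audit a real centrifydc.conf on disk, e.g. /etc/centrifydc/centrifydc.conf."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit(parse_conf(f.read()))


if __name__ == "__main__":
    for name, value, reason in audit(parse_conf(SAMPLE_CONF)):
        print(f"WARNING {name}={value}: {reason}")
```

Pointing `audit_file()` at /etc/centrifydc/centrifydc.conf on each Mac and collecting the findings gives a quick inventory of where the offline-login exception has been enabled, so it can be limited to the machines whose users genuinely work off the network.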
Learn more about Centrify User Suite, Mac Edition or Centrify for Mac here: http://www.centrify.com/products/mac-edition.asp