Centrify for Mac 2014 – Continuous improvement in centralized management for Macs in Business

Centrify is 10 years old this month (You can read about our history and company milestones along the way http://www.centrify.com/aboutcentrify/overview.asp). I was thinking that it wasn’t that long ago when we first heard from customers who needed to integrate Macs into their business, which drove us to deliver our first Active Directory integration for the Mac running OS X 10.4 Tiger back in 2005 (http://www.centrify.com/news/release.asp?id=2005060602). This was way before Macs were even using Intel processors. Remember the Power PC processor?

Our first Mac customers were trying to find a way to support the few executives who brought in Macs and wanted IT to support their use within the business. Centrify solved this by integrating the Mac into Active Directory.  We were also the first to extend Group Policy to the Mac OS X platform in 2006 (http://www.centrify.com/news/release.asp?id=2006061201), and also introduced support for Mac on Intel.  Since then Macs have really taken off in businesses around the world challenging a predominantly Windows centric IT staff to understand how to manage the Macs that increasingly find their way into the business. Evolving from our early days where we typically found the Macs in the marketing department or a few in the executive offices, we are now finding many more organizations going as far as adding the Mac to their standard supported platform list, offering their users a choice between a Windows or Mac workstation.  Most of the time these are laptops and not desktops, given users’ desire to be able to take their computer with them and work from anywhere. These users also tend to have an iPhone or iPad, maybe both. So, last year we introduced our cloud-based management support for Macs and mobile devices with Centrify User Suite (http://www.centrify.com/news/release.asp?id=2013082701) so that IT can manage policies such as enforcement of FileVault (for full disk encryption with automated support for institution recovery key) and other policies on Macs, as well as support remote lock or wipe for a Mac that happens to get lost or stolen, all in an effort to protect the business information stored on these Macs. We’ve also built out a full Identity as a Service (IDaaS) offering into the cloud service (http://www.centrify.com/saas/saas-single-sign-on.asp) in order to simplify identity and access management for hosted applications, and to provide users with single sign-on from their desktop login through the Centrify User Portal. This solution is combined into a single solution to make it easier for IT to manage mobile devices, Macs and the SaaS applications that users access from those devices or from any other system with just a browser.

Centrify for Mac 2014 – New Features

We continuously work to improve the identity services and management of the Mac that Centrify has provided for years. And as usual, most of these features come directly from our customers who have requested the features. If you have an idea or something you need in our products, just ask, or open a support case, we listen.

Seamless migration to Centrify with Apple UID / GID Support

We’ve introduced support for Apple UID algorithm within Centrify for Mac to eliminate the need for any user migration from Apple to Centrify for Active Directory user login. We have seen a number of customers who tried the Apple AD Plugin but later wanted to migrate to Centrify for Mac in order to get centralized configuration management via Group Policy. However, since we use a different algorithm to auto-convert an AD user’s SID to the Unix UID that the Mac needs, we previously required a migration from the Apple UID to the Centrify UID.

This new feature in Centrify for Mac 2014 provides a new Computer Configuration Group Policy within “Centrify Settings” > “DirectControl Settings” > “Adclient Settings” > “Generate User ID in Apple way” and “Set user’s primary gid”. System Administrator can make sure users are assigned UIDs and GIDs in the exactly same way as Apple’s AD plugin would. This allows smooth transition from managing Mac systems with Apple’s AD plugin to using Centrify.  When Mac is managed by AD plugin, each user is assigned a user ID (UID) and a group ID (GID) based on Apple’s algorithm.  A user logging in with Centrify will be able to access all of his files that he had previously stored in his home directory on Mac or on a remote network file system.

Group Policy Management Editor
Group Policy Management Editor

Auto Enrollment for User Certificates

We have extended automatic enrollment of certificates to now support both computer and user certificates. When this new policy is turned on and an Active Directory user logs in, Centrify for Mac will automatically enroll the user with the on-premise Microsoft Certificate Authority and store the certificate along with its private key in the user’s Keychain, where the private key is so that it cannot be exported for security reasons. Once the certificate has been issued and stored in Keychain, other policies can then use that certificate for authentication to 802.1x wireless or wired networks or maybe for VPN or email purposes. Really any application that can leverage a user certificate stored in the user’s Keychain.

Printer Management via Group Policy

We have enhanced the printer management via Group Policy by enabling Administrators to define the printer model along with the device URI in order to ensure that the Mac will use the specified printer driver. If you do not specify the Printer Model, then the Mac will automatically select the default printer driver, which is normally the postscript driver. You can see this new setting in the “Printing Settings” policy under the User Configuration for Mac OS X Settings.


plist file Settings Management via Group Policy

Previously, Centrify enabled you to update a plist file by replacing the entire file using the file copy Group Policy, while this is still possible, we found many times that our customers really only wanted to update one or maybe a few settings within an existing plist file. This new Group Policy enables IT Admins to update an existing plist file with the changes specified within a plist file that the IT Admin specifies. So, if you want to add or change a setting within a larger plist file, just create a plist file with the specific setting that you want to change and Centrify will find the old setting and replace with the new one, or add the new setting to the existing file on the Mac.

We created two new policies to accomplish this since you may have plist setting that apply to all users which will be a computer configuration or a plist setting that applies to an individual user at login.

  • In the Computer Configuration Policies under “Centrify Settings” > “Mac OS X Settings” > “Custom Settings” you will file the “Enable profile custom settings” Group Policy. This policy is able to configure all preference settings for a computer, similarly to Custom Settings in Apple’s Profile Manager.
  • In the User Configuration Policies under “Centrify Settings” > “Mac OS X Settings” > “Import Settings” you will file the “Import MCX setting plist files” Group Policy. This policy will import plist configuration into a user’s MCX settings.  It is able to configure all MCX settings, similar to Apple’s Workgroup Manager.

Avoid Restarting Security Agent after install

Previous Centrify for Mac installers restarted OS X’s Security Agent automatically after installation.  Although this was a necessary step to complete Centrify installation, in some cases, e.g., installing Centrify together with software packages from other vendors, we found in many cases that you may not need to restart the Security Agent, so we added a configuration parameter in /etc/centrifydc/centrifydc.conf:

adclient.autoedit.centrifypam.restart.securityagent: (default value is true)

It will not restart Security Agent if this is set to false.

Other Improvements

  • When auto-enrolling computer and user certificates, the private keys associated with the certificates are now stored as non-exportable so that users cannot export the private key and share with their friends to enable access a secured WiFi network for example.
  • We added a configuration option (secedit.system.access.lockout.allowofflinelogin in centrifydc.conf) to allow a user to log in to OS X, when it is disconnected from network, even if the account is locked.  This option is useful in an environment where users are off network and are often locked out.  The option is set to false (off) by default, as it has security implication.

Learn more about Centrify User Suite, Mac Edition or Centrify for Mac here: http://www.centrify.com/products/mac-edition.asp