IT Configuration Guide for Your Mac Evaluation

SAMPLE PAGES

IT Configuration Guide For Your Mac Evaluation

(Version 4.0) IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES Table of Contents

Introduction ...... 1 1 Imaging ...... 2 1.1 Imaging Mac Computers ...... 2 1.2 Creating Packages ...... 3 1.2.1 Creating Packages with PackageMaker ...... 4 1.2.1.1 Creating a Snapshot Package with PackageMaker ...... 8 1.2.2 Creating Packages with Third-Party Utilities ...... 15 1.3 Creating Images with System Image Utility ...... 16 1.3.1 NetInstall from Installer ...... 17 1.3.2 NetRestore from Installer ...... 20 1.3.3 Using NetRestore from a Prepared Volume ...... 23 1.3.4 Creating NetRestore NetBoot Sets ...... 26 1.3.5 Automations with System Image Utility ...... 29 1.3.5.1 Creating an Installation DVD ...... 36 1.3.5.2 Adding Patches and Upgrades ...... 38 1.3.5.3 Adding Post-Install Scripts ...... 39 1.3.5.4 Adding Additional Software ...... 40 1.3.5.5 Adding Configuration Profiles ...... 41 1.3.5.6 Additional System Image Utility Preferences ...... 42 1.4 Creating an Image via a Configured Mac ...... 43 1.4.1 Preparing a System for Imaging ...... 44 1.4.1.1 Removing Unneeded LKDC Information ...... 45 1.4.1.2 Removing .DS_Store Files ...... 47 1.4.1.3 Removing Other System Files ...... 48 1.4.2 Customizing the Default User Template ...... 49 1.4.3 Self-Removing Scripts ...... 50 1.5 Creating Images with Disk Utility ...... 52 1.5.1 Creating a Disk Image from the Command Line ...... 56 2 Deployment ...... 57 2.1 Local Deployment ...... 58 2.1.1 Creating a Bootable Disk or Volume Using NetInstall ...... 59 2.1.2 Deploying with Disk Utility ...... 61 2.2 NetInstall Image Creation ...... 62 2.2.1 Configuring a NetBoot Server ...... 65 2.2.2 Custom Source NetRestore ...... 68 2.2.3 Unicast Apple Software Restore (ASR) ...... 70 2.2.4 Multicast Apple Software Restore (mASR) ...... 71 2.2.5 Third-Party Deployment Solutions ...... 73 2.2.6 Setting Clients to NetBoot Using the Bless Command ...... 74 2.2.7 Using NetBoot DHCP Helpers ...... 75 2.2.8 bootpd Relay ...... 76 2.3 Minimal Touch Deployments ...... 77 3 Support and Maintenance ...... 78 3.1 Asset Tags ...... 79

ii IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 3.2 Apple Remote Desktop ...... 80 3.2.1 Apple Remote Desktop and Computer Lists ...... 81 3.2.2 Deploying Applications ...... 85 3.2.3 Inventory Tools ...... 88 3.2.4 Apple Remote Desktop Task Server ...... 90 3.3 Software Update Policy ...... 91 3.4 OS X Lion Server Software Update Service ...... 92 3.4.1 Configuring Software Update Server Clients ...... 95 3.4.2 Cascading Software Update Service ...... 97 3.5 Third-Party Software Update Service ...... 99 3.6 Client Management Suites ...... 100 4 Directory Services ...... 101 4.1 Local Directory Services ...... 102 4.1.1. Creating Local Administrative Accounts ...... 104 4.1.1.1 Creating a Local Administrative Account Using System Preferences ...... 105 4.1.1.2 Creating a Local Administrative Account Using the Command Line ...... 107 4.1.1.3 Hiding a Local Account ...... 109 4.1.1.4 Making Changes to the Local Administrative Account ...... 110 4.1.2 Nesting Network Admins in a Local Administrative Group ...... 111 4.1.3 Creating a Local Administrative Account with a Package or Script .113 4.2 Open Directory ...... 114 4.2.1 Setting Up an Open Directory Master ...... 115 4.2.2 Preparing for Binding to Open Directory ...... 121 4.2.2.1 Binding to Open Directory Using the Users & Groups Pane in System Preferences ...... 123 4.2.2.2 Custom Binding Operations ...... 127 4.2.3 Binding to Open Directory Using the Command Line ...... 134 4.2.4 Binding to Open Directory Using a Post-Installation Script ...... 136 4.2.5 Using Workgroup Manager to Create New Users ...... 137 4.2.6 Setting Up an Open Directory Replica ...... 142 4.3 Active Directory ...... 145 4.3.1 Binding to Active Directory ...... 146 4.3.1.1 Binding to Active Directory Using Directory Utility ...... 147 4.3.1.2 Testing and Verifying Active Directory Binding Information ...... 151 4.3.1.3 Binding to Active Directory from the Command Line ...... 155 4.3.1.4 Binding to Active Directory Using a Script ...... 158 4.3.1.5 Binding to Active Directory Using a Post-Install Script ...... 159 4.3.1.6 Active Directory Plug-in Troubleshooting Commands ...... 160 4.3.2 Mapping the UID and GID with Directory Utility ...... 164 4.3.2.1 Mapping UID, User GID, and Group GID Using dsconfigad ...... 168 4.3.3 Setting a User Home Directory ...... 169 4.3.4 Namespace Support Using dsconfigad ...... 174 4.3.5 Active Directory Packet Encryption Options ...... 175 4.3.6 SSL Binding Instructions ...... 176 4.3.7 Managing Certificates from the Command Line ...... 177 4.3.8 Active Directory Computer Password Changes ...... 178 4.4 Third-Party Active Directory Plug-Ins ...... 179

iii IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4.5 LDAP ...... 180 4.5.1 Binding to LDAP...... 181 4.5.1.1 Simple Binding ...... 182 4.5.1.2 Trusted Binding ...... 185 4.5.2 Mapping LDAP Attributes ...... 189 4.6 NIS ...... 194 4.7 Kerberos ...... 197 4.8 Dual Directory Configuration ...... 198 4.8.1 Setting Up Dual Directory ...... 199 4.8.2 Nesting Active Directory Groups in Open Directory ...... 211 4.9 Distributed File Sharing ...... 214 4.9.1 Connecting to DFS Shares ...... 215 4.9.2 Viewing DFS with smbutil ...... 216 4.9.3 Third-Party DFS Solutions ...... 218 5 Policy Management ...... 219 5.1 Setting Up a Profile Server ...... 220 5.1.1 Configuring Network Settings ...... 221 5.1.2 Configuring Users ...... 223 5.1.3 Adding Users ...... 226 5.1.4 Reviewing Certificates ...... 229 5.1.5 Acquiring Apple Push Notification Certificates ...... 232 5.1.6 Enabling Profile Manager ...... 235 5.1.7 Automatic Push Versus Manual Download Profiles ...... 239 5.1.8 Editing Management Profiles ...... 240 5.1.9 Creating Device Groups ...... 244 5.1.10 Using Device Placeholders ...... 247 5.1.11 Enrolling Devices Running OS X Lion ...... 249 5.1.12 Locking a Device via the User Portal ...... 251 5.1.13 Wiping a Device via the User Portal ...... 253 5.1.14 Locking a Device Using Profile Manager ...... 254 5.1.15 Wiping a Device Using Profile Manager ...... 256 5.1.16 Removing a Mac from Management via the User Portal ...... 258 5.1.17 Removing Management Using Profile Manager ...... 259 5.1.18 Profile System Preferences ...... 261 5.1.19 Forcing Management Profiles ...... 263 5.1.20 The profiles Command ...... 265 5.2 Managed Preferences ...... 266 5.2.1 Obtaining Effective Managed Preferences ...... 267 5.2.2 Refreshing Policy Data ...... 269 5.2.3 Graphical User Interface Managed Preferences Reporting ...... 270 5.2.4 Importing Managed Preferences Manifests ...... 272 5.2.5 Importing Application Preferences ...... 277 5.3 Local Policy ...... 282 5.3.1 Creating a Local Computer Account with dscl ...... 283 5.3.2 Managed Preferences dscl Extensions ...... 285 5.3.3 Importing and Exporting Managed Preferences Using dscl ...... 287 5.4 Directory Policy ...... 288 5.4.1 Open Directory ...... 289 5.4.1.1 Managed Preferences Using Workgroup Manager ...... 290

iv IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 5.4.1.2 Using Workgroup Manager to Whitelist Windows Servers ...... 293 5.4.2 Active Directory ...... 295 5.4.2.1 Extending the Active Directory Schema on Windows Servers ...... 296 5.4.2.2 Managed Preferences Using Dual Directory ...... 308 5.4.3 LDAP ...... 312 5.4.3.1 Adding Apple Schema to Third-Party OpenLDAP ...... 313 5.4.3.2 Integrating a Third-Party Schema into Open Directory ...... 314 6 Security ...... 316 6.1 Security Resources ...... 316 6.2 Application Restrictions ...... 317 6.3 Password Policies ...... 320 6.3.1 Auditing Local Password Policies ...... 324 6.3.2 Setting Local Password Policies ...... 327 6.4 Setting an Open Firmware Password ...... 328 6.5 SSH Access ...... 329 6.5.1 Key-Based SSH Access ...... 330 6.5.2 SSH Tunnel ...... 332 6.6 FileVault 2 Full Disk Encryption ...... 333 6.6.1 Migrating from FileVault to FileVault 2 ...... 343 6.6.2 FileVault 2 FDE Master Passwords ...... 345 6.7 Third-Party Full Disk Encryption ...... 347 6.8 Host-Based Intrusion Detection System ...... 348 6.9 Network Firewall ...... 351 6.9.1 Application Layer Firewall ...... 352 6.9.1.1 Configuring the Application Layer Firewall ...... 353 6.9.1.2 Managing the Application Layer Firewall from Terminal ...... 357 6.9.2 ipfw ...... 359 6.10 Keychain Usage and Management ...... 361 6.10.1 Accessing and Viewing Keychain Contents ...... 363 6.10.2 Selecting Specific Categories of Keychain Items ...... 365 6.10.3 Enabling MobileMe and Directory Services Searching for Certificates ...... 366 6.10.4 Enabling Certificate Revocation Checking ...... 367 6.10.5 Importing Items into a Keychain via the GUI ...... 368 6.10.6 Importing Items into a Keychain from within Keychain Access ...... 369 6.10.7 Exporting Items from a Keychain ...... 371 6.10.8 Exporting Items from a Keychain via the GUI ...... 373 6.11 Encrypted Time Machine Backups ...... 374 6.12 Third-Party Smart Card Service Options ...... 379 7 Networking/Wireless ...... 380 7.1 IPv4 Networking...... 381 7.2 IPv6 Networking...... 389 7.3 Network Setup Assistant for Wired and Wireless ...... 392 7.4 Network Diagnostics for Wired and Wireless ...... 396 7.5 VLAN Wired Network Deployment ...... 399 7.6 Networking Command Line Interface ...... 403 7.7 Virtual Private Network ...... 406 7.8 Network Security Overview ...... 416

v IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 7.8.1 WPA/TKIP—PSK ...... 417 7.8.2 WPA2/AES—PSK...... 419 7.8.3 WPA2/AES 802.1X—PEAP/MSCHAPv2 ...... 421 7.8.4 WPA2/AES 802.1X—EAP/TLS ...... 427 7.8.5 WPA2/AES 802.1X—TTLS ...... 434 7.8.6 WPA2/AES 802.1X — EAP/FAST ...... 441 7.9 Importing and Exporting 802.1X Profiles ...... 449 7.10 Using 802.1X ...... 452 7.11 Securing a Certificate from a Windows CA ...... 454 7.12 Trusting Certificates from the Command Line ...... 457 8 Collaboration ...... 458 8.1 Microsoft Exchange Integration ...... 459 8.1.1 Using Mail, iChat, and Address Book with Exchange ...... 460 8.1.2 Enabling S/MIME in Mail ...... 465 8.1.3 Enabling Out-of-Office in Mail ...... 466 8.2 Connecting to and Troubleshooting Mail, iCal, and Address Book with Microsoft Exchange ...... 468 8.2.1 DNS ...... 469 8.2.2 Improper Redirects/Certificate Errors ...... 470 8.2.3 Limits on Message Size ...... 471 8.2.4 Additional Troubleshooting Resources ...... 473 8.3 Troubleshooting Microsoft Outlook 2011 ...... 474 8.3.1 Additional Microsoft Outlook 2011 Information ...... 475 8.4 Connecting to Microsoft SharePoint ...... 476 8.4.1 Additional Microsoft SharePoint Information ...... 478 8.5 Instant Messaging ...... 479 8.5.1 iChat and FaceTime ...... 480 8.5.2 Microsoft Office Communications Servers ...... 483 8.6 AirDrop ...... 486 8.6.1 Deactivating AirDrop ...... 487 8.6.2 Debugging AirDrop ...... 490 8.6.3 Additional AirDrop Information ...... 491

Apple, the Apple logo, AirPort, AirPort Extreme, AppleScript, Bonjour, FileVault, Finder, FireWire, iCal, Mac, MacBook, MacBook Air, Mac OS, QuickTime, Safari, Spotlight, Time Machine, and Xcode are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop is a trademarks of Apple Inc. Mac App Store is a service mark of Apple Inc. Intel is a trademark of Intel Corp. in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group. OS X version 10.7 Lion is an Open Brand UNIX 03 Registered Product. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use.

vi SAMPLE PAGES Introduction

This configuration guide is designed to help IT professionals who are evaluating and deploying OS X Lion on Mac computers in medium to large organizations. Each section contains multiple modules that cover different topics with step-by-step instructions. Using this guide, organizations can accelerate testing and planning to begin a proof of concept, or broader end- user test, of Mac computers. Not all modules within this guide require extensive review for a single Mac deployment plan, as many are mutually exclusive. For example, this guide includes Directory Services modules that cover Open Directory, Active Directory, Lightweight Directory Access Protocol (LDAP),, and other techniques. Most organizations will choose the one that best meets their needs. Before using this guide, consult with your Apple sales representative or Apple Authorized Reseller for assistance in determining the right modules for your environment. This guide covers a wide range of topics critical to successfully deploying Mac computers in large commercial and government organizations including: • Imaging • Deployment • Support and Maintenance • Directory Services • Policy Management • Security • Networking/Wireless • Collaboration For more information, contact your Apple Authorized Reseller or Apple account team.

Active Directory is Microsoft’s directory services solution. Active Directory provides information on users, groups, and computers (information stored in LDAP), password management and encryption (using Kerberos ), and the ability to find objects on a network. Information in Active Directory is used to manage users, computers, groups, printers, and other resources. Administrators can also assign policies to Windows computers using Group Policy Objects. Active Directory deployments vary from smaller environments with a few hundred objects to larger environments with thousands (or millions) of users and systems distributed across a number of sites. Mac computers can be manually bound to Active Directory through the Active Directory Service plug-in in Directory Utility. From the command line, use dsconfigad to bind and specify Active Directory-specific options. Active Directory provides policies to Windows computers and the schema can be extended to include policies for other operating systems, including OS X Lion. A number of environments cannot extend their AD schemas and so third- party vendors can provide policies to Mac computers without extending the schema. In this section, we explore administrative tasks surrounding managing OS X Lion using Active Directory.

© 2011 Apple Inc. 145 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4.3.1 Binding to Active Directory OS X Lion can be bound to Active Directory from the Users & Groups pane in System Preferences, through Directory Utility (located in /System/Library/ CoreServices/Directory Utility), or using the command line utility dsconfigad. While dsconfigad does contain some additional options, the majority of functionality is available through Directory Utility.

Active Directory Validation Prior to binding, it is important to verify some connectivity with Active Directory. Because Active Directory clients use DNS service records to locate Active Directory service, it is important to verify that DNS is working properly. 1. Open Terminal from /Applications/Utilities. Enter the following command to do a lookup on the service record to locate the global catalog: dig -t SRV _gc._tcp.pretendco.com ; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION: ;_gc._tcp.pretendco.com. IN SRV

;; ANSWER SECTION: _gc._tcp.pretendco.com. 600 IN SRV 0 100 3268 dc.pretendco.com.

;; ADDITIONAL SECTION: dc.pretendco.com. 3600 IN A 192.168.55.47

;; Query time: 83 msec ;; SERVER: 192.168.1.6#53(192.168.55.47) ;; WHEN: Thu Jul 31 14:09:32 2008 ;; MSG SIZE rcvd: 92 2. If your response does not include an answer section with the name of a domain controller, check to make sure the OS X Lion network settings are correct and that the DNS specified is one that will return service record information for your Active Directory forest. 3. To bind OS X Lion to Active Directory, you need credentials as a local administrator on the Mac as well as an Active Directory user who has the authority to join computers into the Organizational Unit (OU) that you will be leveraging in Active Directory. Once you have bound the Mac to Active Directory, you can set up the client to allow Active Directory administrators (or any Active Directory user you choose) to be local administrators on the local Mac client. However, during initial setup, you will need the local administrative user name and password for the Mac. This user is the first user set up during Setup Assistant after installation.

To bind to Active Directory using Directory Utility: 1. Choose System Preferences from the Apple menu. 2. Open the Users & Groups pane.

Figure 4.3.1.1_1 3. Click Login Options.

Figure 4.3.1.1_2

Figure 4.3.1.1_3 5. Enter the name of the domain in the Server field. The dialog expands for credentials and Computer ID (which is already entered).

Figure 4.3.1.1_4 6. Once joined, you can go back and look at the binding information and provide more details, if needed. You can also get to the Active Directory options in Directory Utility to bind if more information is required at the bind screen. To open Directory Utility, click the Edit button in the Users & Groups pane in System Preferences (or if the initial attempt at binding failed, click Join).

Figure 4.3.1.1_5 8. Double-click Active Directory (or click Active Directory and then click the pencil icon).

Figure 4.3.1.1_6 9. Enter the Active Directory domain name you wish to join (if you have not yet bound).

Figure 4.3.1.1_7 11. If binding, enter the Active Directory user that has the delegated authority to bind a machine to the OU you specify for Computer OU. Enter the Active Directory user’s password, then click OK. 12. In the Users & Groups pane you will now see a green light next to the domain if provided network accounts are accessible.

Figure 4.3.1.1_8

© 2011 Apple Inc. 150 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4.3.1.2 Testing and Verifying Active Directory Binding Information Prior to logging out and attempting to log in with an Active Directory user, it is advisable to verify that OS X Lion is getting the requisite information from Active Directory. This section shows how to verify that OS X Lion is able to get information about an Active Directory user, browse information within Active Directory, and authenticate users.

To verify that the Mac can get information about an Active Director user: For OS X Lion to work correctly, it needs to be able to look up information such as the user’s numerical ID (UID), primary group ID (GID), and group membership. 1. To test this lookup capability, open Terminal from /Applications/Utilities, and enter the following:

id Sample:

Client-1:~ admin$ id jfoster uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users) 2. If the id command does not return information about an Active Directory user, open Directory Utility and verify that OS X Lion is bound to Active Directory and that Active Directory is listed under Search Path (the listing is created automatically when the client is bound). Also verify network connectivity between OS X Lion and the domain controller, and check firewall settings on the network.

To browse the Active Directory network node: 1. Open Terminal from /Applications/Utilities, and enter the following:

Client-1:~ admin$ dscl localhost > 2. You are now in interactive mode and can browse network nodes. Type the following:

> ls One of the listed nodes should be Active Directory (if not, Active Directory is not enabled/checked in Directory Utility).

Active Directory BSD Local

Search Contact

© 2011 Apple Inc. 151 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 3. Navigate into the Active Directory node by using cd and perform another ls to show the contents of the node. > cd 'Active Directory' /Active Directory > ls All Domains 4. Navigate into the All Domains node by using cd and perform another ls to show the contents of the node. The node should contain the Users node.

/Active Directory > cd 'All Domains' /Active Directory/All Domains > ls CertificateAuthorities Computers FileMakerServers Groups Mounts People Printers Users 5. Navigate into the Users node by using cd and performing another ls to show the contents of the node. The node should contain all of the users in the forest. If you have a large number of users, do not enter ls to list the contents of this node, but rather use read to read the attributes of that user:

/Active Directory/All Domains > cd Users /Active Directory/All Domains/Users > read jfoster dsAttrTypeNative:accountExpires: 9223372036854775807 dsAttrTypeNative:ADDomain: pretendco.com dsAttrTypeNative:badPasswordTime: 0 dsAttrTypeNative:badPwdCount: 0 dsAttrTypeNative:cn: Tim Lee dsAttrTypeNative:codePage: 0 dsAttrTypeNative:countryCode: 0 dsAttrTypeNative:displayName: Tim Lee dsAttrTypeNative:distinguishedName: CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com more...

© 2011 Apple Inc. 152 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 6. If you are not able to read the attributes of a user, check access controls in Active Directory and verify that you have bound to the correct OU. 7. You can now exit out of dscl.

/Active Directory/All Domains/Users > exit Goodbye

To verify the user password: Up to this point, the Mac can get information about users, but you need to verify that users can be authenticated. 1. Open Terminal from /Applications/Utilities and enter the following:

>su Sample:

Client-1:~ Admin$ su jfoster Password: 2. Enter the Active Directory user’s password. If successful, you should now be in a Terminal session as that user. To verify, use the whoami command. >whoami Sample: bash-3.2$ whoami jfoster Note: If warnings appear about not having a home directory, disregard them at this point. The home directory will be created on initial login. If this does not work, verify that there are not multiple users with the same short name in your Active Directory forest. If there are multiple users with the same short name, you must enable namespace support via dsconfigad. For this testing, enter a user name that has a unique short name forest- wide.

To log in at the login window: You could log out by choosing Log Out [user name] from the Apple menu, but it is more convenient to use Fast User Switching to test the login window. 1. To enable Fast User Switching, choose System Preferences from the Apple menu, and click Users & Groups. 2. In the Users & Groups pane, make sure the lock in the lower-left corner is unlocked. 3. If the pane is locked, click the lock icon and authenticate to unlock. 4. Click Login Options from the list on the left.

Figure 4.3.1.2_1 A user name will appear in the menu bar in the upper-right corner of your screen.

Figure 4.3.1.2_2 6. Select the user name and choose Login Window. A cube effect appears and the login window appears. The currently logged in user session stays active; to return to it either select the original user in the Fast User Switching menu or at the login window. 7. Click Other, and enter the Active Directory user name and password. Either use the short name or the UPN name (for example, jfoster, PRETENDCO \jfoster, or [email protected]). You should now be logged in as the Active Directory user. 8. If the login window “shakes” when authenticating, confirm that you have gone through the verify setting section above and validate the password. Also, try a different Active Directory user account. 9. If you receive a warning about not finding your home directory, open Directory Utility and look at the settings for your Active Directory configuration. If you have not selected “Force local home directory on startup disk,” there is an issue mounting your network home directory. For this module, make sure the “Force local home directory on startup disk” option is selected.

6.1 Security Resources

Security Configuration Guides The Apple website offers a section dedicated to the security of Apple products. The Apple Product Security page can be found at http://www.apple.com/ support/security, with a link to the security configuration guides at http://www.apple.com/support/security/guides. Apple has posted the security configuration guides to aid administrators of OS X and OS X Server for v10.3, v10.4, v10.5, and v10.6. Guides include checklists, scripts, and in-depth analysis on the security architecture and components. The security configuration guides provide best practices and are the byproduct of collaborative review and vetting with the National Security Agency. These guides can also be found at: http://www.nsa.gov/ia/guidance/security_configuration_guides/ operating_systems.shtml#AppleMac

Security Updates Each Apple security update is posted on the Apple Support website at http://support.apple.com/kb/HT1222. Click the link for each update to view a description and corresponding CVE IDs referencing any vulnerabilities patched with each update.

OS X Lion can restrict access to applications using Managed Preferences by whitelisting applications that have been signed or directories that contain applications (or both). In this module, we will do so using the Workgroup Manager, although this can also be achieved with Profile Manager (as outlined in Module 5.4.1.2). For the purposes of this example, we recommend using Workgroup Manager on a client computer that has all of the applications installed that a normal user would have. The restrictions can be configured for a local (non-administrative) account or for an account in a valid Open Directory domain.

To use Workgroup Manager to limit users to opening only specifically allowed applications: 1. Open Workgroup Manager from /Applications/Server. 2. Click the test user account.

Figure 6.2_1

Figure 6.2_2 4. Click the icon for Applications in the list of Managed Preferences. 5. Click the Applications button. 6. Change the Manage option to Always. 7. The “Restrict which applications are allowed to launch” checkbox is already selected. Use the Add (+) button to add applications to the list of allowed applications. 8. Add each application that a user should be allowed access to. Note: You can select multiple applications concurrently by holding down the command key when clicking them. In the following example, the user will be logged into a web kiosk workstation and will only be allowed to access the Safari application.

Figure 6.2_3

© 2011 Apple Inc. 318 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 9. Once Managed Preferences are configured appropriately, click the Apply Now button. 10. Log in as the test user and verify that Managed Preferences are applied correctly. 11. To further restrict applications to specific folders, click the Folders button. 12. Navigate to and select each directory that users should be able to access. 13. Assuming the users are not administrators of the local computers, they will only be able to open applications that are in the directories you have included in the list. Click Apply to commit these changes to the directory service. Note: To restrict access to a specific software title, run Workgroup Manager on a system that has that application installed. Workgroup Manager can be copied to a USB drive and run from the drive to facilitate managing preferences from client systems.

A variety of password policies are available to clients running in an Open Directory environment. These should conform to the requirements set forth by your organization’s security policy. In this example, configure Open Directory password policies globally and then specifically for the user Jimmy Foster. You can use a different account for testing if you choose to do so.

To set up Open Directory password policies for a user: 1. Open Server Admin. 2. Click Open Directory in the Servers list.

Figure 6.3_1 3. Click Settings for the Open Directory service in the Server Admin toolbar.

Figure 6.3_2

© 2011 Apple Inc. 320 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4. Click the Policies button. Configure the global password policies for the Open Directory Service. These policies are used to control login for accounts and set controls on passwords for all users in the directory service.

Figure 6.3_3 5. Once satisfied with the password policies, click Binding. These options only apply to Mac computers using Open Directory, such as clients in a dual directory scenario.

Figure 6.3_4 6. Once satisfied with the password policies, click the Authentication button.

© 2011 Apple Inc. 321 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 7. Choose the hash method(s) to store passwords on the OS X Lion Server that hosts the Open Directory environment.

Figure 6.3_5 8. To add other settings for specific users, open Workgroup Manager and authenticate to Open Directory. 9. Click the user in question (or select multiple users). 10. Click the Advanced button. 11. Click the Options button in the password section (located below the User Password Type menu).

Figure 6.3_6

12. Configure more granular settings for each user (or users). This includes controlling when to disable accounts and when to require users to change passwords.

Figure 6.3_7 13. Once finished managing these settings, click OK. Note: When using Active Directory, the AD password policies are respected by OS X Lion. Clients are notified of expiring passwords and users can change their passwords in OS X Lion.

AirDrop is the Apple implementation of the Wi-Fi Direct protocol. AirDrop enables users to find other nearby users (via Bonjour, Apple’s multicast DNS implementation) and transfer files directly to other client computers.

To activate AirDrop on a supported Mac: 1. Click the AirDrop icon in the Finder sidebar. 2. If a nearby colleague wishes to exchange files, they click the AirDrop icon in their Finder sidebar. You will now see one another’s machines listed in the AirDrop window. 3. To transfer a file, drag and drop the file on the other person’s AirDrop icon. They will be prompted to accept the file. Transfer progress is indicated by the colored circle in their icon. 4. To deactivate AirDrop, simply close that Finder window, or click on another sidebar item. The intentional nature of activating AirDrop, coupled with the “accept” dialog, provides a strong measure of security and prevention from hijacking. Additional deliberate steps are required to accept transfers.

© 2011 Apple Inc. 486 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 8.6.1 Deactivating AirDrop While AirDrop is a great feature for many environments, some organizations may wish to deactivate the AirDrop feature in OS X Lion to meet their information assurance guidelines. To deactivate AirDrop, enter the following command in Terminal. sudo defaults write /Library/Preferences/ com.apple.NetworkBrowser DisableAirDrop -bool YES To reenable AirDrop, simply send the same command with a boolean payload of NO: sudo defaults write /Library/Preferences/ com.apple.NetworkBrowser DisableAirDrop -bool NO To see AirDrop disappear, either restart the system or restart the Finder by running the following command. sudo killall Finder Default domains can be changed using Mobile Configuration (.mobileconfig) files. Environments running OS X Lion Server or a third-party Mobile Device Management (MDM) solution can use the Custom Settings feature to assign a value to the com.apple.NetworkBrowser defaults domain.

To use the Custom Setting feature, follow these steps: 1. Open the Server application from an OS X Lion Server. 2. Click the Profile Manager service. 3. Click Open Profile Manager. 4. Authenticate when prompted.

Figure 8.6.1_1

Figure 8.6.1_2 6. Click Edit.

Figure 8.6.1_3 7. Click Custom Settings. 8. Enter com.apple.NetworkBrowser into the Preference Domain field. 9. Rename the initial key DisableAirDrop. 10. Choose Boolean from the Type menu.

Figure 8.6.1_4 12. Click OK. 13. Send the profile to the Mac running OS X Lion. Restart the Mac, and verify that the key is enforced.