POLICY GUIDE

Manage Your Mac with Active Directory Group Policies

How to secure Mac OS X systems with your Active Directory infrastructure

WWW.CENTRIFY.COM Manage your Mac with Active Directory Group Policies

Contents

Overview

Active Directory Policy List

Conclusion

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

RightScale is a registered trademark of RightScale, Inc.; ServerTemplates and RightScripts are trademarks of RightScale, Inc.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Front cover photo: Stefano Tinti / Shutterstock.com

2 ©2015 CENTRIFY CORPORATION ALL RIGHTS RESERVED WWW.CENTRIFY.COM POLICY GUIDE

Overview

With Centrify Identity Service Mac Edition (“Centrify for Mac”), you can use Active Directory to centrally manage authentication, policy enforcement, single sign-on (SSO) and user self-service for popular endpoint devices running Mac OS X, iOS and Android. By leveraging your existing identity infrastructure, processes and trained IT staff, you can reduce costs and improve operational efficiency. The following Group Policies are a representative list of what is available to manage Mac OS X systems as of the Centrify for Mac product release that came out in February 2015.

Active Directory-based Group Policy enforcement of centrally defined security policies enables IT to meet compliance requirements. Policies are enforced using a combination of approaches: updating plist files and standard config files, enforcing MCX settings and even creating profiles for local enforcement. Additionally, the Centrify Identity Service can enforce several security policies and configure access to company resources through delivery of profiles to remote Mac OS X and mobile devices, empowering IT to embrace “bring-your-own-device” initiatives. Centrify provides a complete set of policy and configuration settings to enable Windows-centric admin staff to manage all aspects of the Mac as well as mobile devices, leveraging the processes and skills of a familiar infrastructure, Group Policy.

Active Directory Policy List

Mac On-Prem Policies → Centrify Computer Policies → 802.1x Settings

• Enable Machine Ethernet Profile

• Enable Machine Wi-Fi Profile

• Enable User Ethernet Profile

• Enable User Wi-Fi Profile

• Specify Login Window Profiles

• Specify System Profile

Mac On-Prem Policies → Centrify Computer Policies → Accounts

• Map zone groups to local admin group

• Map zone groups to local group

• Set login window settings

Mac On-Prem Policies → Centrify Computer Policies → App Store Settings

• Prohibit access to App Store

Mac On-Prem Policies → Centrify Computer Policies → Custom Settings

• Enable profile custom settings

• Install MobileConfig Profiles

Mac On-Prem Policies → Centrify Computer Policies → Energy Saver → On AC Power

• Allow power button to sleep the computer

• Enable Power Nap while plugged into a power adapter

• Put the hard disk(s) to sleep when possible

• Restart automatically after a power failure

• Set computer sleep time

• Set display sleep time

• Wake for Ethernet network administrator access

• Wake when the modem detects a ring

Mac On-Prem Policies → Centrify Computer Policies → Energy Saver → On Battery

• Allow power button to sleep the computer

• Enable Power Nap while on battery power

• Put the hard disk(s) to sleep when possible

• Restart automatically after a power failure

• Set computer sleep time

• Set display sleep time

• Slightly dim the display while on battery power

• Wake for Ethernet network administrator access

• Wake when the modem detects a ring

Mac On-Prem Policies → Centrify Computer Policies → Energy Saver → Scheduled Events

• Set machine sleep/shutdown time

• Set machine startup time

Mac On-Prem Policies → Centrify Computer Policies → Firewall

• Block UDP traffic

• Enable firewall

• Enable firewall logging

• Enable iChat

• Enable iPhoto sharing

• Enable iTunes sharing

• Enable network time

• Enable stealth mode

Mac On-Prem Policies → Centrify Computer Policies → Internet Sharing

• Disallow all Internet sharing

Mac On-Prem Policies → Centrify Computer Policies → Network

• Adjust multicast DNS timeout for .local domain

Mac On-Prem Policies → Centrify Computer Policies → Network → Legacy Location Settings

• Adjust list of DNS servers

• Adjust list of searched domains

Mac On-Prem Policies → Centrify Computer Policies → Network → Legacy Location Settings → Configure Proxies

• Bypass proxy settings for these hosts & domains

• Exclude simple hostnames

• Use passive FTP mode (PASV)

Mac On-Prem Policies → Centrify Computer Policies → Network → Legacy Location Settings → Configure Proxies → Enable Proxies

• Configure proxies using a PAC file

• Enable auto proxy discovery

• Enable FTP proxy

• Enable Gopher proxy

• Enable secure Web proxy (HTTPS)

• Enable SOCKS proxy

• Enable streaming proxy (RTSP)

• Enable Web proxy (HTTP)

Mac On-Prem Policies → Centrify Computer Policies → Network → Location 1

• Adjust list of DNS servers

• Adjust list of searched domains

• Enable network location

Mac On-Prem Policies → Centrify Computer Policies → Network → Location 1 → Configure Proxies

• Bypass proxy settings for these hosts & domains

• Exclude simple hostnames

• Use passive FTP mode (PASV)

Mac On-Prem Policies → Centrify Computer Policies → Network → Location 1 → Configure Proxies → Enable Proxies

• Configure proxies using a PAC file

• Enable auto proxy discovery

• Enable FTP proxy

• Enable Gopher proxy

• Enable secure Web proxy (HTTPS)

• Enable SOCKS proxy

• Enable streaming proxy (RTSP)

• Enable Web proxy (HTTP)

Mac On-Prem Policies → Centrify Computer Policies → Network → Location 2

• Adjust list of DNS servers

• Adjust list of searched domains

• Enable network location

Mac On-Prem Policies → Centrify Computer Policies → Network → Location 2 → Configure Proxies

• Bypass proxy settings for these hosts & domains

• Exclude simple hostnames

• Use passive FTP mode (PASV)

Mac On-Prem Policies → Centrify Computer Policies → Network → Location 2 → Configure Proxies → Enable Proxies

• Configure proxies using a PAC file

• Enable auto proxy discovery

• Enable FTP proxy

• Enable Gopher proxy

• Enable secure Web proxy (HTTPS)

• Enable SOCKS proxy

• Enable streaming proxy (RTSP)

• Enable Web proxy (HTTP)

Mac On-Prem Policies → Centrify Computer Policies → Remote Management

• Enable administrator access group

Mac On-Prem Policies → Centrify Computer Policies → Scripts (Login / Logout)

• Specify multiple login scripts

Mac On-Prem Policies → Centrify Computer Policies → Security and Privacy

• Certificate validation method

• Disable automatic login

• Disable Location Services

• Enable Gatekeeper

• Enable smart card support

• Log out after number of minutes of inactivity

• Require password to unlock each secure system preference

• Require smart card login

• Use secure virtual memory

Mac On-Prem Policies → Centrify Computer Policies → Security and Privacy → FileVault 2

• Disable automatic login

• Enable FileVault 2

Mac On-Prem Policies → Centrify Computer Policies → Security and Privacy → Public Key Policies

• Do not allow private key to be extractable

• Store private and public key in only

Mac On-Prem Policies → Centrify Computer Policies → Services

• Enable Apple Remote Desktop

• Enable FTP access

• Enable personal file sharing

• Enable personal Web sharing

• Enable printer sharing

• Enable remote Apple events

• Enable remote login

• Enable Windows sharing

• Enable

Mac On-Prem Policies → Centrify Computer Policies → Software Update Settings

• Automatically check for software updates

Mac On-Prem Policies → Centrify Computer Policies → Software Update Settings → SW update Server Settings

• Use version specific settings

Mac OS X 10.5 Settings → Specify software update server

Mac OS X 10.6 Settings → Specify software update server

Mac OS X 10.7 Settings → Specify software update server

Mac OS X 10.8 Settings → Specify software update server

Mac OS X 10.9 Settings → Specify software update server

Mac OS X 10.10 Settings → Specify software update server

Centrify Mac On-Prem Policies → Centrify User Policies → 802.1x Settings

• Specify User Profiles

Centrify Mac On-Prem Policies → Centrify User Policies → Application Access Settings

• Permit/prohibit access to application list: AppleScript

• Permit/prohibit access to application list: Applications

• Permit/prohibit access to application list: Server

• Permit/prohibit access to application list: Utilities

• Permit/prohibit access to applications

• Permit/prohibit access to the user-specific applications

Centrify Mac On-Prem Policies → Centrify User Policies → Automount Settings

• Automount network shares

• Automount user’s Windows home

• Create instead of symbolic link (for agent 5.2.2 and below)

Centrify Mac On-Prem Policies → Centrify User Policies → Desktop Settings

• Set computer idle time for starting screen saver

Centrify Mac On-Prem Policies → Centrify User Policies → Dock Settings

• Add other folders to Dock

• Adjust the Dock’s icon size

• Adjust the Dock’s magnified icon size

• Adjust the Dock’s position on the screen

• Adjust the effect shown when minimizing the Dock

• Animate opening applications

• Automatically hide and show the Dock

• Lock the Dock

• Merge with user’s Dock

• Place Applications in Dock

• Place Documents and Folders in Dock

Centrify Mac On-Prem Policies → Centrify User Policies → Settings

• Configure Finder commands

• Configure Finder preferences

• Configure Finder views

Centrify Mac On-Prem Policies → Centrify User Policies → Folder Redirection → Actions at Login time

• Delete path

• Delete symbolic link, and restore

• Delete, and create symbolic link

• Rename, and create symbolic link

Centrify Mac On-Prem Policies → Centrify User Policies → Folder Redirection → Actions at Logout time

• Delete path

• Delete symbolic link, and restore

• Delete, and create symbolic link

• Rename, and create symbolic link

Centrify Mac On-Prem Policies → Centrify User Policies → Import Settings

• Import MCX setting plist files

• Import plist files

Centrify Mac On-Prem Policies → Centrify User Policies → Login Settings

• Enable Login times

Centrify Mac On-Prem Policies → Centrify User Policies → Media Access Settings

• Eject all removable media at logout

• Permit/prohibit access: CDs & CD-ROMs

• Permit/prohibit access: DVDs

• Permit/prohibit access: External Disks

• Permit/prohibit access: Internal Disks

• Permit/prohibit access: Recordable Discs

Centrify Mac On-Prem Policies → Centrify User Policies → Custom Settings

• Install MobileConfig Profiles

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings

• Use version specific settings

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings

• Enable/disable synchronization

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Background Sync

• Adjust list of items synchronized in the background

• Enable/disable background synchronization rules

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Background Sync → Skip these items

• Skip items that end with

• Skip items that start with

• Skip items whose full path is

• Skip items whose name contains

• Skip items whose name is

• Skip items whose partial path matches

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Login & Logout Sync

• Adjust list of items synchronized at login and logout

• Enable/disable login & logout synchronization rules

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Login & Logout Sync → Skip these items

• Skip items that end with

• Skip items that start with

• Skip items whose full path is

• Skip items whose name contains

• Skip items whose name is

• Skip items whose partial path matches

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Options

• Manually/automatically synchronize background folders

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 /6 /7 /8 or above Settings

• Configure mobile account creation

• Configure mobile account options

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 /6 /7 /8 or above Settings → Account Expiry

• Delete mobile accounts automatically

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Background Sync

• Enable background sync rules

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Background Sync → Skip items

• Skip items that end with

• Skip items that start with

• Skip items whose full path matches

• Skip items whose name contains

• Skip items whose name is

• Skip items whose partial path matches

• Skip items whose RegEx name is

• Skip items whose RegEx path is

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Background Sync → Synchronize items

• Sync in the background

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Login & Logout Sync

• Enable login & logout sync rules

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Login & Logout Sync → Skip items

• Skip items that end with

• Skip items that start with

• Skip items whose full path matches

• Skip items whose name contains

• Skip items whose name is

• Skip items whose partial path matches

• Skip items whose RegEx name is

• Skip items whose RegEx path is

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Login & Logout Sync → Synchronize items

• Sync at login and logout

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Options

• Manually/automatically sync in the background

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Home Sync

• Enable home sync rules

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Home Sync → Skip Items

• Skip items that end with

• Skip items that start with

• Skip items whose full path matches

• Skip items whose name contains

• Skip items whose name is

• Skip items whose partial path matches

• Skip items whose RegEx name is

• Skip items whose RegEx path is

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Home Sync → Synchronize items

• Synchronize home sync items

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Options

• Manually/automatically sync in the background

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Preference Sync

• Enable preference sync rules

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Preference Sync → Skip Items

• Skip items that end with

• Skip items that start with

• Skip items whose full path matches

• Skip items whose name contains

• Skip items whose name is

• Skip items whose partial path matches

• Skip items whose RegEx name is

• Skip items whose RegEx path is

Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 /9 → Settings → Synchronization Rules → Preference Sync → Synchronize Items

• Synchronize preference sync items

Centrify Mac On-Prem Policies → Centrify User Policies → Printing Settings

• Specify printer list

• Specify printer list (with Model)

Centrify Mac On-Prem Policies → Centrify User Policies → Scripts (Login/Logout)

• Specify login script

• Specify logout script

• Specify multiple login scripts

Centrify Mac On-Prem Policies → Centrify User Policies → Security & Privacy

• Allow DoD Encryption Wizard to use smart card

• Allow NSSDB based applications to use smart card

• Disable Dictation

• Lock Smart Card screen

• NSSDB based applications allowed to use smart card

• Prohibit authentication with expired password

• Require password to wake this computer from sleep or screen saver

Centrify Mac On-Prem Policies → Centrify User Policies → Security & Privacy → Public Key Policies

• Do not allow private key to be extractable

Centrify Mac On-Prem Policies → Centrify User Policies → Settings

• Use version specific settings

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings

• Limit items shown in System Preferences

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Hardware

• Enable Bluetooth

• Enable CDs & DVDs

• Enable Displays

• Enable Energy Saver

• Enable Ink

• Enable Keyboard & Mouse (Keyboard)

• Enable Mouse

• Enable Print & FAX

• Enable Sound

• Enable Trackpad

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Internet & Network

• Enable Fibre Channel

• Enable MobileMe

• Enable Network

• Enable QuickTime

• Enable Sharing

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Other Preferences Panes

• Enable other preferences panes

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Personal

• Enable Appearance

• Enable Dashboard & Exposé

• Enable Desktop & Screen Saver

• Enable Dock

• Enable International (Language & Text)

• Enable Security

• Enable

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: System

• Enable Accounts

• Enable Classic

• Enable Date & Time

• Enable Parental Controls

• Enable Software Update

• Enable Speech

• Enable Startup Disk

• Enable Time Machine

• Enable Universal Access

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Mac OS X 10.5/6/7/8/9 /10 Settings

• Limit items shown in System Preferences

Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Mac OS X 10.5/6/7/8/9 /10 Settings → Enable System Preferences Panes

• Enable built-in System Preferences panes

• Enable other System Preferences panes

Centrify Mac On-Prem Policies → Centrify User Policies → Adclient Settings (Mac)

• Auto Zone remote file service (Mac OS X)

• Enable Auto Zone user home directory (Mac OS X)

• Generate new uid/gid using Apple scheme in Auto Zone

• Map /home to /Users (Mac OS X)

• Set user’s primary gid in Auto Zone

Centrify Mac On-Prem Policies → Centrify User Policies → Computer Configuration → Administrative Templates → System → Group Policy

• Turn off background refresh of Group Policy

• Group Policy refresh interval for computers

• User Group Policy loopback processing mode

Centrify Mac On-Prem Policies → Centrify User Policies → Computer Configuration → Administrative Templates → System → Windows Time Service → Time Providers

• Global Configuration Settings - MaxPollinterval

• Enable Windows NTP Client

Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Local Policies → Security Options

• Interactive logon: Prompt user to change password before expiration

Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Account Policies → Password Policy

• Enforce password history

• Maximum password age

• Minimum password age

• Minimum password length

• Password must meet complexity requirements

• Store passwords using reversible encryption

Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy

• Account lockout duration

• Account lockout threshold

• Reset account lockout counter after

Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Account Policies → Kerberos Policy

• Enforce user logon restrictions

• Maximum lifetime for service ticket

• Maximum lifetime for user ticket

• Maximum lifetime for user ticket renewal

• Maximum tolerance for computer clock synchronization

Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Public Key Policies

• Certificate Services Client - Auto-Enrollment Settings

• Trusted Root Certification Authorities

Centrify Mac On-Prem Policies → Centrify User Policies → User Configuration → Administrative Template → System → Group Policy

• Group Policy refresh interval for users

Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Public Key Policy

• Certificate Services Client - Auto-Enrollment Settings

Centrify Cloud Management Settings → Common Mobile Settings

• Wi-Fi Settings

Centrify Cloud Management Settings → Common Mobile Settings → Passcode Settings

• Auto-Lock (minutes)

• Grace period for device lock

• Maximum number of failed attempts

• Maximum passcode age (days)

• Minimum number of complex characters

• Minimum passcode length

• Passcode history

• Permit simple value

• Require alphanumeric value

• Require passcode on device

Centrify Cloud Management Settings → Common Mobile Settings → OS X and iOS Settings

• Settings

Settings

• LDAP Settings

• Mail Settings

• Security and privacy settings

• VPN Settings

Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings

• Custom settings

• Open application when user logs in

• Open authenticated network mounts when user logs in

• Open files, folders and items when user logs in

• Open network mounts when user logs in

• Permit shift key to skip opening items when user logs in

• Security and privacy settings

Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings

• Restrict applications

• Restrict preferences

Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings → Applications

• Allow folders

• Disallow folders

Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings → Media

• Allow access to AirDrop

• Allow access to CDs & CD-ROMs

• Allow access to disk images

• Allow access to DVD-RAM

• Allow access to DVDs

• Allow access to external disks

• Allow access to internal disks

• Allow access to Recordable Discs

• Eject all removable media at logout

Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings → Preferences

• Allow built-in System Preferences

• Allow other System Preferences

Conclusion

Centrify Identity Service Mac Edition enables Active Directory-based authentication and access control for Mac OS X systems, providing the industry’s most comprehensive set of policy-based controls for configuring and securing Mac systems, whether they are managed locally on-premises or remotely via the Centrify Identity Service. By leveraging your existing identity infrastructure, processes and trained IT staff, you can reduce costs and improve operational efficiency.

• Comprehensive Group Policy-based management automates computer and user configuration and policy enforcement.

• Automated certificate management provides strong authentication to wired and wireless networks.

• Automated FileVault 2 configuration protects data at rest through full-disk encryption supporting institution recovery.

• Comprehensive enterprise system configuration controls: services, firewall, Internet sharing, network configuration for DNS and proxies, login scripts, and automount configuration to simplify user access to network shares

• Robust classroom configuration and policy enforcement: desktop lockdown with controls for Finder, storage media, preferences and applications; network home directories on AFP, SMB or NFS shares; seamless enterprise access to file servers, printers and applications

• Centrify Cloud Service extends management to updating security policies as well as locking or wiping Macs and mobile devices

• Use familiar Windows tools such as Group Policy to centrally manage access to services and enforce security policies

• Mac OS X systems transparently connect to network file shares hosted on Microsoft Distributed File System (DFS) volumes

• Instead of configuring endpoint devices one by one, you can centrally enforce the industry’s broadest set of policies across workstations, laptops and mobile devices

• Non-intrusive solution deploys without installing software on domain controllers or requiring any changes to the Active Directory schema

• Automate device configuration for remote access, including Wi-Fi and VPN access

• PKI auto-issuance and auto-renewal

• Enable authorized user accounts to unlock and access encrypted disks through Apple’s FileVault 2 Full Disk Encryption

• Inventory devices and applications across your entire enterprise, organized by user, group or device, to easily track and enforce the status of both company-owned and user-owned devices

Centrify provides unified identity management across data center, cloud and mobile environments that result in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization’s existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and enterprise mobility management.

SANTA CLARA, CALIFORNIA +1 (669) 444-5200

EMEA +44 (0) 1344 317950

ASIA PACIFIC +61 1300 795 789

BRAZIL +55 11-3958 4876

LATIN AMERICA +1 305 900 5354

EMAIL [email protected]

WEB www.centrify.com

© 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. WWW.CENTRIFY.COM +1 (669) 444-5200