POLICY GUIDE
Manage Your Mac with Active Directory Group Policies
How to secure Mac OS X systems with your Active Directory infrastructure
Contents
Overview
Active Directory Policy List
Conclusion
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
RightScale is a registered trademark of RightScale, Inc.; ServerTemplates and RightScripts are trademarks of RightScale, Inc.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Front cover photo: Stefano Tinti / Shutterstock.com
©2015 CENTRIFY CORPORATION ALL RIGHTS RESERVED WWW.CENTRIFY.COM
Overview
With Centrify Identity Service Mac Edition (“Centrify for Mac”), you can use Active Directory to centrally manage authentication, policy enforcement, single sign-on (SSO) and user self-service for popular endpoint devices running Mac OS X, iOS and Android. By leveraging your existing identity infrastructure, processes and trained IT staff, you can reduce costs and improve operational efficiency. The following Group Policies are a representative list of what is available to manage Mac OS X systems as of the Centrify for Mac product release that came out in February 2015.
Active Directory-based Group Policy enforcement of centrally defined security policies enables IT to meet compliance requirements. Policies are enforced using a combination of approaches to update plist files and standard config files, to enforce MCX settings and even to create profiles for local enforcement. Additionally, the Centrify Identity Service can enforce several security policies and configure access to company resources through delivery of profiles to remote Mac OS X and mobile devices, empowering IT to embrace “bring-your-own-device” initiatives. Centrify provides a complete set of policy and configuration settings to enable Windows-centric admin staff to manage all aspects of the Mac as well as mobile devices leveraging the processes and skills of a familiar infrastructure, Group Policy.
Active Directory Policy List
Mac On-Prem Policies → Centrify Computer Policies → 802.1x Settings
• Enable Machine Ethernet Profile
• Enable Machine Wi-Fi Profile
• Enable User Ethernet Profile
• Enable User Wi-Fi Profile
• Specify Login Window Profiles
• Specify System Profile
Mac On-Prem Policies → Centrify Computer Policies → Accounts
• Map zone groups to local admin group
• Map zone groups to local group
• Set login window settings
Mac On-Prem Policies → Centrify Computer Policies → App Store Settings
• Prohibit access to App Store
Mac On-Prem Policies → Centrify Computer Policies → Custom Settings
• Enable profile custom settings
• Install MobileConfig Profiles
Mac On-Prem Policies → Centrify Computer Policies → Energy Saver → On AC Power
• Allow power button to sleep the computer
• Enable Power Nap while plugged into a power adapter
• Put the hard disk(s) to sleep when possible
• Restart automatically after a power failure
• Set computer sleep time
• Set display sleep time
• Wake for Ethernet network administrator access
• Wake when the modem detects a ring
Mac On-Prem Policies → Centrify Computer Policies → Energy Saver → On Battery
• Allow power button to sleep the computer
• Enable Power Nap while on battery power
• Put the hard disk(s) to sleep when possible
• Restart automatically after a power failure
• Set computer sleep time
• Set display sleep time
• Slightly dim the display while on battery power
• Wake for Ethernet network administrator access
• Wake when the modem detects a ring
Mac On-Prem Policies → Centrify Computer Policies → Energy Saver → Scheduled Events
• Set machine sleep/shutdown time
• Set machine startup time
Mac On-Prem Policies → Centrify Computer Policies → Firewall
• Block UDP traffic
• Enable firewall
• Enable firewall logging
• Enable iChat
• Enable iPhoto sharing
• Enable iTunes music sharing
• Enable network time
• Enable stealth mode
Mac On-Prem Policies → Centrify Computer Policies → Internet Sharing
• Disallow all Internet sharing
Mac On-Prem Policies → Centrify Computer Policies → Network
• Adjust multicast DNS timeout for .local domain
Mac On-Prem Policies → Centrify Computer Policies → Network → Legacy Location Settings
• Adjust list of DNS servers
• Adjust list of searched domains
Mac On-Prem Policies → Centrify Computer Policies → Network → Legacy Location Settings → Configure Proxies
• Bypass proxy settings for these hosts & domains
• Exclude simple hostnames
• Use passive FTP mode (PASV)
Mac On-Prem Policies → Centrify Computer Policies → Network → Legacy Location Settings → Configure Proxies → Enable Proxies
• Configure proxies using a PAC file
• Enable auto proxy discovery
• Enable FTP proxy
• Enable Gopher proxy
• Enable secure Web proxy (HTTPS)
• Enable SOCKS proxy
• Enable streaming proxy (RTSP)
• Enable Web proxy (HTTP)
Mac On-Prem Policies → Centrify Computer Policies → Network → Location 1
• Adjust list of DNS servers
• Adjust list of searched domains
• Enable network location
Mac On-Prem Policies → Centrify Computer Policies → Network → Location 1 → Configure Proxies
• Bypass proxy settings for these hosts & domains
• Exclude simple hostnames
• Use passive FTP mode (PASV)
Mac On-Prem Policies → Centrify Computer Policies → Network → Location 1 → Configure Proxies → Enable Proxies
• Configure proxies using a PAC file
• Enable auto proxy discovery
• Enable FTP proxy
• Enable Gopher proxy
• Enable secure Web proxy (HTTPS)
• Enable SOCKS proxy
• Enable streaming proxy (RTSP)
• Enable Web proxy (HTTP)
Mac On-Prem Policies → Centrify Computer Policies → Network → Location 2
• Adjust list of DNS servers
• Adjust list of searched domains
• Enable network location
Mac On-Prem Policies → Centrify Computer Policies → Network → Location 2 → Configure Proxies
• Bypass proxy settings for these hosts & domains
• Exclude simple hostnames
• Use passive FTP mode (PASV)
Mac On-Prem Policies → Centrify Computer Policies → Network → Location 2 → Configure Proxies → Enable Proxies
• Configure proxies using a PAC file
• Enable auto proxy discovery
• Enable FTP proxy
• Enable Gopher proxy
• Enable secure Web proxy (HTTPS)
• Enable SOCKS proxy
• Enable streaming proxy (RTSP)
• Enable Web proxy (HTTP)
Mac On-Prem Policies → Centrify Computer Policies → Remote Management
• Enable administrator access group
Mac On-Prem Policies → Centrify Computer Policies → Scripts (Login / Logout)
• Specify multiple login scripts
Mac On-Prem Policies → Centrify Computer Policies → Security and Privacy
• Certificate validation method
• Disable automatic login
• Disable Location Services
• Enable Gatekeeper
• Enable smart card support
• Log out after number of minutes of inactivity
• Require password to unlock each secure system preference
• Require smart card login
• Use secure virtual memory
Mac On-Prem Policies → Centrify Computer Policies → Security and Privacy → FileVault 2
• Disable automatic login
• Enable FileVault 2
Mac On-Prem Policies → Centrify Computer Policies → Security and Privacy → Public Key Policies
• Do not allow private key to be extractable
• Store private and public key in Keychain only
Mac On-Prem Policies → Centrify Computer Policies → Services
• Enable Apple Remote Desktop
• Enable FTP access
• Enable personal file sharing
• Enable personal Web sharing
• Enable printer sharing
• Enable remote Apple events
• Enable remote login
• Enable Windows sharing
• Enable Xgrid
Mac On-Prem Policies → Centrify Computer Policies → Software Update Settings
• Automatically check for software updates
Mac On-Prem Policies → Centrify Computer Policies → Software Update Settings → SW update Server Settings
• Use version specific settings
Mac OS X 10.5 Settings → Specify software update server
Mac OS X 10.6 Settings → Specify software update server
Mac OS X 10.7 Settings → Specify software update server
Mac OS X 10.8 Settings → Specify software update server
Mac OS X 10.9 Settings → Specify software update server
Mac OS X 10.10 Settings → Specify software update server
Centrify Mac On-Prem Policies → Centrify User Policies → 802.1x Settings
• Specify User Profiles
Centrify Mac On-Prem Policies → Centrify User Policies → Application Access Settings
• Permit/prohibit access to application list: AppleScript
• Permit/prohibit access to application list: Applications
• Permit/prohibit access to application list: Server
• Permit/prohibit access to application list: Utilities
• Permit/prohibit access to applications
• Permit/prohibit access to the user-specific applications
Centrify Mac On-Prem Policies → Centrify User Policies → Automount Settings
• Automount network shares
• Automount user’s Windows home
• Create alias instead of symbolic link (for agent 5.2.2 and below)
Centrify Mac On-Prem Policies → Centrify User Policies → Desktop Settings
• Set computer idle time for starting screen saver
Centrify Mac On-Prem Policies → Centrify User Policies → Dock Settings
• Add other folders to Dock
• Adjust the Dock’s icon size
• Adjust the Dock’s magnified icon size
• Adjust the Dock’s position on the screen
• Adjust the effect shown when minimizing the Dock
• Animate opening applications
• Automatically hide and show the Dock
• Lock the Dock
• Merge with user’s Dock
• Place Applications in Dock
• Place Documents and Folders in Dock
Centrify Mac On-Prem Policies → Centrify User Policies → Finder Settings
• Configure Finder commands
• Configure Finder preferences
• Configure Finder views
Centrify Mac On-Prem Policies → Centrify User Policies → Folder Redirection → Actions at Login time
• Delete path
• Delete symbolic link, and restore
• Delete, and create symbolic link
• Rename, and create symbolic link
Centrify Mac On-Prem Policies → Centrify User Policies → Folder Redirection → Actions at Logout time
• Delete path
• Delete symbolic link, and restore
• Delete, and create symbolic link
• Rename, and create symbolic link
Centrify Mac On-Prem Policies → Centrify User Policies → Import Settings
• Import MCX setting plist files
• Import plist files
Centrify Mac On-Prem Policies → Centrify User Policies → Login Settings
• Enable Login times
Centrify Mac On-Prem Policies → Centrify User Policies → Media Access Settings
• Eject all removable media at logout
• Permit/prohibit access: CDs & CD-ROMs
• Permit/prohibit access: DVDs
• Permit/prohibit access: External Disks
• Permit/prohibit access: Internal Disks
• Permit/prohibit access: Recordable Discs
Centrify Mac On-Prem Policies → Centrify User Policies → Custom Settings
• Install MobileConfig Profiles
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings
• Use version specific settings
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings
• Enable/disable synchronization
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Background Sync
• Adjust list of items synchronized in the background
• Enable/disable background synchronization rules
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Background Sync → Skip these items
• Skip items that end with
• Skip items that start with
• Skip items whose full path is
• Skip items whose name contains
• Skip items whose name is
• Skip items whose partial path matches
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Login & Logout Sync
• Adjust list of items synchronized at login and logout
• Enable/disable login & logout synchronization rules
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Login & Logout Sync → Skip these items
• Skip items that end with
• Skip items that start with
• Skip items whose full path is
• Skip items whose name contains
• Skip items whose name is
• Skip items whose partial path matches
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Legacy Settings → Synchronization Rules: Options
• Manually/automatically synchronize background folders
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 /6 /7 /8 or above Settings
• Configure mobile account creation
• Configure mobile account options
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 /6 /7 /8 or above Settings → Account Expiry
• Delete mobile accounts automatically
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Background Sync
• Enable background sync rules
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Background Sync → Skip items
• Skip items that end with
• Skip items that start with
• Skip items whose full path matches
• Skip items whose name contains
• Skip items whose name is
• Skip items whose partial path matches
• Skip items whose RegEx name is
• Skip items whose RegEx path is
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Background Sync → Synchronize items
• Sync in the background
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Login & Logout Sync
• Enable login & logout sync rules
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Login & Logout Sync → Skip items
• Skip items that end with
• Skip items that start with
• Skip items whose full path matches
• Skip items whose name contains
• Skip items whose name is
• Skip items whose partial path matches
• Skip items whose RegEx name is
• Skip items whose RegEx path is
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Login & Logout Sync → Synchronize items
• Sync at login and logout
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.5 Settings → Synchronization Rules → Options
• Manually/automatically sync in the background
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Home Sync
• Enable home sync rules
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Home Sync → Skip Items
• Skip items that end with
• Skip items that start with
• Skip items whose full path matches
• Skip items whose name contains
• Skip items whose name is
• Skip items whose partial path matches
• Skip items whose RegEx name is
• Skip items whose RegEx path is
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Home Sync → Synchronize items
• Synchronize home sync items
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Options
• Manually/automatically sync in the background
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Preference Sync
• Enable preference sync rules
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 or above Settings → Synchronization Rules → Preference Sync → Skip Items
• Skip items that end with
• Skip items that start with
• Skip items whose full path matches
• Skip items whose name contains
• Skip items whose name is
• Skip items whose partial path matches
• Skip items whose RegEx name is
• Skip items whose RegEx path is
Centrify Mac On-Prem Policies → Centrify User Policies → Mobility Settings → Mac OS X 10.6 /7 /8 /9 → Settings → Synchronization Rules → Preference Sync → Synchronize Items
• Synchronize preference sync items
Centrify Mac On-Prem Policies → Centrify User Policies → Printing Settings
• Specify printer list
• Specify printer list (with Model)
Centrify Mac On-Prem Policies → Centrify User Policies → Scripts (Login/Logout)
• Specify login script
• Specify logout script
• Specify multiple login scripts
Centrify Mac On-Prem Policies → Centrify User Policies → Security & Privacy
• Allow DoD Encryption Wizard to use smart card
• Allow NSSDB based applications to use smart card
• Disable Dictation
• Lock Smart Card screen
• NSSDB based applications allowed to use smart card
• Prohibit authentication with expired password
• Require password to wake this computer from sleep or screen saver
Centrify Mac On-Prem Policies → Centrify User Policies → Security & Privacy → Public Key Policies
• Do not allow private key to be extractable
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings
• Use version specific settings
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings
• Limit items shown in System Preferences
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Hardware
• Enable Bluetooth
• Enable CDs & DVDs
• Enable Displays
• Enable Energy Saver
• Enable Ink
• Enable Keyboard & Mouse (Keyboard)
• Enable Mouse
• Enable Print & FAX
• Enable Sound
• Enable Trackpad
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Internet & Network
• Enable Fibre Channel
• Enable MobileMe
• Enable Network
• Enable QuickTime
• Enable Sharing
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Other Preferences Panes
• Enable other preferences panes
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: Personal
• Enable Appearance
• Enable Dashboard & Exposé
• Enable Desktop & Screen Saver
• Enable Dock
• Enable International (Language & Text)
• Enable Security
• Enable Spotlight
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Legacy Settings → Enable System Preferences Pane: System
• Enable Accounts
• Enable Classic
• Enable Date & Time
• Enable Parental Controls
• Enable Software Update
• Enable Speech
• Enable Startup Disk
• Enable Time Machine
• Enable Universal Access
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Mac OS X 10.5/6/7/8/9 /10 Settings
• Limit items shown in System Preferences
Centrify Mac On-Prem Policies → Centrify User Policies → System Preferences Settings → Mac OS X 10.5/6/7/8/9 /10 Settings → Enable System Preferences Panes
• Enable built-in System Preferences panes
• Enable other System Preferences panes
Centrify Mac On-Prem Policies → Centrify User Policies → Adclient Settings (Mac)
• Auto Zone remote file service (Mac OS X)
• Enable Auto Zone user home directory (Mac OS X)
• Generate new uid/gid using Apple scheme in Auto Zone
• Map /home to /Users (Mac OS X)
• Set user’s primary gid in Auto Zone
Centrify Mac On-Prem Policies → Centrify User Policies → Computer Configuration → Administrative Templates → System → Group Policy
• Turn off background refresh of Group Policy
• Group Policy refresh interval for computers
• User Group Policy loopback processing mode
Centrify Mac On-Prem Policies → Centrify User Policies → Computer Configuration → Administrative Templates → System → Windows Time Service → Time Providers
• Global Configuration Settings - MaxPollinterval
• Enable Windows NTP Client
Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Local Policies → Security Options
• Interactive logon: Prompt user to change password before expiration
Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Account Policies → Password Policy
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Store passwords using reversible encryption
Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after
Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Account Policies → Kerberos Policy
• Enforce user logon restrictions
• Maximum lifetime for service ticket
• Maximum lifetime for user ticket
• Maximum lifetime for user ticket renewal
• Maximum tolerance for computer clock synchronization
Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Public Key Policies
• Certificate Services Client - Auto-Enrollment Settings
• Trusted Root Certification Authorities
Centrify Mac On-Prem Policies → Centrify User Policies → User Configuration → Administrative Template → System → Group Policy
• Group Policy refresh interval for users
Centrify Mac On-Prem Policies → Centrify User Policies → Windows Settings → Security Settings → Public Key Policy
• Certificate Services Client - Auto-Enrollment Settings
Centrify Cloud Management Settings → Common Mobile Settings
• Wi-Fi Settings
Centrify Cloud Management Settings → Common Mobile Settings → Passcode Settings
• Auto-Lock (minutes)
• Grace period for device lock
• Maximum number of failed attempts
• Maximum passcode age (days)
• Minimum number of complex characters
• Minimum passcode length
• Passcode history
• Permit simple value
• Require alphanumeric value
• Require passcode on device
Centrify Cloud Management Settings → Common Mobile Settings → OS X and iOS Settings
• Calendar Settings
• Contacts Settings
• LDAP Settings
• Mail Settings
• Security and privacy settings
• VPN Settings
Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings
• Custom settings
• Open application when user logs in
• Open authenticated network mounts when user logs in
• Open files, folders and items when user logs in
• Open network mounts when user logs in
• Permit shift key to skip opening items when user log in
• Security and privacy settings
Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings
• Restrict applications
• Restrict preferences
Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings → Applications
• Allow folders
• Disallow folders
Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings → Media
• Allow access to AirDrop
• Allow access to CDs & CD-ROMs
• Allow access to disk images
• Allow access to DVD-RAM
• Allow access to DVDs
• Allow access to external disks
• Allow access to internal disks
• Allow access to Recordable Discs
• Eject all removable media at logout
Centrify Cloud Management Settings → Common Mobile Settings → OS X Settings → Restrictions Settings → Preferences
• Allow built-in System Preferences
• Allow other System Preferences
Conclusion
Centrify Identity Service Mac Edition enables Active Directory-based authentication and access control for Mac OS X systems, providing the industry’s most comprehensive set of policy-based controls for configuring and securing Mac systems, whether they are managed locally on-premises or remotely via the Centrify Identity Service. By leveraging your existing identity infrastructure, processes and trained IT staff, you can reduce costs and improve operational efficiency.
• Comprehensive Group Policy-based management automates computer and user configuration and policy enforcement.
• Automated certificate management provides strong authentication to wired and wireless networks.
• Automated FileVault 2 configuration protects data at rest through full-disk encryption supporting institution recovery.
• Comprehensive enterprise system configuration controls: Services; Firewall; Internet sharing; Network configuration for DNS, proxies; Login scripts; Automount configuration to simplify user access to network shares
• Robust classroom configuration and policy enforcement: Desktop lockdown with controls for Finder, storage media, preferences and applications; Network home directories on AFP, SMB or NFS shares; Seamless enterprise access to file servers, printers and applications
• Centrify Cloud Service extends management to update security policies as well as lock or wipe Macs and mobile devices
• Use familiar Windows tools such as Group Policy to centrally manage access to services and enforce security policies
• Mac OS X systems transparently connect to network file shares hosted on Microsoft Distributed File System (DFS) volumes
• Instead of configuring endpoint devices one by one, you can centrally enforce the industry’s broadest set of policies across workstations, laptops and mobile devices
• Non-intrusive solution deploys without installing software on domain controllers or requiring any changes to the Active Directory schema
• Automate device configuration for remote access, including Wi-Fi and VPN access
• PKI auto-issuance and auto-renewal
• Enable authorized user accounts to unlock and access encrypted disks through Apple’s FileVault 2 Full Disk Encryption
• Inventory devices and applications across your entire enterprise, organized by user, group or device, to easily track and enforce the status of both company-owned and user-owned devices
Centrify provides unified identity management across data center, cloud and mobile environments that result in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization’s existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and enterprise mobility management.
SANTA CLARA, CALIFORNIA +1 (669) 444-5200
EMEA +44 (0) 1344 317950
ASIA PACIFIC +61 1300 795 789
BRAZIL +55 11-3958 4876
LATIN AMERICA +1 305 900 5354
EMAIL [email protected]
WEB www.centrify.com
© 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. WWW.CENTRIFY.COM +1 (669) 444-5200