Quest® Authentication Services™ for Mac OS X

Installation, Configuration, and Administration Guide Version 3.5.2 © 2009 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters, LEGAL Dept, 5 Polaris Way, Aliso Viejo, CA 92656, www.quest.com, email: [email protected], telephone: 949-754-8000

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, iToken, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invirtus, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vAMP, vAnalyzer, vAutomator, vControl, vConverter, vDupe, vEssentials, vFoglight, vMigrator, vOptimizer Pro, vPackager, vRanger, vRanger Pro, vReplicator, vSpotlight, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Quest Authentication Services for Mac OS X Installation, Configuration, and Administration Guide
Updated: November 2009
Software Version: 3.5.2

CONTENTS

ABOUT THIS GUIDE
  Introduction

CHAPTER 1: DEPLOYING QAS FOR MAC OS X
  Installing QAS for Mac
  Installing through the Mac OS X GUI
  Installing through the Unix Command Line
  Upgrading QAS from Previous Releases
  Uninstalling QAS

CHAPTER 2: PRODUCT COMPONENTS
  The QAS Mac OS X Components
  QAS Startup Items
  QAS Directory Service Plugin
  QAS Directory Access Plugin
  QAS Security Server Plugin

CHAPTER 3: CONFIGURING THE QAS CLIENT
  Configuring the QAS Client
  Launching Directory Access or Directory Utility
  Adding, Checking, and Verifying QAS Licenses
  Joining the Domain
  Performing an Unattended QAS Mac Client Install
  Using Terminal.app to Join and Unjoin
  System Changes Made by the QAS Join Process
  Verifying the Installation and Configuration
  Logging in with Active Directory Accounts
  Connecting to SMB Shares on Windows Servers
  Automatically Mounting Network Home Folders

CHAPTER 4: SPECIAL MAC OS X FEATURES
  QAS Features Designed Specifically for Mac OS X
  Local Administrator Rights for QAS Users
  Active Directory User Password Hint

CHAPTER 5: PLATFORM LIMITATIONS
  QAS Limitations on Mac OS X

CHAPTER 6: QAS FOR MAC OS X DESKTOP POLICIES
  Mac OS X Desktop Policy Overview
  Managing Mac Desktop Policies with the GPOE
  Using the Mac OS X, Workgroup Manager, and Preference Manifest Settings Nodes

INDEX

About this Guide

• Introduction

Introduction

This document describes the port of Quest® Authentication Services™ (QAS) to the Mac OS X platform. Quest® Authentication Services™ for Mac OS X brings the enterprise functionality QAS supplies on every other major Unix platform to Mac OS X.

Both Mac OS X and Mac OS Server versions 10.4 and 10.5 are supported on both the PPC and Intel platforms using a . A separate binary is provided for Mac OS client and server version 10.6, which is only supported on the Intel platform. Quest recommends that you install all the latest Apple system updates before installing QAS.

In this guide, you will find step-by-step instructions on installing, configuring, and uninstalling QAS along with a detailed explanation of the QAS components for Mac OS X.

Added to this version of the guide is a chapter entitled "QAS for Mac OS X Desktop Policies," which documents each policy supported for this version of QAS for Mac OS X.

This guide is not comprehensive and only describes those QAS features specific to Mac OS X. Refer to the QAS Solutions Guide for complete documentation on all other QAS features.

1 Deploying QAS for Mac OS X

• Installing QAS for Mac
• Upgrading QAS from Previous Releases
• Uninstalling QAS

Installing QAS for Mac

The QAS Software is provided in a standard disk image which can be found in the Mac OS X subdirectory on your QAS installation disk.

To install QAS

1. Insert your QAS installation disk and navigate to the Mac OS X folder.

2. Mount the disk image by double-clicking on the VAS-..dmg file, where the middle portion of the file name is the version and build number of your QAS release. There are two different disk images in the OSX client directory: OS 10.4 and 10.5 users should select the VAS-OS104u-..dmg file, while OS 10.6 users should select the VAS-OS106-..dmg file.

The dmg contents will be mounted on your system. For versions 10.4 and 10.5, the dmg contents are located in /Volumes/VAS_OS104u-Installer and will appear as a mounted volume in the Finder window.

For version 10.6, the dmg contents are located in /Volumes/VAS_OS106-Installer and will appear as a mounted volume in the Finder window.

Under the mounted disk image you will find the QAS metapackage (VAS.mpkg) that contains the following QAS packages:

• QAS Client (vasclnt)
• QAS Group Policy (vasgp)
• Dynamic DNS (vasddns)
• QAS SDK (vasdev)

The QAS Client and QAS Group Policy packages are both required; Dynamic DNS and the SDK are optional components.

There are two supported installation methods:

• GUI installation
• Command line installation


Installing through the Mac OS X GUI

To install QAS using the system Installer

1. OS 10.6 users should see a package named VAS-OS106.mpkg; OS 10.4 and 10.5 users should see a package named VAS_OS104u.mpkg. Double-click the QAS/VAS metapackage to continue with the installation.

An installation wizard appears that lets you view supplementary installation information.

2. Click Continue.

3. If you agree to the terms, click Agree. You must agree to continue.


4. Click Install.

5. Select which QAS packages you want to install.

The QAS packages must be installed to the root volume and are not relocatable.

To perform a custom install

6. Select Customize to select additional components (besides QAS Client and QAS Group Policy) of the product you want to install. The additional options are:

• QAS Software Development Kit (SDK)
• Dynamic DNS Support, which supports authenticated A-record and PTR-record updates to Microsoft's DNS servers


The system Installer prompts you for local administrator credentials when the software begins to install.

7. Enter administrator credentials and click OK.


A final Installer screen confirms a successful QAS for Mac OS X installation.

Installing through the Unix Command Line

The QAS software may be installed via the command line using the system command line installer (/usr/sbin/installer). You can either install the QAS metapackage, which will install all of the QAS packages, or else the individual QAS packages.

If you do not have administrator rights for your system, contact your system administrator for assistance.

To install all of the QAS packages found in the QAS metapackage, open a Terminal.app window and execute the following commands:

$ cd /Volumes/VAS_OS106-Installer
$ sudo /usr/sbin/installer -pkg VAS_OS106.mpkg -target /

This will install all of the QAS packages contained in the QAS metapackage. To install individual QAS components, you would run the following:

$ cd /Volumes/VAS_OS106-Installer/VAS_OS106.mpkg/Contents
$ sudo /usr/sbin/installer -pkg Packages/vasclnt.pkg -target /


OS 10.4 and 10.5 users should use the VAS_OS104u.mpkg package.

Note that you must install all QAS components into the root file system, so the parameter to the -target command line option must be /. Also, you must have local administrator rights to run commands using the sudo utility.

Mounting and Unmounting the DMG

To mount the DMG
1. Enter hdiutil attach //VAS-..dmg

To unmount the DMG
1. Enter hdiutil detach /Volumes/VAS_OS106-Installer

Upgrading QAS from Previous Releases

To upgrade an older version of QAS, simply follow the normal installation steps for both the GUI process and the command line process. The QAS installation scripts will detect when an upgrade is being performed and will automatically perform the proper steps to upgrade versions. Note that upgrades are only supported between released versions of QAS.

Uninstalling QAS

An uninstaller is provided with QAS for cases where the QAS packages need to be removed from the system. The uninstaller is found in the QAS disk image next to the QAS metapackage. To uninstall QAS, use the Finder and navigate to the mounted QAS-Installer directory, and double click on the Uninstall application. The uninstaller will display the packages that can be removed.


To remove individual packages, select each package you want to remove and click the Uninstall button.

The Uninstaller will prompt for administrator credentials and then remove the files associated with the selected packages and execute each package's uninstall scripts. If you do not have administrative access to your system, contact your system administrator for assistance.

Note that when removing QAS from your system, files owned by accounts supplied by the QAS components will now appear as not having a valid owner since those accounts are no longer available to the system. Also, the uninstaller can only uninstall the same version of QAS for which it was built.

2 Product Components

• The QAS Mac OS X Components
• QAS Startup Items
• QAS Directory Service Plugin
• QAS Directory Access Plugin

The QAS Mac OS X Components

The following QAS Unix components are included in the QAS Mac OS X port:

• The vastool command line utility
• The vgptool command line utility
• The uptool command line utility
• The pam_vas PAM module
• The Quest Ownership Alignment Tool (OAT)

These components can all be used inside a Terminal session the same way they can be used on any other Unix platform. Man pages for each of these utilities are automatically installed and configured and can be viewed using the standard man page viewer. The QAS join process will automatically configure Unix applications to use the pam_vas module where appropriate.

The following components are specific to the Mac OS X platform.

QAS Startup Items

A config plist file is installed for each QAS daemon under /Library/LaunchDaemons. These .plist files are used to put the QAS daemons under the control of launchd. You can use the launchctl utility to add or remove any one of these daemons from launchd control. For example, to remove the QAS caching daemon (vasd) from launchd control, run the following command in a Terminal session:

$ sudo /bin/launchctl unload /Library/LaunchDaemons/com.quest.vasd.plist

You can also stop a daemon using launchctl, but the QAS daemon configuration is such that launchd will immediately restart the stopped daemon unless the unload command specified above is used.

If it is necessary to restart any one of the QAS daemons, stop it with a command similar to the following; because of the launchd configuration described above, launchd restarts the daemon immediately:

$ sudo /bin/launchctl stop com.quest.vasd

The QAS join process will automatically run the necessary load commands at join time to put the QAS daemons under launchd control. Most users should not need to ever directly interact with the QAS startup items.


QAS Directory Service Plugin

QAS provides a plugin for the system DirectoryService daemon. The QAS DS Plugin uses the rest of the QAS components to provide Active Directory group and user information to the rest of the system, and is installed at /Library/DirectoryServices/Plugins/VAS.dsplug.

The QAS DS Plugin also uses Kerberos authentication for Active Directory users. The plugin operates both when the system is connected to a network where Active Directory is available, and for disconnected scenarios where the Mac OS X system cannot contact Active Directory. The QAS DS Plugin provides secure authentication and performant identity lookups even in this disconnected mode.

This disconnected mode is available without having to create local Mobile Accounts on each Mac OS X system. The QAS caching architecture also minimizes the impact that each Mac OS X system has on the Active Directory environment.

QAS Directory Access Plugin

The system Directory Access application is used to configure which Directory Service plugins are used to provide identity information and authenticate users. The QAS Directory Access plugin provides a GUI utility for joining and leaving Active Directory domains and for controlling the local QAS configuration. The QAS DA Plugin is installed at /Applications/Utilities/Directory Access.app/Contents/Plugins/VAS.daplug on Tiger (10.4), /Applications/Utilities/Directory Utility.app/Contents/Plugins/VAS.daplug on Leopard (10.5), and /System/Library/CoreServices/Directory Utility.app/contents/PlugIns/VAS.daplug on Snow Leopard (10.6).

QAS Security Server Plugin

The system Security Server controls all authorization on the Mac OS X system. In order to correctly initialize QAS user login sessions, a VASMechanism Security Server plugin is installed and configured in the /etc/authorization file by the QAS join process. This plugin is installed under /System/Library/CoreServices/SecurityAgentPlugins/VASMechanism.. The VAS mechanism will initialize a Kerberos ticket cache for each QAS user's login session with the Kerberos tickets obtained during DirectoryService authentication. Note that these ticket caches are fully compatible with the system Kerberos.app utility and the system MIT Kerberos command line utilities, so that the rest of the Mac OS X system components can reuse the Kerberos functionality.

3 Configuring the QAS Client

• Configuring the QAS Client
• Using Terminal.app to join and unjoin
• System Changes made by the QAS Join Process
• Verifying the Installation and Configuration
• Logging in with Active Directory Accounts
• Connecting to SMB shares on Windows Servers
• Automatically Mounting Network Home Folders

Configuring the QAS Client

After the QAS packages are installed, you must configure the client to start using QAS. This consists of installing your license(s), joining an Active Directory Domain, and configuring the local system to use the QAS components. All of these tasks can be accomplished using the Directory Utility (Directory Access on 10.4) application.

To configure the QAS Client, complete the following tasks using Directory Access or Directory Utility—depending on your OS X release.

• Launch Directory Access or Directory Utility and access the QAS node
• Install licenses using the GUI (optional; this can also be done through Group Policy)
• Join the domain

Launching Directory Access or Directory Utility

To launch the appropriate application on Mac OS 10.4 and 10.5

1. Open Finder and select Applications in the left hand pane.

2. Select the Utilities sub folder in the right hand pane.

3. Mac OS 10.4 users: Select the Directory Access.app in the right hand pane. Mac OS 10.5 users: Select the Directory Utility.app.


To launch Directory Utility.app on Mac OS 10.6

1. Open System Preferences and select the Accounts preferences.

2. Select Login Options on the bottom left side of the page.


3. Select the Network Account Server Join button on the bottom right.

4. Now click the Open Directory Utility button.

Do NOT enter the name of your domain and click OK from this dialog. If you do this, you will join using the native Apple AD plugin which has no support for AD group policies. You MUST open the Directory Utility app to join the domain using QAS.


To Configure the QAS node

1. Click the Lock icon to be authorized as an administrator so that you can modify the system's Directory Access configuration.

If you are working with OS 10.5, you will not be able to join the domain using a local admin account (on the Mac side) that has a blank password. This is because you have to join using sudo and the Apple version of sudo won't let you run any command without at least a single character password.

2. OS 10.5 users only: Click Services to display Configurable Services.

3. Select Active Directory + Group Policy (QAS), and click Configure. NOTE: The Configure button looks like a pencil on OSX 10.5 and 10.6.

You will now see the QAS Directory Utility plugin interface.


Adding, Checking, and Verifying QAS Licenses

To utilize the complete QAS functionality, you must have two licenses installed. The first license provides basic functionality such as Active Directory authentication. The second license enables management of OS X settings through Group Policy. Complete the following steps to install the licenses using QAS Directory Utility plugin.

For scripted or command line configuration, copy the licenses to /etc/opt/quest/vas/.licenses.

To add, check, and verify licenses

1. From the QAS Directory Utility plugin, click the Status Disclosure Triangle to check for valid licenses.

If the license is missing or expired, click Add License.

Most QAS deployments have QAS licenses available through an Active Directory Group Policy that will be automatically applied to the system when the QAS join process is performed. If you have a license policy configured in Active Directory, you can skip these manual install instructions. Instead return to this screen after joining to verify proper license installation.


2. Once the license has been added, verify validity and click Close.

Joining the Domain

To join an Active Directory domain

1. Once you have validated the license, enter the name of the Active Directory Domain you want to join and click Join Domain.

2. In the Join Domain dialog that appears, you must supply Active Directory credentials in order to join the domain.

28 Configuring the QAS Client

3. You can click on the Options Disclosure Triangle to modify the QAS join options. These options allow you to:

• specify an alternate name for the computer object that will be created
• specify the location where the computer object will be created in the directory (default: Computers container)
• specify a specific domain controller to which to join (instead of using DNS to detect an appropriate domain controller)

For a detailed explanation of all join options, see the vastool join command documentation in the QAS_Manpages documentation available on the QAS installation DVD, or in the vastool man page. These options include the option to specify an organizational unit (OU) to create the computer object in, or to specify a QAS Unix Personality Container to load Unix identities from.

4. Click OK to execute the join operation.

Caution • If you previously joined with the Apple plugin, your user’s UID/GID will most likely be different after Unix enabling. Manually change the ownership (UID/GID) on the previously created home directory (chown) or you will have to remove it.

If any errors occur, an error dialog will allow you to view the join process log which can be saved and sent to Quest support for troubleshooting.

Caution • If you are running OSX Server, version 10.5, you must unconfigure the local LDAPv3 node before joining to QAS via AD. Problems arise with application of machine policy if you do not do this. Complete the following steps to unconfigure LDAPv3.


To unconfigure local LDAPv3

1. From the Directory Utility screen, check the LDAPv3 box.

2. Click the pencil icon to edit the service.


3. On the Search Policies screen, check Delete and then click OK.

To unjoin an Active Directory Domain

To leave the Active Directory Domain, complete the same steps, except click Leave Domain instead. You do not have to supply Active Directory credentials when unjoining if you do not delete the Active Directory computer object. This option is available in the Leave Domain dialog options.

After modifying the QAS configuration, click Apply in the main Directory Access dialog to ensure that your changes take effect.

Performing an Unattended QAS Mac Client Install

To perform an unattended install of the QAS Mac client

1. Attach the QAS dmg file as a new volume:

# hdiutil attach VAS-.dmg

This will display which volume it attached as. Normally this will be '/Volumes/VAS_OS106-Installer/'.

2. Use the Mac installer for the product (vasclnt/vasgp/vasdev/vasddns) you want to install:

# /usr/sbin/installer -pkg /Volumes/VAS_OS106-Installer/VAS_OS106.mpkg/Contents/Packages/vasclnt.pkg -target /

3. Detach the volume:

# hdiutil detach /Volumes/VAS_OS106-Installer/

Using Terminal.app to join and unjoin

The same functionality available through the QAS Directory Access Plugin can be accessed through the QAS command line utilities. An interactive command line wizard called vasjoin.sh can be used from a Terminal session as follows:

$ sudo /opt/quest/libexec/vas/scripts/vasjoin.sh

This script will prompt you for information needed to perform the join operation without requiring you to know the syntax of the vastool join command. You can also use the vastool join command directly as follows:

$ sudo /opt/quest/bin/vastool -u Administrator join -f example.com

See the vastool man page for more information on directly using the vastool join command.

To leave an Active Directory Domain from a Terminal session, use the vastool unjoin command. See the vastool man page for more information on directly using the vastool unjoin command.
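The command line install steps (see "Installing through the Unix Command Line" and "Performing an Unattended QAS Mac Client Install") and the vastool join above can be chained into one unattended deployment script. The following is an added example and not a script shipped with QAS; it assumes the 10.6 disk image layout the guide documents, takes the dmg path, domain and join account from environment variables (placeholder defaults), and is run as root. With QAS_DRY_RUN=1 it prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Unattended QAS for Mac OS X install and domain join.
# Added example, not Quest's own script. Assumes the 10.6 disk image layout
# documented in the guide. Run as root on the Mac being deployed; with
# QAS_DRY_RUN=1 every privileged command is printed instead of executed.

QAS_DMG="${QAS_DMG:-/path/to/VAS-OS106-PLACEHOLDER.dmg}"   # placeholder; the real name carries version and build
QAS_VOLUME="${QAS_VOLUME:-/Volumes/VAS_OS106-Installer}"   # volume the dmg attaches as
QAS_PKGDIR="$QAS_VOLUME/VAS_OS106.mpkg/Contents/Packages"  # individual packages inside the metapackage
QAS_TARGET="${QAS_TARGET:-/}"                              # QAS packages are not relocatable
QAS_DOMAIN="${QAS_DOMAIN:-example.com}"                    # assumed domain name
QAS_JOIN_USER="${QAS_JOIN_USER:-Administrator}"            # AD account used for the join

# Execute a command, or echo it prefixed with "+ " in dry-run mode.
run() {
    if [ -n "${QAS_DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The guide requires every QAS package to be installed into the root
# file system, so anything other than "/" is refused up front.
check_target() {
    [ "$1" = "/" ]
}

# Installer command for one package (vasclnt, vasgp, vasddns or vasdev),
# returned as a string so it can be inspected before it is run.
installer_cmd() {
    echo "/usr/sbin/installer -pkg $QAS_PKGDIR/$1.pkg -target $QAS_TARGET"
}

# Attach the dmg, install each named package, then detach the volume again.
install_packages() {
    if ! check_target "$QAS_TARGET"; then
        echo "QAS packages must be installed to /, not $QAS_TARGET" >&2
        return 1
    fi
    run hdiutil attach "$QAS_DMG" || return 1
    for pkg in "$@"; do
        run /usr/sbin/installer -pkg "$QAS_PKGDIR/$pkg.pkg" -target "$QAS_TARGET" || return 1
    done
    run hdiutil detach "$QAS_VOLUME"
}

# Join the domain with vastool exactly as the guide shows, then confirm the
# DirectoryService plugin answers by listing the Unix-enabled AD users.
join_domain() {
    run /opt/quest/bin/vastool -u "$QAS_JOIN_USER" join -f "$QAS_DOMAIN" || return 1
    run dscl /VAS list /Users
}

# Only deploy when explicitly asked, so the functions above can be sourced
# or tested without touching the system.
if [ -n "${QAS_DEPLOY:-}" ]; then
    install_packages vasclnt vasgp && join_domain
fi
```

Run it as `QAS_DEPLOY=1 QAS_DMG=/path/to/the.dmg QAS_DOMAIN=your.domain sh deploy-qas.sh` once the dry run prints the commands you expect.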

System Changes made by the QAS Join Process

When joining an Active Directory Domain, QAS will automatically modify the following system configurations:

• QAS will be added to the DirectoryService search path.
• The QAS startup items will be configured to start automatically.
• The system MIT Kerberos configuration file will be configured to use the Active Directory servers that QAS detects.
• The system authorization rules contained in /etc/authorization will be modified to use the VASMechanism for QAS logins.
• Group Policies configured for the Mac OS X system will be applied by the QAS Group Policy components if they are installed.

Once you have successfully completed the QAS join process, you will immediately be able to login to the Mac OS X system through both the Mac OS X Login Window and remotely through SSH.

When leaving a domain, the QAS unjoin process will revert the above changes that were made by the QAS join process. Also, uninstalling QAS will automatically revert the above changes as well.

By default, the QAS AD plugin can re-join on top of an existing computer account created with the Mac AD plugin, but we recommend disabling the Mac Active Directory plugin so that the domain does not appear in the Directory Servers window as not responding.

Verifying the Installation and Configuration

In order to verify that your system is configured correctly to use the Active Directory account information provided by QAS, you can try the following shell commands in a Terminal session:

• dscl /VAS list /Users: shows a list of the available Unix-enabled Active Directory users.
• dscl /VAS list /Groups: shows a list of the available Unix-enabled Active Directory groups.
• dscl /Search read /Users/ followed by the username of a QAS user: ensures that the system can read user information for QAS users.
• dscl /Search auth followed by the username of a QAS user: performs an authentication for that QAS user.

If any of the above steps do not work, you can capture debug information from the QAS Directory Service plugin that can be used in troubleshooting.

Add the following items to the vas.conf [vas_macos] section:

[vas_macos]
dslog-mode = /Library/Logs/vasds.log
dslog-components = plugin,auth


After adding those items, run the following shell command in a Terminal session to trigger the QAS DS Plugin to reload its logger configuration:

$ sudo /opt/quest/libexec/vas//vasdsreload

Now execute the previous verification commands that failed and then send the contents of /Library/Logs/vasds.log to Quest Support who will assist in resolving the problems.
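The verification commands and the debug-logging change above can be scripted so that a failed check turns on the QAS DS plugin log automatically. The following is an added example and not Quest's tooling; it assumes vas.conf lives at /etc/opt/quest/vas/vas.conf (override with VAS_CONF; the guide names only the [vas_macos] section) and uses the vasdsreload path as printed above. The interactive dscl auth check is left for the administrator to run by hand.

```shell
#!/bin/sh
# Check a joined QAS Mac client and, if a check fails, enable the DS plugin
# debug log in vas.conf. Added example, not Quest's own tooling.
# Assumptions: the vas.conf location (VAS_CONF) and the vasdsreload path
# are taken from the guide and can be overridden through the environment.

VAS_CONF="${VAS_CONF:-/etc/opt/quest/vas/vas.conf}"                 # assumed location of vas.conf
VASDSRELOAD="${VASDSRELOAD:-/opt/quest/libexec/vas//vasdsreload}"   # path as printed in the guide
DSLOG=/Library/Logs/vasds.log

# Run the non-interactive dscl checks from the guide for one QAS user;
# "dscl /Search auth" prompts for a password and is left to the admin.
run_checks() {
    user="$1"
    failed=0
    for cmd in "dscl /VAS list /Users" \
               "dscl /VAS list /Groups" \
               "dscl /Search read /Users/$user"; do
        if $cmd >/dev/null 2>&1; then
            echo "ok:   $cmd"
        else
            echo "FAIL: $cmd"
            failed=1
        fi
    done
    return $failed
}

# True when the [vas_macos] section already carries both dslog-* keys.
dslog_enabled() {
    awk '
        /^\[/ { in_macos = ($0 ~ /^\[vas_macos\]/) }
        in_macos && /^[ \t]*dslog-mode[ \t]*=/       { mode = 1 }
        in_macos && /^[ \t]*dslog-components[ \t]*=/ { comps = 1 }
        END { exit !(mode && comps) }
    ' "$1" 2>/dev/null
}

# Add dslog-mode and dslog-components to [vas_macos], creating the section
# if needed and replacing stale dslog-* lines so the result is unambiguous.
enable_dslog() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if grep -q '^\[vas_macos\]' "$conf" 2>/dev/null; then
        awk -v logpath="$DSLOG" '
            /^\[/ { in_macos = ($0 ~ /^\[vas_macos\]/) }
            in_macos && /^[ \t]*dslog-(mode|components)[ \t]*=/ { next }
            { print }
            /^\[vas_macos\]/ {
                print "dslog-mode = " logpath
                print "dslog-components = plugin,auth"
            }
        ' "$conf" > "$tmp"
    else
        {
            if [ -f "$conf" ]; then cat "$conf"; fi
            printf '\n[vas_macos]\ndslog-mode = %s\ndslog-components = plugin,auth\n' "$DSLOG"
        } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Only touch the live system when a user name is supplied.
if [ -n "${QAS_VERIFY_USER:-}" ]; then
    if ! run_checks "$QAS_VERIFY_USER"; then
        enable_dslog "$VAS_CONF"
        "$VASDSRELOAD"
        echo "Re-run the failed checks, then send $DSLOG to Quest Support."
    fi
fi
```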

Logging in with Active Directory Accounts

QAS for Mac OS X allows you to authenticate using an Active Directory account. There are two methods available for authentication. The more complicated method involves verifying that your domain controller supports the RFC2307 Unix identity attributes (uidNumber, gidNumber, gecos, loginShell, and unixHomeDirectory) and making sure that these attributes are populated. This sometimes requires a small schema extension to be applied to the domain controller before you are able to proceed with the authentication process. If you either do not want or are not able to make changes to your domain controller, use the Mapped User feature of QAS to begin authenticating with Active Directory users immediately.

QAS Mapped User mode essentially converts local accounts into Active Directory accounts. Mapped user mode does not require any changes to your domain controller (nothing needs to be installed on the domain controller and no schema extensions are necessary). You just need a local machine account and you must know the Active Directory user principal name (UPN) of the account to which you want to authenticate. Instructions for executing the user mapping process can be found in Deploying Mapped User in the QAS Solutions Guide.

Home Directory Creation Workaround

If you are using local home directories and you change the default configuration by setting the map-homedir-to-Users option to false, your home directory will not be automatically created upon login. This problem is related to the auto mounter which has autohome mounted on /home.

The workaround requires you to open /etc/auto_home and remove the auto_home mount point. This issue only affects OS 10.5 and 10.6. Once you have removed the mount point, restart autofs and you will be able to create home directories in /home again.


Connecting to SMB shares on Windows Servers

There is a known issue associated with connecting to SMB/CIFS (i.e. Windows) shares using Finder. You should not be prompted for your password when connecting to one of these shares if you have logged in with a domain user. Your Kerberos credentials should be used instead.

This issue doesn’t affect all Windows shares; only those on a Domain Controller.

This issue is related to two settings in the Default Domain Controllers Policy.

To disable the policies and allow OSX machines to connect to SMB shares

1. Open Active Directory Users and Computers, select the domain, right-click, then select Properties.

2. Click the Group Policy tab.

If you are using MS Server 2008, there is an additional menu item, Policies, between Computer Configuration and Windows Settings in the following sequence.

a) If the Default Domain Controllers Policy is linked to this domain, click Edit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then double-click and disable the following two policies:

• Microsoft network server: Digitally sign communications (always)
• Microsoft network server: Digitally sign communications (if client agrees)

b) If the Default Domain Policy is linked to this domain, click Edit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then double-click and disable the same two policies:

• Microsoft network server: Digitally sign communications (always)
• Microsoft network server: Digitally sign communications (if client agrees)

If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, Mac OS X computers will not be able to use SMB connections to mount the Windows file shares. Note that SMB signing protects SMB sessions against tampering in transit, so disabling it on domain controllers removes that protection for every client of those shares.

3. If you change these policies on the domain controller, run the gpupdate command to refresh the group policies before logging on to Mac OS X computers.

Automatically Mounting Network Home Folders

When you Unix-enable an Active Directory user with QAS, the default configuration for that user is that he or she will use a local home directory. The home directory path is populated with a Unix path (/home/).

On OSX systems, /home is replaced with /Users, aligning with the OSX standard location for local home directories. QAS supports the automatic mounting of network shares (SMB or AFP) using AD credentials, but you must specify a server path. This server path can be stored in the directory on each user as a UNC path, or it can be stored as a per machine setting.

You can configure your home folder strategy globally for the entire domain using Quest Group Policy extensions for Unix, or you can configure it on a per machine basis at the time you join your OSX machine to the domain.

Configuring automatic home folder mounting at join time

To set up automatic mounting during join

1. Click the disclosure triangle when you are prompted for your administrative username and password. The Join Options dialog is displayed.


2. Select the User Home Config tab to expose all of the home folder mounting options, as shown below.


Mounting the Windows Home Folder or Profile Path

You can configure QAS to mount a share that is specified as a UNC format path and stored on a user. The two most commonly used paths are found on the user's Profile tab in ADUC as shown below.

1. Use QAS to mount either the Profile Path or Home Folder on a MAC client at login by selecting Use AD UNC path for network home from the User Home Config properties, as shown below.


Mounting an alternate share at login

If you cannot use the shares specified in Profile Path or Home Folder for some reason (for example, if your Windows home shares are DFS shares), you can specify an alternate share at join time by specifying a network home path expression.

To specify a network home path expression

1. Select Use the following path for network home from the User Home Config tab as shown below.

Selecting this option will configure the network home for all users on the machine. Because of this you must specify how the path name will be resolved for each user.

2. Under User Path Expression, specify the appropriate user attributes in the path portion of the server URL. For example, if you select Common Name and then click Insert Attribute, the expansion macro for Common Name (%c) is inserted into your path expression. The path expression may contain text and expansion macros, or it may be a single expansion macro with no other text.

Configuring automatic home folder mounting using group policy

During deployment, installation and join usually happen in a scripted fashion from the command line. It is still possible to configure home folder mounting without using the graphical join interface, either by modifying the vas.conf file or by setting the appropriate options in group policies that apply to your OSX machines.


The two options that have bearing upon home directory mount behavior are nethome and nethome-mount-protocol. These options are set in the vas.conf policy as shown below.

The nethome option is either the name of the user attribute where the UNC path is stored ("homeDirectory" or "profilePath"), or it is the server URL expression applied to all users (for example, cifs://servername/sharename/%c).

If the nethome is specified as an attribute name, you can specify whether the path is mounted via AFP or CIFS using the "nethome-mount-protocol" setting.

Setting either of these options has no effect on any QAS platform other than OSX, so they can safely be set in a domain-wide Unix settings policy. Group policies are created or modified using the Microsoft GPOE on any Windows administrative workstation.
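The two nethome modes just described (an attribute name versus a server URL expression whose %c macro is expanded per user, as in the path expression steps earlier) can be checked from a shell before a policy is rolled out. The script below is an added example; it is not part of the QAS guide or the QAS product. It assumes the nethome keys live in a [vas_macos] section of vas.conf (the guide only says they are set in the vas.conf policy), and both configuration files it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not from the QAS guide. Resolves how a user's network home
# would be mounted from the nethome and nethome-mount-protocol settings.
# ASSUMPTION: the keys are in the [vas_macos] section of vas.conf.
# Both files below are constructed sample input, not real configuration.

SAMPLE_URL_CONF="$(mktemp)"
cat > "$SAMPLE_URL_CONF" <<'EOF'
[vas_macos]
# URL expression mode: %c expands to the user's Common Name
nethome = cifs://fileserver.example.com/homes/%c
EOF

SAMPLE_ATTR_CONF="$(mktemp)"
cat > "$SAMPLE_ATTR_CONF" <<'EOF'
[vas_macos]
# attribute mode: the UNC path comes from the user's AD attribute
nethome = profilePath
nethome-mount-protocol = afp
EOF
trap 'rm -f "$SAMPLE_URL_CONF" "$SAMPLE_ATTR_CONF"' EXIT

# vasconf_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
vasconf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($0 ~ ("^[[:space:]]*\\[" sect "\\]")); next }
        insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# resolve_nethome FILE COMMON_NAME: describe the mount that would be attempted.
resolve_nethome() {
    nh=$(vasconf_get "$1" vas_macos nethome)
    proto=$(vasconf_get "$1" vas_macos nethome-mount-protocol)
    case "$nh" in
        "")
            echo "local home (nethome not set)" ;;
        homeDirectory|profilePath)
            # Attribute mode: the path is read per user from AD; the protocol
            # is chosen by nethome-mount-protocol (unset means not configured).
            echo "attribute=$nh protocol=${proto:-unset}" ;;
        *)
            # URL expression mode: one expression for every user, %c expanded.
            printf '%s\n' "$nh" | awk -v cn="$2" '{ gsub(/%c/, cn); print }' ;;
    esac
}

resolve_nethome "$SAMPLE_URL_CONF" jdoe
resolve_nethome "$SAMPLE_ATTR_CONF" jdoe
```

Run it as a script: the first call prints the expanded CIFS URL for the constructed user jdoe, the second reports attribute mode with the AFP protocol setting.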


Group Permissions on Auto Mounted Home Directories

For QAS to be able to resolve a Windows SID to a Unix UID or GID, the user or group to whom that SID belongs must have had a UID or GID manually assigned to them. Or, in other words, the user or group must have been "Unix Enabled" on the Unix Account tab in Active Directory Users and Computers. If a group or user has not been "Unix Enabled", the Mac machine will still assign a UID or GID to the user or group, but it won't be a UID or GID that can be resolved by the QAS client software.

To login to an OSX machine all users must be "Unix Enabled" so this normally only causes problems when dealing with group permissions on SMB mounted home directories. It is not uncommon for the group owner of a network home location to be a group WITHOUT a Unix GID assigned. When a user's ability to access this directory relies on correct group membership, problems can arise. It is, therefore, best practice to "Unix Enable" all groups that are used for SMB File level permissions on network mounted home directories.

Mounting AFP Shares

To mount AFP shares you must have an AFP file server that knows about all your AD users and credentials. You can easily accomplish this using third party software that shares files from a Windows machine joined to your domain.

Mounting CIFS/SMB Shares

Mounting of DFS shares is not supported. To successfully mount CIFS/SMB shares at join time, your login name must be the same as your Active Directory user's "samAccountName". QAS caches the "userPrincipalName" as the login name for Active Directory users. The userPrincipalName and samAccountName default to the same value during user creation, so automounting works in the default case. There is, however, no constraint that requires UPNs and samAccountNames to remain the same. Best practice is to configure QAS to use the samAccountName as the user login name to avoid any difficulties. This should be done using Group Policy, but it can also be set in the vas.conf file directly by running the following vastool command from a :

/opt/quest/bin/vastool configure vas vasd username-attr-name samaccountname

If you change your username attribute as shown above, you will need to flush your identity cache using the vastool flush command.

/opt/quest/bin/vastool flush

4

Special Mac OS X Features

• Local Administrator Rights for QAS Users
• Active Directory User Password Hint

QAS Features Designed Specifically for Mac OS X

The following sections describe features designed specifically for Mac OS X.

Local Administrator Rights for QAS Users

This feature allows administrators to give QAS accounts local administrator rights on individual Mac OS X systems. This can give users more ability to administer their own systems while still using Active Directory for authentication, or it can be used to allow each Mac OS X administrator admin access on Mac OS X systems without having to have shared local accounts.

To specify which QAS accounts should have admin rights, you must modify the /Library/Preferences/Quest/VAS/vas.conf file and add the following section to the QAS configuration using a text editor:

[vas_macos]
admin-users = [email protected]

You can do this by using the pico text editor which you would launch like this:

$ sudo pico /Library/Preferences/Quest/VAS/vas.conf

Note that if there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.

The value of the admin-users key should be a comma-separated list of Active Directory User Principal Names (UPNs) for the QAS users that should have admin rights. The admin-users option also accepts groups of users; specify a group in the form Domain\groupname.

The domain name must be specified as a DNS domain name NOT as a netbios domain. For example, you should specify the group name as "EXAMPLE.COM\Administrators" NOT "EXAMPLE\Administrators".

Either step will ensure that the new configuration is processed by QAS. You can verify that the configured users have admin rights by checking their group memberships using the following command line (the example is for a user called jdoe):

$ groups jdoe


If jdoe was correctly configured to have local admin rights, you will see the local admin, appserveradm, and appserverusr groups listed in the output. The jdoe user will then be able to use his user credentials for authorizing administrative tasks started from the System Preferences application.
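Two quick checks for the configuration above, as an added example that is not part of the QAS guide or product: a lint of the admin-users value that flags group entries written in the NetBIOS domain form the guide says not to use, and a test of `groups` output for the three local admin groups named above. The admin-users value and the `groups` output it checks are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the QAS guide. (1) lint a comma-separated
# admin-users value for group entries in NetBIOS form (EXAMPLE\Group) rather
# than the required DNS-domain form (EXAMPLE.COM\Group); (2) confirm that the
# output of `groups <user>` lists admin, appserveradm and appserverusr.
# All inputs below are constructed.

# A constructed admin-users value; the last entry uses the wrong (NetBIOS) form.
ADMIN_USERS_SAMPLE='jdoe@example.com, EXAMPLE.COM\MacAdmins, EXAMPLE\Helpdesk'

# check_admin_entry ENTRY: 0 if ENTRY is a UPN or a DNS-domain group, else 1.
check_admin_entry() {
    case "$1" in
        *@*)  return 0 ;;                  # user principal name, e.g. jdoe@example.com
        *\\*) dom=${1%%\\*}                # group: text before the backslash is the domain
              case "$dom" in
                  *.*) return 0 ;;         # DNS domain name, e.g. EXAMPLE.COM\Group
                  *)   return 1 ;;         # NetBIOS name, e.g. EXAMPLE\Group: rejected
              esac ;;
        *)    return 1 ;;                  # neither form
    esac
}

# lint_admin_users VALUE: print each entry of VALUE that fails check_admin_entry.
lint_admin_users() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        # trim surrounding whitespace left by the comma-separated list
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        check_admin_entry "$entry" || printf '%s\n' "$entry"
    done
}

# Constructed output of `groups jdoe` on a correctly configured Mac, and on
# one where the admin-users setting did not take effect.
GROUPS_SAMPLE_OK='staff admin appserveradm appserverusr everyone'
GROUPS_SAMPLE_MISSING='staff everyone'

# has_local_admin_groups GROUPS_OUTPUT: 0 if admin, appserveradm and
# appserverusr all appear in the space-separated group list, else 1.
has_local_admin_groups() {
    for g in admin appserveradm appserverusr; do
        case " $1 " in
            *" $g "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

echo "admin-users entries in NetBIOS form (should be empty):"
lint_admin_users "$ADMIN_USERS_SAMPLE"
if has_local_admin_groups "$GROUPS_SAMPLE_OK"; then
    echo "sample user has local admin groups"
fi
```

On a real machine, replace GROUPS_SAMPLE_OK with `$(groups jdoe)` and the sample value with the admin-users line from vas.conf; the functions themselves are unchanged.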


Active Directory User Password Hint

The password hint is displayed for all Active Directory Users when Mac OS X is configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is “Windows Domain Password”.

Before Mac OS X will display authentication hints, you must turn on "Show password hints" through the login options.


After enabling password hints, users will see a Forgot Password button on OS 10.5 during authentication.


If you press the Forgot Password button, the password hint will be displayed.


This hint can be managed centrally on the domain controller through QAS Group Policy, as shown in the following graphic.

For security reasons, if a mapped user changes his/her password hint, it will be intentionally reset to the generic Windows domain password hint the next time he/she logs in.

5

Platform Limitations

• QAS Limitations on Mac OS X

QAS Limitations on Mac OS X

This list details QAS functionality that is limited by the Mac OS X system:

• When using the command line su utility to become a QAS user, the QAS PAM module will not create a ticket cache for the new session, because QAS uses the CCacheServer process for Kerberos ticket cache management. Creating this ticket cache would inadvertently destroy any existing Kerberos tickets.
• If QAS users who have custom home directory paths log in to the system through the system login window and the parent directories for their home directory do not exist, the system home directory creation code incorrectly sets the ownership and mode of all the home directory parent directories. This causes subsequent QAS user logins to fail if they share the same home directory path, as their home directory will be created but will be inaccessible to the user. Administrators should ensure that if they are using custom home directory paths, the parent directories are pre-created with a valid ownership and mode that allows all QAS users to access those paths.
• The automatic ticket renewal utility does not currently work with non-file-based ccaches. Because OSX uses API-based ccaches, the ticket renewal utility will not work.
• When using QAS Mapped User mode, if a local user is mapped to a QAS user and, at some point, the user is unmapped (returned to a local account), you must reset the user's password.
• Once a network user's password has expired, they will not be able to reset their password from the System Preferences Accounts tab.


To work around this issue, launch the Terminal app, and run the passwd command. Follow the prompts to change your password.
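The custom home directory limitation above is avoided by pre-creating the parent directories with a mode every QAS user can traverse. The script below is an added example, not part of the QAS guide or product: it walks the parents of a home path and reports any that is missing or not world-executable (the permission needed to pass through a directory). It builds a throwaway directory tree under a temporary location so it runs without touching a real /Users hierarchy; the tree and the user name jdoe are constructed.

```shell
#!/bin/sh
# Added example, not from the QAS guide. Reports parent directories of a
# custom home path that do not exist or do not grant traverse (execute)
# permission to everyone, i.e. the directories that should be pre-created
# before QAS users log in. The directory tree below is constructed.

SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/homes/dept"
chmod 755 "$SAMPLE_ROOT/homes"
chmod 700 "$SAMPLE_ROOT/homes/dept"      # deliberately wrong: others cannot traverse
SAMPLE_HOME="$SAMPLE_ROOT/homes/dept/jdoe"
trap 'rm -rf "$SAMPLE_ROOT"' EXIT

# world_traversable DIR: 0 if the "others" execute bit (or sticky t) is set.
# Uses ls -ld rather than stat, whose flags differ between Mac OS X and Linux.
world_traversable() {
    perm=$(ls -ld "$1" | cut -c1-10)     # e.g. drwxr-xr-x
    case "$perm" in
        *x|*t) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_home_parents HOME_PATH ROOT: for each directory strictly between ROOT
# and HOME_PATH, print "missing: DIR" or "not traversable: DIR" as applicable.
# Prints nothing when every parent is present and traversable.
check_home_parents() {
    dir=$(dirname "$1")
    while [ "$dir" != "$2" ] && [ "$dir" != "/" ]; do
        if [ ! -d "$dir" ]; then
            printf 'missing: %s\n' "$dir"
        elif ! world_traversable "$dir"; then
            printf 'not traversable: %s\n' "$dir"
        fi
        dir=$(dirname "$dir")
    done
}

echo "problems for $SAMPLE_HOME:"
check_home_parents "$SAMPLE_HOME" "$SAMPLE_ROOT"
```

To use it on a real system, call check_home_parents with the user's configured home path and the top of the custom hierarchy (for example, a directory under /Users); any line it prints names a directory to create or chmod before that user logs in.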

6

QAS for Mac OS X Desktop Policies

• Mac OS X Desktop Policy Overview
• Managing Mac Desktop Policies with the Group Policy Object Editor
• Using the Mac OS X, Workgroup Manager, and Preference Manifest Settings Nodes

Mac OS X Desktop Policy Overview

Quest® Authentication Services™ for Mac OS X leverages and extends Active Directory to Unix, Linux and Mac systems. Not only does Quest® Authentication Services™ for Mac OS X extend authentication, security, and access control, but it also extends the Active Directory Group Policy framework.

As with standard QAS group policies, Mac OS X desktop policy settings customize and control the user's computer experience. Built into the QAS GPOE, the Mac OS X, Workgroup Manager, and Preference Manifest Settings node supports the following policies.

POLICY FUNCTION

Applications: Allows you to manage Applications and Dashboard widgets available to users, and if Front Row is enabled.

Classic: Allows you to set Classic startup options, assign a Classic System Folder, set sleep options for the Classic environment, and make specific items available to users.

Dock: Allows you to adjust the position of the Dock on the desktop and change the Dock's size. You can also control animated Dock behaviors.

Energy Saver: Allows you to set performance options for Mac OS X client and server computers, battery usage for portable computers, and sleep or wake options.

Finder: Controls various aspects of Finder menus and windows, which can help improve or control workflow.

Login: Allows you to set options for user login, to provide password hints, and to control the user's ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in.

Media Access: Allows you to control settings for and access to CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives).

Network: Allows you to configure specific proxy servers and settings for hosts and domains to bypass, and to disable Internet Sharing, AirPort, and Bluetooth.

Parental Controls: Allows you to filter content or limit client computer usage.

Preference Manifests: Allows you to use Preference Manifests to set attributes on Applications.

Software Update: Allows you to control updates that are applied to specific users or groups.

System Preferences: Allows you to specify which preferences to show in System Preferences.

Time Machine: Allows you to control backup of computer data to network servers, such as installed applications and their preferences, all local account data, and system files.

Allows you to control mouse and keyboard behavior, enhance display settings, and adjust sound or speech for users with special needs.

Managing Mac Desktop Policies with the Group Policy Object Editor

QAS extends the Group Policy Object Editor (GPOE) by adding the Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes to manage Mac-specific policies.

To install the GPOE extensions, run the VAS-..msi installer, located in the adminTools\win32 directory of the QAS distribution media.

If you plan to install the GPOE extensions for 64-bit domain controllers, you must manually run adminTools\win32\VASx64components-.msi

Start the Group Policy Object Editor in any of the following ways:

• Run mmc from the command line and add the Group Policy Object Editor Snap-in manually.
• Select the Group Policy tab from the Properties dialog of an OU in the Users and Computers Snap-in, select a GPO, and click Edit.
• Right click on a Group Policy Object in the Group Policy Management Console and select Edit. NOTE: This option is only available to Windows XP and Windows 2003 Server users.


To run mmc and add the GPOE manually

1. Click Start -> Run.

2. Enter mmc and click OK. The MMC console is displayed.

3. Open the console File menu and click Add/Remove Snap-in....


The Add/Remove Snap-in dialog is displayed.

4. Click Add.


The Add Standalone Snap-in dialog is displayed.

5. Locate and select the Group Policy Object Editor from the list of available Snap-ins.

6. Click Add.


The Select Group Policy Object Wizard starts.

7. Click Browse... to locate and select the Group Policy Object to edit. Select or create a Group Policy Object which affects one or more Unix computer objects in order for VGP to apply the policy on the client side. Refer to your Group Policy documentation for more information on how to link policies to computers.

NOTE: VGP does not support the Local Computer Group Policy Object.

8. Click Finish.

9. Click Close to close the Add Standalone Snap-in dialog.

10. Click OK to close the Add/Remove Snap-in dialog. The selected Group Policy Object now displays in the left pane of the MMC console. The GPOE extensions installation process adds the Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes (Computer Configuration and User Configuration) and stores all Mac Desktop policies there.


The following graphic shows the GPOE view of the new Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes.

Using the Mac OS X, Workgroup Manager, and Preference Manifest Settings Nodes

The GPOE extensions installation process adds Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes to both the Computer Configuration and User Configuration nodes and stores all QAS for Mac OS X Desktop policies there. See the GPOE graphic on the previous page.

In the QAS for Mac desktop policy environment, a user whose account has defined properties is referred to as a managed user. An individual computer, or a computer that is a member of a computer group with defined properties, is called a managed computer. A group with defined properties is called a workgroup.

When you define policy/settings, you can manage them Always or Once. The policies are set to Never by default. You can choose the management frequency to apply to each policy/setting, as noted in the table below.

FREQUENCY DESCRIPTION

Once: Only limited availability. You can create default preferences, which users can then modify and keep the modifications. These preferences are effectively unmanaged. For example, you could set up a group of computers to display the Dock in a certain way the first time users log in. A user can change these preferences (you've set to Once) and the selected changes always apply to that user.

Never: Preferences are not managed at this account level but may be managed at a different account level. For example, even if you set the Dock preference to Never for a user, the Dock preference could still be managed at the computer level.

Always: Causes the preferences to remain in effect until you change them on the server. When properly designed, a Mac OS X application that conforms to standard preference conventions does not allow a user to modify preferences set to Always.

The following policies/settings only have the Never and Always manage options.

• Time Machine
• System Preferences
• Software Update
• Network Settings
• Media Access
• Energy Saver
• Classic
• Applications

Energy Saver, Time Machine, and most Login policies/settings can be defined only in the Computer Configuration node. Other policies/settings can be defined in both the Computer Configuration and User Configuration nodes.

By managing Mac OS X properties in the Computer Configuration and User Configuration nodes, you can customize the user’s experience and restrict user access to only the applications and network resources you choose.

As with standard QAS, Computer Configuration policy settings affect the computers in Active Directory with which the GPO is associated regardless of which user logs in. And User Configuration policy settings affect the users in Active Directory to which the GPO is associated regardless of which computer they use.

To manage properties, use the properties dialog for each policy listed in the Workgroup Manager Settings node.

Applications Settings

Applications settings allow you to control access by restricting the paths from which applications are allowed to run.

Applications settings can be applied in both the Computer Configuration and User Configuration nodes.

To configure Applications settings

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Applications.


The Applications Properties dialog is displayed.

4. Select settings on each of four available property tabs:

• Applications—control access to applications by restricting the paths from which applications are allowed to run.
• Widgets—controls a list of allowed Dashboard widgets for users of Mac OS v10.5 or later.
• Front Row—controls whether Front Row is allowed.
• Legacy—controls access to specific applications and paths to applications using bundle IDs (only for users of Mac OS v10.4 or earlier).

The Applications -> Legacy settings should be used only with Mac OS v10.4 or earlier.


Classic

The Classic policy allows you to set Classic startup options, assign a Classic System Folder, set sleep options for the Classic environment, and make specific Apple menu items available to users.

The Classic policy can be applied in both the Computer Configuration and User Configuration nodes.

Classic can only be run on Mac OS v10.4 or earlier.

To manage the Classic policy

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Classic. The Classic Properties dialog is displayed.


If managed users have access to the Classic pane of System Preferences, they can click the Start/Restart button in the Classic pane to start or restart Classic.

Classic includes two property tabs:

• Startup—controls which folder is the Classic System Folder and what occurs when Classic starts.
• Advanced—controls items in the Apple menu, Classic sleep settings, and the user's ability to turn off extensions or rebuild the Classic desktop file during startup.

Dock Settings

Dock settings allow you to adjust the behavior of the user’s Dock and specify what items appear in it.

Dock settings can be applied in both the Computer Configuration and User Configuration nodes.

To configure Dock settings

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Dock.


The Dock Properties dialog is displayed.

Dock includes two property tabs:

• Dock Items—controls items and their position in a user's Dock. You can also add links to SMB or CIFS shares under Dock Items. To do this:

1. Click Add on the Dock Items tab in the Documents and Folders section.

2. Enter a cifs URL in the format cifs://servername/sharename. This should be the name of a share in the domain to which you are joining/joined. If it is, the link will show up on the Dock as an unmounted share until a user clicks it. The share will then be mounted using the logged-in user's Kerberos credentials, and the user will have access to the contents of the share.

• Dock Display—controls the Dock's position and behavior.

Energy Saver Policy

The Energy Saver policy helps you save energy and battery power by managing wake, sleep, and restart timing for servers and client computers.

The Energy Saver policy can be applied only in the Computer Configuration node.

The Dock policy applies to users, groups, computers, and computer groups.

To manage the Energy Saver policy

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Energy Saver. The Energy Saver Properties dialog is displayed.


Energy Saver includes four property tabs:

• Desktop—controls sleep timing for the computer, display, hard disks, and wake and restart options for Mac OS X and Mac OS X Server.
• Portable—controls processor performance setting, sleep timing similar to Desktop, and wake and restart options for adapter and battery power sources.
• Battery Menu—controls display of the battery status indicator.
• Schedule—controls regular schedules for startup or shutdown.

Finder Policy

The Finder policy allows you to control various aspects of Finder menus and windows, which can help improve or control workflow.

The Finder policy can be applied in both the Computer Configuration and User Configuration nodes.

To manage the Finder policy

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Finder.


The Finder Properties dialog is displayed.

Note: Under Mac OS X Settings -> Workgroup Manager Settings -> Finder Properties -> Views -> Computer View, the Snap to grid option is located in the Keep arranged by drop down menu. This is different from the Mac server Finder preferences where the Snap to grid option is located right above the Keep arranged by drop down menu.

Finder includes three property tabs:

• Preferences—controls Finder window behavior, Simple Finder, whether open items appear on the desktop, filename extension visibility, and the Empty Trash warning.
• Commands—controls whether commands in Finder menus and the Apple menu are available to users. These allow users to perform tasks such as connecting to servers or restarting the computer.
• Views—allow you to adjust the arrangement and appearance of items on a user's desktop, in Finder windows, and in the top-level folder of the computer.


Login Policy

The Login policy allows you to set options for user login, to provide password hints, and to control the user’s ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in.

The Login policy can be applied in both the Computer Configuration and User Configuration nodes.

To manage the Login policy

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Login. The Login Properties dialog is displayed.

Login includes five property tabs:

• Window—controls the appearance of the login window such as the heading, message, which users are listed if the "List of users" is specified, and the ability to restart or shut down.
• Options—controls Login window options like enabling password hints, automatic login, console, fast user switching, inactivity log out, disabling of management, setting the computer name to match the computer record, external account login, guest account access, and login window screensaver settings.
• Access—controls who can log in, if local users can use workgroup settings, and the combination and selection of workgroups. Access is limited, as shown in the following graphic.
• Scripts—controls what script to run during login or logout and whether to execute or disable the client computer's own LoginHook or LogoutHook scripts.
• Items—controls access to the group volume, which applications open automatically for the user, and if users can add or remove login items.

Window, Options, Access, and Scripts can be managed for computers only. The Items tab is available in both the Computer and User Configuration nodes.


Media Access Policy

The Media Access policy allows you to control settings for and access to CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives).

The Media Access policy can be applied in both the Computer Configuration and User Configuration nodes.

To manage the Media Access policy

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Media Access. The Media Access Properties dialog is displayed.

Media Access includes two property tabs:

• Disc Media—controls settings for CDs, DVDs, and recordable discs (for example, CD-R, CD-RW, or DVD-R). Computers without appropriate hardware are not affected by these settings.
• Other Media—controls internal hard disks and external disks (other than CDs or DVDs).


Network Settings

Network settings allow you to configure specific proxy servers and settings for hosts and domains to bypass, and to disable Internet Sharing, AirPort, and Bluetooth.

The Network Proxies functionality applies to both the Computer Configuration and User Configuration nodes. The Sharing & Interfaces functionality applies only to the Computer Configuration node.

To configure Network settings

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Network. The Network Properties dialog is displayed.


Parental Controls

The Parental Controls policy allows you to hide profanity in Dictionary, limit access to websites, or set time limits or other constraints on computer usage.

To manage Parental Controls preferences, computers must have Mac OS v10.5 or later.

To manage the Parental Control policy

1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)

2. Navigate to and select Workgroup Manager Settings.

3. Double-click Parental Controls. The Parental Controls Properties dialog is displayed.


Parental Controls includes two property tabs:

• Content Filtering—controls whether profanity is allowed in Dictionary, and limitations on which websites users can view.
• Time Limits—controls how long and when users can log in to their accounts.

Preference Manifest Policies

The Preference Manifest Policies are managed under the Preference Manifests node. It is accessed as part of QAS and can be viewed through the Group Policy Snap-In.

The Preference Manifests node contains preference manifest files. These are XML (.plist) files that describe an application's preferences and make them available for management through the QAS Preference Manifests node.

Application developers create preference manifest files to make their application’s preference keys available for management through the Preference Manifests node.

Many standard items are readily available and configurable. You can also import custom preference manifests for policy configuration.

Policy items contained in this node are specific to the .

The QAS installation process adds Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes to both the Computer Configuration and User Configuration nodes and stores all the QAS for Mac OS X Desktop policies there.

The Preference Manifest policies, accessible through the Preference Manifests node, provide three management options:

• Always—Causes the preferences to remain in effect until you change them on the server. When properly designed, a Mac OS X application that conforms to standard preference conventions does not allow a user to modify preferences set to Always.
• Once—Limited. You can create default preferences which are applied when a user first logs in. The users can then modify the settings to suit their needs. These preferences are effectively unmanaged.
• Often—Settings can be changed by the user temporarily, but when the policy is applied again, the user changes are overwritten.


For example, if Often were set for your background, you could log in and change your background image; but the next time you logged in, it would go back to what was specified in the policy.

A sample preference manifest file can be found at the following link: http://developer.apple.com/DOCUMENTATION/MacOSXServer/Conceptual/Preference_Manifest_Files/Preference_Manifest_Files.pdf

Managing Preference Manifest Policies

Using the Microsoft Group Policy Management Console editor, you can configure Mac application settings which are applied using the Group Policy framework built in to QAS. The graphic below shows the preference manifest policies that ship with QAS by default.

Each policy is configurable according to the settings described in the preference manifest file.


For example, the preference manifest for Screen Saver exposes the six settings shown in the graphic below.

In this example, Screen Saver has been configured to require a password. When this GPO is applied to a Mac system running QAS, the configuration will be propagated to the Managed Client application which will reconfigure Screen Saver to prompt for a password.

The following table describes each Preference Manifest available with QAS.

APPLICATION / DESCRIPTION

Apple Crash Reporter: Enables management of Crash Reporter behavior, including determining when users will be prompted to send a crash report to Apple (always, never, etc.).

Apple Desktop Services: Enable or disable the creation of .DS_Store files on remote servers.

Apple Terminal: Enables management of a number of Terminal settings.

Apple Time Machine: Enables management of some "Time Machine" backup settings.

Apple Virtual Memory Settings: Extends the user's available, physical random access memory by treating the hard disk as if it were additional RAM.

Bluetooth: Allows you to enable or disable Bluetooth access.

Dashboard: Disables widgets.

Desktop Picture: Sets the basic required information to establish a Desktop picture.

Finder: Enables management of additional Finder settings that are not included in the Workgroup Manager -> Finder policy. These include trash settings (enforce securely emptying trash) as well as Finder sidebar settings.

Digital Hub: Sets preferences for desired actions depending on the type of media detected when a CD/DVD is inserted into the drive.

Home Folder Redirection: Allows redirection of folders in the user's home directory. NOTE: This policy has no effect unless a network home folder is specified in conjunction with the policy. See Automatically Mounting Network Home Folders. Do NOT use this policy with QAS clients previous to version 3.5.2.

Home Sync: Allows synchronization of home directory preferences. NOTE: This policy has no effect unless a network home folder is specified in conjunction with the policy. See Automatically Mounting Network Home Folders. Do NOT use this policy with QAS clients previous to version 3.5.2.

Hot Corner Actions: Controls the default behavior of the Hot Corners. Hot corners allow users to drag their mouse into a corner to trigger an action such as sleeping the computer or starting the screensaver.

iCal: Allows configuration of imported iCal accounts.

iChat: Preloads account info for iChat users. These settings are specific to OS 10.6.

Internet Configuration: Allows you to manage Internet configuration including mail servers/applications and browser defaults.

iTunes: Sets granular control over the entire suite of settings in iTunes, including parental controls.

iWork Registration: Creates basic settings to establish the registration keys for network managed systems.

Mail: Presets values for the user's Mail account.

Managed Menu Extras: Adds or disables menu items.

Microsoft Entourage 2008 Sync Services: Synchronizes Entourage , , , and tasks.

Microsoft Excel 2008: Allows customization of Excel settings.

Microsoft Office 2008: Allows customization of Microsoft Office 2008 auto correction preferences.

Microsoft Office 2008 Auto Update: Allows customization of Microsoft Office 2008 Auto Update settings.

Microsoft Word 2008: Allows customization of settings that affect the behavior of Microsoft Word 2008.

Mobility and Time Settings: Manage mobile account creation, deletion, FileVault settings, and other options related to mobile accounts. Time zone and time server can also be set here.

QuickTime Pro Registration: Sets preferences for QuickTime Pro, including Name, Organization, and Registration Key.

Safari: Sets settings including Home Page, History Age Limit, Download Location, Default Font, etc.

Screen Saver By Host: Enables the management of all screensaver settings other than "Require Password to Unlock". These include settings such as how long before the screensaver activates (if at all), and which screensaver module is run. Management of these settings requires 10.5 or later.

Screen Saver Password: Manages whether users are required to enter a password to unlock the screensaver.

Sidebar Lists: Manages what types of things are visible from the Finder Sidebar Lists.

Speech Recognition Preferences: Settings governing system speech recognition, such as whether a key press is required to "Listen" for a command.

Time zone and other options: Allows you to set the time zone to recognized standards.

VMware Fusion: Allows you to manage which VM will be started automatically when Fusion starts.

VPN Settings: Allows you to preload VPN values, including Service Type, VPN Server Address, User Login Name, User Defined Server Name, and User Authentication Type.

Each preference manifest includes a properties dialog with additional help description information.


Software Update

The Software Update policy checks for new and updated versions of your software based on information about your computer and current software.

With Mac OS X Server, you can create your own Software Update server to control updates that are applied to specific users or groups. This is helpful because it reduces external network traffic while also providing more control to server administrators.

By configuring the Software Update server, server administrators can choose which updates to provide.

To manage the Software Update policy
1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)
2. Navigate to and select Workgroup Manager Settings.
3. Double-click Software Update. The Software Update Properties dialog is displayed.


System Preferences

The System Preferences policy allows you to specify which preferences to show in System Preferences.

To manage the System Preferences policy
1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)
2. Navigate to and select Workgroup Manager Settings.
3. Double-click System Preferences. The System Preferences Properties dialog is displayed.


Time Machine Settings

Time Machine settings allow you to control the backup of computer data, such as installed applications and their preferences, all local account data, and system files, to network servers.

Time Machine settings can only be applied in the Computer Configuration node.

To manage the Time Machine policy
1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)
2. Navigate to and select Workgroup Manager Settings.
3. Double-click Time Machine. The Time Machine Properties dialog is displayed.


Universal Access Settings

Universal Access settings can help improve the user experience for some users. For example, if a user has difficulty using a computer or wants to work in a different way, you can choose settings that enable the user to work more effectively.

Using Workgroup Manager Settings, you can set up and manage Universal Access settings for specific workgroups or computers dedicated to users with special needs.

To manage the Universal Access policy
1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.)
2. Navigate to and select Workgroup Manager Settings.
3. Double-click Universal Access. The Universal Access Properties dialog is displayed.

Universal Access includes five property tabs:

• Seeing—controls visual display and desktop zooming.
• Hearing—controls visual alert for users.
• Keyboard—controls how the keyboard responds to keystrokes and key combinations.
• Mouse—controls how the pointer responds, and whether users can use the numeric keypad instead of a mouse.
• Options—controls shortcut key combinations, the use of assistive devices, and whether the computer reads text in the Universal Access .


INDEX

A
Active Directory accounts, logging in with 34
Administrator rights for QAS users, explained 44

C
Configuring the QAS client, explained 22

D
Deploying QAS for Mac OS X 7

H
Home directory workaround, explained 34

I
Install, custom, performing 11
Installation and configuration, verifying 33

M
Mac desktop policies
    management options 63
Mac desktop settings
    Preference Manifest Policy, explained 77
Mac OS X
    deploying, QAS for 7
    GUI install, explained 9
    installing QAS 8
    installing through Unix command line 13

P
Password hint, explained 46
Preference Manifests node, explained 77

Q
QAS
    installing, for Mac OS X 8
    QAS for Mac OS X components, listed 18
        Directory Access plugin, explained 19
        Directory Service plugin, explained 19
        Security Server plugin, explained 19
        startup items, explained 18
    uninstalling 14
    upgrading 14
QAS Mac OS X client
    configuring 22
    performing an unattended install 31

S
SMB shares on Windows servers, connecting 35
System changes made by join process, explained 32

T
Terminal.app, using to join and unjoin 32

U
Unattended install, performing 31