Editor’s Note: This story is reprinted from Computerworld. For more Mac coverage, visit Computerworld’s Macintosh Knowledge Center.
Centrify’s Direct Control for Mac is a complete solution for Active Directory environments in which you have to support Mac clients and need secure access to Mac OS X system components or must manage the user environment.
Direct Control allows you to join Mac OS X computers, as well as other versions of Unix/Linux, to Active Directory. You can organize them and delegate administration via organizational units known as zones. And you can manage them using a series of group policies specifically designed to work with Apple’s managed preferences model.
Overview
Direct Control for Mac fulfills a common need. Although Macs typically make up a small fraction of the total number of PCs in a corporate network, they often still need access to the resources of that network. And they still need to be controlled and secured according to company policies and government regulations.
Apple does include some Active Directory support in Mac OS X. But that support is limited to letting users log into a Mac workstation using an Active Directory account. It provides very little support for securing local resources—although, by default, it doesn’t grant Active Directory users local administrator access, so there is some safeguard. But it provides no support for configuring a managed user environment.
Another major limitation is that Apple’s Active Directory solution uses LDAP rather than Microsoft’s ADSI protocol when authenticating users, and it doesn’t support signed LDAP communication. This means that you must lower the domain security policy for Windows 2003 Server to support Mac clients, which can expose an Active Directory domain to increased risk of network attacks.
Direct Control for Mac offers full support for signed communication with Active Directory, although it does rely on Apple’s variation of Samba to provide access to file shares and print queue, and this version of Samba doesn’t support signed communication. Also, Directory Access uses the ADSI protocol. Further, Direct Control extends Active Directory’s smart-card authentication support to work seamlessly with Mac OS X.
More important, Direct Control offers several server-side components that allow you to fully support Mac users by assigning the user ID (UID) and group ID (GID) attributes that Mac OS X relies upon for user identification and file permissions.
While all the above features make Direct Control for Mac a tempting solution, the fact that it includes a range for group policies that can be used to secure and manage the Mac OS X environment is what makes it an excellent solution.
Direct Control for Mac uses group policies that integrate with the client-side components of Apple’s managed preference environment. The icing on the cake for Windows administrators is that Direct Control integrates well with Active Directory; managing Mac workstations has the same familiar feel as managing Windows PCs.
Installation and configuration
Installing Direct Control and its Mac system agent is extremely simple and straightforward. On the server side, once you’ve run the installer, you need to open the Centrify management console and configure the appropriate Direct Control organization tools. After that, you can add a Centrify snap-in to any Microsoft Management Console for easy management. Then you’ll need to use either the Group Policy Management Console or Group Policy Object Editor to add the appropriate administrative templates to a new or existing group policy object.
On the client side, you’ll need to install the Mac system agent. Again, this is a simple installer that can be run either as a Mac OS X installer package or a command-line shell script. The system agent includes a series of command-line tools and a plug-in for Apple’s Directory Access utility. You can join the Mac to a domain using either the command-line tool or the Directory Access utility.
The process is simple and similar to that of joining a Windows PC to a domain. Overall, the installation process on both client and server side is very painless, even if you’re not used to working with Macs.
In the zone
Direct Control introduces a type of organizational tool called zones. They’re used to apply necessary attributes to user accounts for Mac OS X (as well as other Unix versions) without making major schema changes to Active Directory. Each Mac user must be assigned to a zone but can be a member of more than one zone. Each Mac client must be a member of one, and only one, zone.
When configuring a zone, you specify UID attributes for users of that zone by entering a starting UID; each user added to the zone will receive the next-highest UID. You also specify which Active Directory group will be used as the primary group attribute for users as well as the associated GID attribute.
Zones also define the location of the home directory for users and which Unix shells will be available to them. You can delegate authority over certain zones if you want to split the administrative workload of managing them. You use the Centrify management console to create and manage zones, but you assign users to a zone by using the Centrify Profile tab that is added to the user’s property window.
Zones allow you to group similar workstations and/or users for management purposes. They also make it possible to support situations where users may need conflicting settings depending on which computers they are using or if you want to limit which Macs users have access to. Zones can also be helpful as you migrate to Direct Control from other Active Directory solutions or even from using local workstation accounts. You can also generate reports about computer use for each zone, making them even more useful.
Zones are a powerful tool in Direct Control, and they also serve as an elegant solution for providing attributes that are needed by Mac OS X. However, when you first begin using Direct Control, the concept of zones and how to use them can seem a little confusing. Although zones affect some access to Macs and their configuration, they don’t directly relate to setting group policies for Macs. This is definitely one section of Direct Control’s documentation that you don’t want to skip over.
While we’re on the topic, I should add that Centrify’s documentation is extremely thorough, and the answers to almost any possible question can be found in it. However, the current documentation places the majority of Mac-specific information in a separate document from the Direct Control guides, which can make it difficult to find answers. Centrify says it will provide a more streamlined set of user guides with the next major release.
Setting group policies for Mac OS X
Setting group policies for Macs using Direct Control is exactly the same as setting any other group policy. You create and link group policy objects to specific organizational units just as you would in any other situation. With the administrative template added to a group policy object, you can simply drill down to the settings that you want and configure them. Centrify includes detailed explanations of what each policy does and how to use it directly in the management console display.
Centrify’s initial Mac group policies, which are those included with the current release, are limited to features used for securing Mac OS X. These policies include requiring the use of a screen saver and enforcing the use of a password to exit the screen saver or to wake the computer from sleep; controlling the Mac OS X log-in window and fast user switching; limiting access to various network sharing services such as file and printer sharing; configuring Apple’s Software Update engine and the Energy Saver system preferences; and limiting access to System Preferences panes.
Centrify says it initially focused on group policies designed to secure Mac OS X because that is the most immediate need for many organizations. However, in an upcoming release, the vendor plans to offer a much broader set of group policies that mirror virtually all the Mac OS X Server preferences management functions. These include support for such things as configuring a custom Mac OS X user environment, setting mobile computer file-synchronization options and automatically opening applications or files at log-in.
Having had the opportunity to work with both the existing set of group policies and to see a preview version of the upcoming expanded set, I was amazed at Centrify’s success. The experience of managing Macs was exactly the same as managing Windows computers using group policies. Any experienced Active Directory administrators, even those who have no Mac support experience, will feel completely at home. Any experienced Mac administrator will also notice that Centrify has managed to mirror the preference management component of Mac OS X Server’s Workgroup Manager.
Overall impressions
Having worked with various methods of supporting Macs in a Windows Server environment for years and having worked with Mac OS X Server’s preferences management features, I had very high expectations for Direct Control for Mac. The product either met or exceeded my expectations, and I would highly recommend it to any company that’s running Active Directory and needs to support a handful of Macs. There are, however, a couple of points that administrators considering Direct Control should keep in mind.
First, it doesn’t provide support for signed communications when browsing or allow access to Windows shares or print queues. This means that you will either need to configure your domain’s security policy to allow unsigned communications for these purposes or invest in a third-party solution, such as Thursby’s DAVE. This product adds more advanced support for the Windows server message block protocol to Mac OS X, including support for signed SMB.
Alternatively, there are server-side solutions such as Group Logic’s ExtremezIP, which allows the use of Mac OS X’s Apple Filing Protocol under Windows server with secure communication.
Second, Direct Control could be used by any experienced Active Directory administrator, regardless of Mac experience. However, I would suggest that if you are considering this solution, you will probably have more success if you have at least a passing familiarity with Mac OS X and basic Mac troubleshooting and networking concepts. That said, it is a solution that you will be able understand and use with very little learning curve.
[ Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld , he is a frequent contributor to InformIT.com. Ryan was also the co-author of O’Reilly’s Essential Mac OS X Panther Server Administration . ]