Centrify Corp. (http://www.centrify.com) — a provider of Microsoft
Active Directory-based auditing, access control and identity
management solutions for non-Microsoft platforms — has released
Centrify DirectControl 4.2 for Mac OS X, which adds smart card-based
login to Active Directory for single sign-on to Windows-integrated
services and applications.
Centrify leverages the PKI infrastructure provided by Apple and works
with both Common Access Cards (CAC) and Personal Identity
Verification (PIV) cards as well as with other cards that support the
Apple TokenD interface such as the .NET smart card from Gemalto. With
this capability, government agencies and other organizations can use
smart cards for interactive login from the Mac to all services in the
organization whose access is controlled from Active Directory, not
just the local computer, says David McNeely, director of product
management for Centrify.
In February, Centrify announced support for smart card authentication of managed Mac OS X computers. This allows Macs in a Windows network environment to use smart cards for login authentication based on a user's Active Directory account. That announcement, dated Mountain View, CA, February 5, 2007, was titled "Centrify Adds Smart Card Support to Its Solution for Integrating Mac OS X in Active Directory Environments", with the subtitle "DirectControl for Mac OS X Smart Card Login Option to Initially Support the Department of Defense Common Access Card (CAC)".
DirectControl effectively turns a Mac, UNIX or Linux system into an
Active Directory client, enabling administrators to secure that
system using the same authentication and Group Policy services
currently deployed for their Windows systems. By adding smart card
support to its Mac agent, Centrify enables customers to use Mac
systems in high-security environments that must comply with Homeland
Security Presidential Directive 12 (HSPD-12), which requires secure
and reliable identification of Federal employees and contractors
using PIV cards.
DirectControl 4.2 for Mac OS X also adds increased security features
that include allowing organizations to lock the Mac Finder. This is
especially important in schools and universities that allow students
to share Macs but don’t want them to manipulate the system, McNeely
says.
Finder Lock is one of more than 200 Mac-specific Group Policies that
Centrify has developed to help administer Macs from the same
centralized administrative tools from which Windows computers are
managed. Other policies added in this release include enforcement of
a computer policy to require smart card login, a removal policy to
either lock the screen or force a logout when the smart card is
removed, and additional security controls.
With this release, Centrify DirectControl for Mac OS X also includes
a streamlined installation that allows a one-click setup of the Mac
in Active Directory. Centrify’s workstation installer was
specifically designed to enable administrators to deploy
DirectControl on Macs and quickly join them to an Active Directory
domain, McNeely says. In this way the users get prompt access to
network services and administrators can quickly apply policies to the
Macs, he adds.
Centrify DirectControl for Mac OS X Smart Card edition is licensed
for US$90 for one copy and is available in beta now. It will be
available within 90 days. CAC and PIV are supported on Mac OS X
10.5.3 and higher.
To fully support smart card login, you can do either one of the following.
- Configure a computer to require smart card login by enabling the Require smart card login group policy (Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require smart card login.) When you enable this policy, no one can log into a computer for which this policy applies with a user name and password but must insert a smart card, unless you create an exception group. An exception group is simply an Active Directory group that you create and add to this group policy to allow group members to log in, if necessary, with a user name and password. The purpose of creating an exception group is to allow users to temporarily log in if they do not have their smart card in hand.
Note: If you set this policy, be certain that all users have their passwords set to never expire. Otherwise, once a password expires, a user may be unable to log in with a smart card and will see a potentially confusing error message about changing their password. If you use the option to require smart card login for specific users, as explained in the next bullet, you can ignore password expiration.
- Set an individual user's account options to require login with a smart card, as shown in the following procedure. When you set this option, the user cannot interactively log in to a computer with a user name and password but must insert a smart card. Do not use this option if you want to allow specific users to log in temporarily with a user name and password in case they do not have their smart card with them. In this case, use the Require smart card login group policy and create and add an exception group.
To require smart-card login for a specific user:
- Open the Access Manager console or Active Directory Users and Computers.
- Select the user. For example, in the Access Manager console, open domainName > Zones > zoneName > Users > userName.
- Right-click the userName and select Properties.
- Select the Account tab.
- In Account options, scroll until Smart card is required for interactive logon is visible, then select it.
- Click OK.
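The same per-user setting, plus a check for the password-expiry note above, scripted against Active Directory. This is an added example, not Centrify's code or documentation; it assumes the Microsoft ActiveDirectory PowerShell module on a domain-joined Windows host, and the group name SmartCardExceptions is a placeholder for whatever exception group you added to the Require smart card login policy.

```powershell
# Added example (not Centrify's). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Equivalent of ticking "Smart card is required for interactive logon" on the
# user's Account tab; AD stores it as the 0x40000 bit of userAccountControl.
function Set-SmartCardRequired {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    # Read the value back so the change is confirmed, not assumed.
    Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, SmartcardLogonRequired
}

# Audit for the note above: on Macs where the Require smart card login policy
# applies, any user whose password can still expire (and who is neither in the
# exception group nor flagged per-user as smart-card-only) risks being locked
# out once the password lapses. Exception-group members keep password login.
function Get-SmartCardLoginAudit {
    param([string]$ExceptionGroup = 'SmartCardExceptions')   # placeholder name

    $exceptions = @{}
    Get-ADGroupMember -Identity $ExceptionGroup -Recursive |
        ForEach-Object { $exceptions[$_.SamAccountName] = $true }

    Get-ADUser -Filter { Enabled -eq $true } `
        -Properties SmartcardLogonRequired, PasswordNeverExpires, PasswordLastSet |
        ForEach-Object {
            $status =
                if ($exceptions.ContainsKey($_.SamAccountName)) {
                    'exception group: password login allowed'
                } elseif ($_.SmartcardLogonRequired) {
                    'smart card only (per-user option; expiry can be ignored)'
                } elseif ($_.PasswordNeverExpires) {
                    'password never expires: OK for Require smart card login'
                } else {
                    'WARNING: password can expire; may be locked out of smart-card-only Macs'
                }
            [pscustomobject]@{
                User            = $_.SamAccountName
                SmartCardOnly   = [bool]$_.SmartcardLogonRequired
                PasswordExpires = -not $_.PasswordNeverExpires
                PasswordLastSet = $_.PasswordLastSet
                Status          = $status
            }
        } | Sort-Object Status, User
}

# Usage (placeholder account): Set-SmartCardRequired -SamAccountName 'jdoe'
# Get-SmartCardLoginAudit | Format-Table -AutoSize
```

Run the audit before enabling the computer-level policy so the users it flags can be moved into the exception group or have their password expiry settings adjusted first.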