Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.2 - macOS Administration Guide

Privileged Access Suite for Unix Installation Safeguard Authentication Services macOS components Safeguard Authentication Services client configuration Special macOS features Limitations on macOS Group Policy for macOS Certificate Autoenrollment Glossary

Safeguard Authentication Services macOS components

The following Safeguard Authentication Services Unix components are included in the Safeguard Authentication Services macOS port:

  • The vastool command line utility
  • The vgptool command line utility
  • The uptool command line utility
  • The pam_vas PAM module
  • The One Identity Ownership Alignment Tool (OAT)

You can use these components inside a Terminal session the same way you use them on any other Unix platform. Man pages for each of these utilities are automatically installed and configured and you can view them with a standard man page viewer. The Safeguard Authentication Services join process automatically configures Unix applications to use the pam_vas module where appropriate.

The components described in this section are specific to the macOS platform.

Startup items

A launchd config plist file is installed for each Safeguard Authentication Services daemon under /Library/LaunchDaemons.

These .plist files are used to put the Safeguard Authentication Services daemons under the control of launchd. You can use the launchctl utility to add or remove any one of these daemons from launchd control. For example, to remove the Safeguard Authentication Services caching daemon (vasd) from launchd control, run the following command in a Terminal session:

$ sudo /bin/launchctl unload /Library/LaunchDaemons/com.quest.vasd.plist

You can also stop a daemon using launchctl, but the Safeguard Authentication Services daemon configuration is such that launchd immediately restarts the stopped daemon unless you specify the unload command. If it is necessary to restart any one of the Safeguard Authentication Services daemons, run a command similar to the following:

$ sudo /bin/launchctl stop com.quest.vasd

The Safeguard Authentication Services join process automatically runs the necessary load commands at join time to put the Safeguard Authentication Services daemons under launchd control. Typically, users do not need to directly interact with the Safeguard Authentication Services startup items.

Directory Service plugin

Safeguard Authentication Services provides a plugin for the system DirectoryService daemon.

The Safeguard Authentication Services Directory Service plugin uses the rest of the Safeguard Authentication Services components to provide Active Directory group and user information to the rest of the system, and is installed at /Library/DirectoryServices/Plugins/VAS.dsplug.

The Safeguard Authentication Services Directory Service plugin also uses Kerberos authentication for Active Directory users. The plugin operates both when the system is connected to a network where Active Directory is available, and for disconnected scenarios where the macOS system cannot contact Active Directory. The Safeguard Authentication Services Directory Service plugin provides secure authentication and performance identity lookups even in this disconnected mode.

Disconnected mode is available without having to create local Mobile Accounts on each macOS system. The Safeguard Authentication Services caching architecture also minimizes the impact that each macOS system has on the Active Directory environment.

Directory Utility

You use the Directory Utility application to configure the Directory Service Plugins that provide identity information for authenticating to the machine. When installed, Safeguard Authentication Services is one of the plugins.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating