Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Safeguard Authentication Services 4.1.3 - Mac OS X/macOS Administration Guide

Table of Contents

One Identity Privileged Access Suite for Unix

About this guide

Authentication Services Mac OS X agent installation

Install Authentication Services using the graphical system installer Install Authentication Services with the system installer Custom install Command line install

Install the Authentication Services metapackage from command line Install a single Authentication Services package from command line Mount and unmount the Authentication Services.dmg from the command line

Authentication Services agent upgrade Authentication Services Mac OS X agent removal

The Authentication Services Mac OS X components

Authentication Services startup items Authentication Services directory service plugin Authentication Services directory utility plugin Authentication Services security server plugin

Configuring the Authentication Services client

Launch the directory utility application Configure the Authentication Services node Adding, checking, and verifying Authentication Services licenses

Add, check, and verify licenses

Joining the Active Directory domain

Unconfigure local LDAPv3 Graphically join the domain Unjoin an Active Directory domain Command line join Using Terminal.app to join and unjoin System changes made by the join process Verify the installation and configuration

Logging in with Active Directory accounts

Unix-enable a user

Troubleshooting connections to Windows SMB shares

Connecting to SMB shares on domain controllers The DNS domain name differs from the Kerberos realm

Automatically mount network home folders

Configure automatic home folder mounting at join time Mount the Windows home folder or profile path Mount an alternate share at login Configure automatic home folder mounting using VARprod.gp Group permissions on auto-mounted home directories Mounting AFP shares

Special Mac OS X features

Local Administrator rights for Authentication Services users

Grant Authentication Services accounts administrator rights

Active Directory user password hint Configuring Apple FileVault disk encryption

Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac

Profile-based policy

Mac OS X management modes Workgroup Manager settings

Applications properties

Applications tab Front Row tab Legacy tab Widgets tab

Classic properties

Startup tab Advanced Tab

Dock properties

Dock Items tab Dock Display tab

Energy Saver properties

Desktop tab Portable tab Battery tab Schedule tab

Finder properties

Preferences tab Commands tab Views tab

Login properties

Window tab Options tab Access tab Scripts tab Items tab

Add login items

Media Access properties

Media Access tab

Network properties

Sharing & Interfaces tab

Parental Controls properties

Content Filtering tab

Filter content explicitly Filter content with the built-in adult content filter

Time Limits tab

Configure time allowances Configure time curfews

Printing properties

Add a printer

Software Update properties

Software Update tab

System Preferences properties

System Preferences tab

Time Machine properties

Time Machine tab

Universal Access properties

Seeing tab Hearing tab Keyboard tab Mouse tab Options tab

Wireless User Profile properties

Add wireless profiles

Preference Manifest settings

Add a Preference Manifest

Certificate Autoenrollment

Certificate Autoenrollment on Mac OS X/macOS Certificate Autoenrollment requirements and setup

Java requirement: Unlimited Strength Jurisdiction Policy Files Installing certificate enrollment web services Configuring Certificate Services Client - Certificate Enrollment Policy Configuring Certificate Services Client - Auto-Enrollment Configuring Certificate Templates for Auto-enrollment

Using Certificate Autoenrollment

Configuring Certificate Autoenrollment manually

Configure a machine for Certificate Autoenrollment Configure a user for Certificate Autoenrollment

Trigger machine-based Certificate Autoenrollment

Troubleshooting Certificate Auto-Enrollment

Enable debug logging on Windows Pulse Certificate Autoenrollment processing Manually apply Group Policy

Command line tool

qcert command reference

vascert commands and arguments

Configure automatic home folder mounting using VARprod.gp

Configuring the Authentication Services client > Automatically mount network home folders > Configure automatic home folder mounting using VARprod.gp

During deployment, installation and join usually happen in a scripted fashion from the command line. It is still possible to configure home folder mounting without using the graphical join interface, either through modification of the vas.conf file or by setting the appropriate options in group polices that apply to your Mac OS X machines.

The two options that have bearing upon home directory mount behavior are nethome and nethome-mount-protocol. These options are set in the vas.conf policy.

The nethome is either the name of the user attribute where the UNC path is stored ("homeDirectory" or "profilePath"), or it is the server URL expression for all users (that is, cifs://servername/sharename/%c).

If the nethome is specified as an attribute name, you can specify whether the path is mounted by means of AFP or CIFS using the "nethome-mount-protocol" setting.

Setting either of these options has no effect on any Authentication Services platform other than Mac OS X, so you can safely set it on a domain-wide Unix settings policy. Creation or modification of group policies is accomplished using the Microsoft GPOE on any Windows administrative workstation.

Group permissions on auto-mounted home directories

Configuring the Authentication Services client > Automatically mount network home folders > Group permissions on auto-mounted home directories

For Authentication Services to resolve to a Windows SID to a Unix UID or GID, the user or group to whom that SID belongs must have had a UID or GID manually assigned to them. Or, in other words, you must Unix-enable the user or group on the Unix Account tab in Active Directory Users and Computers. If a group or user has not been Unix-enabled, the Mac OS X machine will still assign a UID or GID to the user or group, but the Authentication Services agent software will not be able to resolve the a UID or GID.

To log into an Mac OS X machine, all users must be Unix-enabled so this normally only causes problems when dealing with group permissions on SMB-mounted home directories. It is not uncommon for the group owner of a network home location to be a group WITHOUT a Unix GID assigned. When a user's ability to access this directory relies on correct group membership, problems can arise. It is, therefore, best practice to Unix-enable all groups that are used for SMB File level permissions on network mounted home directories.

Mounting AFP shares

Configuring the Authentication Services client > Automatically mount network home folders > Mounting AFP shares

To mount AFP shares, you must have an AFP file server that knows about all your Active Directory users and credentials. You can easily accomplish this using third-party software that shares files from a Windows machine joined to your domain.

Special Mac OS X features

Special Mac OS X Features

Local Administrator rights for Authentication Services users

Grant Authentication Services accounts administrator rights

Active Directory user password hint

Configuring Apple FileVault disk encryption

This section details two special Mac OS X features:

Local Administrator Rights for Authentication Services Users
Active Directory User Password Hint

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy