Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Local Administrator rights for Authentication Services users

Authentication Services allows you to give local administrator rights to Authentication Services users on individual Mac OS X systems. This gives a user the ability to administer his own system while still using Active Directory for authentication. It also allows Mac OS X system administrators "admin" access on Mac OS X systems without a shared local account.

Grant Authentication Services accounts administrator rights

To grant Authentication Services accounts administrator rights

  1. Modify the /etc/opt/quest/vas/vas.conf file and add the following section to the Authentication Services configuration using a text editor:
    [vas_macos]
    admin-users = johnd@example.com

    For example, with the pico text editor, enter:

    $ sudo pico /etc/opt/quest/vas/vas.conf

    Note: If there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.

    For the value of the admin-users key, use a comma-separated list of Active Directory User Principal Names (UPN) for Authentication Services users with administrator rights. The Domain Users option also supports groups of users.

  2. Specify the group in the form, Domain\groupname.

    Either step ensures that Authentication Services processes the new configuration.

  3. Verify that the configured users have administrator rights by checking their group memberships using the following command line (the example is for a user called jdoe):
    $ groups jdoe

    If jdoe was correctly configured to have local administrator rights, you see the local admin, appserveradm, and appserverusr groups listed in the output. The jdoe user is then able to use his user credentials for authorizing administrative tasks started from the System Preferences application.

Active Directory user password hint

The password hint is displayed for all Active Directory users when you have Mac OS X configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is "Windows Domain Password".

Before Mac OS X will display authentication hints, you must enable the "Show password hints" option through the log in options.

After enabling password hints, after several incorrect login attempts, the password hint displays.

You can manage this hint centrally on the domain controller through Group Policy.

Note: For security reasons, if a mapped user changes his password hint, it is intentionally reset to the generic Windows domain password hint the next time he logs in.

Configuring Apple FileVault disk encryption

Authentication Services is compatible with Apple’s FileVault disk encryption, introduced in Mac OS X 10.7. In order to use FileVault with an Active Directory user, you must first create a mobile account for that user on the Mac OS X client. A Mac OS X mobile account has a local home directory that can automatically sync with the user’s network home directory.

To encrypt your disk

  1. As an Active Directory user, open System Preferences and navigate to Users & Groups.
  2. Click the Lock icon and enter administrator credentials to enable preference changes.
  3. Click the Create button next to Mobile account.

  4. Select your preferred syncing and home folder location preferences in the pop-up menu and click Create.

    A popup message displays explaining that you must log out and log back in to create the local home folder.

  5. Click Create and enter your password at the prompt.
  6. Log back in and configure FileVault encryption.

  7. From System Preferences, navigate to Security & Privacy and open the FileVault tab.
  8. Click Turn on FileVault to begin the encryption process.

  9. Select users (local users and mobile accounts) to enable them to unlock the encrypted disk at system startup.

    Note: Once you enable FileVault unlock for a user account, if you subsequently delete the account from Active Directory, you must also delete the local user account to disable FileVault unlock for that user.

  10. Enter a password for each user you enable.

  11. Take note of the recovery key on the following screen; store it somewhere yourself, and store it with Apple Support.

  12. Restart your system to begin encrypting the drive.

    The encryption can take several hours, depending on the size of your disk, during which time you can continue using your computer. You can monitor the encryption process by returning to the FileVault tab in Security & Privacy preferences.

    After you enable FileVault, your Mac OS X will initially boot to an unencrypted disk partition and ask for your password to unlock the encrypted partition. Because this separate partition does not have access to Authentication Services and Active Directory, you must use your most recent locally cached password. Before the local cache is updated, if you need to unlock the encrypted disk after a password change, either use your old password or click the Recover Key to unlock the drive. Once the drive is unlocked, although it says you must reset your password, you can ignore the prompt and log in with your recently changed account password.

    You can find more information about FileVault in these articles by Apple Support:

Related Documents