
Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide


Authentication Services limitations on Mac OS X

Some Authentication Services functionality is limited by the Mac OS X system. The limitations are listed below.

Limitations

  • When using the command line su utility to become an Authentication Services user, the Authentication Services PAM module does not create a ticket cache for the new session. Authentication Services relies on the CCacheServer process for Kerberos ticket cache management, and creating a new ticket cache from the PAM module would inadvertently destroy any existing Kerberos tickets.
  • If an Authentication Services user with a custom home directory path logs in through the system login window and the parent directories of that home directory do not yet exist, the system home directory creation code creates them but incorrectly sets the ownership and mode of all of them. Subsequent logins by other Authentication Services users who share the same home directory path then fail: their home directory is created, but they cannot access it because they cannot traverse the parent directories.

    If you use custom home directory paths, pre-create the parent directories with an ownership and mode that allow all Authentication Services users to traverse them, so that the login window only ever has to create the user's own home directory.

  • The automatic ticket renewal feature of Authentication Services does not currently work with non-file-based ccaches. Because Mac OS X uses API-based ccaches, the ticket renewal utility does not work there.

    Note: You can manually renew tickets with any utility that supports renewing tickets, such as Apple's Ticket Viewer.

  • When using the Authentication Services mapped user feature, if a local user is mapped to an Authentication Services user and at some point the user is unmapped (returned to a local account), you must reset the user's password.
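The following shell script is an added example and is not part of the Authentication Services product or this guide. It pre-creates the parent directories of a custom home directory path so that the login window never has to create them, and it checks that every parent directory is traversable (search bit set for "other") so that all users can reach their home directory below it. The owner root:wheel and mode 0755 are assumptions chosen to match the stock /Users directory on macOS, and the home path /Users/corp/eng/alice is hypothetical; run the script as root when the target parents are under /Users.

```shell
#!/bin/sh
# Added example, not part of the Authentication Services product or guide.
# Pre-creates the parent directories of a custom home directory path so
# that the login window's home directory creation never creates (and
# mis-owns) them, and verifies that every parent is traversable by all
# users. Assumed convention: parents owned by root:wheel, mode 0755,
# matching the stock /Users directory on macOS.

# ensure_home_parents HOME_PATH OWNER:GROUP MODE
# Creates each missing directory above HOME_PATH (not HOME_PATH itself,
# which the login window creates for the user) with the given owner and
# mode. Existing directories are left untouched.
ensure_home_parents() {
    home=$1; owner=$2; mode=$3
    # Split the parent path on '/' into the positional parameters.
    oldifs=$IFS; IFS=/; set -- $(dirname "$home"); IFS=$oldifs
    path=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue          # skip the empty leading component
        path="$path/$comp"
        [ -d "$path" ] && continue          # already present: leave it alone
        mkdir "$path" && chown "$owner" "$path" && chmod "$mode" "$path" || return 1
        echo "created $path owner=$owner mode=$mode"
    done
}

# check_home_parents HOME_PATH
# Returns 0 when every directory above HOME_PATH exists and carries the
# 'other' execute (search) bit, so any user can reach the home directory
# below it; otherwise lists the offending directories and returns 1.
check_home_parents() {
    home=$1; rc=0
    oldifs=$IFS; IFS=/; set -- $(dirname "$home"); IFS=$oldifs
    path=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ ! -d "$path" ]; then
            echo "missing: $path"; rc=1; continue
        fi
        # Columns 1-10 of ls -ld are the type and permission bits; column
        # 10 is the execute bit for 'other' ('x', or 't' when sticky is set).
        bits=$(ls -ld "$path" | cut -c1-10)
        case $bits in
            d????????[xt]) ;;
            *) echo "not traversable by all users: $path ($bits)"; rc=1 ;;
        esac
    done
    return $rc
}

# Example (hypothetical path; run as root on the client):
#   ensure_home_parents /Users/corp/eng/alice root:wheel 0755
#   check_home_parents  /Users/corp/eng/alice
```

Run the check after a user has logged in for the first time as well: if it reports a parent directory that is not traversable by all users, that directory was created by the login window rather than pre-created, and its ownership and mode must be corrected before the next user who shares the path logs in.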

Authentication Services Group Policy for Mac OS X

With Authentication Services you can manage your Mac OS X clients using Group Policy. Authentication Services includes Group Policy extensions to manage preferences just as you would with Workgroup Manager. In addition, Authentication Services supports custom policies based on Preference Manifests.

Because Mac OS X clients are managed through Group Policy, there is no need to set up additional Mac OS X Servers for client management. Mac OS X policy settings are applied using Profile-based policies.

Profile-based policy takes advantage of the Configuration Profile infrastructure provided by Apple. Policy settings are defined in Group Policy and downloaded to Mac OS X clients, where they are assigned to Configuration Profiles, which in turn apply the settings to the various configuration files on the Mac OS X client.

Profile-based policy

Profile policy settings are divided into two categories: Workgroup Manager Settings and Preference Manifest Settings.

The Workgroup Manager settings are designed to look and feel like the Workgroup Manager application. If you are familiar with Workgroup Manager from Mac OS X Server, the transition to Group Policy should be easy. Settings for Applications, Classic, Dock, Energy Saver, Finder, Login, Media Access, Network, Parental Controls, Printing, Software Update, System Preferences, Time Machine and Universal Access are included. Authentication Services supports the Never, Always and Once policy application options. You can apply settings to users or computers, and with standard Group Policy security filtering you can restrict settings to specific groups of users or computers.

Authentication Services also includes support for Preference Manifest files. Preference Manifest files describe application settings you can manage centrally. Many standard Mac OS X Preference Manifest files are included by default such as iChat, Mail, Sidebar, Time Zone and iTunes. You can import additional Preference Manifest files at any time, increasing the number of applications and features that you can manage.

On the Mac OS X agent, Group Policy integrates with the Configuration Profile subsystem according to Mac OS X best practices. This ensures that policy settings are applied correctly and appropriately to each new release of Mac OS X.

Mac OS X management modes

The following management modes exist for Mac OS X policy settings:

Table 1: Mac OS X: Management modes

Mode    Description
Never   The settings do not apply. This is equivalent to disabling the policy and is the default mode.
Once    The settings are applied one time. Users can remove the Configuration Profile afterwards, so the setting functions as a default value.
Always  The settings always apply. Users cannot remove the Configuration Profile.