Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Workgroup Manager settings

Authentication Services provides Group Policy extensions that mirror the functionality available in Apple Workgroup Manager console. Workgroup Manager Settings are located in the Mac OS X Settings folder (or in the Policies folder, if you are using the new Group Policy Management Editor.)

For additional information about any of the topics covered in this section, refer to Chapter 10: Managing Preferences in the Mac OS X Server User Management manual available from Apple. Apple's User Management guide is written for Workgroup Manager, but most of the settings and information also apply to Group Policy for Mac OS X.

To open the properties of the various settings described in this section

  1. Start the Group Policy Management Editor and navigate to the Mac OS X Settings directory under either Computer Configuration or User Configuration.
  2. Double-click the Workgroup Manager Setting to open its properties.

Applications properties

The Applications Properties settings allow you to control access to specific applications and paths to applications using digital signatures. The Applications, Widgets, and Front Row tabs apply only to users of Mac OS X 10.5 or later. The Legacy tab applies only to users of Mac OS X 10.4.

You can apply Application Properties settings under both Computer Configuration and User Configuration.

Related Topics

Applications tab

Front Row tab

Legacy tab

Widgets tab

Applications tab

The Application tab settings control which applications are allowed to execute on Mac OS X and support the following management modes: Never, Always. The Applications settings apply only to Mac OS X 10.5 and later.

Application restrictions are controlled by means of folder paths. Group Policy does not currently support application management using digital signatures, therefore to allow or prevent users from launching an application, add the application or the path to the application to one of two lists:

  • Disallow applications within these folders.

    Add folders containing applications that you want to prevent users from opening. All applications in sub-folders of disallowed applications are also disallowed.

  • Allow applications within these folders.

    Add folders containing applications that you want users to launch. If an application or path to the application appears in both the disallow and the allow lists, then the disallow list takes precedence and the user is not allowed to launch the application.

If an application does not appear in either of these lists, the user can not launch the application.

Click Add to open the New Application Item dialog. You can type the absolute Unix path or you can click Remote Browse to log into a remote Mac OS X machine (by means of SSH) and browse for the target folder. It displays recently specified paths. To reuse a recently specified path, double-click the item in the list.

Note: Both disallow and allow paths support the %HOME% macro-expansion to the user's Unix home directory. For example, to restrict a user from running applications in their home directory, specify %HOME%. This macros is only supported by user policies; machine policies do not support this macro type.

Front Row tab

Front Row is media center software for Mac OS X. Front Row tab settings allow you to control whether or not Front Row is allowed to execute and supports the following management modes: Never, Always.

Select Allow Front Row, to allow Front Row to execute on Mac OS X.

Related Documents