
Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide


Authentication Services Mac OS X agent removal

Authentication Services provides an uninstaller that removes the Authentication Services packages from the system. The uninstaller is found in /Applications/Uninstall QAS 4.n.n (where n.n indicates the product version number).

To uninstall Authentication Services, use the Finder to navigate to /Applications and double-click the Uninstall Authentication Services 4.n.n application. The uninstaller displays the packages that you can remove. The uninstaller requires administrator credentials.

Note: When removing Authentication Services from your system, files owned by accounts supplied by the Authentication Services components appear as not having a valid owner since those accounts are no longer available to the system.

The Authentication Services Mac OS X components

The following Authentication Services Unix components are included in the Authentication Services Mac OS X port:

  • The vastool command line utility
  • The vgptool command line utility
  • The uptool command line utility
  • The pam_vas PAM module
  • The One Identity Ownership Alignment Tool (OAT)

You can use these components inside a Terminal session the same way you use them on any other Unix platform. Man pages for each of these utilities are automatically installed and configured and you can view them with a standard man page viewer. The Authentication Services join process automatically configures Unix applications to use the pam_vas module where appropriate.

The components described in this section are specific to the Mac OS X platform.

Authentication Services startup items

A launchd config plist file is installed for each Authentication Services daemon under /Library/LaunchDaemons.

These .plist files are used to put the Authentication Services daemons under the control of launchd. You can use the launchctl utility to add or remove any one of these daemons from launchd control. For example, to remove the Authentication Services caching daemon (vasd) from launchd control, run the following command in a Terminal session:

$ sudo /bin/launchctl unload /Library/LaunchDaemons/com.quest.vasd.plist

You can also stop a daemon using launchctl, but the Authentication Services daemon configuration is such that launchd immediately restarts the stopped daemon unless you specify the unload command. If it is necessary to restart any one of the Authentication Services daemons, run a command similar to the following:

$ sudo /bin/launchctl stop com.quest.vasd

The Authentication Services join process automatically runs the necessary load commands at join time to put the Authentication Services daemons under launchd control. Typically, users do not need to directly interact with the Authentication Services startup items.
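
Added example (not One Identity code): a Python check of a launchd job definition like the ones described above. It reports whether launchd will relaunch the job after a stop (the KeepAlive key) and whether the plist is root-owned and not writable by group or others, since a writable file under /Library/LaunchDaemons lets a non-administrator change what launchd runs. The sample plist contents, the /path/to/vasd placeholder and the function names are assumptions constructed for illustration.

```python
import os
import plistlib
import stat
import sys

# Constructed sample; the real com.quest.vasd.plist and program path may differ.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.quest.vasd</string>
  <key>ProgramArguments</key><array><string>/path/to/vasd</string></array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


def audit_plist(data, st_mode, st_uid, expected_uid=0):
    """Return (summary, findings) for one launchd job definition."""
    job = plistlib.loads(data)  # accepts XML and binary plists
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    summary = {
        "label": job.get("Label"),
        "program": args[0],
        # KeepAlive (boolean or dict of conditions) is the launchd key that
        # makes a job come back after `launchctl stop`; `unload` removes it.
        "restarts_after_stop": bool(job.get("KeepAlive", False)),
        "run_at_load": bool(job.get("RunAtLoad", False)),
    }
    findings = []
    if st_uid != expected_uid:
        findings.append(f"owner uid {st_uid}, expected {expected_uid}")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/other writable (mode {stat.S_IMODE(st_mode):o})")
    if not os.path.isabs(summary["program"]):
        findings.append("program path is not absolute")
    return summary, findings


def audit_file(path, expected_uid=0):
    """Audit a plist on disk, e.g. one under /Library/LaunchDaemons."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        return audit_plist(fh.read(), st.st_mode, st.st_uid, expected_uid)


if __name__ == "__main__":
    for plist_path in sys.argv[1:]:
        print(plist_path, *audit_file(plist_path))
```

Run it with python3 and one or more plist paths, for example /Library/LaunchDaemons/com.quest.vasd.plist.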

Authentication Services directory service plugin

Authentication Services provides a plugin for the system DirectoryService daemon.

The Authentication Services Directory Service Plugin uses the rest of the Authentication Services components to provide Active Directory group and user information to the rest of the system, and is installed at /Library/DirectoryServices/Plugins/VAS.dsplug.

The Authentication Services Directory Service Plugin also uses Kerberos authentication for Active Directory users. The plugin operates both when the system is connected to a network where Active Directory is available, and for disconnected scenarios where the Mac OS X system cannot contact Active Directory. The Authentication Services Directory Service Plugin provides secure authentication and performant identity lookups even in this disconnected mode.

Disconnected mode is available without having to create local Mobile Accounts on each Mac OS X system. The Authentication Services caching architecture also minimizes the impact that each Mac OS X system has on the Active Directory environment.
