Safeguard Authentication Services 5.0.1 - macOS Administration Guide

Configuring Apple FileVault disk encryption

Safeguard Authentication Services is compatible with Apple’s FileVault disk encryption, introduced in macOS 10.7. In order to use FileVault with an Active Directory user, you must first create a mobile account for that user on the macOS client. A macOS mobile account has a local home directory that can automatically sync with the user’s network home directory.

To encrypt your disk

  1. As an Active Directory user, open System Preferences and navigate to Users & Groups.
  2. Click the Lock icon and enter administrator credentials to enable preference changes.
  3. Click the Create button next to Mobile account.

  4. Select your syncing and home folder location preferences in the pop-up menu and click Create.

    A popup message displays explaining that you must log out and log back in to create the local home folder.

  5. Click Create and enter your password at the prompt.
  6. Log back in and configure FileVault encryption.

  7. From System Preferences, navigate to Security & Privacy and open the FileVault tab.
  8. Click Turn on FileVault to begin the encryption process.

  9. Select users (local users and mobile accounts) to enable them to unlock the encrypted disk at system startup.

    Note: Once you enable FileVault unlock for a user account, if you subsequently delete the account from Active Directory, you must also delete the local user account to disable FileVault unlock for that user.

  10. Enter a password for each user you enable.

  11. Take note of the recovery key on the following screen; store it somewhere yourself, and store it with Apple Support.

  12. Restart your system to begin encrypting the drive.

    The encryption can take several hours, depending on the size of your disk, during which time you can continue using your computer. You can monitor the encryption process by returning to the FileVault tab in Security & Privacy preferences.

    After you enable FileVault, your Mac initially boots to an unencrypted disk partition and asks for your password to unlock the encrypted partition. Because this separate partition does not have access to Safeguard Authentication Services or Active Directory, you must use your most recently cached local password. If you need to unlock the encrypted disk after a password change but before the local cache has been updated, either use your old password or click Recover Key to unlock the drive. Once the drive is unlocked, although the system says you must reset your password, you can ignore the prompt and log in with your recently changed account password.

Limitations on macOS

Some Safeguard Authentication Services functionality is limited by the macOS system.

Limitations list

  • When using the command line su utility to become a Safeguard Authentication Services user, the Safeguard Authentication Services PAM module will not create a ticket cache for the new session because Safeguard Authentication Services uses the CCacheServer process for Kerberos ticket cache management. Creating this ticket cache would inadvertently destroy any existing Kerberos tickets.
  • If Safeguard Authentication Services users who have custom home directory paths log into the system through the system login window and the parent directories for their home directory do not exist, the system home directory creation code incorrectly sets the ownership and mode of all the home directory parent directories. This causes subsequent Safeguard Authentication Services user logins to fail if they share the same home directory path: their home directory is created, but it is inaccessible to the user.

    Administrators should ensure that if they are using custom home directory paths, the parent directories are pre-created with a valid ownership and mode that allows all Safeguard Authentication Services users to access those paths.

  • The automatic ticket renewal feature of Safeguard Authentication Services does not currently work with non-file-based ccaches. Because macOS uses API-based ccaches, the ticket renewal utility will not work.

    Note: You can manually renew tickets with any utility that supports renewing tickets, such as Apple's Ticket Viewer.

  • When using the Safeguard Authentication Services mapped user feature, if a local user is mapped to a Safeguard Authentication Services user and, at some point, the user is unmapped (returned to a local account), you must reset the user’s password.
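The custom home directory limitation above asks administrators to pre-create the parent directories with a valid ownership and mode. The following POSIX shell script, an added example that is not part of the Safeguard Authentication Services documentation, does that and also audits existing parents so the login window never has to create them itself. It assumes custom homes live under a base directory such as /Users (the /Users/corp/eng/jdoe layout in the comments is constructed) and that the base directory itself is already sound.

```shell
#!/bin/sh
# Added example, not part of the Safeguard Authentication Services
# documentation.  Assumed layout: custom homes live under a base directory
# such as /Users (e.g. /Users/corp/eng/jdoe); BASE itself is assumed sound.

# check_home_parents BASE HOME OWNER
# Walks every directory between BASE (exclusive) and HOME (exclusive); prints
# one line per problem and returns 1 if any is missing, is not owned by
# OWNER, or denies "others" the r-x needed to traverse to the user's home.
check_home_parents() {
    _base="$1"; _home="$2"; _owner="$3"; _rc=0
    case "$_home" in "$_base"/*) ;; *) echo "NOTUNDER  $_home"; return 2 ;; esac
    _dir=$(dirname "$_home")
    while [ "$_dir" != "$_base" ] && [ "$_dir" != / ]; do
        if [ ! -d "$_dir" ]; then
            echo "MISSING   $_dir"; _rc=1
        else
            # ls -ld reads the same on macOS and Linux: field 1 is the mode
            # string (macOS may append @ or + for xattrs/ACLs, hence the
            # cut to 10 chars), field 3 the owner; the sticky bit shows as t.
            set -- $(ls -ld "$_dir")
            _mode=$(printf '%s' "$1" | cut -c1-10)
            [ "$3" = "$_owner" ] || { echo "BADOWNER  $_dir ($3)"; _rc=1; }
            case "$(printf '%s' "$_mode" | cut -c8-10)" in
                r?[xt]) ;;
                *) echo "BADMODE   $_dir ($_mode)"; _rc=1 ;;
            esac
        fi
        _dir=$(dirname "$_dir")
    done
    return $_rc
}

# prepare_home_parents BASE HOME OWNER GROUP
# Pre-creates the missing parents of HOME below BASE with mode 0755 so the
# login window finds them in place.  chown requires root on macOS, so
# ownership is only changed when running as root.
prepare_home_parents() {
    _base="$1"; _home="$2"
    case "$_home" in "$_base"/*) ;; *) return 2 ;; esac
    _dir=$(dirname "$_home")
    mkdir -p "$_dir" || return 1
    while [ "$_dir" != "$_base" ] && [ "$_dir" != / ]; do
        chmod 755 "$_dir" || return 1
        if [ "$(id -u)" -eq 0 ]; then chown "$3:$4" "$_dir" || return 1; fi
        _dir=$(dirname "$_dir")
    done
}
```

Run `check_home_parents /Users /Users/corp/eng/jdoe root` (or whichever owner your site uses) before rolling out a new custom home path; a non-zero exit with MISSING or BADMODE lines means the next login-window login for that path will hit the limitation.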

Group Policy for macOS

With Safeguard Authentication Services you can manage your macOS clients using Group Policy. Safeguard Authentication Services includes Group Policy extensions to manage preferences just as you would with Workgroup Manager. In addition, Safeguard Authentication Services supports custom policies based on Preference Manifests.

Safeguard Authentication Services Group Policy includes support for macOS. Using Safeguard Authentication Services, you can manage your macOS clients through Group Policy, which eliminates the need to set up additional macOS Servers for macOS client management. macOS policy settings are applied using Profile-based policies.

Profile-based policy takes advantage of the Configuration Profile infrastructure provided by Apple. Policy settings are defined in Group Policy and downloaded to macOS clients where the settings are assigned to Configuration Profiles, which apply the settings to various configuration files on the macOS.

Profile-based policy

Profile policy settings are divided into two categories: Workgroup Manager Settings and Preference Manifest Settings.

The Workgroup Manager settings are designed to look and feel like the Workgroup Manager application. If you are familiar with Workgroup Manager from macOS server, it should be easy to transition to Group Policy. Settings for Applications, Classic, Dock, Energy Saver, Finder, Login, Media Access, Network, Parental Controls, Printing, Software Update, System Preferences, Time Machine and Universal Access are included. Safeguard Authentication Services supports the Never, Always and Once policy application options. You can apply settings to users or computers. With standard Group Policy security filtering, you can restrict settings to specific groups of users or computers.

Safeguard Authentication Services also includes support for Preference Manifest files. Preference Manifest files describe application settings you can manage centrally. Many standard macOS Preference Manifest files are included by default such as iChat, Mail, Sidebar, Time Zone and iTunes. You can import additional Preference Manifest files at any time, increasing the number of applications and features that you can manage.

On the macOS agent, Group Policy integrates with the Configuration Profile subsystem according to macOS best practices. This ensures that policy settings are applied correctly and appropriately to each new release of macOS.
