Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Safeguard Authentication Services 5.0.1 - macOS Administration Guide

Table of Contents

Privileged Access Suite for Unix

About this guide

Safeguard Authentication Services macOS agent installation

Installing using the graphical system installer Installing with the wizard Custom installation Command line installation

Installing the metapackage from command line Mounting and unmounting the .dmg from the command line

Agent upgrade macOS agent removal

Safeguard Authentication Services macOS components

Startup items Directory Service plugin Directory Utility

Safeguard Authentication Services client configuration

Join the Active Directory domain

Using QAS Join application Unjoining an Active Directory domain Command line join Using Terminal.app to join and unjoin System changes made by the join process Verifying the installation and configuration

Log in with Active Directory accounts

Unix-enable a user

Troubleshooting connections to Windows SMB shares

Connecting to SMB shares on domain controllers The DNS domain name differs from the Kerberos realm

Automatically mount network home folders

Configuring automatic home folder mounting at join time Mounting the Windows home folder or profile path Mounting an alternate share at login Configure automatic home folder mounting using Group Policy Group permissions on auto-mounted home directories Mounting AFP shares

Special macOS features

Local administrator rights for users

Granting accounts administrator rights

Active Directory user password hint Configuring Apple FileVault disk encryption

Limitations on macOS Group Policy for macOS

Profile-based policy

macOS management modes Workgroup Manager settings

Applications Properties

Applications tab Options tab

Dock Properties

Dock Items tab Dock Display tab

Energy Saver Properties

Desktop tab Portable tab Battery tab Schedule tab

Finder Properties Login Properties

Window tab Options tab Access tab Scripts tab Items tab

Adding login items

Media Access Properties

Media Access tab

Network Properties

Sharing & Interfaces tab

Parental Controls Properties Printing Properties

Adding a printer

Software Update Properties

Software Update tab

System Preferences Properties

System Preferences tab

Time Machine Properties

Time Machine tab

Wireless Profile Properties

Adding wireless profiles

Preference Manifest settings

Adding a preference manifest

Certificate Autoenrollment

Certificate Autoenrollment on macOS Certificate Autoenrollment requirements and setup

Java requirement: Unlimited Strength Jurisdiction Policy Files Installing certificate enrollment web services Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy Configuring Certificate Services Client - Auto-Enrollment Group Policy Configuring Certificate Templates for autoenrollment

Using Certificate Autoenrollment

Configuring Certificate Autoenrollment manually

Configure a machine for Certificate Autoenrollment Configure a user for Certificate Autoenrollment

Trigger machine-based Certificate Autoenrollment

Troubleshooting Certificate Autoenrollment

Certificate Autoenrollment process exited with an error Enable full debug logging Pulse Certificate Autoenrollment processing Manually apply Group Policy

Command line tool

vascert command reference

vascert commands and arguments

Safeguard Authentication Services client configuration

Safeguard Authentication Services client configuration

Join the Active Directory domain

Using QAS Join application

Unjoining an Active Directory domain

Command line join

Using Terminal.app to join and unjoin

System changes made by the join process

Verifying the installation and configuration

Log in with Active Directory accounts

Unix-enable a user

Troubleshooting connections to Windows SMB shares

Connecting to SMB shares on domain controllers

The DNS domain name differs from the Kerberos realm

Automatically mount network home folders

Configuring automatic home folder mounting at join time

Mounting the Windows home folder or profile path

Mounting an alternate share at login

Configure automatic home folder mounting using Group Policy

Group permissions on auto-mounted home directories

Mounting AFP shares

Before you can log in with Active Directory users and manage agent settings for users and computers, you must first join your macOS machine to an Active Directory domain.

Join the Active Directory domain

Safeguard Authentication Services client configuration > Join the Active Directory domain

Safeguard Authentication Services provides both a graphical option and a command line option for joining the domain.

Note: You cannot manage agent settings by means of Safeguard Authentication Services Group Policy if you have joined with the Apple-provided Active Directory plug-in. If you are currently bound to the domain using Apple components, unbind before proceeding.

Using QAS Join application

Safeguard Authentication Services client configuration > Join the Active Directory domain > Using QAS Join application

To join the domain using the QAS Join application

Open the QAS Join application located at /Applications/QAS Join.
On the Authentication Services dialog, enter the name of the Active Directory Domain you want to join and click Join Domain.
On the Join Domain dialog, enter the Active Directory credentials to be used to join the domain.
From this dialog you can also specify a number of optional join arguments before continuing with the join operation. For example, you can specify a specific Active Directory container in which you want to create the new computer object. (By default it is created in the Computers Container). For a detailed explanation of each join option, see the vastool man page located in the docs directory of the installation media.
Click OK to run the join operation.
The join operation may take several seconds, to several minutes depending upon your domain configuration. Domain Join progress is continuously updated as progress proceeds.
If any errors occur during join, an error dialog opens with a detailed error message as well as the option to view and save the join process log. As an example, the error message below is seen if you specified an incorrect password for the account you are using to join to the domain.

Unjoining an Active Directory domain

Safeguard Authentication Services client configuration > Join the Active Directory domain > Unjoining an Active Directory domain

To leave the Active Directory domain, repeat the join steps, except click Leave Domain instead. You do not have to supply Active Directory credentials when unjoining if you do not delete the Active Directory computer object. This option is available in the Leave Domain dialog options.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center