Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Safeguard Authentication Services 5.0.6 - macOS Administration Guide

Table of Contents

Privileged Access Suite for Unix

About this guide

Safeguard Authentication Services macOS agent installation

Installing using the graphical system installer Installing with the wizard Custom installation Command line installation

Installing the metapackage from command line Mounting and unmounting the .dmg from the command line

Agent upgrade macOS agent removal

Safeguard Authentication Services macOS components

Startup items Directory Service plugin Directory Utility

Safeguard Authentication Services client configuration

Join the Active Directory domain

Using QAS Join application Unjoining an Active Directory domain Command line join Using Terminal.app to join and unjoin System changes made by the join process Verifying the installation and configuration

Log in with Active Directory accounts

Unix-enable a user

Troubleshooting connections to Windows SMB shares

Connecting to SMB shares on domain controllers The DNS domain name differs from the Kerberos realm

Automatically mount network home folders

Configuring automatic home folder mounting at join time Mounting the Windows home folder or profile path Mounting an alternate share at login Configure automatic home folder mounting using Group Policy Group permissions on auto-mounted home directories Mounting AFP shares

Special macOS features

Local administrator rights for users

Granting accounts administrator rights

Active Directory user password hint Configuring Apple FileVault disk encryption

Limitations on macOS

Limitations lists

Group Policy for macOS

Profile-based policy

macOS management modes Installing profiles on macOS 11.0 and later Workgroup Manager settings

Applications Properties

Applications tab Options tab

Dock Properties

Dock Items tab Dock Display tab

Energy Saver Properties

Desktop tab Portable tab Battery tab Schedule tab

Finder Properties Login Properties

Window tab Options tab Access tab Scripts tab Items tab

Adding login items

Media Access Properties

Media Access tab

Network Properties

Sharing & Interfaces tab

Parental Controls Properties Printing Properties

Adding a printer

Software Update Properties

Software Update tab

System Preferences Properties

System Preferences tab

Time Machine Properties

Time Machine tab

Wireless Profile Properties

Adding wireless profiles

Preference Manifest settings

Adding a preference manifest

Certificate Autoenrollment

Certificate Autoenrollment on macOS Certificate Autoenrollment requirements and setup

Java requirement: Unlimited Strength Jurisdiction Policy Files Installing certificate enrollment web services Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy Configuring Certificate Services Client - Auto-Enrollment Group Policy Configuring Certificate Templates for autoenrollment

Using Certificate Autoenrollment

Configuring Certificate Autoenrollment manually

Configure a machine for Certificate Autoenrollment Configure a user for Certificate Autoenrollment

Trigger machine-based Certificate Autoenrollment

Troubleshooting Certificate Autoenrollment

Certificate Autoenrollment process exited with an error Enable full debug logging Pulse Certificate Autoenrollment processing Manually apply Group Policy

Command line tool

vascert command reference

vascert commands and arguments

Time Machine Properties

Group Policy for macOS > Profile-based policy > Workgroup Manager settings > Time Machine Properties

The Time Machine Properties allow you to control the Time Machine application which provides network backups of installed applications, preferences, documents and local account data. For more information about Time Machine, refer to documentation provided by Apple.

You can apply Time Machine Properties settings only under the Computer Configuration.

Time Machine tab

Group Policy for macOS > Profile-based policy > Workgroup Manager settings > Time Machine tab

The Time Machine tab settings control the Time Machine application and support the following management modes: Never, Always.

Time Machine is an application that performs network backup of local machine applications and data.

The following options are supported:

Backup Server

Specify the URL of the Time Machine backup server in the form: afp://someserver.company.com/Backups/. Refer to the Apple documentation for more information about AFP and Time Machine backup servers.
Back up

Specify which volumes to back up. You can choose to back up Startup volume only or All local volumes.
Skip system files

Select to skip system files. System files are operating system files installed when you install macOS. Selecting this option significantly reduces the amount of storage space used for backups. However, if you do not back up system files, you will need to install the operating system when performing a full restore.
Backup automatically

Select this option to force automatic backups.
Limit total backup storage to

Enter the backup storage limit in megabytes. If the backup limit is reached, no more data is backed up.

Wireless Profile Properties

Group Policy for macOS > Profile-based policy > Workgroup Manager settings > Wireless Profile Properties

Wireless settings allow you to configure networks and profiles used by AirPort on macOS systems. The Wireless Profile Properties settings allow you to control wireless user profiles for macOS.

To open the Wireless Profile properties page

In the Group Policy Object Editor, navigate to User Configuration | Policies | Mac OS X Settings | Profile Manager Settings.

Wireless Networks apply only to users.
Double-click the Wireless Networks node.

Related Topics

Adding wireless profiles

Adding wireless profiles

Group Policy for macOS > Profile-based policy > Workgroup Manager settings > Adding wireless profiles

The Wireless Profiles tab settings control user options associated with wireless networks.

For the AD certificate and certificates profile, you can use a certificate created by vascert to work with Network preferences. One scenario for this is for a computer to use QoS supportive adaptive polling (QAP) protocol for wirelesswireless network. For more information, see vascert command reference..

To add wireless profiles

Click the Up or Down buttons to reorder the wireless profiles. Wireless profiles are added to the user profiles list on macOS systems in the order listed in the policy.

From the Wireless Networks tab, click Add to open the Wireless Profiles dialog.
On the Networks tab:
1. Enter the name of the wireless profile in the Name box.
2. Enter the SSID of the wireless network to which this profile applies in the SSID box.
3. Select the type of wireless network from the Security Type drop-down list.
4. Select the authentication type options that apply to this profile from the Protocols list.
5. Select Hidden Network to allow users to join a network whose name is not broadcast.
6. Select Auto Join so the network is joined automatically. If unselected, the user must click the network name to join it.
On the Proxy tab:
1. Select the Proxy settings from the drop-down list. None is the default.
2. Enter the Proxy server and port.
3. Enter the Username (optional).
4. Enter the Password (optional).
5. Enter the Proxy Server URL.
6. Select Allow direct connection if PAC is unreachable, if desired.
On the Protocols tab:
1. In the EAP-FAST section, identify the configuration of Protected Access Credentials (PAC) by selecting any combination of the following:
  - Use PAC
  - Provision PAC
  - Provision PAC Anonymously
2. Select Allow only two RAND values with EAP-SIM, if desired.
3. Select the TTLS authentication protocol from the drop-down list.
4. Identify Externally visible.
5. Select the TLS minimum version from the drop-down list.
6. Select the TLS maximum version from the drop-down list.
On the Identity and Authentication tab:
1. Select Use two factor authentication, if you will use a second authentication.
2. Select Authenticate with host's directory credentials, if desired. If selected, enter the Username and Password.
3. In Identity Certificate, note that you must have vascert on the client to use certificate identity. Select any combination of check boxes, as appropriate:
  - Create a certificate identity with vascert
  - Allow all apps to access the private key
  - Allow a user to extract the private key from the keychain

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center