立即与支持人员聊天
与支持团队交流

Safeguard Authentication Services 5.0.1 - macOS Administration Guide

Privileged Access Suite for Unix Installation Safeguard Authentication Services macOS components Safeguard Authentication Services client configuration Special macOS features Limitations on macOS Group Policy for macOS Certificate Autoenrollment Glossary

macOS management modes

The following management modes exist for macOS policy settings:

Table 1: macOS: Management modes
Mode Description
Never This mode means that the settings do not apply. This is equivalent to disabling the policy. This is the default mode.
Once In this mode, policy settings are applied one time. Users can remove the Configuration Profile. This mode functions as a default value.
Always In this mode, policy settings will always apply. Users cannot remove the Configuration Profile.

Workgroup Manager settings

Safeguard Authentication Services provides Group Policy extensions that mirror the functionality available in Apple Workgroup Manager console. Workgroup Manager Settings are located in the Mac OS X Settings folder (or in the Policies folder, if you are using the new Group Policy Management Editor.)

To open the properties of the Workgroup Manager settings

  1. Start the Group Policy Management Editor.
  2. Navigate to Computer Configuration | Mac OS X Settings or User Configuration | Mac OS X Settings.
  3. Double-click the Workgroup Manager Settings to open its properties.

Applications Properties

The Applications Properties settings allow you to control access to specific applications and paths to applications using digital signatures.

You can apply Application Properties settings under both Computer Configuration and User Configuration.

There are two tabs:

Applications tab

The Application settings control which applications are allowed to execute on macOS.

  1. Select the Manage mode: Never, Once, or Always.
  2. Select Restrict which applications are allowed to launch if you want to disallow applications thus restricting the applications the user can access.
  3. Application restrictions are controlled by means of folder paths. Group Policy does not currently support application management using digital signatures, therefore to allow or prevent users from launching an application, add the application or the path to the application to one of two lists:
    • Disallow applications within these folders.

      Add folders containing applications that you want to prevent users from opening. All applications in sub-folders of disallowed applications are also disallowed.

    • Allow applications within these folders.
      Add folders containing applications that you want users to launch. If an application or path to the application appears in both the Disallow and the Allow lists, then the Disallow list takes precedence and the user is not allowed to launch the application.

    If an application does not appear in either of these lists, the user can not launch the application.

  4. Click Add to open the New Application Item dialog. You can type the absolute Unix path or you can click Remote Browse to log into a remote macOS machine (by means of SSH) and browse for the target folder. It displays recently specified paths. To reuse a recently specified path, double-click the item in the list.

Note: Both disallow and allow paths support the %HOME% macro-expansion to the user's Unix home directory. For example, to restrict a user from running applications in their home directory, specify %HOME%. This macros is only supported by user policies; machine policies do not support this macro type.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级