
WHITE PAPER

WWW.CENTRIFY.COM

Best Practices for Adding Macs to Microsoft Networks


Contents

Abstract
Introduction
Requirements for Solving the Challenge
Two Approaches for Managing Macs
    Mac-centric Solutions
    Microsoft-centric Solutions
Centrify’s Approach: Best of Both Worlds
    Single Consolidated Identity
    Group Policy Management
    Enhanced Security
    Cloud-based Identity Service
    Integrated Mobile Security and Management
    Smart Card Support
Summary

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2015 Centrify Corporation. All rights reserved.

Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Other brand names used in this document are the trademarks or registered trademarks of their respective companies.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Abstract

Adding Macs to a Microsoft-based corporate network can be a challenge. Are Microsoft tools, Apple tools or third-party tools the best solution? Are Mac-oriented management tools the best option, or is it best to incorporate the Macs within the existing management and security infrastructure?

This paper will help answer those questions and explore how Centrify can quickly and easily provide the necessary tools to allow Macs to be managed in the same way PCs are managed today.


Introduction

For years, PCs have been workhorses for corporate desktop computing. Many organizations standardized their PCs on the Microsoft Windows platform. Often, they also managed their desktop computers and secured both users and data with Microsoft’s backend server technologies. This homogenous approach worked well and IT organizations were able to build a robust and predictable computing infrastructure using off-the-shelf commercial technology.

But things are changing. With the Apple iPhone/iPad revolution that began in 2007, more and more end users are choosing alternatives to Windows desktops and laptops. Although the Apple Mac is not a new platform, its primary base in the past consisted of students, media professionals, digital artists and high-end consumers. But today, workers from all verticals want to use Macs and this is creating new challenges for IT organizations that have historically supported a Windows-only computing environment. How can IT address this growing demand from users while also maintaining appropriate control over access to data and corporate resources in a non-disruptive way?

Requirements for Solving the Challenge

Before exploring this challenge and possible solutions, it is worth creating a checklist of requirements for the incorporation of any new solution into an organization’s network:

1. Leverage existing tools, processes and policies. Ideally, any new solution should work well with what is currently installed and not introduce disruption to existing methods for managing and securing systems.

2. No compromise on security. In this era of constant attacks on corporate networks, there is no justification for relaxing the security of networks or devices just so new platforms can be deployed for end users. In fact, any new solution should substantially enhance security and provide IT management with better visibility into who is using each system, what resources they are accessing and how those resources are being used.

3. Minimize the requirement for training IT staff. Training IT staff requires time and money and takes staff away from their core duties. Any new software should require minimal training for existing staff and not require substantial new skills.

4. Easy for IT to deploy and manage. Before committing to a new software solution, it is essential that the software can be easily deployed and managed both on internal systems as well as systems used by workers. Ideally, the solution should work without touching Domain Controllers and other critical production systems.

5. Easy to use for workers. If the solution is hard to use, slows down systems or requires substantial training or new skills for end users, you will have pushback — if not outright revolt — from end users. Ideally, users should not see any negative impact but instead should have a more productive work experience.


6. Supports mobile scenarios. The days of only working at an office desk are over. Workers need their devices to work equally well both inside and outside the corporate firewall. And IT needs to be able to manage devices both on-premises and when workers are traveling or working from home.

7. Cost effective. A new solution should not require large capital outlays, high recurring user fees or high costs for deployment. Any new solution should more than pay for itself in increased productivity and reduced IT management costs, and should not require a major investment of time to set up and deploy.

Ultimately, introducing Macs into predominantly Microsoft environments should not be disruptive, costly or involve compromises. The end goal should be to manage Macs with no more overhead than what is required today for managing Windows-based PCs.

Two Approaches for Managing Macs

There are at least two strategies for solving the challenge of adding Macs into a Microsoft-oriented infrastructure.

Mac-centric Solutions

The first approach focuses on selecting a mature, full-featured Mac management solution that is proven in the enterprise. There are several products on the market that do a decent job of managing an Apple Mac or a Mac plus iOS network of devices and users. The attraction of this approach is that the management solutions are tuned exactly to the capabilities of Mac OS X and iOS.

However, there are numerous potential pitfalls to this approach. The Apple-oriented solution may require substantial new IT skills or even new IT staff to deploy and manage the software. If the solution is not tied into existing Microsoft management software, then there will be duplicative actions required to ensure that policies, access rights, user roles and profiles are exactly matched with what exists in the Microsoft world. Ultimately this “dual management console” approach may lead to gaps in security and manageability and require extra investments to manage a separate infrastructure.

In addition, some Apple-centric management solutions may fall short when it comes to managing other platforms such as Android or Linux. If a different management solution has to be installed for each new platform, the complexity, cost and unpredictability of management and security challenges have the potential to leave an organization exposed.

Microsoft-centric Solutions

The second approach leverages existing Microsoft infrastructure and adds software or plug-ins to allow Macs to join the Microsoft world and be managed in a way that is more consistent with current practices. The obvious benefits of this approach would be less disruption to existing management infrastructure and fewer requirements for new skills to deploy and manage the solution.


But this approach can have pitfalls as well. Some solutions may not support all PC management concepts on the Mac resulting in gaps in security, policy enforcement or device management functionality. Some solutions may work well from the IT point of view but may be confusing to use for workers or cause degradation in performance if they are not optimized for the Mac platform. Some solutions may not be built for use both inside and outside the corporate firewall.

Centrify’s Approach: Best of Both Worlds

Centrify has employed a blended approach when grappling with the challenge of managing non-Microsoft platforms, such as Macs, Linux and UNIX, in a Microsoft-oriented infrastructure for over a decade. A blended approach means the solution seamlessly plugs into existing infrastructure with minimal disruption and has the same functionality as managed Windows clients. But the solution also needs to be exactly tuned to the capabilities of the non-Windows platform so that the operating system performs well and feels natural to the user. In other words, a robust solution needs to be the best of both worlds.

Centrify Identity Service, Mac Edition is the latest release of a solution that has been on the market for over eight years. With that service history across enterprises of all sizes and constant feedback from real customers, the software has evolved beyond just providing Active Directory-based authentication for Mac users and includes capabilities to address the current mixed Mac/PC environments and beyond.

Let’s review each of these key capability areas and see how they map to typical enterprise needs.

Single Consolidated Identity

One of the key features of Centrify’s suite of offerings is based on the simple concept that a user should only have one corporate identity and one corporate password, regardless of which device he or she uses or where the device is used. With only one username and password, users are less likely to forget their passwords and will be more productive. With only one identity to manage, IT doesn’t need to make multiple changes to staff records on different systems when users change roles, add devices or leave the company. Everything is managed from a single, central console.

Microsoft Active Directory (AD) does an excellent job of managing users and computers in a centralized way, but it was designed to work best with Microsoft client systems — that is, Windows-based PCs. Once a user logs in to an Active Directory-joined PC with his or her credentials, the user is granted access to resources such as file shares, printers and applications based on the user’s role, which is centrally managed by IT. Users experience silent authentication to applications and do not need to re-enter their passwords each time they access resources across the corporate network. Users can even log in to other computers on the network with their AD credentials and have a consistent, personalized experience.

Figure 1: Macs joined to Active Directory, just like PCs

With Centrify Identity Service, Mac Edition, the same experience and control are available to Macs, which can also join an Active Directory domain. Macs operate in the exact same way as PCs. Users log in with their Active Directory credentials and gain access to the same resources with silent authentication to corporate applications. It is important to note that Centrify goes beyond just basic AD authentication support. With Centrify, Macs work well in large multi-forest scenarios with cross-domain trusts and users can even log in while disconnected from the corporate network. Macs become true peers to PCs on the corporate network with no compromises while users are able to work with their Macs in a totally familiar way.

Group Policy Management

While some solutions stop at support for logging in to a Mac using AD credentials, Centrify goes further with full support of Group Policy on Macs. While AD authentication helps to certify who can use a device, Group Policy goes further by enforcing rules on how that device can be used. Do you want to ensure strong passwords are used? Use Group Policy. Do you want to set up a secure connection to an 802.1x network? Use Group Policy. Do you want to make sure the computer firewall is on and set up correctly? Use Group Policy. In fact, hundreds of device configuration and usage attributes can be centrally set and enforced by Group Policy. Policies can also be associated with individual users or groups of users. Do you want to allow only the finance group to access the corporate accounts file share and turn off access for everyone else? Enforce it with Group Policy.

As Windows IT administrators have found, Group Policy is indispensable for securing computers, networks, users, data and other resources in a corporate network. But again, Group Policy is designed for Windows networks and Windows PCs.

Centrify overcomes that limitation by building Group Policy support into its Mac offering. Policies are enforced using a combination of Mac concepts including updating plist files and standard config files, enforcing MCX settings and creating profiles for local enforcement. Centrify also adds unique Mac policies such as the ability to enforce Apple’s File Vault 2 full disk encryption for all Macs joined to the corporate network.

With these tools, administrators can establish and enforce policies corporate-wide or for specific classes of users or for different types of devices or all of the above. And this can all be done from a single, central, familiar console for all devices and users.
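As an added illustration (not Centrify code) of the local enforcement this section describes, the Python below parses a constructed configuration-profile plist and checks it against a baseline covering policies named above (firewall on, screen lock of idle machines, FileVault 2). The Apple payload types and keys are assumed from Apple's profile schema for illustration, and the profile content is constructed.

```python
"""Check a macOS configuration profile (plist) against a policy baseline.

Added example, not Centrify code. The profile is constructed; payload types
and keys (com.apple.security.firewall, com.apple.screensaver,
com.apple.MCX.FileVault2) are assumed to follow Apple's profile schema.
"""
import plistlib

# Constructed sample profile: firewall is on, the screen lock delay is too
# long (weak setting) and the FileVault 2 payload is absent (missing).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.baseline</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>EnableFirewall</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.screensaver</string>
      <key>idleTime</key><integer>1800</integer>
      <key>askForPassword</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Baseline: payload type -> {key: predicate over the configured value}.
BASELINE = {
    "com.apple.security.firewall": {"EnableFirewall": lambda v: v is True},
    "com.apple.screensaver": {
        "askForPassword": lambda v: v is True,
        "idleTime": lambda v: isinstance(v, int) and 0 < v <= 900,  # lock within 15 min
    },
    "com.apple.MCX.FileVault2": {"Enable": lambda v: v == "On"},
}


def payloads_by_type(profile_bytes):
    """Index the profile's payload dicts by their PayloadType."""
    profile = plistlib.loads(profile_bytes)
    return {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}


def evaluate(profile_bytes, baseline=BASELINE):
    """Return (payload_type, key, status) findings; status is 'ok', 'weak' or 'missing'."""
    payloads = payloads_by_type(profile_bytes)
    findings = []
    for ptype, rules in baseline.items():
        payload = payloads.get(ptype)
        for key, accept in rules.items():
            if payload is None or key not in payload:
                findings.append((ptype, key, "missing"))
            elif accept(payload[key]):
                findings.append((ptype, key, "ok"))
            else:
                findings.append((ptype, key, "weak"))
    return findings


def is_compliant(profile_bytes, baseline=BASELINE):
    """True only when every baseline rule is satisfied."""
    return all(status == "ok" for _, _, status in evaluate(profile_bytes, baseline))


def corrected(profile_bytes):
    """Return a hardened copy: tighten the lock delay and add the FileVault 2 payload."""
    profile = plistlib.loads(profile_bytes)
    for p in profile["PayloadContent"]:
        if p.get("PayloadType") == "com.apple.screensaver":
            p["idleTime"] = 600
    profile["PayloadContent"].append({"PayloadType": "com.apple.MCX.FileVault2", "Enable": "On"})
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for ptype, key, status in evaluate(SAMPLE_PROFILE):
        print(f"{status:8} {ptype}.{key}")
    print("corrected profile compliant:", is_compliant(corrected(SAMPLE_PROFILE)))
```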

Figure 2: Centrify fully supports Group Policy on Macs


Enhanced Security

Computer and network security has vaulted to the top of the “immediate action required” list for IT departments in every type of business and industry around the world. With constant attacks from hackers, data breaches and unauthorized access to corporate resources, security professionals have their hands full protecting not just computing assets, but corporate reputations and the ability for organizations to operate and do business. To help lock down networks and minimize exposure, many organizations have a strict policy on which types of devices can be used on the corporate network. Many companies have enforced a PC-only policy for corporate workstations so as to reduce the possibility of an unfamiliar rogue device introducing a security exposure to the company. And yet, many organizations want the flexibility to also use Macs side-by-side with PCs.

Again, Centrify includes enterprise-class security features in its Identity Service that not only make Macs more secure, but secure them in a way that is consistent with other approved devices on the network. For example, Centrify can manage PKI certificate auto-issuance and auto-renewal and VPN configuration, force the screen locking of idle machines and enforce restrictions against running applications on a Mac that are not approved. This is just a small sample of the supported security features that are available to secure Macs in a predictable and consistent way.

Cloud-based Identity Service

While Active Directory and Group Policy work great inside the firewall, there is less control over users and devices that are mobile or in remote offices. For this reason Microsoft has created the cloud-based directory service, Azure Active Directory. Unfortunately, Azure AD requires complex software to sync with on-premises AD and it replicates sensitive AD data up into the cloud. With Azure AD, IT has to secure two repositories for user information and make sure both are in sync.

Centrify has created a different, more secure approach. Rather than replicate user data into an external directory, Centrify provides a gateway into the on-premises directory service but does so in a totally secure way. This leaves IT with only one directory to manage but allows users and devices to be integrated into AD both inside and outside the firewall. Centrify goes further by providing web-based management tools for both IT and users to automate tasks such as adding new devices, locating devices, doing device inventory management, changing passwords and enforcing a remote lock or remote wipe on a Mac that has been lost or stolen.

Figure 3: PKI certificate management for Macs

Figure 4: Web-based management for Macs

In addition, Centrify provides a cloud-based directory service, separate from AD, for cases where IT wants to manage off-premises devices but doesn’t want to integrate these devices into the AD infrastructure. With all these options, IT can choose the best way to manage devices both inside and outside the corporate firewall using a wide variety of techniques.

Integrated Mobile Security and Management

While this paper is focused on Macs, virtually every Mac user also owns an iPhone and/or an iPad, or possibly an Android mobile device. Workers want to be able to use these devices while away from the office to access corporate email, work on documents, run corporate apps and access corporate files and other resources. Centrify is not alone in recognizing the opportunity to help organizations support mobile devices in a secure and predictable way. There is a whole industry of mobile device management (MDM) vendors with a wide variety of solutions for securing and managing mobile devices in the workplace.

But even in this crowded MDM market, Centrify stands out in the way it tightly integrates mobile devices into existing IT infrastructures. Most vendors require special servers to be set up to manage mobile devices using software and services that are very different and incompatible with the services used to manage on-premises devices. In contrast to this approach, Centrify integrates mobile devices into Active Directory in the same way that it does for Macs. And again, Centrify provides a cloud-based service that is tightly coupled with on-premises AD systems so that AD-based identity management and policies can be enforced on iOS and Android mobile devices in a way that is consistent with other managed devices.

Centrify also goes further by leveraging its identity service to provide single sign-on to thousands of corporate apps as well as automatic app deployment and configuration on authenticated devices. Mobile devices can also be set up for multi-factor authentication to add an extra layer of security when users access sensitive corporate resources, apps and data.

Since most workers have more than one device, Centrify has adopted a licensing program where each user can install the Centrify solution on up to five Macs or mobile devices.

Figure 5: Mobile devices can be managed and secured using Active Directory as well


Smart Card Support

Government, military, financial services and customers in other security-oriented industries often rely on smart card authentication as an extra form of security for gaining access to corporate networks. In some cases, Federal agencies and other organizations must meet Homeland Security Presidential Directive 12 (HSPD-12), NIST guidance and other security mandates for smart card authentication.

Active Directory and Windows-based PCs have supported smart card authentication for years. But many organizations want to extend smart card use to other platforms such as Apple Mac and Linux.

Centrify not only supports AD-based smart card authentication on Mac and Red Hat and CentOS Linux for the most commonly used CAC, CACNG, PIV and PIV-I smart cards, but it has also certified its solution with numerous agencies. For example, Centrify’s support for the Department of Defense’s Common Access Card (CAC) standard is certified by the Joint Interoperability Test Command (JITC) and has additionally earned the Certificate of Networthiness (CoN) from the U.S. Army Network Enterprise Technology Command (NETCOM). Centrify has further obtained FIPS 140-2 Level 1 validation for the Centrify Crypto Module providing the core cryptography, and the entire solution is also Common Criteria certified at EAL 2.

Figure 6: AD-based smart card authentication for Macs

Summary

Integrating new platforms into existing infrastructure can be a complex, risky, disruptive and expensive undertaking. But the trend towards using modern mobile devices and computing technologies is undeniable, and the push to use these modern platforms in workplace scenarios is only going to increase over time. And yet, organizations need to proceed cautiously before adopting these new platforms to maintain uncompromised security and control over sensitive applications and data used on corporate networks.

Plus, managing devices is only half the challenge. IT needs to ensure that workers who use these devices are properly authenticated and are granted access to only the applications, data and resources they need to do their jobs. Finally, any new platform added to an organization should not result in the need to deploy a whole new management and security infrastructure to support the new platform. Using existing tools, processes, policies, staff and IT skills is the best path for ensuring long-term success for the adoption of new platforms.

With its best-in-class Active Directory support for Mac and mobile platforms, its decade of experience supporting over 5,000 enterprise customers and its forward-thinking solution that leverages existing Microsoft-based infrastructures while also supporting mobile scenarios via cloud-based services, Centrify is in the best position to support any sized organization that wants to add Macs and mobile devices in the enterprise.

For more information on Centrify’s solutions for Apple Mac, visit: http://www.centrify.com/mac.

© 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. WWW.CENTRIFY.COM +1 (669) 444-5200

Centrify provides unified identity management across data center, cloud and mobile environments that results in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization’s existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and enterprise mobility management.

SANTA CLARA, CALIFORNIA +1 (669) 444-5200
EMEA +44 (0) 1344 317950
ASIA PACIFIC +61 1300 795 789
BRAZIL +55 11-3958 4876
LATIN AMERICA +1 305 900 5354
EMAIL [email protected]
WEB www.centrify.com

WHP001531EN-03162015