IT Configuration Guide

Transcription

IT Configuration Guide
SAMPLE PAGES
IT Configuration Guide
For Your Mac Evaluation
(Version 4.0)
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
Table of Contents
Introduction .......................................................................................1
1
Imaging ...............................................................................2
1.1
1.2
1.2.1
1.2.1.1
1.2.2
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.5.1
1.3.5.2
1.3.5.3
1.3.5.4
1.3.5.5
1.3.5.6
1.4
1.4.1
1.4.1.1
1.4.1.2
1.4.1.3
1.4.2
1.4.3
1.5
1.5.1
Imaging Mac Computers ........................................................................................2
Creating Packages .....................................................................................................3
Creating Packages with PackageMaker............................................................4
Creating a Snapshot Package with PackageMaker......................................8
Creating Packages with Third-Party Utilities ................................................15
Creating Images with System Image Utility ................................................16
NetInstall from Installer ........................................................................................17
NetRestore from Installer .....................................................................................20
Using NetRestore from a Prepared Volume .................................................23
Creating NetRestore NetBoot Sets...................................................................26
Automations with System Image Utility .......................................................29
Creating an Installation DVD ..............................................................................36
Adding Patches and Upgrades ..........................................................................38
Adding Post-Install Scripts ..................................................................................39
Adding Additional Software ...............................................................................40
Adding Configuration Profiles ...........................................................................41
Additional System Image Utility Preferences ..............................................42
Creating an Image via a Configured Mac .....................................................43
Preparing a System for Imaging........................................................................44
Removing Unneeded LKDC Information.......................................................45
Removing .DS_Store Files ....................................................................................47
Removing Other System Files ............................................................................48
Customizing the Default User Template .......................................................49
Self-Removing Scripts ...........................................................................................50
Creating Images with Disk Utility .....................................................................52
Creating a Disk Image from the Command Line .......................................56
2
Deployment .....................................................................57
2.1
2.1.1
2.1.2
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3
Local Deployment ..................................................................................................58
Creating a Bootable Disk or Volume Using NetInstall .............................59
Deploying with Disk Utility .................................................................................61
NetInstall Image Creation ....................................................................................62
Configuring a NetBoot Server............................................................................65
Custom Source NetRestore .................................................................................68
Unicast Apple Software Restore (ASR) ...........................................................70
Multicast Apple Software Restore (mASR) ...................................................71
Third-Party Deployment Solutions...................................................................73
Setting Clients to NetBoot Using the Bless Command ...........................74
Using NetBoot DHCP Helpers ............................................................................75
bootpd Relay ............................................................................................................76
Minimal Touch Deployments .............................................................................77
3
Support and Maintenance .............................................78
3.1
Asset Tags ...................................................................................................................79
ii
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.3
3.4
3.4.1
3.4.2
3.5
3.6
Apple Remote Desktop ........................................................................................80
Apple Remote Desktop and Computer Lists ...............................................81
Deploying Applications ........................................................................................85
Inventory Tools .........................................................................................................88
Apple Remote Desktop Task Server ................................................................90
Software Update Policy ........................................................................................91
OS X Lion Server Software Update Service ..................................................92
Configuring Software Update Server Clients ..............................................95
Cascading Software Update Service ...............................................................97
Third-Party Software Update Service .............................................................99
Client Management Suites ...............................................................................100
4
Directory Services .........................................................101
4.1
4.1.1.
4.1.1.1
Local Directory Services ....................................................................................102
Creating Local Administrative Accounts .....................................................104
Creating a Local Administrative Account Using System Preferences
......................................................................................................................................105
Creating a Local Administrative Account Using the Command Line
......................................................................................................................................107
Hiding a Local Account ......................................................................................109
Making Changes to the Local Administrative Account ........................110
Nesting Network Admins in a Local Administrative Group ................111
Creating a Local Administrative Account with a Package or Script.113
Open Directory ......................................................................................................114
Setting Up an Open Directory Master .........................................................115
Preparing for Binding to Open Directory ...................................................121
Binding to Open Directory Using the Users & Groups Pane in System
Preferences ..............................................................................................................123
Custom Binding Operations ............................................................................127
Binding to Open Directory Using the Command Line .........................134
Binding to Open Directory Using a Post-Installation Script ...............136
Using Workgroup Manager to Create New Users ...................................137
Setting Up an Open Directory Replica ........................................................142
Active Directory ....................................................................................................145
Binding to Active Directory ..............................................................................146
Binding to Active Directory Using Directory Utility ...............................147
Testing and Verifying Active Directory Binding Information ..............151
Binding to Active Directory from the Command Line ..........................155
Binding to Active Directory Using a Script ................................................158
Binding to Active Directory Using a Post-Install Script.........................159
Active Directory Plug-in Troubleshooting Commands .........................160
Mapping the UID and GID with Directory Utility ....................................164
Mapping UID, User GID, and Group GID Using dsconfigad.................168
Setting a User Home Directory .......................................................................169
Namespace Support Using dsconfigad.......................................................174
Active Directory Packet Encryption Options.............................................175
SSL Binding Instructions ....................................................................................176
Managing Certificates from the Command Line.....................................177
Active Directory Computer Password Changes .......................................178
Third-Party Active Directory Plug-Ins ...........................................................179
4.1.1.2
4.1.1.3
4.1.1.4
4.1.2
4.1.3
4.2
4.2.1
4.2.2
4.2.2.1
4.2.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.3
4.3.1
4.3.1.1
4.3.1.2
4.3.1.3
4.3.1.4
4.3.1.5
4.3.1.6
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.4
iii
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.5
4.5.1
4.5.1.1
4.5.1.2
4.5.2
4.6
4.7
4.8
4.8.1
4.8.2
4.9
4.9.1
4.9.2
4.9.3
LDAP ..........................................................................................................................180
Binding to LDAP....................................................................................................181
Simple Binding.......................................................................................................182
Trusted Binding......................................................................................................185
Mapping LDAP Attributes .................................................................................189
NIS ..............................................................................................................................194
Kerberos ...................................................................................................................197
Dual Directory Configuration ..........................................................................198
Setting Up Dual Directory ................................................................................199
Nesting Active Directory Groups in Open Directory .............................211
Distributed File Sharing .....................................................................................214
Connecting to DFS Shares ................................................................................215
Viewing DFS with smbutil.................................................................................216
Third-Party DFS Solutions .................................................................................218
5
Policy Management ......................................................219
5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.3
5.3.1
5.3.2
5.3.3
5.4
5.4.1
5.4.1.1
Setting Up a Profile Server................................................................................220
Configuring Network Settings ........................................................................221
Configuring Users ................................................................................................223
Adding Users ..........................................................................................................226
Reviewing Certificates ........................................................................................229
Acquiring Apple Push Notification Certificates........................................232
Enabling Profile Manager ..................................................................................235
Automatic Push Versus Manual Download Profiles ...............................239
Editing Management Profiles ..........................................................................240
Creating Device Groups .....................................................................................244
Using Device Placeholders ...............................................................................247
Enrolling Devices Running OS X Lion ..........................................................249
Locking a Device via the User Portal ............................................................251
Wiping a Device via the User Portal .............................................................253
Locking a Device Using Profile Manager ....................................................254
Wiping a Device Using Profile Manager .....................................................256
Removing a Mac from Management via the User Portal.....................258
Removing Management Using Profile Manager .....................................259
Profile System Preferences................................................................................261
Forcing Management Profiles .........................................................................263
The profiles Command .......................................................................................265
Managed Preferences .........................................................................................266
Obtaining Effective Managed Preferences ................................................267
Refreshing Policy Data .......................................................................................269
Graphical User Interface Managed Preferences Reporting .................270
Importing Managed Preferences Manifests ..............................................272
Importing Application Preferences ...............................................................277
Local Policy .............................................................................................................282
Creating a Local Computer Account with dscl.........................................283
Managed Preferences dscl Extensions ........................................................285
Importing and Exporting Managed Preferences Using dscl ..............287
Directory Policy .....................................................................................................288
Open Directory ......................................................................................................289
Managed Preferences Using Workgroup Manager ................................290
iv
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
5.4.1.2
5.4.2
5.4.2.1
5.4.2.2
5.4.3
5.4.3.1
5.4.3.2
Using Workgroup Manager to Whitelist Windows Servers .................293
Active Directory ....................................................................................................295
Extending the Active Directory Schema on Windows Servers..........296
Managed Preferences Using Dual Directory .............................................308
LDAP ..........................................................................................................................312
Adding Apple Schema to Third-Party OpenLDAP...................................313
Integrating a Third-Party Schema into Open Directory .......................314
6
Security ...........................................................................316
6.1
6.2
6.3
6.3.1
6.3.2
6.4
6.5
6.5.1
6.5.2
6.6
6.6.1
6.6.2
6.7
6.8
6.9
6.9.1
6.9.1.1
6.9.1.2
6.9.2
6.10
6.10.1
6.10.2
6.10.3
6.10.4
6.10.5
6.10.6
6.10.7
6.10.8
6.11
6.12
Security Resources ...............................................................................................316
Application Restrictions .....................................................................................317
Password Policies .................................................................................................320
Auditing Local Password Policies ...................................................................324
Setting Local Password Policies ......................................................................327
Setting an Open Firmware Password ...........................................................328
SSH Access...............................................................................................................329
Key-Based SSH Access ........................................................................................330
SSH Tunnel...............................................................................................................332
FileVault 2 Full Disk Encryption.......................................................................333
Migrating from FileVault to FileVault 2 ........................................................343
FileVault 2 FDE Master Passwords .................................................................345
Third-Party Full Disk Encryption......................................................................347
Host-Based Intrusion Detection System .....................................................348
Network Firewall ...................................................................................................351
Application Layer Firewall .................................................................................352
Configuring the Application Layer Firewall ...............................................353
Managing the Application Layer Firewall from Terminal .....................357
ipfw ............................................................................................................................359
Keychain Usage and Management ...............................................................361
Accessing and Viewing Keychain Contents ...............................................363
Selecting Specific Categories of Keychain Items.....................................365
Enabling MobileMe and Directory Services Searching for Certificates
......................................................................................................................................366
Enabling Certificate Revocation Checking.................................................367
Importing Items into a Keychain via the GUI............................................368
Importing Items into a Keychain from within Keychain Access .......369
Exporting Items from a Keychain...................................................................371
Exporting Items from a Keychain via the GUI...........................................373
Encrypted Time Machine Backups ................................................................374
Third-Party Smart Card Service Options .....................................................379
7
Networking/Wireless ....................................................380
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
IPv4 Networking....................................................................................................381
IPv6 Networking....................................................................................................389
Network Setup Assistant for Wired and Wireless ....................................392
Network Diagnostics for Wired and Wireless ............................................396
VLAN Wired Network Deployment ...............................................................399
Networking Command Line Interface .........................................................403
Virtual Private Network ......................................................................................406
Network Security Overview .............................................................................416
v
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
7.8.1
7.8.2
7.8.3
7.8.4
7.8.5
7.8.6
7.9
7.10
7.11
7.12
WPA/TKIP—PSK .....................................................................................................417
WPA2/AES—PSK....................................................................................................419
WPA2/AES 802.1X—PEAP/MSCHAPv2 .........................................................421
WPA2/AES 802.1X—EAP/TLS ............................................................................427
WPA2/AES 802.1X—TTLS ...................................................................................434
WPA2/AES 802.1X — EAP/FAST.......................................................................441
Importing and Exporting 802.1X Profiles ...................................................449
Using 802.1X ...........................................................................................................452
Securing a Certificate from a Windows CA ................................................454
Trusting Certificates from the Command Line .........................................457
8
Collaboration .................................................................458
8.1
8.1.1
8.1.2
8.1.3
8.2
Microsoft Exchange Integration .....................................................................459
Using Mail, iChat, and Address Book with Exchange ............................460
Enabling S/MIME in Mail....................................................................................465
Enabling Out-of-Office in Mail ........................................................................466
Connecting to and Troubleshooting Mail, iCal, and Address Book
with Microsoft Exchange...................................................................................468
DNS ............................................................................................................................469
Improper Redirects/Certificate Errors ..........................................................470
Limits on Message Size ......................................................................................471
Additional Troubleshooting Resources .......................................................473
Troubleshooting Microsoft Outlook 2011 ...................................................474
Additional Microsoft Outlook 2011 Information.......................................475
Connecting to Microsoft SharePoint ............................................................476
Additional Microsoft SharePoint Information...........................................478
Instant Messaging ................................................................................................479
iChat and FaceTime .............................................................................................480
Microsoft Office Communications Servers ................................................483
AirDrop .....................................................................................................................486
Deactivating AirDrop ..........................................................................................487
Debugging AirDrop ............................................................................................490
Additional AirDrop Information......................................................................491
8.2.1
8.2.2
8.2.3
8.2.4
8.3
8.3.1
8.4
8.4.1
8.5
8.5.1
8.5.2
8.6
8.6.1
8.6.2
8.6.3
© 2011 Apple Inc. All rights reserved.
Apple, the Apple logo, AirPort, AirPort Extreme, AppleScript, Bonjour, FileVault, Finder, FireWire, iCal,
Mac, MacBook, MacBook Air, Mac OS, QuickTime, Safari, Spotlight, Time Machine, and Xcode are
trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop is a
trademarks of Apple Inc. Mac App Store is a service mark of Apple Inc. Intel is a trademark of Intel
Corp. in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates.
UNIX is a registered trademark of The Open Group. OS X version 10.7 Lion is an Open Brand UNIX 03
Registered Product. Other product and company names mentioned herein may be trademarks of
their respective companies. Product specifications are subject to change without notice. This
material is provided for information purposes only; Apple assumes no liability related to its use.
vi
SAMPLE PAGES
Introduction
This configuration guide is designed to help IT professionals who are
evaluating and deploying OS X Lion on Mac computers in medium to large
organizations. Each section contains multiple modules that cover different
topics with step-by-step instructions. Using this guide, organizations can
accelerate testing and planning to begin a proof of concept, or broader enduser test, of Mac computers.
Not all modules within this guide require extensive review for a single Mac
deployment plan, as many are mutually exclusive. For example, this guide
includes Directory Services modules that cover Open Directory, Active
Directory, Lightweight Directory Access Protocol (LDAP),, and other techniques.
Most organizations will choose the one that best meets their needs. Before
using this guide, consult with your Apple sales representative or Apple
Authorized Reseller for assistance in determining the right modules for your
environment.
This guide covers a wide range of topics critical to successfully deploying Mac
computers in large commercial and government organizations including:
•
•
•
•
•
•
•
•
Imaging
Deployment
Support and Maintenance
Directory Services
Policy Management
Security
Networking/Wireless
Collaboration
For more information, contact your Apple Authorized Reseller or Apple account
team.
© 2011 Apple Inc.
1
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.3
Active Directory
Active Directory is Microsoft’s directory services solution. Active Directory
provides information on users, groups, and computers (information stored in
LDAP), password management and encryption (using Kerberos ), and the ability
to find objects on a network. Information in Active Directory is used to manage
users, computers, groups, printers, and other resources. Administrators can also
assign policies to Windows computers using Group Policy Objects.
Active Directory deployments vary from smaller environments with a few
hundred objects to larger environments with thousands (or millions) of users
and systems distributed across a number of sites.
Mac computers can be manually bound to Active Directory through the Active
Directory Service plug-in in Directory Utility. From the command line, use
dsconfigad to bind and specify Active Directory-specific options.
Active Directory provides policies to Windows computers and the schema can
be extended to include policies for other operating systems, including OS X
Lion. A number of environments cannot extend their AD schemas and so thirdparty vendors can provide policies to Mac computers without extending the
schema.
In this section, we explore administrative tasks surrounding managing OS X
Lion using Active Directory.
© 2011 Apple Inc.
145
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.3.1
Binding to Active Directory
OS X Lion can be bound to Active Directory from the Users & Groups pane in
System Preferences, through Directory Utility (located in /System/Library/
CoreServices/Directory Utility), or using the command line utility dsconfigad.
While dsconfigad does contain some additional options, the majority of
functionality is available through Directory Utility.
Active Directory Validation
Prior to binding, it is important to verify some connectivity with Active
Directory. Because Active Directory clients use DNS service records to locate
Active Directory service, it is important to verify that DNS is working properly.
1.
Open Terminal from /Applications/Utilities. Enter the following command
to do a lookup on the service record to locate the global catalog:
dig -t SRV _gc._tcp.pretendco.com
; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1
;; QUESTION SECTION:
;_gc._tcp.pretendco.com.
;; ANSWER SECTION:
_gc._tcp.pretendco.com.
dc.pretendco.com.
;; ADDITIONAL SECTION:
dc.pretendco.com. 3600
;;
;;
;;
;;
IN
SRV
600
IN
SRV
IN
A
192.168.55.47
0 100 3268
Query time: 83 msec
SERVER: 192.168.1.6#53(192.168.55.47)
WHEN: Thu Jul 31 14:09:32 2008
MSG SIZE rcvd: 92
2.
If your response does not include an answer section with the name of a
domain controller, check to make sure the OS X Lion network settings are
correct and that the DNS specified is one that will return service record
information for your Active Directory forest.
3.
To bind OS X Lion to Active Directory, you need credentials as a local
administrator on the Mac as well as an Active Directory user who has the
authority to join computers into the Organizational Unit (OU) that you will
be leveraging in Active Directory.
Once you have bound the Mac to Active Directory, you can set up the client to
allow Active Directory administrators (or any Active Directory user you choose)
to be local administrators on the local Mac client. However, during initial setup,
you will need the local administrative user name and password for the Mac.
This user is the first user set up during Setup Assistant after installation.
© 2011 Apple Inc.
146
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.3.1.1
Binding to Active Directory Using Directory Utility
To bind to Active Directory using Directory Utility:
1.
Choose System Preferences from the Apple menu.
2.
Open the Users & Groups pane.
Figure 4.3.1.1_1
3.
Click Login Options.
Figure 4.3.1.1_2
© 2011 Apple Inc.
147
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.
Click Join to the right of Network Account Server.
Figure 4.3.1.1_3
5.
Enter the name of the domain in the Server field.
The dialog expands for credentials and Computer ID (which is already
entered).
Figure 4.3.1.1_4
6.
Once joined, you can go back and look at the binding information and
provide more details, if needed. You can also get to the Active Directory
options in Directory Utility to bind if more information is required at the
bind screen. To open Directory Utility, click the Edit button in the Users &
Groups pane in System Preferences (or if the initial attempt at binding
failed, click Join).
© 2011 Apple Inc.
148
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
7.
Click the Open Directory Utility button.
Figure 4.3.1.1_5
8.
Double-click Active Directory (or click Active Directory and then click the
pencil icon).
Figure 4.3.1.1_6
9.
Enter the Active Directory domain name you wish to join (if you have not
yet bound).
© 2011 Apple Inc.
149
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
10. Change the computer ID if necessary, and click OK. Otherwise, you will see
an Unbind button.
Figure 4.3.1.1_7
11. If binding, enter the Active Directory user that has the delegated authority
to bind a machine to the OU you specify for Computer OU. Enter the Active
Directory user’s password, then click OK.
12. In the Users & Groups pane you will now see a green light next to the
domain if provided network accounts are accessible.
Figure 4.3.1.1_8
© 2011 Apple Inc.
150
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.3.1.2
Testing and Verifying Active Directory Binding Information
Prior to logging out and attempting to log in with an Active Directory user, it is
advisable to verify that OS X Lion is getting the requisite information from
Active Directory.
This section shows how to verify that OS X Lion is able to get information
about an Active Directory user, browse information within Active Directory, and
authenticate users.
To verify that the Mac can get information about an Active Director user:
For OS X Lion to work correctly, it needs to be able to look up information such
as the user’s numerical ID (UID), primary group ID (GID), and group
membership.
1.
To test this lookup capability, open Terminal from /Applications/Utilities,
and enter the following:
id <Active Directory Username>
Sample:
Client-1:~ admin$ id jfoster
uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain
users) groups=1450179434(PRETENDCO\domain users)
2.
If the id command does not return information about an Active Directory
user, open Directory Utility and verify that OS X Lion is bound to Active
Directory and that Active Directory is listed under Search Path (the listing is
created automatically when the client is bound). Also verify network
connectivity between OS X Lion and the domain controller, and check
firewall settings on the network.
To browse the Active Directory network node:
1.
Open Terminal from /Applications/Utilities, and enter the following:
Client-1:~ admin$ dscl localhost
>
2.
You are now in interactive mode and can browse network nodes. Type the
following:
> ls
One of the listed nodes should be Active Directory (if not, Active Directory
is not enabled/checked in Directory Utility).
Active Directory
BSD
Local
Search
Contact
© 2011 Apple Inc.
151
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
3.
Navigate into the Active Directory node by using cd and perform another
ls to show the contents of the node.
> cd 'Active Directory'
/Active Directory > ls
All Domains
4.
Navigate into the All Domains node by using cd and perform another ls
to show the contents of the node. The node should contain the Users
node.
/Active Directory > cd 'All Domains'
/Active Directory/All Domains > ls
CertificateAuthorities
Computers
FileMakerServers
Groups
Mounts
People
Printers
Users
5.
Navigate into the Users node by using cd and performing another ls to
show the contents of the node. The node should contain all of the users in
the forest. If you have a large number of users, do not enter ls to list the
contents of this node, but rather use read to read the attributes of that
user:
/Active Directory/All Domains > cd Users
/Active Directory/All Domains/Users > read jfoster
dsAttrTypeNative:accountExpires: 9223372036854775807
dsAttrTypeNative:ADDomain: pretendco.com
dsAttrTypeNative:badPasswordTime: 0
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:cn:
Tim Lee
dsAttrTypeNative:codePage: 0
dsAttrTypeNative:countryCode: 0
dsAttrTypeNative:displayName:
Tim Lee
dsAttrTypeNative:distinguishedName:
CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com
more...
© 2011 Apple Inc.
152
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
6.
If you are not able to read the attributes of a user, check access controls in
Active Directory and verify that you have bound to the correct OU.
7.
You can now exit out of dscl.
/Active Directory/All Domains/Users > exit
Goodbye
To verify the user password:
Up to this point, the Mac can get information about users, but you need to
verify that users can be authenticated.
1.
Open Terminal from /Applications/Utilities and enter the following:
>su <ad username>
Sample:
Client-1:~ Admin$ su jfoster
Password:
2.
Enter the Active Directory user’s password. If successful, you should now be
in a Terminal session as that user. To verify, use the whoami command.
>whoami
Sample:
bash-3.2$ whoami
jfoster
Note: If warnings appear about not having a home directory, disregard
them at this point. The home directory will be created on initial login. If this
does not work, verify that there are not multiple users with the same short
name in your Active Directory forest. If there are multiple users with the
same short name, you must enable namespace support via dsconfigad.
For this testing, enter a user name that has a unique short name forestwide.
To log in at the login window:
You could log out by choosing Log Out [user name] from the Apple menu, but
it is more convenient to use Fast User Switching to test the login window.
1.
To enable Fast User Switching, choose System Preferences from the Apple
menu, and click Users & Groups.
2.
In the Users & Groups pane, make sure the lock in the lower-left corner is
unlocked.
3.
If the pane is locked, click the lock icon and authenticate to unlock.
4.
Click Login Options from the list on the left.
© 2011 Apple Inc.
153
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
5.
Verify that the “Show fast user switching menu as” checkbox is selected.
Figure 4.3.1.2_1
A user name will appear in the menu bar in the upper-right corner of your
screen.
Figure 4.3.1.2_2
6.
Select the user name and choose Login Window.
A cube effect appears and the login window appears. The currently logged
in user session stays active; to return to it either select the original user in
the Fast User Switching menu or at the login window.
7.
Click Other, and enter the Active Directory user name and password. Either
use the short name or the UPN name (for example, jfoster, PRETENDCO
\jfoster, or jfoster@pretendco.com).
You should now be logged in as the Active Directory user.
8.
If the login window “shakes” when authenticating, confirm that you have
gone through the verify setting section above and validate the password.
Also, try a different Active Directory user account.
9.
If you receive a warning about not finding your home directory, open
Directory Utility and look at the settings for your Active Directory
configuration. If you have not selected “Force local home directory on
startup disk,” there is an issue mounting your network home directory. For
this module, make sure the “Force local home directory on startup disk”
option is selected.
© 2011 Apple Inc.
154
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
6 Security
6.1
Security Resources
Security Configuration Guides
The Apple website offers a section dedicated to the security of Apple products.
The Apple Product Security page can be found at http://www.apple.com/
support/security, with a link to the security configuration guides at
http://www.apple.com/support/security/guides.
Apple has posted the security configuration guides to aid administrators of OS
X and OS X Server for v10.3, v10.4, v10.5, and v10.6. Guides include checklists,
scripts, and in-depth analysis on the security architecture and components.
The security configuration guides provide best practices and are the byproduct
of collaborative review and vetting with the National Security Agency. These
guides can also be found at:
http://www.nsa.gov/ia/guidance/security_configuration_guides/
operating_systems.shtml#AppleMac
Security Updates
Each Apple security update is posted on the Apple Support website at
http://support.apple.com/kb/HT1222. Click the link for each update to view a
description and corresponding CVE IDs referencing any vulnerabilities patched
with each update.
© 2011 Apple Inc.
316
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
6.2
Application Restrictions
OS X Lion can restrict access to applications using Managed Preferences by
whitelisting applications that have been signed or directories that contain
applications (or both). In this module, we will do so using the Workgroup
Manager, although this can also be achieved with Profile Manager (as outlined
in Module 5.4.1.2).
For the purposes of this example, we recommend using Workgroup Manager
on a client computer that has all of the applications installed that a normal user
would have. The restrictions can be configured for a local (non-administrative)
account or for an account in a valid Open Directory domain.
To use Workgroup Manager to limit users to opening only specifically
allowed applications:
1.
Open Workgroup Manager from /Applications/Server.
2.
Click the test user account.
Figure 6.2_1
© 2011 Apple Inc.
317
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
3.
Click Preferences in the toolbar.
Figure 6.2_2
4.
Click the icon for Applications in the list of Managed Preferences.
5.
Click the Applications button.
6.
Change the Manage option to Always.
7.
The “Restrict which applications are allowed to launch” checkbox is already
selected. Use the Add (+) button to add applications to the list of allowed
applications.
8.
Add each application that a user should be allowed access to.
Note: You can select multiple applications concurrently by holding down
the command key when clicking them.
In the following example, the user will be logged into a web kiosk
workstation and will only be allowed to access the Safari application.
Figure 6.2_3
© 2011 Apple Inc.
318
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
9.
Once Managed Preferences are configured appropriately, click the Apply
Now button.
10. Log in as the test user and verify that Managed Preferences are applied
correctly.
11. To further restrict applications to specific folders, click the Folders button.
12. Navigate to and select each directory that users should be able to access.
13. Assuming the users are not administrators of the local computers, they will
only be able to open applications that are in the directories you have
included in the list. Click Apply to commit these changes to the directory
service.
Note: To restrict access to a specific software title, run Workgroup Manager
on a system that has that application installed. Workgroup Manager can be
copied to a USB drive and run from the drive to facilitate managing
preferences from client systems.
© 2011 Apple Inc.
319
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
6.3
Password Policies
A variety of password policies are available to clients running in an Open
Directory environment. These should conform to the requirements set forth by
your organization’s security policy. In this example, configure Open Directory
password policies globally and then specifically for the user Jimmy Foster. You
can use a different account for testing if you choose to do so.
To set up Open Directory password policies for a user:
1.
Open Server Admin.
2.
Click Open Directory in the Servers list.
Figure 6.3_1
3.
Click Settings for the Open Directory service in the Server Admin toolbar.
Figure 6.3_2
© 2011 Apple Inc.
320
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
4.
Click the Policies button.
Configure the global password policies for the Open Directory Service.
These policies are used to control login for accounts and set controls on
passwords for all users in the directory service.
Figure 6.3_3
5.
Once satisfied with the password policies, click Binding. These options only
apply to Mac computers using Open Directory, such as clients in a dual
directory scenario.
Figure 6.3_4
6.
Once satisfied with the password policies, click the Authentication button.
© 2011 Apple Inc.
321
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
7.
Choose the hash method(s) to store passwords on the OS X Lion Server
that hosts the Open Directory environment.
Figure 6.3_5
8.
To add other settings for specific users, open Workgroup Manager and
authenticate to Open Directory.
9.
Click the user in question (or select multiple users).
10. Click the Advanced button.
11. Click the Options button in the password section (located below the User
Password Type menu).
Figure 6.3_6
© 2011 Apple Inc.
322
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
12. Configure more granular settings for each user (or users). This includes
controlling when to disable accounts and when to require users to change
passwords.
Figure 6.3_7
13. Once finished managing these settings, click OK.
Note: When using Active Directory, the AD password policies are respected by
OS X Lion. Clients are notified of expiring passwords and users can change their
passwords in OS X Lion.
© 2011 Apple Inc.
323
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
8.6
AirDrop
AirDrop is the Apple implementation of the Wi-Fi Direct protocol. AirDrop
enables users to find other nearby users (via Bonjour, Apple’s multicast DNS
implementation) and transfer files directly to other client computers.
To activate AirDrop on a supported Mac:
1.
Click the AirDrop icon in the Finder sidebar.
2.
If a nearby colleague wishes to exchange files, they click the AirDrop icon
in their Finder sidebar. You will now see one another’s machines listed in
the AirDrop window.
3.
To transfer a file, drag and drop the file on the other person’s AirDrop icon.
They will be prompted to accept the file. Transfer progress is indicated by
the colored circle in their icon.
4.
To deactivate AirDrop, simply close that Finder window, or click on another
sidebar item.
The intentional nature of activating AirDrop, coupled with the “accept”
dialog, provides a strong measure of security and prevention from
hijacking. Additional deliberate steps are required to accept transfers.
© 2011 Apple Inc.
486
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
8.6.1
Deactivating AirDrop
While AirDrop is a great feature for many environments, some organizations
may wish to deactivate the AirDrop feature in OS X Lion to meet their
information assurance guidelines.
To deactivate AirDrop, enter the following command in Terminal.
sudo defaults write /Library/Preferences/
com.apple.NetworkBrowser DisableAirDrop -bool YES
To reenable AirDrop, simply send the same command with a boolean payload
of NO:
sudo defaults write /Library/Preferences/
com.apple.NetworkBrowser DisableAirDrop -bool NO
To see AirDrop disappear, either restart the system or restart the Finder by
running the following command.
sudo killall Finder
Default domains can be changed using Mobile Configuration (.mobileconfig)
files. Environments running OS X Lion Server or a third-party Mobile Device
Management (MDM) solution can use the Custom Settings feature to assign a
value to the com.apple.NetworkBrowser defaults domain.
To use the Custom Setting feature, follow these steps:
1.
Open the Server application from an OS X Lion Server.
2.
Click the Profile Manager service.
3.
Click Open Profile Manager.
4.
Authenticate when prompted.
Figure 8.6.1_1
© 2011 Apple Inc.
487
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
5.
To assign custom settings, click the relevant Device or Device Group.
Figure 8.6.1_2
6.
Click Edit.
Figure 8.6.1_3
7.
Click Custom Settings.
8.
Enter com.apple.NetworkBrowser into the Preference Domain field.
9.
Rename the initial key DisableAirDrop.
10. Choose Boolean from the Type menu.
© 2011 Apple Inc.
488
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES
11. Click the Value checkbox.
Figure 8.6.1_4
12. Click OK.
13. Send the profile to the Mac running OS X Lion. Restart the Mac, and verify
that the key is enforced.
© 2011 Apple Inc.
489