IT Configuration Guide
IT Configuration Guide—For Your Mac Evaluation (Version 4.0)
SAMPLE PAGES

Table of Contents

Introduction .... 1

1 Imaging .... 2
1.1 Imaging Mac Computers .... 2
1.2 Creating Packages .... 3
1.2.1 Creating Packages with PackageMaker .... 4
1.2.1.1 Creating a Snapshot Package with PackageMaker .... 8
1.2.2 Creating Packages with Third-Party Utilities .... 15
1.3 Creating Images with System Image Utility .... 16
1.3.1 NetInstall from Installer .... 17
1.3.2 NetRestore from Installer .... 20
1.3.3 Using NetRestore from a Prepared Volume .... 23
1.3.4 Creating NetRestore NetBoot Sets .... 26
1.3.5 Automations with System Image Utility .... 29
1.3.5.1 Creating an Installation DVD .... 36
1.3.5.2 Adding Patches and Upgrades .... 38
1.3.5.3 Adding Post-Install Scripts .... 39
1.3.5.4 Adding Additional Software .... 40
1.3.5.5 Adding Configuration Profiles .... 41
1.3.5.6 Additional System Image Utility Preferences .... 42
1.4 Creating an Image via a Configured Mac .... 43
1.4.1 Preparing a System for Imaging .... 44
1.4.1.1 Removing Unneeded LKDC Information .... 45
1.4.1.2 Removing .DS_Store Files .... 47
1.4.1.3 Removing Other System Files .... 48
1.4.2 Customizing the Default User Template .... 49
1.4.3 Self-Removing Scripts .... 50
1.5 Creating Images with Disk Utility .... 52
1.5.1 Creating a Disk Image from the Command Line .... 56

2 Deployment .... 57
2.1 Local Deployment .... 58
2.1.1 Creating a Bootable Disk or Volume Using NetInstall .... 59
2.1.2 Deploying with Disk Utility .... 61
2.2 NetInstall Image Creation .... 62
2.2.1 Configuring a NetBoot Server .... 65
2.2.2 Custom Source NetRestore .... 68
2.2.3 Unicast Apple Software Restore (ASR) .... 70
2.2.4 Multicast Apple Software Restore (mASR) .... 71
2.2.5 Third-Party Deployment Solutions .... 73
2.2.6 Setting Clients to NetBoot Using the Bless Command .... 74
2.2.7 Using NetBoot DHCP Helpers .... 75
2.2.8 bootpd Relay .... 76
2.3 Minimal Touch Deployments .... 77

3 Support and Maintenance .... 78
3.1 Asset Tags .... 79
3.2 Apple Remote Desktop .... 80
3.2.1 Apple Remote Desktop and Computer Lists .... 81
3.2.2 Deploying Applications .... 85
3.2.3 Inventory Tools .... 88
3.2.4 Apple Remote Desktop Task Server .... 90
3.3 Software Update Policy .... 91
3.4 OS X Lion Server Software Update Service .... 92
3.4.1 Configuring Software Update Server Clients .... 95
3.4.2 Cascading Software Update Service .... 97
3.5 Third-Party Software Update Service .... 99
3.6 Client Management Suites .... 100

4 Directory Services .... 101
4.1 Local Directory Services .... 102
4.1.1 Creating Local Administrative Accounts .... 104
4.1.1.1 Creating a Local Administrative Account Using System Preferences .... 105
4.1.1.2 Creating a Local Administrative Account Using the Command Line .... 107
4.1.1.3 Hiding a Local Account .... 109
4.1.1.4 Making Changes to the Local Administrative Account .... 110
4.1.2 Nesting Network Admins in a Local Administrative Group .... 111
4.1.3 Creating a Local Administrative Account with a Package or Script .... 113
4.2 Open Directory .... 114
4.2.1 Setting Up an Open Directory Master .... 115
4.2.2 Preparing for Binding to Open Directory .... 121
4.2.2.1 Binding to Open Directory Using the Users & Groups Pane in System Preferences .... 123
4.2.2.2 Custom Binding Operations .... 127
4.2.3 Binding to Open Directory Using the Command Line .... 134
4.2.4 Binding to Open Directory Using a Post-Installation Script .... 136
4.2.5 Using Workgroup Manager to Create New Users .... 137
4.2.6 Setting Up an Open Directory Replica .... 142
4.3 Active Directory .... 145
4.3.1 Binding to Active Directory .... 146
4.3.1.1 Binding to Active Directory Using Directory Utility .... 147
4.3.1.2 Testing and Verifying Active Directory Binding Information .... 151
4.3.1.3 Binding to Active Directory from the Command Line .... 155
4.3.1.4 Binding to Active Directory Using a Script .... 158
4.3.1.5 Binding to Active Directory Using a Post-Install Script .... 159
4.3.1.6 Active Directory Plug-in Troubleshooting Commands .... 160
4.3.2 Mapping the UID and GID with Directory Utility .... 164
4.3.2.1 Mapping UID, User GID, and Group GID Using dsconfigad .... 168
4.3.3 Setting a User Home Directory .... 169
4.3.4 Namespace Support Using dsconfigad .... 174
4.3.5 Active Directory Packet Encryption Options .... 175
4.3.6 SSL Binding Instructions .... 176
4.3.7 Managing Certificates from the Command Line .... 177
4.3.8 Active Directory Computer Password Changes .... 178
4.4 Third-Party Active Directory Plug-Ins .... 179
4.5 LDAP .... 180
4.5.1 Binding to LDAP .... 181
4.5.1.1 Simple Binding .... 182
4.5.1.2 Trusted Binding .... 185
4.5.2 Mapping LDAP Attributes .... 189
4.6 NIS .... 194
4.7 Kerberos .... 197
4.8 Dual Directory Configuration .... 198
4.8.1 Setting Up Dual Directory .... 199
4.8.2 Nesting Active Directory Groups in Open Directory .... 211
4.9 Distributed File Sharing .... 214
4.9.1 Connecting to DFS Shares .... 215
4.9.2 Viewing DFS with smbutil .... 216
4.9.3 Third-Party DFS Solutions .... 218

5 Policy Management .... 219
5.1 Setting Up a Profile Server .... 220
5.1.1 Configuring Network Settings .... 221
5.1.2 Configuring Users .... 223
5.1.3 Adding Users .... 226
5.1.4 Reviewing Certificates .... 229
5.1.5 Acquiring Apple Push Notification Certificates .... 232
5.1.6 Enabling Profile Manager .... 235
5.1.7 Automatic Push Versus Manual Download Profiles .... 239
5.1.8 Editing Management Profiles .... 240
5.1.9 Creating Device Groups .... 244
5.1.10 Using Device Placeholders .... 247
5.1.11 Enrolling Devices Running OS X Lion .... 249
5.1.12 Locking a Device via the User Portal .... 251
5.1.13 Wiping a Device via the User Portal .... 253
5.1.14 Locking a Device Using Profile Manager .... 254
5.1.15 Wiping a Device Using Profile Manager .... 256
5.1.16 Removing a Mac from Management via the User Portal .... 258
5.1.17 Removing Management Using Profile Manager .... 259
5.1.18 Profile System Preferences .... 261
5.1.19 Forcing Management Profiles .... 263
5.1.20 The profiles Command .... 265
5.2 Managed Preferences .... 266
5.2.1 Obtaining Effective Managed Preferences .... 267
5.2.2 Refreshing Policy Data .... 269
5.2.3 Graphical User Interface Managed Preferences Reporting .... 270
5.2.4 Importing Managed Preferences Manifests .... 272
5.2.5 Importing Application Preferences .... 277
5.3 Local Policy .... 282
5.3.1 Creating a Local Computer Account with dscl .... 283
5.3.2 Managed Preferences dscl Extensions .... 285
5.3.3 Importing and Exporting Managed Preferences Using dscl .... 287
5.4 Directory Policy .... 288
5.4.1 Open Directory .... 289
5.4.1.1 Managed Preferences Using Workgroup Manager .... 290
5.4.1.2 Using Workgroup Manager to Whitelist Windows Servers .... 293
5.4.2 Active Directory .... 295
5.4.2.1 Extending the Active Directory Schema on Windows Servers .... 296
5.4.2.2 Managed Preferences Using Dual Directory .... 308
5.4.3 LDAP .... 312
5.4.3.1 Adding Apple Schema to Third-Party OpenLDAP .... 313
5.4.3.2 Integrating a Third-Party Schema into Open Directory .... 314

6 Security .... 316
6.1 Security Resources .... 316
6.2 Application Restrictions .... 317
6.3 Password Policies .... 320
6.3.1 Auditing Local Password Policies .... 324
6.3.2 Setting Local Password Policies .... 327
6.4 Setting an Open Firmware Password .... 328
6.5 SSH Access .... 329
6.5.1 Key-Based SSH Access .... 330
6.5.2 SSH Tunnel .... 332
6.6 FileVault 2 Full Disk Encryption .... 333
6.6.1 Migrating from FileVault to FileVault 2 .... 343
6.6.2 FileVault 2 FDE Master Passwords .... 345
6.7 Third-Party Full Disk Encryption .... 347
6.8 Host-Based Intrusion Detection System .... 348
6.9 Network Firewall .... 351
6.9.1 Application Layer Firewall .... 352
6.9.1.1 Configuring the Application Layer Firewall .... 353
6.9.1.2 Managing the Application Layer Firewall from Terminal .... 357
6.9.2 ipfw .... 359
6.10 Keychain Usage and Management .... 361
6.10.1 Accessing and Viewing Keychain Contents .... 363
6.10.2 Selecting Specific Categories of Keychain Items .... 365
6.10.3 Enabling MobileMe and Directory Services Searching for Certificates .... 366
6.10.4 Enabling Certificate Revocation Checking .... 367
6.10.5 Importing Items into a Keychain via the GUI .... 368
6.10.6 Importing Items into a Keychain from within Keychain Access .... 369
6.10.7 Exporting Items from a Keychain .... 371
6.10.8 Exporting Items from a Keychain via the GUI .... 373
6.11 Encrypted Time Machine Backups .... 374
6.12 Third-Party Smart Card Service Options .... 379

7 Networking/Wireless .... 380
7.1 IPv4 Networking .... 381
7.2 IPv6 Networking .... 389
7.3 Network Setup Assistant for Wired and Wireless .... 392
7.4 Network Diagnostics for Wired and Wireless .... 396
7.5 VLAN Wired Network Deployment .... 399
7.6 Networking Command Line Interface .... 403
7.7 Virtual Private Network .... 406
7.8 Network Security Overview .... 416
7.8.1 WPA/TKIP—PSK .... 417
7.8.2 WPA2/AES—PSK .... 419
7.8.3 WPA2/AES 802.1X—PEAP/MSCHAPv2 .... 421
7.8.4 WPA2/AES 802.1X—EAP/TLS .... 427
7.8.5 WPA2/AES 802.1X—TTLS .... 434
7.8.6 WPA2/AES 802.1X—EAP/FAST .... 441
7.9 Importing and Exporting 802.1X Profiles .... 449
7.10 Using 802.1X .... 452
7.11 Securing a Certificate from a Windows CA .... 454
7.12 Trusting Certificates from the Command Line .... 457

8 Collaboration .... 458
8.1 Microsoft Exchange Integration .... 459
8.1.1 Using Mail, iChat, and Address Book with Exchange .... 460
8.1.2 Enabling S/MIME in Mail .... 465
8.1.3 Enabling Out-of-Office in Mail .... 466
8.2 Connecting to and Troubleshooting Mail, iCal, and Address Book with Microsoft Exchange .... 468
8.2.1 DNS .... 469
8.2.2 Improper Redirects/Certificate Errors .... 470
8.2.3 Limits on Message Size .... 471
8.2.4 Additional Troubleshooting Resources .... 473
8.3 Troubleshooting Microsoft Outlook 2011 .... 474
8.3.1 Additional Microsoft Outlook 2011 Information .... 475
8.4 Connecting to Microsoft SharePoint .... 476
8.4.1 Additional Microsoft SharePoint Information .... 478
8.5 Instant Messaging .... 479
8.5.1 iChat and FaceTime .... 480
8.5.2 Microsoft Office Communications Servers .... 483
8.6 AirDrop .... 486
8.6.1 Deactivating AirDrop .... 487
8.6.2 Debugging AirDrop .... 490
8.6.3 Additional AirDrop Information .... 491

© 2011 Apple Inc. All rights reserved. Apple, the Apple logo, AirPort, AirPort Extreme, AppleScript, Bonjour, FileVault, Finder, FireWire, iCal, Mac, MacBook, MacBook Air, Mac OS, QuickTime, Safari, Spotlight, Time Machine, and Xcode are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop is a trademark of Apple Inc. Mac App Store is a service mark of Apple Inc. Intel is a trademark of Intel Corp. in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group. OS X version 10.7 Lion is an Open Brand UNIX 03 Registered Product. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use.

Introduction

This configuration guide is designed to help IT professionals who are evaluating and deploying OS X Lion on Mac computers in medium to large organizations. Each section contains multiple modules that cover different topics with step-by-step instructions. Using this guide, organizations can accelerate testing and planning to begin a proof of concept, or a broader end-user test, of Mac computers. Not all modules within this guide require extensive review for a single Mac deployment plan, as many are mutually exclusive.
For example, this guide includes Directory Services modules that cover Open Directory, Active Directory, Lightweight Directory Access Protocol (LDAP), and other techniques. Most organizations will choose the one that best meets their needs. Before using this guide, consult with your Apple sales representative or Apple Authorized Reseller for assistance in determining the right modules for your environment.

This guide covers a wide range of topics critical to successfully deploying Mac computers in large commercial and government organizations, including:

• Imaging
• Deployment
• Support and Maintenance
• Directory Services
• Policy Management
• Security
• Networking/Wireless
• Collaboration

For more information, contact your Apple Authorized Reseller or Apple account team.

4.3 Active Directory

Active Directory is Microsoft's directory services solution. It provides information on users, groups, and computers (stored in LDAP), password management and encryption (using Kerberos), and the ability to find objects on a network. Information in Active Directory is used to manage users, computers, groups, printers, and other resources. Administrators can also assign policies to Windows computers using Group Policy Objects. Active Directory deployments vary from smaller environments with a few hundred objects to larger environments with thousands (or millions) of users and systems distributed across a number of sites.

Mac computers can be manually bound to Active Directory through the Active Directory Service plug-in in Directory Utility. From the command line, use dsconfigad to bind and specify Active Directory-specific options. Active Directory provides policies to Windows computers, and the schema can be extended to include policies for other operating systems, including OS X Lion.
A number of environments cannot extend their AD schemas and so thirdparty vendors can provide policies to Mac computers without extending the schema. In this section, we explore administrative tasks surrounding managing OS X Lion using Active Directory. © 2011 Apple Inc. 145 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4.3.1 Binding to Active Directory OS X Lion can be bound to Active Directory from the Users & Groups pane in System Preferences, through Directory Utility (located in /System/Library/ CoreServices/Directory Utility), or using the command line utility dsconfigad. While dsconfigad does contain some additional options, the majority of functionality is available through Directory Utility. Active Directory Validation Prior to binding, it is important to verify some connectivity with Active Directory. Because Active Directory clients use DNS service records to locate Active Directory service, it is important to verify that DNS is working properly. 1. Open Terminal from /Applications/Utilities. Enter the following command to do a lookup on the service record to locate the global catalog: dig -t SRV _gc._tcp.pretendco.com ; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;_gc._tcp.pretendco.com. ;; ANSWER SECTION: _gc._tcp.pretendco.com. dc.pretendco.com. ;; ADDITIONAL SECTION: dc.pretendco.com. 3600 ;; ;; ;; ;; IN SRV 600 IN SRV IN A 192.168.55.47 0 100 3268 Query time: 83 msec SERVER: 192.168.1.6#53(192.168.55.47) WHEN: Thu Jul 31 14:09:32 2008 MSG SIZE rcvd: 92 2. If your response does not include an answer section with the name of a domain controller, check to make sure the OS X Lion network settings are correct and that the DNS specified is one that will return service record information for your Active Directory forest. 3. 
To bind OS X Lion to Active Directory, you need credentials as a local administrator on the Mac as well as an Active Directory user who has the authority to join computers into the Organizational Unit (OU) that you will be leveraging in Active Directory. Once you have bound the Mac to Active Directory, you can set up the client to allow Active Directory administrators (or any Active Directory user you choose) to be local administrators on the local Mac client. However, during initial setup, you will need the local administrative user name and password for the Mac. This user is the first user set up during Setup Assistant after installation. © 2011 Apple Inc. 146 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4.3.1.1 Binding to Active Directory Using Directory Utility To bind to Active Directory using Directory Utility: 1. Choose System Preferences from the Apple menu. 2. Open the Users & Groups pane. Figure 4.3.1.1_1 3. Click Login Options. Figure 4.3.1.1_2 © 2011 Apple Inc. 147 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4. Click Join to the right of Network Account Server. Figure 4.3.1.1_3 5. Enter the name of the domain in the Server field. The dialog expands for credentials and Computer ID (which is already entered). Figure 4.3.1.1_4 6. Once joined, you can go back and look at the binding information and provide more details, if needed. You can also get to the Active Directory options in Directory Utility to bind if more information is required at the bind screen. To open Directory Utility, click the Edit button in the Users & Groups pane in System Preferences (or if the initial attempt at binding failed, click Join). © 2011 Apple Inc. 148 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 7. Click the Open Directory Utility button. Figure 4.3.1.1_5 8. Double-click Active Directory (or click Active Directory and then click the pencil icon). Figure 4.3.1.1_6 9. 
Enter the Active Directory domain name you wish to join (if you have not yet bound). © 2011 Apple Inc. 149 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 10. Change the computer ID if necessary, and click OK. Otherwise, you will see an Unbind button. Figure 4.3.1.1_7 11. If binding, enter the Active Directory user that has the delegated authority to bind a machine to the OU you specify for Computer OU. Enter the Active Directory user’s password, then click OK. 12. In the Users & Groups pane you will now see a green light next to the domain if provided network accounts are accessible. Figure 4.3.1.1_8 © 2011 Apple Inc. 150 IT Configuration Guide—For Your Mac Evaluation (Version 4.0) SAMPLE PAGES 4.3.1.2 Testing and Verifying Active Directory Binding Information Prior to logging out and attempting to log in with an Active Directory user, it is advisable to verify that OS X Lion is getting the requisite information from Active Directory. This section shows how to verify that OS X Lion is able to get information about an Active Directory user, browse information within Active Directory, and authenticate users. To verify that the Mac can get information about an Active Director user: For OS X Lion to work correctly, it needs to be able to look up information such as the user’s numerical ID (UID), primary group ID (GID), and group membership. 1. To test this lookup capability, open Terminal from /Applications/Utilities, and enter the following: id <Active Directory Username> Sample: Client-1:~ admin$ id jfoster uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users) 2. If the id command does not return information about an Active Directory user, open Directory Utility and verify that OS X Lion is bound to Active Directory and that Active Directory is listed under Search Path (the listing is created automatically when the client is bound). 
Also verify network connectivity between OS X Lion and the domain controller, and check firewall settings on the network.

To browse the Active Directory network node:

1. Open Terminal from /Applications/Utilities, and enter the following:

Client-1:~ admin$ dscl localhost
>

2. You are now in interactive mode and can browse network nodes. Type the following:

> ls

One of the listed nodes should be Active Directory (if not, Active Directory is not enabled/checked in Directory Utility).

Active Directory
BSD
Local
Search
Contact

3. Navigate into the Active Directory node by using cd and perform another ls to show the contents of the node.

> cd 'Active Directory'
/Active Directory > ls
All Domains

4. Navigate into the All Domains node by using cd and perform another ls to show the contents of the node. The node should contain the Users node.

/Active Directory > cd 'All Domains'
/Active Directory/All Domains > ls
CertificateAuthorities
Computers
FileMakerServers
Groups
Mounts
People
Printers
Users

5. Navigate into the Users node by using cd and perform another ls to show the contents of the node. The node should contain all of the users in the forest. If you have a large number of users, do not enter ls to list the contents of this node, but rather use read to read the attributes of a single user:

/Active Directory/All Domains > cd Users
/Active Directory/All Domains/Users > read jfoster
dsAttrTypeNative:accountExpires: 9223372036854775807
dsAttrTypeNative:ADDomain: pretendco.com
dsAttrTypeNative:badPasswordTime: 0
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:cn: Tim Lee
dsAttrTypeNative:codePage: 0
dsAttrTypeNative:countryCode: 0
dsAttrTypeNative:displayName: Tim Lee
dsAttrTypeNative:distinguishedName: CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com
more...

6.
If you are not able to read the attributes of a user, check access controls in Active Directory and verify that you have bound to the correct OU.

7. You can now exit out of dscl.

/Active Directory/All Domains/Users > exit
Goodbye

To verify the user password:

Up to this point, the Mac can get information about users, but you need to verify that users can be authenticated.

1. Open Terminal from /Applications/Utilities and enter the following:

su <ad username>

Sample:

Client-1:~ Admin$ su jfoster
Password:

2. Enter the Active Directory user’s password. If successful, you should now be in a Terminal session as that user. To verify, use the whoami command.

whoami

Sample:

bash-3.2$ whoami
jfoster

Note: If warnings appear about not having a home directory, disregard them at this point. The home directory will be created on initial login.

If this does not work, verify that there are not multiple users with the same short name in your Active Directory forest. If there are multiple users with the same short name, you must enable namespace support via dsconfigad. For this testing, enter a user name that has a unique short name forestwide.

To log in at the login window:

You could log out by choosing Log Out [user name] from the Apple menu, but it is more convenient to use Fast User Switching to test the login window.

1. To enable Fast User Switching, choose System Preferences from the Apple menu, and click Users & Groups.

2. In the Users & Groups pane, make sure the lock in the lower-left corner is unlocked.

3. If the pane is locked, click the lock icon and authenticate to unlock.

4. Click Login Options from the list on the left.

5. Verify that the “Show fast user switching menu as” checkbox is selected.
Figure 4.3.1.2_1

A user name will appear in the menu bar in the upper-right corner of your screen.
Figure 4.3.1.2_2

6. Select the user name and choose Login Window.
A cube effect appears and the login window appears. The currently logged-in user session stays active; to return to it, either select the original user in the Fast User Switching menu or at the login window.

7. Click Other, and enter the Active Directory user name and password. Either use the short name or the UPN name (for example, jfoster, PRETENDCO\jfoster, or jfoster@pretendco.com). You should now be logged in as the Active Directory user.

8. If the login window “shakes” when authenticating, confirm that you have gone through the verification steps above and validate the password. Also, try a different Active Directory user account.

9. If you receive a warning about not finding your home directory, open Directory Utility and look at the settings for your Active Directory configuration. If you have not selected “Force local home directory on startup disk,” there is an issue mounting your network home directory. For this module, make sure the “Force local home directory on startup disk” option is selected.

6 Security

6.1 Security Resources

Security Configuration Guides

The Apple website offers a section dedicated to the security of Apple products. The Apple Product Security page can be found at http://www.apple.com/support/security, with a link to the security configuration guides at http://www.apple.com/support/security/guides. Apple has posted the security configuration guides to aid administrators of OS X and OS X Server for v10.3, v10.4, v10.5, and v10.6. Guides include checklists, scripts, and in-depth analysis of the security architecture and components. The security configuration guides provide best practices and are the byproduct of collaborative review and vetting with the National Security Agency.
These guides can also be found at: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac

Security Updates

Each Apple security update is posted on the Apple Support website at http://support.apple.com/kb/HT1222. Click the link for each update to view a description and the corresponding CVE IDs referencing any vulnerabilities patched by that update.

6.2 Application Restrictions

OS X Lion can restrict access to applications using Managed Preferences by whitelisting applications that have been signed, or directories that contain applications (or both). In this module, we will do so using Workgroup Manager, although this can also be achieved with Profile Manager (as outlined in Module 5.4.1.2). For the purposes of this example, we recommend using Workgroup Manager on a client computer that has all of the applications installed that a normal user would have. The restrictions can be configured for a local (non-administrative) account or for an account in a valid Open Directory domain.

To use Workgroup Manager to limit users to opening only specifically allowed applications:

1. Open Workgroup Manager from /Applications/Server.

2. Click the test user account.
Figure 6.2_1

3. Click Preferences in the toolbar.
Figure 6.2_2

4. Click the icon for Applications in the list of Managed Preferences.

5. Click the Applications button.

6. Change the Manage option to Always.

7. The “Restrict which applications are allowed to launch” checkbox is already selected. Use the Add (+) button to add applications to the list of allowed applications.

8. Add each application that a user should be allowed access to.

Note: You can select multiple applications concurrently by holding down the Command key when clicking them.
In the following example, the user will be logged into a web kiosk workstation and will only be allowed to access the Safari application.
Figure 6.2_3

9. Once Managed Preferences are configured appropriately, click the Apply Now button.

10. Log in as the test user and verify that Managed Preferences are applied correctly.

11. To further restrict applications to specific folders, click the Folders button.

12. Navigate to and select each directory that users should be able to access.

13. Assuming the users are not administrators of the local computers, they will only be able to open applications that are in the directories you have included in the list. Click Apply to commit these changes to the directory service.

Note: To restrict access to a specific software title, run Workgroup Manager on a system that has that application installed. Workgroup Manager can be copied to a USB drive and run from the drive to facilitate managing preferences from client systems.

6.3 Password Policies

A variety of password policies are available to clients running in an Open Directory environment. These should conform to the requirements set forth by your organization’s security policy. In this example, configure Open Directory password policies globally and then specifically for the user Jimmy Foster. You can use a different account for testing if you choose to do so.

To set up Open Directory password policies for a user:

1. Open Server Admin.

2. Click Open Directory in the Servers list.
Figure 6.3_1

3. Click Settings for the Open Directory service in the Server Admin toolbar.
Figure 6.3_2

4. Click the Policies button. Configure the global password policies for the Open Directory service.
These policies are used to control login for accounts and set controls on passwords for all users in the directory service.
Figure 6.3_3

5. Once satisfied with the password policies, click Binding. These options only apply to Mac computers using Open Directory, such as clients in a dual-directory scenario.
Figure 6.3_4

6. Once satisfied with the password policies, click the Authentication button.

7. Choose the hash method(s) used to store passwords on the OS X Lion Server that hosts the Open Directory environment.
Figure 6.3_5

8. To add other settings for specific users, open Workgroup Manager and authenticate to Open Directory.

9. Click the user in question (or select multiple users).

10. Click the Advanced button.

11. Click the Options button in the password section (located below the User Password Type menu).
Figure 6.3_6

12. Configure more granular settings for each user (or users). This includes controlling when to disable accounts and when to require users to change passwords.
Figure 6.3_7

13. Once finished managing these settings, click OK.

Note: When using Active Directory, the AD password policies are respected by OS X Lion. Clients are notified of expiring passwords, and users can change their passwords in OS X Lion.

8.6 AirDrop

AirDrop is the Apple implementation of the Wi-Fi Direct protocol. AirDrop enables users to find other nearby users (via Bonjour, Apple’s multicast DNS implementation) and transfer files directly to other client computers.

To activate AirDrop on a supported Mac:

1. Click the AirDrop icon in the Finder sidebar.

2. If a nearby colleague wishes to exchange files, they click the AirDrop icon in their Finder sidebar.
You will now see one another’s machines listed in the AirDrop window.

3. To transfer a file, drag and drop the file on the other person’s AirDrop icon. They will be prompted to accept the file. Transfer progress is indicated by the colored circle in their icon.

4. To deactivate AirDrop, simply close that Finder window, or click another sidebar item.

The intentional nature of activating AirDrop, coupled with the “accept” dialog, provides a strong measure of security and protection from hijacking. Additional deliberate steps are required to accept transfers.

8.6.1 Deactivating AirDrop

While AirDrop is a great feature for many environments, some organizations may wish to deactivate the AirDrop feature in OS X Lion to meet their information assurance guidelines. To deactivate AirDrop, enter the following command in Terminal:

sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool YES

To re-enable AirDrop, simply send the same command with a boolean payload of NO:

sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool NO

To see AirDrop disappear, either restart the system or restart the Finder by running the following command:

sudo killall Finder

Defaults domains can also be managed using Mobile Configuration (.mobileconfig) files. Environments running OS X Lion Server or a third-party Mobile Device Management (MDM) solution can use the Custom Settings feature to assign a value to the com.apple.NetworkBrowser defaults domain. To use the Custom Settings feature, follow these steps:

1. Open the Server application on an OS X Lion Server.

2. Click the Profile Manager service.

3. Click Open Profile Manager.

4. Authenticate when prompted.
Figure 8.6.1_1

5. To assign custom settings, click the relevant Device or Device Group.
Figure 8.6.1_2

6. Click Edit.
Figure 8.6.1_3

7. Click Custom Settings.

8. Enter com.apple.NetworkBrowser into the Preference Domain field.

9. Rename the initial key DisableAirDrop.

10. Choose Boolean from the Type menu.

11. Click the Value checkbox.
Figure 8.6.1_4

12. Click OK.

13. Send the profile to the Mac running OS X Lion. Restart the Mac, and verify that the key is enforced.
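The Custom Settings steps above end with Profile Manager producing a configuration profile that forces the DisableAirDrop key in the com.apple.NetworkBrowser domain. The script below is an added example, not part of Apple's guide, that writes an equivalent .mobileconfig by hand for environments that push profiles through a third-party MDM or need the file under version control, and includes a sanity check on the generated file. It assumes the Custom Settings payload layout (a com.apple.ManagedClient.preferences payload carrying a Forced/mcx_preference_settings array); the profile identifier com.example.disable-airdrop and the two fixed UUIDs are constructed placeholders and should be replaced (for example with uuidgen) before the profile is deployed.

```shell
#!/bin/sh
# Added example (not from the Apple guide): emit a .mobileconfig that forces
# DisableAirDrop in com.apple.NetworkBrowser, the same setting the Profile
# Manager Custom Settings steps produce, and verify the generated profile.
#
# Constructed placeholders (assumptions, not from the page): regenerate the
# identifier and UUIDs for your own deployment.
PROFILE_ID="com.example.disable-airdrop"
PROFILE_UUID="11111111-2222-3333-4444-555555555555"
PAYLOAD_UUID="66666666-7777-8888-9999-000000000000"

# Print a system-scoped configuration profile to stdout.
# Argument 1: "true" (AirDrop disabled, the default) or "false" (re-enabled).
# Returns 2 on any other argument so a typo cannot ship an empty profile.
make_airdrop_profile() {
  state="${1:-true}"
  case "$state" in
    true|false) ;;
    *) echo "usage: make_airdrop_profile [true|false]" >&2; return 2 ;;
  esac
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key>
      <string>${PROFILE_ID}.preferences</string>
      <key>PayloadUUID</key>
      <string>${PAYLOAD_UUID}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>com.apple.NetworkBrowser</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>DisableAirDrop</key>
                <${state}/>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Disable AirDrop</string>
  <key>PayloadIdentifier</key>
  <string>${PROFILE_ID}</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>${PROFILE_UUID}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Read a profile on stdin and return 0 only if it forces DisableAirDrop on.
# Whitespace is stripped first so indentation and line breaks do not matter.
profile_disables_airdrop() {
  tr -d ' \n\t' | grep -q '<key>DisableAirDrop</key><true/>'
}

# macOS only: return 0 when the key written by the Terminal method in the
# guide (defaults write ... -bool YES) is present on this Mac. A key enforced
# by a profile lives in the managed-preferences layer, not in this plist.
airdrop_key_set_locally() {
  [ "$(defaults read /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop 2>/dev/null)" = "1" ]
}

# Usage: sh disable_airdrop_profile.sh > DisableAirDrop.mobileconfig
make_airdrop_profile true
```

The profile is scoped to System so that, like the Terminal command that writes to /Library/Preferences, it applies to the computer rather than to one user. Because a profile-enforced key does not show up in /Library/Preferences/com.apple.NetworkBrowser.plist, confirm step 13 by checking that the profile itself is installed on the client, not by reading that file.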