PowerBroker Identity Services Mac OS X Administration Guide

PBIS Mac OS X Administration Guide - beyondtrust.com




Revision/Update Information: March 2018

Corporate Headquarters
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright © 2018 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (“BeyondTrust”) or BeyondTrust’s authorized remarketer, if and when applicable.

TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modification and use.

DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at DFARS 252.227-7013.

TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage, PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Desktops, PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.
ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH logo, Tectia and tectia logo are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions.
This application contains software powered by PKAIP®, the leading solution for enabling efficient and secure data storage and transmission. PKAIP® is provided by PKWARE, the inventor and continuing innovator of the ZIP file format. Used with permission.

OTHER NOTICES
If and when applicable the following additional provisions are so noted:
The PowerBroker Identity Services Open software is free to download and use according to the terms of the Limited GPL 2.1 for client libraries and the GPL 2 for daemons. The licenses for PowerBroker Identity Services Enterprise and for PowerBroker Identity Services UID-GID Module are different. For complete information on the software licenses and terms of use for BeyondTrust products, see www.beyondtrust.com.


Contents

Introduction 4
  Conventions Used in This Guide 4
  Documentation Set for PBIS Enterprise 4
  Contacting Support 5

Install the Agent on a Mac OS X Computer 6
  Install the Agent on a Mac in Unattended Mode 6

Joining an Active Directory Domain 8
  Before Joining a Domain 8
  Joining a Mac Computer Using the GUI 8
  Join Active Directory from the Command Line 10
    Joining a Mac Computer 10
  Turn Off OS X Directory Service Authentication 11
  Migrate a User Profile on a Mac 11

Leave a Domain 12
  Remove the Computer Account in Active Directory 12
  Remove a Mac from a Domain 12
  Remove a Mac from a Domain from the Command Line 12
  Uninstall PBIS 12

Configuring GPO Mac Settings 13
  Mac System Preferences 13
    Accessing Mac System Preferences 13
    Security 13
    Firewall 14
    Bluetooth 14
    Energy Saver 14
  Mac DS Plugin Settings 15

Applying Group Policies from Apple's Profile Manager 17
  Requirements 17
  Importing a Policy 17
  Removing the Policy 17


Mac OS X Administration Guide 3 © 2018. BeyondTrust Software, Inc.


Introduction

This guide shows system administrators and security administrators how to use BeyondTrust PowerBroker Identity Services Enterprise Edition (PBIS).

PBIS ships with a number of documents that help you to use the various features of the product. See the following section for a list of the guides.

Conventions Used in This Guide

Specific font and line spacing conventions are used in this book to ensure readability and to highlight important information such as commands, syntax, and examples.

Font Conventions

The font conventions used for this document are:

• Courier New Font is used for program names, commands, command arguments, directory paths, variable names, text input, text output, configuration file listings, and source code. For example:

C:\Documents and Settings\All Users

• Courier New Bold Font is used for information that should be entered into the system exactly as shown. For example:

pbdeploy.exe

• Courier New Italics Font is used for input variables that need to be replaced by actual values. In the following example, the variable MyServer must be replaced by an actual environment server name and the variable MyFolder must be replaced by an actual folder name:

\\MyServer\MyFolder\pbdcl32.msi

• Bold is used for Windows buttons. For example:

Click OK.

Documentation Set for PBIS Enterprise

The complete PowerBroker Identity Services Enterprise Edition documentation set includes the following:

• PBIS Enterprise Installation Guide

• PBIS Enterprise Administration Guide

• PBIS Enterprise Linux Administration Guide

• PBIS Enterprise Group Policy Administration Guide

• PBIS Mac OS X Administration Guide

• PBIS Release Notes

• Report Book

• Troubleshooting Guide

• Best Practices (go to the BeyondTrust web site)


Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support
Within Continental United States: 800.234.9072

Outside Continental United States: 818.575.4040

Vulnerability Management Support
North/South America: 866.529.2201 | 949.333.1997

+ enter access code

All other Regions
Standard Support: 949.333.1995

+ enter access code

Platinum Support: 949.333.1996

+ enter access code

Online
http://www.beyondtrust.com/Resources/Support/


Install the Agent on a Mac OS X Computer

To install the PBIS agent on a computer running Mac OS X, you must have administrative privileges on the Mac.

1. Obtain the PBIS agent installation package for your Mac from BeyondTrust Software, Inc., and save it to your desktop.

2. Log on to the Mac with a local account that has administrative privileges.

3. On the Apple menu, click System Preferences.

4. Under Internet & Network, click Sharing, and then select the Remote Login check box.

Turn on Remote Login to access the Mac with SSH after you install PBIS.

5. On the Mac computer, go to the Desktop and double-click the PBIS .dmg file.

6. In the Finder window, double-click the PBIS .pkg file.

7. Follow the instructions in the installation wizard.

After the agent is installed, you are ready to join the Mac computer to an Active Directory domain.

Install the Agent on a Mac in Unattended Mode

The PBIS command-line tools can remotely deploy the shell version of the PBIS agent to multiple Mac OS X computers. You can automate the installation of the agent using the installation command in unattended mode.

The commands in this procedure require administrative privileges. Replace x.x.x.xxxx with the version and build number indicated in the file name of the SFX installer.

1. Use SSH to connect to the target Mac OS X computer and then use SCP to copy the .dmg installation file to the desktop of the Mac or to a location that can be accessed remotely. This procedure assumes that you copied the installation file to the desktop.

2. On the target Mac, open Terminal and then use the hdiutil mount command to mount the .dmg file under Volumes:

/usr/bin/hdiutil mount Desktop/pbis-enterprise-x.x.x.xxxx.dmg

3. Execute the following command to open the .pkg volume:

/usr/bin/open /Volumes/pbis-enterprise

4. Execute the following command to install the agent:

sudo installer -pkg /Volumes/pbis-enterprise/pbis-enterprise-x.x.x.xxxx.pkg -target LocalSystem

Note: For more information about the installer command, in Terminal execute the man installer command.

5. To join the domain, execute the following command in the Terminal, replacing domainName with the FQDN of the domain that you want to join and joinAccount with the user name of an account that has privileges to join computers to the domain:

sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount

Example: sudo /opt/pbis/bin/domainjoin-cli join example.com Administrator

Terminal prompts you for two passwords:

– The user account on the Mac that has admin privileges;


– The user account in Active Directory that you set in the join command.

Note: You can also add the password for joining the domain to the command, but it is recommended that you do not use this approach because another user could view and intercept the full command that you are running, including the password:

sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount joinPassword

Example: sudo /opt/pbis/bin/domainjoin-cli join example.com Administrator YourPasswordHere


Joining an Active Directory Domain

You can join a Mac OS X computer to a domain using either the command line or a GUI.

Before Joining a Domain

To join a domain, ensure the following are in place:

• The computer's name server can find the domain.

Run the command:

nslookup domainName

• The computer can reach the domain controller.

Run the command:

ping domainName
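The unattended install and join steps from the previous chapter, combined with the two checks above, as an added shell script that is not part of this guide or of PBIS itself. It assumes the .dmg was copied to the desktop as the procedure describes and that the mount point is /Volumes/pbis-enterprise; the version/build string (x.x.x.xxxx), the domain FQDN and the join account are passed as arguments, and the join password is left to the domainjoin-cli prompt rather than placed on the command line.

```shell
#!/bin/sh
# Added example, not BeyondTrust's tooling: automate the unattended PBIS agent
# install and domain join described in this guide on one Mac.
# Usage: sh pbis-join.sh x.x.x.xxxx domainName joinAccount
# Assumptions (labelled): the .dmg sits in ~/Desktop as the guide describes and
# the image mounts at /Volumes/pbis-enterprise as in the guide's steps.
set -eu

# The guide's placeholder x.x.x.xxxx is four dot-separated numeric fields.
pbis_version_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# File names exactly as used in the guide's hdiutil and installer commands.
pbis_dmg_path() { printf '%s/Desktop/pbis-enterprise-%s.dmg\n' "${HOME:-/var/root}" "$1"; }
pbis_pkg_path() { printf '/Volumes/pbis-enterprise/pbis-enterprise-%s.pkg\n' "$1"; }

# Accept exactly domainName and joinAccount. A third argument would be the join
# password on the command line, which the guide advises against because another
# user on the machine could read the full command.
join_args_ok() {
    [ "$#" -eq 2 ] && [ -n "$1" ] && [ -n "$2" ]
}

# Pre-join checks from "Before Joining a Domain": the name server can find the
# domain and the domain controller answers a ping.
preflight() {
    nslookup "$1" >/dev/null 2>&1 || { echo "DNS cannot resolve $1" >&2; return 1; }
    ping -c 1 "$1" >/dev/null 2>&1 || { echo "cannot reach $1" >&2; return 1; }
}

install_and_join() {
    version=$1; domain=$2; join_account=$3
    pbis_version_ok "$version" || { echo "bad version string: $version" >&2; return 1; }
    join_args_ok "$domain" "$join_account" || return 1
    dmg=$(pbis_dmg_path "$version")
    pkg=$(pbis_pkg_path "$version")
    [ -f "$dmg" ] || { echo "installer image not found: $dmg" >&2; return 1; }

    preflight "$domain"                                  # fail early, before installing
    /usr/bin/hdiutil mount "$dmg"                        # guide step 2
    sudo installer -pkg "$pkg" -target LocalSystem       # guide step 4
    /usr/bin/hdiutil detach /Volumes/pbis-enterprise || true
    # Guide step 5: domainjoin-cli prompts for the AD password; it is never an argument.
    sudo /opt/pbis/bin/domainjoin-cli join "$domain" "$join_account"
}

# Run only when invoked with the three arguments; sourcing the file does nothing.
if [ "$#" -eq 3 ]; then
    install_and_join "$1" "$2" "$3"
fi
```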

Joining a Mac Computer Using the GUI

To join a computer running Mac OS X 10.6 or later to an Active Directory domain, you must have administrative privileges on the Mac and privileges on the Active Directory domain that allow you to join a computer.

Important: Apple's built-in service for interoperating with Active Directory must not be bound to any previous domains for PBIS to work properly. If you are migrating from Open Directory or Active Directory, see Turn Off OS X Directory Service Authentication.

1. In Finder, click Applications. In the list of applications, double-click PBIS Utilities, and then click Domain Join.

2. Enter a name and password of a local machine account with administrative privileges.

3. In the Computer name box, type the local hostname of the Mac without the .local extension.

The local hostname cannot be more than 15 characters (this is a limitation with Active Directory).

Note that localhost is not a valid name.

To find the local hostname of a Mac, on the Apple menu, click System Preferences, and then click Sharing. Under the Computer Name box, click Edit. Your Mac's local hostname is displayed.

4. In the Domain to join box, type the fully qualified domain name of the Active Directory domain.

5. To join the computer to an OU in the domain, select OU Path and then type a path in the OU Path box.

Note: To join the computer to an OU, you must be a member of the Domain Administrator security group.

To join the computer to the Computers container, select Default to "Computers" container.

6. Click Join.

7. After you join the domain, you can set the display login window preference on the Mac: On the Apple menu, click System Preferences, and then under System, click Accounts.

8. Click the lock and enter an administrator's name and password to unlock it.

9. Click Login Options, and then under Display login window as, select Name and password.


With PBIS Enterprise, the domain join utility includes a tool to migrate a Mac user's profile from a local user account to the home directory specified for the user in Active Directory. For more information, see Migrate a User Profile on a Mac.


Join Active Directory from the Command Line

The location of the domain join command-line utility is as follows: /opt/pbis/bin/domainjoin-cli

When you join a domain by using the command-line utility, PBIS uses the hostname of the computer to derive a fully qualified domain name (FQDN) and then automatically sets the FQDN in the /etc/hosts file.

You can also join a domain without changing the /etc/hosts file. See Join Active Directory Without Changing /etc/hosts.

Joining a Mac Computer

Using sudo, execute the following command in Terminal:

sudo /opt/pbis/bin/domainjoin-cli join domainName joinAccount

Terminal prompts you for two passwords:

• A Mac user account with administrative privileges.

• The Active Directory account that you are using in the join command.


Turn Off OS X Directory Service Authentication

If you are migrating from Open Directory or Active Directory and you had set authentication from the command line with dsconfigad or dsconfigldap, you must run the following commands to stop the computer from trying to use the built-in directory service even if the Mac is not bound to it:

dscl . -delete /Computers
dscl /Search -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController
dscl /Search -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /Active\ Directory/All\ Domains
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/FQDNforYourDomainController

Migrate a User Profile on a Mac

On a Mac OS X computer, the PBIS domain join utility includes a tool to migrate a user's profile from a local user account to the home directory specified for the user in Active Directory.

When you migrate the user's profile, you can either copy or move it from the local account to the user's Active Directory account. Copying the profile leaves a copy of the user's files in their original location, but doubles the space on the hard disk required to keep the user's files.

You can migrate a user by using the GUI or by using the command line. In addition, you can customize the migration shell script to suit your requirements.

Important: To migrate a user's profile, you must have a local or AD account with administrative privileges. The account that you use must not be the account that you are migrating.


Leave a Domain

When you remove a computer from a domain, PBIS retains the settings that were made to the computer's configuration when it was joined to the domain.

Remove the Computer Account in Active Directory

By default, when you remove a computer from a domain, the computer account in Active Directory is not disabled or deleted.

To disable but not delete the computer account, include the user name as part of the leave command. Note that you will be prompted for the password of the user account:

domainjoin-cli leave userName

Example: domainjoin-cli leave brsmith

Remove a Mac from a Domain

Note: For Mac OS 10.8 and later, the GUI is no longer supported.

For PBIS 7.0 and later, GUI on any Mac is not supported.

Use the CLI commands. See Remove a Mac from a Domain from the Command Line.

To leave a domain on a Mac OS X computer, you must have administrative privileges on the Mac.

1. In Finder, click Applications.

2. In the list of applications, double-click PBIS Utilities, and then click Domain Join.

3. Click Leave.

Remove a Mac from a Domain from the Command Line

Execute the following command with an account that allows you to use sudo:

sudo /opt/pbis/bin/domainjoin-cli leave

Uninstall PBIS

Execute the following command from the Command Line:

sudo /opt/pbis/bin/macuninstall.sh


Configuring GPO Mac Settings

When you install the GPMC component during the PBIS install, the following Mac features are available in GPMC.

Use the features to manage your Mac OS X targets that are managed by PBIS.

• Mac System Preferences - Offers a subset of the System Preferences available with the native Mac tools.

• DS Plugin Settings - Policies that can be applied if you are using Apple's directory services tools to manage users.

• Workgroup Manager Settings - For more information, see Setting MCX Policies with Workgroup Manager.

• Profile Manager Settings - For more information, see Using GPOs to Apply Profile Manager Settings.

Mac System Preferences

Using GPMC, you can deploy certain Mac System Preferences to your target Mac OS X systems that are managed by PBIS.

Accessing Mac System Preferences

To access the Mac system preferences in GPMC:

1. Create or edit a group policy for the organizational unit that you want, and then open it with the Group Policy Management Editor.

2. Expand Computer Configuration, Policies, Unix and Linux Settings, Mac Settings.

3. Expand Mac System Preferences, and then configure a policy:

– Security

– Firewall

– Bluetooth

– Energy Saver

Security

The policies in Security preferences are inherited. The policies will merge with Local policies.

To set Security preferences:

1. Go to the Mac System Preferences folder, and expand the Security folder.

2. Double-click the system preference that you want to set:


– Secure system preferences with password - Enable the policy to lock system preferences on target computers so that only administrators with the password can change the preferences.

– Automatic logout from user inactivity - Turn on to automatically log a user off a target computer when it is idle. Use this policy to prevent unauthorized access to Mac computers that have been inactive for a set period of time.

If a document with unsaved changes is open on a target computer running Mac OS X 10.5 (and possibly other versions), the application cancels logout.

Firewall

The policies in Firewall preferences are inherited. The policies will merge with Local policies.

To set Firewall preferences:

1. Go to the Mac System Preferences folder, and expand the Firewall folder.

2. Double-click the system preference that you want to set:

– Use firewall protection - Turn on the built-in firewall on target computers.

– Block all incoming connections - Turn on to set the built-in firewall on target computers to block UDP traffic. Blocking UDP traffic can help secure target computers.

– Use firewall stealth mode - Turn on stealth mode to cloak the target computer behind its firewall: Uninvited traffic gets no response, and other computers that send traffic to the target computer get no information about it.

Bluetooth

To set Bluetooth preferences:

1. Go to the Mac System Preferences folder, and expand the Bluetooth folder.

– Turn Bluetooth on or off - Turn on or turn off Bluetooth power on target computers.

When Bluetooth power is off, other Bluetooth devices, such as wireless keyboards and mobile phones, cannot connect to the computer.

– Open Bluetooth Setup Assistant at startup when no input device is present - Turn on to open the Bluetooth Setup Assistant if an input device (such as a keyboard or mouse) is not detected when the computer starts. This setting is helpful when you manage computers that use Bluetooth devices.

This setting works with computers running Mac OS X 10.5.

Energy Saver

You can configure Sleep and Options preferences.

Sleep Preferences

To set Sleep preferences:

1. Go to the Mac System Preferences folder, and expand the Energy Saver folder.

2. Select Sleep, and then double-click the system preference that you want to set:

– System Sleep Timer - Turn on to put a target computer to sleep after it has been idle for a set period.

In the Minutes box, enter the period of inactivity that passes before the computer sleeps.

To set the computer to never sleep, enter 0.


– Display Sleep Timer - Turn on to put the screen of a target computer to sleep after it has been idle for a set period.

In the Minutes box, enter the period of inactivity that passes before the computer sleeps.

To set the screen to never sleep, enter 0.

– Disk Sleep Timer - Turn on to put the hard disk on a target computer to sleep when it is not in use.

Options Preferences

To set Options preferences:

1. Go to the Mac System Preferences folder, and expand the Energy Saver folder.

2. Select Options, and then double-click the system preference that you want to set:

– Wake on modem ring - Turn on to wake up a target computer when its modem rings.

– Wake on LAN - Turn on to wake up a target computer when a network administrator accesses it through a local area network Ethernet connection.

– Sleep on Power button - Turn on to set the power button to put a target computer to sleep. When the power button is pressed, the computer goes to sleep instead of shutting down.

– Automatic restart on power loss - Turn on to automatically restart a target Mac OS X computer after it loses power. This policy can help recover a workstation or server after a power failure.

Mac DS Plugin Settings

If you are using Apple's directory services tools to manage users, you can use the DS Plugin Settings to apply policies on home directory and local administration settings.

To configure a DS plugin policy:

1. Go to the Mac Settings folder, and then select DS Plugin Settings:

2. Double-click one of the following policies, and then enable the policy as needed:

– Use UNC path from Active Directory to create home location - Connects the computer to the network share defined in the Active Directory user account. The UNC path is converted to the selected protocol:

– SMB protocol when the target file server is running Windows.


– AFP protocol when the target file server is running Mac OS X.

If the policy for forcing the home directory on the startup disk is enabled, the UNC path is used to create a folder in the user's dock and the home directory is set to the user's local home directory path.

To set the path for the home directory, go to the Profile tab of the user's properties in ADUC and under Home folder select Connect, choose a drive letter (which is ignored by a Mac OS X computer), and then in the To box type the UNC path.

Path format: \\server\share\folder

Example: \\lwdemo01\homes\fanthony

– Force home directory on startup disk - Sets a computer to use a local home directory path. When a user with a home folder connection defined in Active Directory logs on, the connection is created in the dock under /Network/Servers/homeFolderName.

The Home Directory is set on the PowerBroker Cells Settings tab in Active Directory.

– Allow administration by - Set the administrators included in the local admin group (GID: 80) on a target computer. Local entries are overwritten unless you also set the policy to Allow admins local entries in the admin group.

Select the Active Directory users and groups to add to the list of administrators. You can select users and groups or you can type a comma-separated list of short domain names with Active Directory account names or group names.

Note: The users and groups that you select must be enabled in the PowerBroker cell containing the target computer.

– Allow admins group local entries - Preserves members of the admin group who are defined locally but are not specified in the Allow administration by policy.


Applying Group Policies from Apple's Profile Manager

You can upload Profile Manager configuration settings to GPMC and deploy the settings to your Mac OS X computers. When the Mac OS X computer joins the domain, the policies defined in the Profile Manager settings are deployed to the computer.

Profile Manager policies are applied on computers running Mac OS X version 10.7 and later. If both Profile Manager and Workgroup Manager policies are in place, then the group policy agent tries to apply both types of policy.

Note: It is not recommended that you use Workgroup Manager and Profile Manager in the same PBIS environment. Results might not be reliable.

Requirements

• Windows Server 2008

• Windows Server 2012

• Windows Server 2012 R2

Importing a Policy

Note that only 1 mobileconfig file is permitted per group policy.

To import a mobileconfig file:

1. In GPME, go to the Mac Settings, and then select Profile Manager Settings.

2. Double-click the policy.

3. Select the Define this policy check box.

4. Click Import, and then navigate to the file.

5. Click Apply.

Note: If the policy is deployed but not applied, try the following:

– Restart the computer

– Restart gpagent

Removing the Policy

To remove the policy:

1. In GPME, go to the Mac Settings, and then select Profile Manager Settings.

2. Double-click the policy.

3. Clear the Define this policy check box, and then click Apply.

The next time you open the policy the mobileconfig contents are no longer displayed.

You can import a new or updated mobileconfig file if needed.
