Securing Macs with smart cards in a Windows environment
28 April, 2009
category: Corporate, Digital ID, Government, Library
As government agencies and corporations embrace Macs, software lets CAC, FIPS 201 and .NET cards secure login via Active Directory
Making Mac computers work in a Windows world has never been easy. But as more private-sector companies and U.S. government agencies add Macs into their environment, there’s a growing need for tools that enable them to operate easily and securely in a PC world. The challenges are particularly difficult in Windows-centric environments with heightened security requirements, such as the need to enforce two-factor authentication via smart cards in order to log in to a personal computer.
Sunnyvale, Calif.-based Centrify Corp. offers a solution that enables IT administrators to leverage the same management tools and security policies for Macs that they have for Windows users, says David McNeely, director of product management at Centrify.
Centrify is seeing an increasing number of corporations and government agencies using Mac computers, McNeely says. A company’s vice president comes in with a MacBook and wants her IT staff to support it. But instead of having different staff handle PCs and Macs, especially in tough economic times, there is a need to have one system administrator for both operating systems.
Using Centrify’s DirectControl for Mac OS X, organizations can add Mac computers to their existing Microsoft Windows Active Directory infrastructure. This enables them to centrally manage the authentication, authorization and configuration of Mac OS X systems as well as to lock down the user’s desktop environment. DirectControl has been available for more than three years, McNeely says. It has been installed at Fortune 1000 companies and is used by federal customers.
Centrify is hosting a free webinar on May 7 to talk about DirectControl and how it can be used for strong authentication with smart cards, including the U.S. Department of Defense’s Common Access Card, other FIPS 201 credentials and the .NET cards favored by private-sector companies.
Apple does offer a plug-in so Macs can run in Windows Active Directory, but in order to manage the security settings, preferences and application controls, PC administrators need to use a separate set of Apple tools, McNeely says. “DirectControl enables the PC administrators to use the same Active Directory administrative tools on the Macs that they do on Windows,” he says.
While Centrify has the capability to manage both PCs and Macs in a typical security environment where only a user name and password is used for authentication, it also enables smart cards, such as those required by HSPD-12, to be used on Macs too, McNeely says.
In a PC environment, the smart card is inserted into a reader, the PIN is entered and the domain controller validates the PKI certificate and enables the user to log in and seamlessly access other Active Directory-integrated systems, McNeely says. DirectControl allows the same functionality with a Mac.
“The user experience is the same,” he says. “The PC administrator only needs to install DirectControl on the Mac and turn on a Group Policy to enable smart card login to Active Directory to work.” The Group Policy sets up smart card login as well as the Mac keychain trust for the Certificate Authorities stored in Active Directory, McNeely says, enabling both online and offline login to Active Directory with a smart card.
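The step described above as "the domain controller validates the PKI certificate" is where a smart card login is actually accepted or refused, so it is worth seeing what that validation involves. The following is an added example, not code from Centrify, Apple or Microsoft: a Python script (using the third-party cryptography package) that builds a constructed issuing CA and card certificates, then applies the checks a Kerberos KDC such as an Active Directory domain controller makes on a smart card logon certificate before mapping it to an account: the issuer and signature chain to the trusted CA, the validity window, the Microsoft Smart Card Logon extended key usage (OID 1.3.6.1.4.1.311.20.2.2) and a User Principal Name carried in the subject alternative name (OID 1.3.6.1.4.1.311.20.2.3). The CA name, the UPN jdoe@corp.example and the error strings are assumptions chosen for illustration; revocation checking, which a real domain controller also performs, is left out.

```python
"""Added example (not Centrify/Apple/Microsoft code): the checks a KDC applies
to a smart card logon certificate before mapping it to a directory account.
CA name, UPNs and error strings are illustrative assumptions."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Well-known Microsoft OIDs used for smart card logon.
SMARTCARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
UPN_OTHERNAME = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
ISSUED = datetime.datetime(2009, 4, 28, tzinfo=datetime.timezone.utc)


def build_ca(name="Example Corp Issuing CA"):
    """Constructed stand-in for the issuing CA published in Active Directory."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(ISSUED)
            .not_valid_after(ISSUED + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_card_cert(ca_key, ca_cert, upn, with_logon_eku=True, days=730):
    """Constructed stand-in for the certificate on the user's card."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ekus = [ExtendedKeyUsageOID.CLIENT_AUTH] + ([SMARTCARD_LOGON] if with_logon_eku else [])
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode("ascii")  # DER UTF8String (short form)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(ISSUED)
            .not_valid_after(ISSUED + datetime.timedelta(days=days))
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .add_extension(x509.SubjectAlternativeName(
                [x509.OtherName(UPN_OTHERNAME, upn_der)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def check_logon_cert(cert, ca_cert, now):
    """Return the UPN the card certificate maps to, or raise ValueError."""
    if cert.issuer != ca_cert.subject:
        raise ValueError("issuer is not the trusted CA")
    try:  # a matching issuer name is not enough: the signature must chain to the CA key
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        raise ValueError("signature does not verify under the CA key")
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        raise ValueError("certificate outside validity period")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        raise ValueError("no extended key usage")
    if SMARTCARD_LOGON not in eku:
        raise ValueError("certificate is not enabled for smart card logon")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        raise ValueError("no subject alternative name")
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OTHERNAME and other.value[:1] == b"\x0c":
            return other.value[2:2 + other.value[1]].decode("utf-8")
    raise ValueError("no UPN in certificate")


def demo():
    """Run the checks over a good card, a card without the logon EKU, a card from a
    rogue CA with the same name, and an expired card; return each outcome."""
    ca_key, ca_cert = build_ca()
    now = datetime.datetime(2009, 5, 7, tzinfo=datetime.timezone.utc)
    cases = {
        "good": issue_card_cert(ca_key, ca_cert, "jdoe@corp.example")[1],
        "no_eku": issue_card_cert(ca_key, ca_cert, "jdoe@corp.example", with_logon_eku=False)[1],
        "rogue_ca": issue_card_cert(*build_ca(), "admin@corp.example")[1],
        "expired": issue_card_cert(ca_key, ca_cert, "jdoe@corp.example", days=1)[1],
    }
    results = {}
    for label, cert in cases.items():
        try:
            results[label] = "accepted as " + check_logon_cert(cert, ca_cert, now)
        except ValueError as err:
            results[label] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} {outcome}")
```

The rogue-CA case is the one to note: its issuer name is identical to the trusted CA's, so a check that compared names alone would accept it; only the signature verification against the key actually stored in the directory's trust store rejects it. The same distinction applies on the Mac side when the Group Policy populates the keychain with the Active Directory certificate authorities for offline login.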