3.2 Configuring the Optional Settings

The following optional settings can be configured for Mac OS Client:

  • disable_1N: true
    Disables the automatic detection of the username for the Card and PKI methods. For more information, see Disabling 1:N.

  • tenant_name
    Points Mac OS Client to a specific tenant, which is required to use Multitenancy. For more information, see Configuration Settings for Multitenancy.

  • logo_path: <custom_logo_path>
    Customizes the logo of Mac OS Client. For more information, see Customizing a Logo.

  • card.timeout: X
    Changes the default Card waiting time-out duration. For more information, see Configuring Time-Out for Card Waiting.

  • u2f.timeout: X
    Configures the time-out duration for authentication with the U2F token. For more information, see Configuring Time-Out for the U2F Authentication.

  • event_name: <CustomEventName>
    If you want to use both domain-joined and non-domain machines, you can use a custom event for the specific machines. For more information, see Selecting an Event.

  • verifyServerCertificate: true
    Enables verification of the server certificate for the LDAP connection. For more information, see Configuring to Verify Server Certificates.

  • authentication_agent_enabled: true
    Enables the Authentication Agent chain in Mac OS X Client. For more information, see Enabling the Authentication Agent Chain.

  • forceCachedLogon: true
    Enforces the cached login for unlocking the Client. For more information, see Configuring the Enforced Cached Logon.

NOTE: The separator between a setting and its value can be either an equal sign (=) or a colon (:).
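As an added example (not a tool shipped with the Mac OS Client), the following POSIX shell functions read and idempotently set keys in aucore_login.conf, accepting either separator described in the note above. They assume the file holds one key/value pair per line; the file path is the one given in the steps below, and the values in apply_example_settings are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Mac OS Client: read and set keys in
# aucore_login.conf. Assumes one "key: value" or "key=value" pair per line
# (both separators are accepted, as the note above states).
AUCORE_CONF="${AUCORE_CONF:-/Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf}"

# conf_get FILE KEY: print the value of KEY; exit status 1 if KEY is absent.
conf_get() {
  [ -f "$1" ] || return 1
  awk -v k="$2" '
    /^[ \t]*#/ { next }                          # skip comment lines
    { n = match($0, /[:=]/); if (n == 0) next    # first ":" or "=" splits the pair
      name = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (name == k) { print val; found = 1; exit } }
    END { if (found) exit 0; exit 1 }' "$1"
}

# conf_set FILE KEY VALUE: replace an existing KEY line (dropping duplicates)
# or append "KEY: VALUE"; creates FILE if it does not exist, as the steps say.
conf_set() {
  [ -f "$1" ] || : > "$1"
  tmp="$1.tmp.$$"
  awk -v k="$2" -v v="$3" '
    { n = match($0, /[:=]/)
      if (n > 0 && !/^[ \t]*#/) {
        name = substr($0, 1, n - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        if (name == k) {
          if (!done) { print k ": " v; done = 1 }
          next
        }
      }
      print }
    END { if (!done) print k ": " v }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# apply_example_settings FILE: a set of settings from this section that a
# non-domain Mac with card and U2F readers might use (values are illustrative).
apply_example_settings() {
  conf_set "$1" disable_1N true &&
  conf_set "$1" card.timeout 90 &&
  conf_set "$1" u2f.timeout 30 &&
  conf_set "$1" verifyServerCertificate true
}

# Usage (root is needed for the real path; restart the OS afterwards):
#   apply_example_settings "$AUCORE_CONF"
```

Running conf_set twice for the same key leaves a single line, so the script can be re-run safely during configuration management.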

The following sections describe the optional settings in detail:

3.2.1 Disabling 1:N

You can disable the 1:N feature that allows you to detect the user name automatically while authenticating with the Card and PKI methods.

For example, Bob can place the card on the reader to log in to Mac system and authenticate with the Card method automatically without specifying his user name.

To disable the 1:N feature, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Add the parameter disable_1N: true in the file.

  3. Save the changes.

  4. Restart the operating system.

3.2.2 Configuration Settings for Multitenancy

If the Multi-tenancy option is enabled, you must add the parameter tenant_name with a tenant name in the aucore_login.conf file.

To configure a specific tenant name, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the configuration file does not exist, create a new file.

  2. Specify tenant_name: <name of tenant>

    For example, tenant_name: TOP for the TOP tenant.

  3. Save the changes.

  4. Restart the operating system.

NOTE: If you do not add the parameter tenant_name, the error message Tenant not found might be displayed.

3.2.3 Customizing a Logo

You can customize the logo of Mac OS Client according to your requirement. The format of the logo must meet the following requirements:

  • Image format: png, jpg, gif

  • Resolution: 400x400px

  • Maximum file size: 100 KB

To customize the logo, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify the path of the folder where the image file is stored, in the following format:

    logo_path: /Users/<username>/<path_of_the_file>/<file_name>.png

  3. Save the changes.

  4. Restart the operating system.

3.2.4 Configuring Time-Out for Card Waiting

You can configure the duration for which the card waiting dialog is displayed when the user authenticates using the card method. If the user does not present the card for the specified time-out period, the Hardware timeout message is displayed and the card waiting dialog is closed. Then, the user login selection screen is displayed.

By default, the card timeout is 60 seconds.

To configure time-out for card waiting, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify card.timeout: X. X is the timeout value in seconds.

  3. Save the changes.

  4. Restart the operating system.

3.2.5 Configuring Time-Out for the U2F Authentication

You can configure the duration after which the authentication fails if the user does not touch the U2F token for authentication. The default timeout is 60 seconds.

To configure the timeout for U2F authentication, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify u2f.timeout: X in the file. X is the timeout value in seconds.

  3. Save the changes.

  4. Restart the operating system.

3.2.6 Selecting an Event

By default, Mac OS X Client uses the Mac OS logon event for authentication. However, in some scenarios you must create a separate custom event.

For example, when the predefined event is used for domain-joined workstations, you can create a custom event of type Generic for the non-domain-joined workstations.

To configure a custom event for Mac OS X Client, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify event_name: <CustomEventName>

  3. Save the changes.

  4. Restart the operating system.

3.2.7 Configuring to Verify Server Certificates

You can secure the connection between Mac OS X Client and Advanced Authentication servers by verifying the server's SSL certificate, which can be a valid self-signed certificate. This protects the connection against tampering and server impersonation and ensures safe authentication.

To enable verification of the server certificates, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify verifyServerCertificate=true (default value is false).

  3. Save the changes.

  4. Place the server certificate in the Keychain Access.

    NOTE: Ensure that the server certificate is in the .p12 format.

    You must upload the SSL certificate in the Administration portal > Server Options. The SSL certificate provides a high level of encryption, security, and trust. For more information about how to upload the SSL certificate, see Uploading the SSL Certificate.

3.2.8 Enabling the Authentication Agent Chain

You can enable the Authentication Agent chain in the Mac OS X Client to allow users to authenticate with the Authentication Agent on a Windows system. This helps users to get authorized access to a Mac OS X Client that does not support the external devices. To perform such authentication, users must select the Authentication Agent chain from the Chains list of Mac OS X Client to initiate the authentication process on the Windows system where the Authentication Agent is installed.

To enable the Authentication Agent chain on the Mac OS X Client, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify authentication_agent_enabled: true.

  3. Save the changes.

  4. Restart the operating system.

3.2.9 Configuring the Enforced Cached Logon

When the network connection is slow or unstable, the client login or unlock process can take several minutes. A solution to this is to enforce the cached login. The Client connects to the Advanced Authentication server to validate the credentials in the background after the cached login. By default, the enforced cached login is disabled and the Client always connects to the Advanced Authentication server to validate the credentials.

To enforce cached login for Mac OS X Client, perform the following steps:

  1. Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

    If the file does not exist, create a new file.

  2. Specify forceCachedLogon: true (default value is false).

  3. Save the changes.

  4. Restart the operating system.

3.2.10 Binding Mac to Active Directory

You can bind a Mac to Active Directory to enable the Mac system to access user accounts in the Active Directory domain. Domain users can use credentials stored in the Active Directory to get authorized access to Mac system. Perform the following steps to bind Mac to Active Directory:

  1. Click the Apple icon in the upper-left corner.

  2. Click System Preferences > Network.

  3. Click Advanced > DNS.

  4. Double-click an existing record to edit it, or click + in the DNS Servers section.

  5. Specify the IP address of your DNS server.

    For example, 192.168.0.200.

  6. Click + in the Search Domains section.

  7. Specify the FQDN of your domain.

    For example, company.com.

  8. Click OK.

  9. Click Apply in the Network window.

  10. Click System Preferences > Users & Groups.

  11. Click Login Options in the left pane.

  12. Click the lock icon in the lower-left of the screen to unlock and edit the settings.

  13. Specify Username and Password of the local administrator and click Unlock.

  14. Click Join adjacent to the text Network Account Server.

  15. Specify the IP address of Active Directory domain in Server.

    For example, company.com.

  16. Specify AD Admin User and AD Admin Password.

  17. Click OK.

    A green icon is displayed adjacent to your domain name, indicating that the Mac system is joined to the domain.

  18. Click Edit > Open Directory Utility.

  19. Click the lock icon in the lower-left of the Directory Utility screen to unlock and edit the settings.

  20. Specify the Username and Password of the local administrator.

  21. Double-click Active Directory.

  22. Click the show options icon to view the hidden options.

  23. Click Administrative.

  24. Select Allow administration by to grant administrative privileges for members of the Active Directory on the local Mac.

  25. Click OK.

  26. Click the lock icon to prevent further changes.

  27. Close the Directory Utility and Users & Groups screens.

To verify the binding, perform the following steps:

  1. Open Terminal.

  2. Run the following command to log in as an Active Directory user:

    login <UsernameOfActiveDirectoryUser>

    For example, login pjones.

  3. Specify the password. The console switches to the logged in user.

  4. Run the exit command to close the Terminal.

  5. Click the Apple icon in the upper-left corner and select Log Out <username>.

  6. Click Other in the user selection screen to log in as a different domain user.

3.2.11 Enabling the Offline Mode

To enable the offline mode, perform the following steps:

  1. Click the Apple icon in the upper-left corner.

  2. Click System Preferences > Users & Groups.

  3. Select Login Options.

  4. Click the lock icon in the lower-left of the window to unlock and edit the settings.

  5. Specify Username and Password of the local administrator and click Unlock.

  6. Click Edit next to Network Account Server.

  7. Click Open Directory Utility.

  8. Click the lock icon in the lower-left of the window to unlock and edit the settings.

  9. Specify Username and Password of the local administrator and click Unlock.

  10. Double-click Active Directory.

  11. Click the show options icon to view the hidden options.

  12. Select Create mobile account at login.

  13. Click OK.

NOTE: Users must create a mobile account to use Mac OS X Client in the offline (cached) mode. For more information about creating a mobile account, see Creating a Mobile Account for the Offline Mode.

3.2.12 Displaying Other User on the Login Screen in Non-Domain Mode

Open Terminal and run the following command to display Other User on the login screen in the non-domain mode:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE

3.2.13 Creating a Mobile Account for the Offline Mode

To use Mac OS X Client in the offline mode, you must create a mobile account for a domain user. Perform the following steps to create the mobile account for a domain user:

  1. Log in as a domain user.

  2. Click the Apple icon in the upper-left corner and select System Preferences.

  3. Click Users & Groups.

  4. Click the lock icon in the lower-left of the screen to unlock and edit the settings.

  5. Specify Username and Password of the local administrator and click Unlock.

  6. Select the preferred domain user.

  7. Select Create Mobile Account for the User.

  8. Click Create.

    You are logged out of the operating system automatically.