The following table describes the optional settings that you can configure for Mac OS Client:

Setting | Description
---|---
disable_1N: true | Disables the automatic detection of the user name for the Card and PKI methods. For more information, see Disabling 1:N.
tenant_name: <name of tenant> | Required when Multitenancy is enabled; points Mac OS Client to a specific tenant. For more information, see Configuration Settings for Multitenancy.
logo_path: <custom_logo_path> | Replaces the Mac OS Client logo with a custom image. For more information, see Customizing a Logo.
card.timeout: X | Changes the default Card waiting time-out (X in seconds). For more information, see Configuring Time-Out for Card Waiting.
u2f.timeout: X | Sets the time-out for authentication with the U2F token (X in seconds). For more information, see Configuring Time-Out for the U2F Authentication.
event_name: <CustomEventName> | Uses a custom event on specific machines, for example when both domain-joined and non-domain machines are in use. For more information, see Selecting an Event.
verifyServerCertificate: true | Enables verification of the server certificate for the LDAP connection. For more information, see Configuring to Verify Server Certificates.
authentication_agent_enabled: true | Enables the Authentication Agent chain in Mac OS X Client. For more information, see Enabling the Authentication Agent Chain.
forceCachedLogon: true | Enforces cached logon when unlocking the Client. For more information, see Configuring the Enforced Cached Logon.

NOTE: The separator between a setting and its value can be either an equals sign (=) or a colon (:).
The following optional settings are described in their own sections:
To bind the Mac to an Active Directory domain, see Binding Mac to Active Directory.
To force offline login manually for users, see Enabling the Offline Mode.
To display Other User on the login screen in the non-domain mode, see Displaying Other User on the Login Screen in Non-Domain Mode.
To create a mobile account, see Creating a Mobile Account for the Offline Mode.
You can disable the 1:N feature, which detects the user name automatically when the user authenticates with the Card or PKI method.
For example, with 1:N enabled Bob can place his card on the reader to log in to the Mac with the Card method without specifying his user name; with 1:N disabled he must enter the user name first.
To disable the 1:N feature, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Add the parameter disable_1N: true in the file.
Save the changes.
Restart the operating system.
If the Multi-tenancy option is enabled, you must add the parameter tenant_name with a tenant name in the aucore_login.conf file.
To configure a specific tenant name, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the configuration file does not exist, create a new file.
Specify tenant_name: <name of tenant>
For example, tenant_name: TOP for the TOP tenant.
Save the changes.
Restart the operating system.
NOTE: If you do not add the parameter tenant_name, the error message Tenant not found might be displayed.
You can replace the logo of Mac OS Client with your own image. The image must meet the following requirements:
Image format: png, jpg, or gif
Resolution: 400x400 px
Maximum file size: 100 KB
To customize the logo, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify the full path of the image file in the following format (the file must be readable at the login window, before any user is logged in):
logo_path: /Users/<username>/<path_of_the_file>/<file_name>.png
Save the changes.
Restart the operating system.
You can configure how long the card waiting dialog is displayed when the user authenticates with the Card method. If the user does not present the card within the time-out period, the Hardware timeout message is displayed, the card waiting dialog closes, and the user login selection screen is displayed.
By default, the card timeout is 60 seconds.
To configure time-out for card waiting, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify card.timeout: X. X is the timeout value in seconds.
Save the changes.
Restart the operating system.
You can configure the duration after which authentication fails if the user has not touched the U2F token. The default time-out is 60 seconds.
To configure the timeout for U2F authentication, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify u2f.timeout: X in the file. X is the timeout value in seconds.
Save the changes.
Restart the operating system.
By default, Mac OS X Client uses the Mac OS logon event for authentication. Some scenarios, however, require a separate custom event.
For example, when the predefined event is used for domain joined workstations, you can create a custom event with type Generic for the non-domain joined workstations.
To configure custom event for Mac OS X Client, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify event_name: <CustomEventName>
Save the changes.
Restart the operating system.
You can secure the connection between Mac OS X Client and the Advanced Authentication servers by making the Client verify the server's SSL certificate, which can be a valid self-signed certificate. With verification disabled (the default), the Client accepts whatever certificate the server presents, so an attacker who can intercept the traffic can impersonate the server; with verification enabled, the Client only completes authentication against a server whose certificate it trusts, which defeats such man-in-the-middle attacks.
To enable verification of the server certificates, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify verifyServerCertificate=true (default value is false).
Save the changes.
Add the server certificate to Keychain Access.
NOTE: Ensure that the server certificate is in the .p12 format. Because a .p12 bundle can also carry the private key, restrict access to the file and delete it after the import.
You must also upload the same SSL certificate in the Administration portal > Server Options so that the server uses it for its connections. For more information about how to upload the SSL certificate, see Uploading the SSL Certificate.
You can enable the Authentication Agent chain in Mac OS X Client to let users authenticate through the Authentication Agent on a Windows system. This gives users authorized access to Mac OS X Client on a Mac that does not support the required external devices. To authenticate this way, the user selects the Authentication Agent chain from the Chains list of Mac OS X Client, which initiates the authentication process on the Windows system where the Authentication Agent is installed.
To enable the Authentication Agent chain on the Mac OS X Client, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify authentication_agent_enabled:true.
Save the changes.
Restart the operating system.
When the network connection is slow or unstable, the client login or unlock process can take several minutes. A solution to this is to enforce the cached login: the Client admits the user from the cached credentials first and connects to the Advanced Authentication server to validate them in the background afterwards. Note the trade-off: because access is granted before the server has confirmed the credentials, a change made at the server (such as a disabled account) takes effect only when the background validation runs. By default, the enforced cached login is disabled and the Client always connects to the Advanced Authentication server to validate the credentials before granting access.
To enforce cached login for Mac OS X Client, perform the following steps:
Open the configuration file /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.
If the file does not exist, create a new file.
Specify forceCachedLogon: true (default value is false).
Save the changes.
Restart the operating system.
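Every procedure on this page that edits aucore_login.conf (the separator note under the settings table, and the verifyServerCertificate and forceCachedLogon procedures above) reduces to the same few shell operations: create the file if it is missing, set one key without duplicating it, and read the result back. The following helper script is an added example and is not part of the Advanced Authentication product or its documentation. It assumes the one-setting-per-line key: value / key = value format the separator note describes; the AUCORE_CONF variable and the function names are this example's own, introduced so the helpers can be pointed at a scratch copy instead of the live file. Besides setting and reading keys, it audits the two settings with security consequences discussed above: a missing or non-true verifyServerCertificate, and forceCachedLogon set to true.

```shell
#!/bin/sh
# Added example: helpers to edit and audit aucore_login.conf from a shell.
# Not part of the Advanced Authentication product. Assumes "key: value" or
# "key = value" lines, one setting per line. AUCORE_CONF is a hypothetical
# override used here only so the functions can work on a scratch copy.
CONF="${AUCORE_CONF:-/Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf}"

# Escape regex metacharacters in a key so that card.timeout does not match cardXtimeout.
_aucore_re() {
    printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# aucore_get KEY [FILE]: print the value of KEY (last occurrence wins, either
# separator accepted); exit 1 when the key is absent or empty.
aucore_get() {
    key="$1"; file="${2:-$CONF}"
    re=$(_aucore_re "$key")
    val=$(grep -E "^[[:space:]]*${re}[[:space:]]*[:=]" "$file" 2>/dev/null \
          | tail -n 1 \
          | sed -E 's/^[^:=]*[:=][[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# aucore_set KEY VALUE [FILE]: rewrite an existing line for KEY in place
# (whichever separator it used) or append "KEY: VALUE"; creates the file if
# it does not exist. Idempotent, so it is safe in a configuration-management run.
aucore_set() {
    key="$1"; value="$2"; file="${3:-$CONF}"
    if [ ! -f "$file" ]; then
        mkdir -p "$(dirname "$file")"
        : > "$file"
    fi
    re=$(_aucore_re "$key")
    tmp="${file}.tmp.$$"
    if grep -Eq "^[[:space:]]*${re}[[:space:]]*[:=]" "$file"; then
        sed -E "s|^[[:space:]]*${re}[[:space:]]*[:=].*|${key}: ${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s: %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# aucore_audit [FILE]: print one WARN line per risky setting; the return value
# is the number of warnings (0 means clean).
#   - verifyServerCertificate missing or not "true": the Client accepts any
#     server certificate, so the connection can be intercepted.
#   - forceCachedLogon true: users are admitted from cache before the server
#     has validated them.
aucore_audit() {
    file="${1:-$CONF}"; warnings=0
    vsc=$(aucore_get verifyServerCertificate "$file" || echo false)
    if [ "$vsc" != "true" ]; then
        echo "WARN verifyServerCertificate=$vsc (default false): server certificate is not verified"
        warnings=$((warnings + 1))
    fi
    fcl=$(aucore_get forceCachedLogon "$file" || echo false)
    if [ "$fcl" = "true" ]; then
        echo "WARN forceCachedLogon=true: cached logon is granted before online validation"
        warnings=$((warnings + 1))
    fi
    return "$warnings"
}

# Run directly with two arguments to set a key in the live file (needs root):
#   sudo sh aucore_conf.sh verifyServerCertificate true
if [ "$#" -ge 2 ]; then
    aucore_set "$1" "$2"
    aucore_audit
fi
```

The exit status of aucore_audit is the number of warnings, which makes it easy to wire into a compliance check. As with the manual procedures on this page, the Client still needs an operating-system restart before it reads a changed setting.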
You can bind a Mac to Active Directory to enable the Mac system to access user accounts in the Active Directory domain. Domain users can use credentials stored in the Active Directory to get authorized access to Mac system. Perform the following steps to bind Mac to Active Directory:
Click Apple icon in the upper-left corner.
Click System Preferences > Network.
Click Advanced > DNS.
Double click an existing record to edit it or click + in DNS Servers section.
Specify the IP address of your DNS server.
For example, 192.168.0.200.
Click + in the Search Domains section.
Specify the FQDN of your domain.
For example, company.com.
Click OK.
Click Apply in the Network window.
Click System Preferences > Users & Groups.
Click Login Options in the left pane.
Click the lock icon in lower-left of the screen to unlock and edit the settings.
Specify Username and Password of the local administrator and click Unlock.
Click Join adjacent to the text Network Account Server.
Specify the Active Directory domain name in Server.
For example, company.com.
Specify AD Admin User and AD Admin Password.
Click OK.
A green icon is displayed adjacent to your domain name, indicating that the Mac system is joined to the domain.
Click Edit > Open Directory Utility.
Click the lock icon in lower-left of the Directory Utility screen to unlock and edit the settings.
Specify Username and Password of local administrator.
Double click the Active Directory.
Click the show options icon to view the hidden options.
Click Administrative.
Select Allow administration by and list the Active Directory groups that should receive administrative privileges on the local Mac. Keep this list short, because every member of a listed group becomes a local administrator.
Click OK.
Click the lock icon to prevent further changes.
Close the Directory Utility and Users & Groups screens.
To verify the binding, perform the following steps:
Open Terminal.
Run the following command to log in as an Active Directory user:
login <UsernameOfActiveDirectoryUser>
For example, login pjones.
Specify the password. The console switches to the logged in user.
Run exit to end the domain user's session and return to your own, then close the Terminal.
Click the Apple icon in upper-left corner and select Log Out <username>.
Click Other in the user selection screen to log in as a different domain user.
Click the Apple icon in upper-left corner.
Click System Preferences > Users & Groups.
Select Login Options.
Click the lock icon in lower-left of the window to unlock and edit the settings.
Specify Username and Password of the local administrator and click Unlock.
Click Edit next to Network Account Server.
Click Open Directory Utility.
Click the lock icon in lower-left of the window to unlock and edit the settings.
Specify Username and Password of the local administrator and click Unlock.
Double click Active Directory.
Click the show options icon to view the hidden options.
Select Create mobile account at login.
Click OK.
NOTE: Users must have a mobile account to use Mac OS X Client in the offline (cached) mode. For more information about creating a mobile account, see Creating a Mobile Account for the Offline Mode.
Open the terminal and run the following command to display Other User on the login screen of the non-domain mode:
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE
To use Mac OS X Client in the offline mode, you must create a mobile account for a domain user. Perform the following steps to create the mobile account for a domain user:
Log in as a domain user.
Click the Apple icon in the upper-left corner and select System Preferences.
Click Users & Groups.
Click the lock icon in lower-left of the screen to unlock and edit the settings.
Specify Username and Password of the local administrator and click Unlock.
Select the preferred domain user.
Select Create Mobile Account for the User.
Click Create.
The user is logged out automatically when the mobile account has been created.