Review: Direct Control for administering Macs in a Windows world

Computerworld - Centrify's Direct Control for Mac is a complete solution for Active Directory environments in which you have to support Mac clients and need secure access to Mac OS X system components or must manage the user environment.

Direct Control allows you to join Mac OS X computers, as well as other versions of Unix/Linux, to Active Directory. You can organize them and delegate administration via organizational units known as zones. And you can manage them using a series of group policies specifically designed to work with Apple's managed preferences model.

Overview

Direct Control for Mac fulfills a common need. Although Macs typically make up a small fraction of the total number of PCs in a corporate network, they often still need access to the resources of that network. And they still need to be controlled and secured according to company policies and government regulations.

Apple does include some Active Directory support in Mac OS X. But that support is limited to letting users log into a Mac workstation using an Active Directory account. It provides very little support for securing local resources -- although, by default, it doesn't grant Active Directory users local administrator access, so there is some safeguard. But it provides no support for configuring a managed user environment.

Another major limitation is that Apple's Active Directory solution uses LDAP rather than Microsoft's ADSI protocol when authenticating users, and it doesn't support signed LDAP communication. This means that you must lower the domain security policy for Windows 2003 Server to support Mac clients, which can expose an Active Directory domain to increased risk of network attacks.

Direct Control for Mac offers full support for signed communication with Active Directory, although it does rely on Apple's variation of Samba to provide access to file shares and print queue, and this version of Samba doesn't support signed communication. Also, Directory Access uses the ADSI protocol. Further, Direct Control extends Active Directory's smart-card authentication support to work seamlessly with Mac OS X.

More important, Direct Control offers several server-side components that allow you to fully support Mac users by assigning the user ID (UID) and group ID (GID) attributes that Mac OS X relies upon for user identification and file permissions.

While all the above features make Direct Control for Mac a tempting solution, the fact that it includes a range for group policies that can be used to secure and manage the Mac OS X environment is what makes it an excellent solution.

Direct Control for Mac uses group policies that integrate with the client-side components of Apple's managed preference environment. The icing on the cake for Windows administrators is that Direct Control integrates well with Active Directory; managing Mac workstations has the same familiar feel as managing Windows PCs.