Authentication

While Mac computers can be configured to authenticate users to Active Directory (AD) by obtaining and managing Kerberos tickets in much the same way Windows clients do, Mac computers themselves don't typically authenticate to the directory. This creates a disconnect in management capabilities between Windows and Macs, and can significantly impact the ability to create a single sign-on environment. Mac computers may have to authenticate multiple times in multiple-domain environments, and maintain their own local user accounts used to secure resources on the Mac computer.

Both first- and third-party solutions exist to better integrate Macs into AD. Utilities from Apple, included in Mac OS 10.5 and later, focus primarily on user authentication. Many third-party utilities also focus entirely on authentication and don't extend many AD benefits to Macs. For example, they may not support access control or password policy; in some cases, they may not even permit users to change domain passwords from a Mac. They also may not work in complex, multi-forest environments.

Some third-party solutions do provide broader capabilities than authentication, but are often just as Mac-specific as Apple's utilities. If Macs are your only non-Windows platforms, these third-party solutions may be acceptable. However, if you also want to integrate Unix and Linux systems, then having a single "non-Windows integration system" that accepts all of these types of computers can significantly reduce management overhead and cost.

The importance of achieving a single sign-on capability cannot be overemphasized. Maintaining a single credential for each user vastly simplifies identity management (which in turn simplifies overall security, compliance, and maintenance). It also simplifies users' lives, helps prevent forgotten passwords (and the resulting help desk calls), and improves both user productivity and satisfaction.

Policy-based Management

Microsoft's solution for policy-based management is Group Policy, an integrated part of Active Directory that requires significant client-side support from within the Windows operating system. Apple offers a parallel technology called Apple Workgroup Manager; it requires at least one Mac OS X Server-based computer and requires Mac clients to authenticate to that server in order to obtain policy information.

Neither of these systems natively addresses Linux or Unix computers, so you may wind up maintaining two distinct policy-based management infrastructures (one for Windows and one for Mac) and still not address your entire computing base. In addition, Apple and Microsoft handle different settings in different ways, so your two policy systems will never be exactly equal. And simply having two parallel systems opens significant room for error and inconsistency; for example, it is easy to make a change on one system but forget to make the corresponding change in the other system. These errors and inconsistencies can negatively impact security, compliance and stability.

Of the two systems, Group Policy is definitely superior. It is a tiered system that ties to existing AD hierarchies and groups, and many first- and third-party systems extend Group Policy to include versioning, change control, and other manageability benefits. Moreover, Windows environments natively have AD, making Group Policy a free side benefit, but environments with Mac clients do not necessarily have a Mac OS X Server computer. This means additional effort is required to implement Workgroup Manager.