In our 16.6 Centrify Identity Service release, we are introducing a new Centrify Agent for Macs specifically geared to enhancing management for Macs enrolled in the Centrify Identity Service in the cloud. This new agent will serve as a foundational component for Centrify to deliver additional Mac management capabilities beyond what we can currently accomplish without an agent. This first release of the new Centrify Agent for Mac will deliver the following features and improvements:
- Simplified Mac cloud enrollment
  - The new agent delivers a cleaner user experience for enrolling a Mac for management with Centrify.
- Location tracking for Macs
  - Users will now see the location of their Macs in the Centrify User Portal in the same way they can currently see the location of their enrolled mobile devices. As in the case of location for mobile devices, this location is currently only available for end users to view. Location is important not only for when you have misplaced your Mac, but will also be used to help determine where an application or resource is being accessed from.
- True Single Sign-On for Macs
  - As a part of the installation of the new Mac agent, we are deploying a user-specific certificate that will allow for a true single sign-on experience when users are accessing the Centrify User Portal or any resource or application that has federated authentication to Centrify.
  - This means you don’t have to go through the Centrify User Portal to experience seamless authentication: you can open your favorite browser and just type the URL of the service, or click a link in a document or email. Once that service has identified your service domain or user, it will forward to its configured Identity Provider authentication page, where we will discover the configured certificate. That certificate tells us that the device is managed and secured by Centrify, and we allow the user to go straight through to the desired resource.
Enabling Mac Enrollment and the new Mac Agent
The new Centrify Mac agent replaces our existing web enrollment for Macs. This feature is optional and can be enabled in our cloud policy by enabling Mac enrollment. Users can be prompted to enroll their Macs whenever they visit the user portal from a Mac that is not currently enrolled.
An Important Note for Already Enrolled Users
If you have a Mac that was previously enrolled for management with the Centrify Identity Service without the new Centrify Mac Agent, upon running the new agent you will see a message that says you are already enrolled. The user will need to unenroll first before proceeding with the new agent enrollment. This step of unenrolling can be initiated by the end user as a part of the new agent, or via the user portal or admin portal as a device action. See the screenshot below for what the user will see when the agent is run.
Centrify Mac Agent End User Experience
(Note: You can see a video capture of the end user experience of the enrollment process here: https://www.youtube.com/watch?v=W4UJ3tumBQA)
If you have enabled the policy to prompt users to enroll their device, the next time they visit the Centrify User Portal from a Mac they will see the following:
If the user chooses to proceed with enrollment, they will be reminded that this is intended for personal systems only and not intended for shared systems.
Upon continuing with the enrollment process, the new Centrify Mac Agent will be downloaded to the user’s system in the form of a .dmg file.
Once they have completed the download and run it, they will begin the new enrollment process. The user will be asked to enter their username and password and any additional factors of authentication required. This will follow the same rules that apply for the user to access the Centrify User Portal.
Upon successful authentication, the user will be asked if they accept the EULA and would like to proceed with enrollment. The user will be prompted to enter credentials for an administrative account in order to complete the enrollment.
Once enrollment has completed, there is just one more step required to configure Safari appropriately to leverage the newly provisioned ZSO certs (Zero Sign-on).
Once enrollment has completed, the user will notice the management profiles and certificates under the “Profiles” section of System Preferences.
Once complete, the user will have a new application installed which is a shortcut to the Centrify User Portal and one for the Centrify Apps for enterprise apps. Following these shortcuts and/or accessing any other applications that federate authentication to the Centrify Identity Service should result in access without the need for additional authentication, unless the application or portal has been specifically configured to require MFA. This experience will be true for Safari, Chrome and Firefox browsers.