Understanding group policies and system preferences

In many organizations that have both Windows and Mac computers, administrators want to manage settings for all of their computers and users with a standard set of tools. In a Windows environment, the standard method for managing computer and user configuration settings is through Group Policy Objects applied to the appropriate site, domain, or organizational unit (OU) for different sets of computer and user accounts.

Centrify provides this capability for Mac computers and users through a group policy extension. The Centrify administrative template for Mac OS X (centrify_mac_settings.xml or centrify_mac_settings.adm) provides group policies that can be applied from a Windows server to control Mac OS X settings and behavior. These group policies can be applied to Mac OS X computers and to users who log on to those computers.

Through the Centrify administrative template for Mac OS X, Windows administrators using the Group Policy Management Editor can centrally access and control native Mac system preferences.

In the current Centrify administrative template for Mac OS X, Centrify group policies control settings for Personal, Hardware, Internet & Network, and System preferences, including:

  • Accounts, (General) Appearance, Desktop & Screen Saver, Dock, Energy Saver, Network, Security & Privacy, Sharing, Software Update, and so on.

When you enable a group policy in a Windows Group Policy Object, you effectively set a corresponding system preference on the local Mac computer where the group policy is applied. For example, if you enable the group policy Computer Configuration > Centrify Settings > Mac OS X Settings > Security > Require password to unlock each secure system preference, it is the same as selecting the General tab of the Security & Privacy system preference, then clicking the Require an administrator password to access system preferences with lock icons option on a local Mac OS X computer. Once the group policy is enabled in the Windows Group Policy Object and updated on the local Mac computer, the corresponding option is checked.

In addition to the system preferences that are typically set on individual computers, there are many Mac configuration settings that are typically set from a Mac OS X server using the Workgroup Manager. These workgroup policies control application or media access, synchronization rules for mobile user accounts, the look and operation of the Dock, and other settings. The Centrify administrative template for Mac provides centralized access to many of these Workgroup Manager settings, including Applications, Dock, Media Access, Mobility, Software Update, and System Preferences.

Note: Not all group policies apply to all versions of the Mac operating environment or all computer models. If a particular system preference does not exist, is not applicable to the installed operating system, or is implemented differently on some computers, the group policy setting may be ignored or overridden by a local setting.

Group policies are available after you install the Centrify administrative template for Mac as described in Installing the administrative template. After you install the administrative template, the Windows administrator can use Active Directory MMC snap-ins or the Group Policy Management Console to create and link Group Policy Objects to sites, domains, or organizational units that include Mac computers that are joined to an Active Directory domain. Administrators can then use the Group Policy Management Editor to enable and configure the specific policies they want to enforce on Mac computers that are joined to the Active Directory domain.

For more information about using Active Directory Users and Computers or the Group Policy Management Console to create and link Group Policy Objects to sites, domains, or OUs, see the Group Policy Guide. You can also refer to the Group Policy Guide for more information about how to add other Centrify administrative templates to a Group Policy Object.