Verify Privilege Server Suite for Mac 2022 Release Notes
Verify Privilege Server Suite for Mac, Active Directory-based authentication, single sign-on and group policy support for the Macintosh platform.
Verify Privilege Server Suite for Mac is a part of Delinea software and is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962.
What's Included in this Release
-
CentrifyDC-5.9.0-mac10.15.dmg– A Mac disk image for macOS 12.x, 11.x, and 10.15 containing the following:
- AD Check.app – Graphical application to perform environment checks before installing Verify Privilege Server Suite on macOS 12.x, 11.x, and 10.15
- CentrifyDC-5.9.0-x86_64.pkg – Graphical installer of Verify Privilege Server Suite for Macs (valid on both Intel and M1) on macOS 12.x, 11.x, and 10.15
Supported Platforms and System Requirements
The Verify Privilege Server Suite for Mac in the applicable package can be installed on the following versions of the macOS operating system:
-
macOS 12.x on both Intel and M1
-
macOS 11.x on both Intel and M1
-
macOS 10.15.x on Intel
Installing on macOS 12 Monterey
If you are running the current release of Verify Privilege Server Suite, you MUST UPGRADE Verify Privilege Server Suite BEFORE upgrading your Mac to OS 12 Monterey.
Follow these steps
- Download the Verify Privilege Server Suite package for macOS.
- Upgrade Verify Privilege Server Suite for macOS using the package you downloaded.
- Upgrade to macOS 12.
Setting Full Disk Access for the DirectControl Agent
Due to a limitation of macOS 11.x and macOS 12.x, “Full Disk Access” is required for the DirectControl Agent for Mac. You can configure this yourself if you're an administrator on the computer, or you can set it by way of your MDM (Mobile Device Management) provider.
-
To configure full disk access as an administrator:
-
Log in to the Mac as an admin user.
-
Open “System Preferences”.
-
Click “Security & Privacy”.
-
Click “Privacy”.
-
Click the “Lock” button to input password or use TouchID to unlock.
-
Scroll down a little bit on the left list, find and select “Full Disk Access”.
-
Click the “Plus” button.
-
Press and hold these three keys together: shift + command + G.
-
Input the path "/usr/local/sbin/adclient" and click “GO”, then click “Open” to add it.
-
Repeat step 7 and 8, then input the path "/Applications/Utilities/Centrify/AD Join Assistant.app" and click “GO”, then click “Open” to add it.
-
Repeat step 7 and 8, then input the path "/Applications/Utilities/Centrify/Smart Card Assistant.app" and click “GO”, then click “Open” to add it.
-
Click the “Lock” button again to lock.
-
-
Configure full disk access through your MDM provider. Contact your MDM provider for more information.
Your MDM provider will need the following information:
% codesign -dv /usr/local/sbin/adclient
Executable=/usr/local/sbin/adclient
Identifier=adclient
...
% codesign -dr - /usr/local/sbin/adclient
Executable=/usr/local/sbin/adclient
designated => identifier adclient and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "64CT837G5Z"
% codesign -dv /Applications/Utilities/Centrify/AD\ Join\ Assistant.app
Executable=/Applications/Utilities/Centrify/AD Join Assistant.app/Contents/MacOS/AD Join Assistant
Identifier=com.centrify.cdc.centrifyjoinassistant
...
% codesign -dr - /Applications/Utilities/Centrify/AD\ Join\ Assistant.app
Executable=/Applications/Utilities/Centrify/AD Join Assistant.app/Contents/MacOS/AD Join Assistant
designated => identifier "com.centrify.cdc.centrifyjoinassistant" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "64CT837G5Z"
% codesign -dv /Applications/Utilities/Centrify/Smart\ Card\ Assistant.app
Executable=/Applications/Utilities/Centrify/Smart Card Assistant.app/Contents/MacOS/SCTool
Identifier=com.centrify.cdc.smartcardassistant
...
% codesign -dr - /Applications/Utilities/Centrify/Smart\ Card\ Assistant.app
Executable=/Applications/Utilities/Centrify/Smart Card Assistant.app/Contents/MacOS/SCTool
designated => identifier "com.centrify.cdc.smartcardassistant" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "64CT837G5Z"
Feature Changes and Notable Fixes in this Release
- The application “Centrify Join Assistant” is renamed “AD Join Assistant”.
Known macOS Issues
Known macOS 12.x Monterey and macOS 11.x Big Sur Issues
-
As of macOS Big Sur, Apple no longer permits to silently install configuration profiles. It affects the following GPs and they will not work on macOS Big Sur:
- GP "Install MobileConfig Profiles"
- GP "Enable Profile Custom Settings"
- GP "Require password to wake this computer from sleep or screen saver"
- GP "Enable Machine Ethernet Profile"
- GP "Enable Machine Wi-Fi Profile"
- GP "Enable User Ethernet Profile"
- GP "Enable User Wi-Fi Profile"
-
When upgrading Mac from macOS 10.14 or lower to macOS 10.15 or higher, the CentrifyDC must be reinstalled, no need to leave the domain or uninstall the old CentrifyDC.
-
Network user cannot work on macOS 10.15 and higher. We suggest using mobile user or general AD user instead.
-
When mobile user first-ever login on macOS Big Sur and higher, maybe cannot set up Touch ID for adding fingerprints. Just need to re-login to work.
Apple Support has provided the following resolutions:
- Reset the SMC of Mac: https://support.apple.com/en-us/HT201295
- Reset NVRAM or PRAM on Mac: https://support.apple.com/en-us/HT204063
Known macOS 10.15 Catalina Issues
-
When upgrading Mac from macOS 10.14 or lower to macOS 10.15 or higher, the CentrifyDC must be reinstalled, no need to leave the domain or uninstall the old CentrifyDC.
-
Network user cannot work on macOS 10.15 and higher. We suggest using mobile user or general AD user instead.
Notice of Terminiation of Support
Verify Privilege Server Suite has discontinued support for Mac OS 10.14.x, 10.13.x, 10.12.x, and 10.11.x from this release on of Verify Privilege Server Suite for Mac.
Additional Information and Support
In addition to the documentation provided with this package, see the IBM Security Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone.
The IBM Security Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of IBM Security products. For more information, see the IBM Security Resources web site.
You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone. To contact IBM Security Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating IBM Security products, send email to info@delinea.com.