Authenticating or identifying Apple users for user or group-based filtering
- Article Number: 000005102
- Products: Forcepoint URL Filtering, Forcepoint Web Security, TRITON AP-WEB, Web Filter & Security
- Version: 8.5, 8.4, 8.3
- Last Published Date: February 12, 2021
What configuration steps are needed to authenticate or identify users of Apple computers, iPhones, and iPads for user- or group-based filtering?
Mac and iPhone/iPad users can be authenticated or identified for user- or group-based filtering. However, Mac computers and iPhone/iPad devices use significantly different operating systems, so their configuration is explained in separate sections of this article. This article also includes an FAQ section below.
If your organization uses DC Agent for transparent user identification, see Enabling transparent identification of Mac users with DC Agent below.
If your organization uses Content Gateway to authenticate users, see Authenticating Mac users with Content Gateway below.
Manual authentication can also be used to enable user- and group-based filtering of Mac users, provided the MacBook is joined to your domain.
iPhones and iPads
Content Gateway manual user authentication has the following features and restrictions:
Explicit proxy settings can be configured in the iOS Network settings area.
NOTE: The following instructions are valid for v8.3 and earlier. With v8.4 and later, Mac users must be domain users in Windows Active Directory, but no further setup is required.
When the user logs on to the properly configured Mac OS X system, the Mac mounts a network directory as the user’s home directory. The DC Agent user map is then populated, and user- and group-based policies can be applied to user requests. When requests are blocked, browser-based block pages are displayed normally.
Content Gateway is the web proxy component of Forcepoint Web Security.
Using the Integrated Windows Authentication feature of Content Gateway, Mac users can be transparently authenticated when the user is a member of an Active Directory domain and the Mac computer is joined to the Active Directory domain.
Note: If Content Gateway is not configured for Integrated Windows Authentication, open the Integrated Windows Authentication online help document and apply the configuration instructions. If Content Gateway is already configured for Integrated Windows Authentication and your Mac users belong to the currently joined domain, there is nothing to do.
If Content Gateway is already configured for Integrated Windows Authentication and your Mac users belong to a different Active Directory domain, use the Rule-based Authentication method.
Your machine will be bound to the specified Active Directory.
Q: What Websense Web Security functionality is supported?
A: Monitoring, logging, and blocking of Internet requests. Note that protocol block messages cannot be displayed when users are prevented from accessing non-browser-based information (for example, chat tools or streaming media players). The requests are blocked as expected, but no explanatory message is displayed.
Q: Do Mac computers provide Websense log entries for normal logging and reporting?
Q: What user identification and authentication methods work for users on Mac OS X systems?
A: Manual authentication, DC Agent transparent identification (MacBook only), and Content Gateway Integrated Windows Authentication (Kerberos with Active Directory) work correctly on Macs for end-user identification and authentication.
Q: If an organization is using Macs within a Windows-based network, will DC Agent or Logon Agent work correctly for transparent user identification?
A: DC Agent can identify users on Mac clients. See Enabling transparent identification of Mac users with DC Agent for details. Logon Agent is supported in Microsoft AD environments; however, it does not work with Mac clients running Websense logon app versions prior to 8.x. Forcepoint 8.x supports Logon Agent for different macOS versions.