KB Article | Forcepoint Support

Problem Description

What configuration steps are needed to authenticate or identify users of Apple computers, iPhones, and iPads for user- or group-based filtering?

Resolution

The authentication or identification of Mac and iPhone/iPad users for user- or group-based filtering is possible. However, Mac computers and iPhone/iPad devices run significantly different operating systems, so their configuration is explained in separate sections of this article. An FAQ section is included at the end.

Mac computers

Limitations:

  • Authentication and identification require that the Mac users belong to an Active Directory domain.
  • Protocol block messages cannot be displayed on Macs.
  • Remote Filtering Client and Web Endpoint are not supported on certain Mac OS X systems.

If your organization uses DC Agent for transparent user identification, see Enabling transparent identification of Mac users with DC Agent below.

If your organization uses Content Gateway to authenticate users, see Authenticating Mac users with Content Gateway below.

Manual authentication can also be used to enable user- and group-based filtering of Mac users, provided the MacBook is joined to your domain.

iPhones and iPads

  • User identification through DC Agent is not supported. Filtering can be provided to those devices based on source IP address or network range.
  • Proxy-based manual user authentication is supported and user or group-based filtering is possible.
  • Transparent authentication is not supported.

Content Gateway manual user authentication has the following features and restrictions:

  • Users must belong to the associated user directory.
  • Supports the Safari browser. Other browsers may not work as expected.
  • The user is always prompted for credentials.
  • Works in transparent proxy and explicit proxy (Content Gateway) deployments.
  • Many iPhone and iPad apps do not work well with Content Gateway (or any Web proxy) because they are not written to handle proxy user authentication.

Explicit proxy settings can be configured in the iOS Network settings area.


Enabling transparent identification of Mac users with DC Agent

NOTE: The following instructions are valid for v8.3 and earlier. With v8.4 and later, Mac users must be domain users in Windows Active Directory, but no further setup is required.

If the Mac user logs on to the machine with domain credentials without mounting a file share as stated below, DC Agent will not identify the user. In order for DC Agent to identify the user on a Mac workstation, one of the following options will need to be completed.

  1. Configure the Mac to use a file share on the domain controller machine as the user's home directory.
    1. On Mac OS X, click System Preferences > Accounts > Network account server > Join > Open Directory Utility.
    2. Make sure that Active Directory is enabled.
    3. Click the pencil icon and enable Use UNC path from Active Directory to derive network home location.
  2. Mount a Windows file share hosted on the domain controller onto the Mac computer. Enable that file share to reconnect at logon. Refer to Apple documentation for the detailed procedure.

Configuration summary:

  • Ensure that each participating Mac user is a member of a common Active Directory domain. See your Active Directory documentation.
  • Create a home folder for each Mac user, and make sure that it is accessible to the user.

When the user logs on to the properly configured MacOS X system, the Mac mounts a network directory as the user’s home directory. Then the DC Agent user map is populated and user and group-based policies can be applied to user requests. When requests are blocked, browser-based block pages are displayed normally.

Authenticating Mac users with Content Gateway

Content Gateway is the web proxy component of Forcepoint Web Security.

Using the Integrated Windows Authentication feature of Content Gateway, Mac users can be transparently authenticated when the user is a member of an Active Directory domain and the Mac computer is joined to the Active Directory domain.

Configuration summary:

  • Ensure that each Mac computer is joined to the Active Directory domain. (See Typical steps for joining a Mac to an Active Directory domain below.)
  • Ensure that each participating Mac user is a member of a common Active Directory domain. See your Active Directory documentation.
  • Ensure that Content Gateway is joined to the Active Directory domain.

Note: If Content Gateway is not configured for Integrated Windows Authentication, open the Integrated Windows Authentication online help document and apply the configuration instructions. If Content Gateway is already configured for Integrated Windows Authentication and your Mac users belong to the currently joined domain, there is nothing further to do.

If Content Gateway is already configured for Integrated Windows Authentication and your Mac users belong to a different Active Directory domain, use the Rule-based Authentication method.

  • If Content Gateway is a transparent proxy, no additional Mac system or browser configuration is required.
    Safari users may be prompted for credentials the first time they use their browser. They should enter their credentials and select the Remember password in keychain box. They should not be prompted again.

    (Screenshot: Safari prompt for credentials)

Typical steps for joining a Mac to an Active Directory domain

  1. Using an account with Administrator privileges, log on to the Mac computer you want to join to an Active Directory domain.
  2. Open the Directory Utility. On Mac OS X, click System Preferences > Accounts > Network account server > Join > Open Directory Utility.
  3. Select the box next to Active Directory to enable Active Directory support.
  4. Highlight Active Directory and click the pencil icon to configure the Active Directory connection.
  5. Under Domain, enter the Fully Qualified Domain Name (FQDN).
  6. Under Computer ID, enter the computer name.
  7. Click Bind. You are prompted for network credentials and a computer OU.
  8. Type the OU admin account and password, and the computer OU location. For example:
     ou=computers,ou=orgthings,dc=ad,dc=example,dc=com
     Your machine will be bound to the specified Active Directory domain.
  9. Click Apply in the Directory Utility to save your changes and restart the machine.
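The Directory Utility steps above are one machine at a time. The script below is an added example, not a Forcepoint script, showing the command-line equivalent that an administrator would use to bind a fleet of Macs: it performs the Bind/Apply steps of this section with the macOS dsconfigad tool, enables the Use UNC path from Active Directory to derive network home location option from step 1.3 of the DC Agent section, and adds a preflight check that the Mac is bound and holds a Kerberos ticket, which is the state Content Gateway Integrated Windows Authentication depends on. The domain, computer name, join account, OU and the sample dsconfigad output are constructed placeholders; dsconfigad prompts for the join account password when -password is omitted, so the password never appears on the command line.

```shell
#!/bin/sh
# Added example, not a Forcepoint script: command-line equivalent of the Directory
# Utility steps for binding a Mac to Active Directory, plus post-bind checks.
# Assumes dsconfigad(8) and klist(1) as shipped with macOS and a join account that
# may create computer objects in the target OU. All values below are constructed
# placeholders; override them through the environment before running.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"                                # FQDN entered under "Domain"
COMPUTER_ID="${COMPUTER_ID:-$(hostname -s 2>/dev/null || echo mac01)}"  # "Computer ID"
JOIN_USER="${JOIN_USER:-joinadmin}"                                     # OU admin account (password is prompted for)
COMPUTER_OU="${COMPUTER_OU:-ou=computers,ou=orgthings,dc=ad,dc=example,dc=com}"

# Constructed sample of what `dsconfigad -show` prints once bound; used for offline checks.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = ad.example.com
  Computer Account                 = mac01$'

# Accept only a comma-separated chain of ou=/cn=/dc= components, the form shown in step 8.
valid_ou_dn() {
    printf '%s' "$1" | grep -Eiq '^(ou|cn|dc)=[^,=]+(,(ou|cn|dc)=[^,=]+)*$'
}

# Accept a NetBIOS-safe computer name: 1-15 characters, letters, digits and inner hyphens only.
valid_computer_id() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,13}[A-Za-z0-9])?$'
}

# Return 0 when `dsconfigad -show` output ($1) reports the expected domain ($2).
bound_to_domain() {
    dom=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots so the FQDN matches literally
    printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*$dom[[:space:]]*$"
}

# Return 0 when `klist` output ($1) lists a ticket-granting ticket for the domain's realm ($2).
has_tgt_for() {
    dom=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -Eiq "krbtgt/$dom@"
}

# Steps 5 to 9 of the join procedure, then step 1.3 of the DC Agent section.
join_domain() {
    valid_computer_id "$COMPUTER_ID" || { echo "invalid Computer ID: $COMPUTER_ID" >&2; return 2; }
    valid_ou_dn "$COMPUTER_OU"       || { echo "invalid computer OU DN: $COMPUTER_OU" >&2; return 2; }
    # Bind: -force replaces a stale computer object that already uses this name.
    dsconfigad -add "$AD_DOMAIN" -computer "$COMPUTER_ID" -username "$JOIN_USER" \
               -ou "$COMPUTER_OU" -force || return 1
    # Derive the network home from the AD UNC path over SMB, so logon mounts the DC share
    # that DC Agent needs in order to see the user's session.
    dsconfigad -useuncpath enable -protocol smb || return 1
    bound_to_domain "$(dsconfigad -show)" "$AD_DOMAIN"
}

# Post-logon check for the Content Gateway section: bound to the domain and holding a TGT.
preflight() {
    bound_to_domain "$(dsconfigad -show 2>/dev/null)" "$AD_DOMAIN" \
        || { echo "not bound to $AD_DOMAIN" >&2; return 1; }
    has_tgt_for "$(klist 2>/dev/null)" "$AD_DOMAIN" \
        || { echo "no Kerberos TGT for $AD_DOMAIN (run kinit or log on again)" >&2; return 1; }
    echo "ok: bound to $AD_DOMAIN with a valid TGT"
}

case "${1:-}" in
    join)      join_domain ;;
    preflight) preflight ;;
esac
```

Run `sudo sh join-ad.sh join` once per machine (or from your management tool) and `sh join-ad.sh preflight` as the logged-on user before reporting an authentication problem to the proxy team; a missing TGT on the Mac explains most "Content Gateway keeps prompting" cases without touching the proxy at all.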

FAQs

Q: What Websense Web Security functionality is supported?
A: Monitoring, logging, and blocking of Internet requests. Note that protocol block messages cannot be displayed when users are prevented from accessing non-browser-based content (for example, chat tools or streaming media players). The requests are blocked as expected, but no explanatory message is displayed.

Q: Do Mac computers provide Websense log entries for normal logging and reporting?
A: Yes. 

Q: What user identification and authentication methods work for users on Mac OS X systems?
A: Manual authentication, DC Agent transparent identification (MacBook only), and Content Gateway Integrated Windows Authentication (Kerberos with Active Directory) work correctly on Macs for end-user identification and authentication.

Q: If an organization is using Macs within a Windows-based network, will DC Agent or Logon Agent work correctly for transparent user identification?
A: DC Agent can identify users on Mac clients. See Enabling transparent identification of Mac users with DC Agent for details. Logon Agent is supported in Microsoft AD environments; however, it does not work with Mac clients running Websense logon app versions prior to 8.x. Forcepoint 8.x supports Logon Agent on different MacOS versions.

keywords:
mac; apple; safari; iphone; user identification; deployment; kerberos; dcagent; domain; AD; ipad; transparent; xid; logon agent
