Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication > Mac and iPhone/iPad authentication
Mac and iPhone/iPad authentication
TRITON AP-WEB solutions can be used to authenticate or identify Mac and iPhone/iPad users for user- or group-based filtering.
For Mac computers, see:
*
Authentication for Mac computers
*
Enabling transparent identification of Mac users with DC Agent
*
Authenticating Mac users with Content Gateway
*
Typical steps for joining a Mac to an Active Directory domain
For iPhones/iPads, see:
*
Authentication for iPhones and iPads
For a list of Frequently Asked Questions regarding Mac and iPhone/iPad authentication, see this article.
Authentication for Mac computers
TRITON AP-WEB solutions can be used to authenticate or identify Mac users for user- or group-based filtering. These restriction apply:
*
Authentication and identification require that users belong to an Active Directory.
*
Protocol block messages cannot be displayed on Macs.
If your organization uses DC Agent for transparent user identification, see Enabling transparent identification of Mac users with DC Agent.
If your organization uses Logon Agent for transparent user identification, see Deploying the logon application for Mac clients.
If your organization uses Content Gateway to authenticate users, see Authenticating Mac users with Content Gateway.
Manual (prompted) authentication can also be used to enable user and group-based filtering of Mac users.
Enabling transparent identification of Mac users with DC Agent
In order for DC Agent to identify the user on a Mac workstation, the Mac must mount a file share on the domain controller. This can be done by configuring the Mac to use a file share on the domain controller machine as the user's home directory, or by mounting another share with the domain controller.
* 
Note 
If the Mac only logs to the domain without mounting a file share, it will not be visible to DC Agent.
Configuration summary:
*
Ensure that each participating Mac user is a member of a common Active Directory. See your Active Directory documentation.
*
Create a home folder for each Mac user, and make sure that it is accessible to the user. See the first paragraph of this section.
When the user logs on to the properly configured Mac OS X system, the Mac mounts a network directory as the user's home directory, the DC Agent user map is populated, and user and group-based policies can be applied to user requests. When requests are blocked, browser-based block pages are displayed normally.
Authenticating Mac users with Content Gateway
Using the Integrated Windows Authentication (IWA) feature of Content Gateway, Mac users can be transparently authenticated when the user is a member of an Active Directory domain and the Mac computer is joined to the Active Directory domain. For more information see Integrated Windows Authentication.
Configuration summary:
*
Ensure that each Mac computer is joined to the Active Directory domain. See Typical steps for joining a Mac to an Active Directory domain.
*
Ensure that each participating Mac user is a member of a common Active Directory. See your Active Directory documentation.
*
Ensure that Content Gateway is joined to the Active Directory domain.
*
If Content Gateway is not configured for IWA, see Integrated Windows Authentication and apply the configuration instructions.
*
If Content Gateway is already configured for IWA and your Mac users belong to the currently joined domain, there is nothing to do.
*
If Content Gateway is already configured for IWA and your Mac users belong to a different Active Directory domain, use the Rule-Based Authentication feature. See Rule-Based Authentication and follow the configuration instructions.
*
When Content Gateway is an explicit proxy, configure participating Mac systems and browsers to send HTTP, HTTPS, and FTP requests to the Fully Qualified Domain Name (FQDN) of Content Gateway. Alternatively, specify the IP address of Content Gateway if NTLM is adequate.
If Content Gateway is a transparent proxy, no additional Mac system or browser configuration is required.
 
* 
Important 
Safari users may be prompted for credentials the first time they open a browser. The user should enter their credentials and check the "Remember password in keychain" check box.
FireFox users may receive an "Proxy Authentication Required" error message. This is a known issue in FireFox (http://support.mozilla.org/en-US/questions/926378) and is easily corrected by changing the browser configuration. In About:Config set the following options to false:
*
network.automatic-ntlm-auth.allow-proxies
*
network.negotiate-auth.allow-proxies
Typical steps for joining a Mac to an Active Directory domain
1.
Using an account with Administrator privileges, log on to the Mac computer that you want to join to an Active Directory domain.
2.
Open the Directory Utility. On OS X 10.6 (Snow Leopard), go to:
/System/Library/CoreServices
3.
If necessary, click the padlock icon and enter your password to unlock the Directory Utility.
4.
Select the box next to Active Directory to enable Active Directory support.
5.
Highlight Active Directory and click on the Pencil icon to configure the Active Directory connection.
6.
Under Domain, enter the Fully Qualified Domain Name (FQDN).
7.
Under Computer ID, enter the computer name.
8.
Click Bind. You are prompted for network credentials and a computer OU. Enter your OU admin account and password, and the computer OU location. For example:
ou=computers,ou=orgunits,dc=ad,dc=example,dc=com
Your machine will be bound to the specified Active Directory.
9.
Click Apply in the Directory Utility to save your changes and restart the machine.
Authentication for iPhones and iPads
Proxy-based user authentication is supported by the Content Gateway (proxy) component of TRITON AP-WEB, resulting in user- or group-based filtering.
User identification via DC Agent is not supported and, therefore, there is no user- or group-based filtering solution with Web Filter & Security or TRITON AP-WEB. Filtering can be provided to those devices based on IP address or network range.
Content Gateway user authentication has the following features and restrictions:
*
Works with the authentication method configured in Content Gateway. Users must belong to the associated user directory.
*
Supports the Safari browser. Other browsers may not work as expected.
*
Transparent authentication is not supported. The user is always prompted for credentials.
*
Works in transparent and explicit Content Gateway deployments.
*
Many iPhone and iPad apps do not work well with Content Gateway (or any Web proxy) because they are not well programmed to handle proxy user authentication.
Explicit proxy settings can be configured in the iOS Network settings area.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication > Mac and iPhone/iPad authentication
Copyright 2016 Forcepoint LLC. All rights reserved.