CyberArk Identity Mac Device Trust

This is an early access feature. Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features. Contact your account representative to enable this feature.

This topic describes the use case and deployment procedure for the CyberArk Identity Mac Device Trust, which is a light-weight version of the Mac Cloud Agent.

The Mac Device Trust prevents untrusted Mac computers from accessing CyberArk Identity or launching sensitive web apps by deploying an authentication certificate, which enables policy settings specifying conditional access based on the presence of that certificate. This improves security and decreases friction for users by allowing passwordless authentication. The Mac Device Trust is installed by Jamf Pro on Jamf-managed devices.

The primary difference between Mac Device Trust and the Mac Cloud Agent is that the Mac Cloud Agent supports endpoint authentication, while Mac Device Trust only covers CyberArk Identity access and application launches. Use Mac Device Trust if your primary concern is securing the CyberArk Identity User Portal and sensitive applications, but you don't want to enforce adaptive MFA for users authenticating to their endpoints.

The following table provides an overview of the feature differences.

Feature                                                      Mac Device Trust               Mac Cloud Agent
Jamf deployment                                              Yes                            No
Certificate-based authentication (CBA)                       Yes                            Yes
Passwordless authentication                                  Yes - for CyberArk Identity    Yes - for CyberArk Identity and the Mac endpoint
Endpoint authentication                                      No                             Yes
Support for AD users on domain-joined devices                Yes                            Yes
Support for AD users on devices that are not domain-joined   Yes                            Yes
Support for CyberArk Cloud Directory users                   Yes                            Yes

The following workflow diagram illustrates an overview of the deployment and management of Mac Device Trust.

Requirements

The Mac Device Trust requires the following.

  • macOS 10.15, 11, 12

  • Macs managed by Jamf Pro

  • a Jamf Pro account with the following admin rights, used to verify that other users are enrolled:

    • Jamf Pro Server Objects > Computers > Read

    • Jamf Pro Server Settings > Activation Code > Read

Configure Jamf to deploy Mac Device Trust

The following procedure describes how to integrate your CyberArk Identity tenant with your Jamf tenant so that Jamf deploys Mac Device Trust on managed Mac devices.

Step 1: Enable macOS Device Trust in the CyberArk Identity Admin Portal

  1. Go to Settings > Endpoints > Device Trust > Jamf Pro, then click Enable macOS Device Trust with Jamf Pro.

  2. Complete the following fields, then click Test connection.

    Field                   Description
    Integration User Name   The user name that you use to sign in to your Jamf tenant.
    Integration Password    The password that you use to sign in to your Jamf tenant.
    Jamf URL                The URL of your Jamf tenant.

  3. Click Save after a successful test.

Step 2: Download the Mac Device Trust installer from the CyberArk Identity Admin Portal.

  1. Go to Downloads, then download CyberArk-Device-Trust.dmg.

  2. Mount the .dmg, then extract the CyberArk-Device-Trust.pkg file.

    This is the file you will upload to Jamf Pro later.

Step 3: Generate an enrollment code.

You need a randomly generated enrollment code to enroll a machine. You must be a member of the System Administrator role to generate enrollment codes.

  1. Log in to the Admin Portal.

  2. Click Settings > Endpoints > Enrollment Codes.

  3. Click the Add button.

    The Generate Bulk Enrollment Codes window appears.

  4. (Optional) Select the details to be used to generate the enrollment code.

    • Set an expiration date if the code should expire.

    • Specify the maximum number of devices that can be enrolled or leave Unlimited selected.

    • Enter a description.

  5. Click Save to generate the enrollment code.

  6. Click Copy to copy it to the clipboard.

Step 4: Create the deployment script.

Create a shell script using the following template, updating variable definitions to match your environment as described below.

#!/bin/bash
# REQUIRED
# TENANT_URL - tenant URL (for example "https://pod0.idaptive.app")
# ENROLLMENT_CODE - enrollment code used to enroll the device
# Can be found in Admin Portal -> Settings -> Endpoints -> Agents -> Enrollment Codes
TENANT_URL="https://example.my.idaptive.app"
ENROLLMENT_CODE="HAQ0E93JOESVPY9OHGUEYRL0ER9MN1ZI073PEB1_FXC1"

# The owner of /dev/console is the user currently logged in at the GUI;
# that user's keychain receives the authentication certificate.
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Jamf Pro runs this script as root, so run the enrollment inside the
# logged-in user's launchd session and as that user.
/bin/launchctl asuser "$(id -u "${loggedInUser}")" \
  sudo -u "${loggedInUser}" \
  "/Applications/Mac Device Trust.app/Contents/MacOS/Mac Device Trust" \
  --tenant "${TENANT_URL}" \
  --enrollmentCode "${ENROLLMENT_CODE}" \
  --force

Variable          Description
TENANT_URL        Your CyberArk Identity tenant URL. For example, the default tenant URL is https://pod0.idaptive.app. Yours might use your company name in the URL, for example https://mycompany.my.idaptive.app.
ENROLLMENT_CODE   The enrollment code generated in Generate an enrollment code.
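The template above hard-codes the enrollment code in the script body. The following is an added example, not CyberArk's or Jamf's own code, of a wrapper around the same enrollment command that reads TENANT_URL and ENROLLMENT_CODE from Jamf Pro script parameters ($4 and $5; Jamf passes policy-defined parameters as $4 through $11), refuses to run with a missing, non-HTTPS or placeholder value, resolves the console user the same way the template does, and exits non-zero so a failed enrollment shows up in the Jamf policy log. The function names, the REPLACE_ME placeholder and the parameter positions are this example's own choices; the app path is the one from the template.

```shell
#!/bin/bash
# Added example (not CyberArk's or Jamf's code): validated wrapper for the
# Mac Device Trust enrollment command used in the Step 4 template.

# Path from the Step 4 deployment script template.
APP="/Applications/Mac Device Trust.app/Contents/MacOS/Mac Device Trust"

# Extract the owner (field 3) from an `ls -l /dev/console` line. The console
# owner is the GUI user whose keychain will receive the certificate.
parse_console_owner() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Return 0 when the settings are usable: an https:// tenant URL and an
# enrollment code that is neither empty nor the REPLACE_ME placeholder.
validate_settings() {
    local url="$1" code="$2"
    case "$url" in
        https://*) ;;
        *) echo "TENANT_URL must start with https:// (got '$url')" >&2; return 1 ;;
    esac
    if [ -z "$code" ] || [ "$code" = "REPLACE_ME" ]; then
        echo "ENROLLMENT_CODE is empty or still the placeholder" >&2
        return 1
    fi
    return 0
}

# Run the enrollment in the console user's session, as in the template.
# Fails (non-zero) when nobody is logged in at the GUI, so that the policy
# can be retried on the next login trigger instead of enrolling as root.
run_enrollment() {
    local tenant="$1" code="$2" user
    user=$(parse_console_owner "$(/bin/ls -l /dev/console)")
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "No interactive console user; retry at the next login trigger" >&2
        return 1
    fi
    /bin/launchctl asuser "$(id -u "$user")" sudo -u "$user" \
        "$APP" --tenant "$tenant" --enrollmentCode "$code" --force
}

# Jamf Pro passes policy script parameters as $4-$11 (assumed positions: $4 is
# the tenant URL, $5 the enrollment code). A policy with no parameters falls
# back to placeholders that fail validation rather than enrolling with them.
TENANT_URL="${4:-REPLACE_ME}"
ENROLLMENT_CODE="${5:-REPLACE_ME}"

# Only attempt enrollment where the app is actually installed (a managed Mac
# that has already received the .pkg from the policy's Packages step).
if [ -x "$APP" ]; then
    validate_settings "$TENANT_URL" "$ENROLLMENT_CODE" || exit 1
    run_enrollment "$TENANT_URL" "$ENROLLMENT_CODE" || exit 1
fi
```

In Jamf Pro, add the script with the same Options and Limitations as the template and set Parameter 4 and Parameter 5 on the policy's Scripts page; the enrollment code then lives in the policy rather than in every copy of the script.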

Step 5: Create target users in Jamf Pro and assign them to computers.

You can skip this step if your Jamf Pro tenant is AD bound and you use LDAP.

If you are not using an AD binding, you have to add the target users to Jamf Pro and assign them to computers manually. The users in Jamf Pro must have the same username as the target user in your directory source. For example, if you have a user "testuser@example" in the CyberArk Cloud Directory, the user in Jamf Pro should be "testuser@example".

The local user logged in on the Mac receives the certificate deployed by Mac Device Trust. For example, if user@example.com is an AD account and user1 is the local user logged in to the Mac, then user1 receives the certificate in the keychain, because user1 performed the Jamf enrollment using the user@example.com credentials.

Refer to https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/User_Assignments.html for more information about manually creating users and assigning them to computers.

Step 6: Add the deployment script to Jamf Pro.

  1. Go to Management Settings > Computer Management > Scripts, then click New.

  2. Complete the fields on the General tab, then select the Script tab, set the default mode to Shell, then paste the contents of the deployment script.

    Make sure you remember to change the variable definitions for TENANT_URL and ENROLLMENT_CODE.

  3. Complete script information on Options and Limitations tabs as needed, then click Save.

Step 7: Upload Mac Device Trust to Jamf Pro as a package.

  1. Go to Management Settings > Computer Management > Packages, then click New.

  2. Complete the package information as required, then click Upload Manifest File and select the .pkg file extracted in Download the Mac Device Trust installer from the CyberArk Identity Admin Portal. Click Save after the upload finishes.

Step 8: Create the policy in Jamf Pro.

  1. Go to Computers > Policies, then click New.

  2. On the General page of the Options tab, enter a Display Name for the policy, select the desired Triggers, and set Execution Frequency to Once per computer.

  3. Go to the Packages page, then add the package uploaded in Upload Mac Device Trust to Jamf Pro as a package.

  4. Go to the Scripts page, then Add the deployment script from Create the deployment script.

  5. Go to the Scope tab, then select the computers and users to deploy the policy to.

    The Mac Device Trust can only be deployed for one user per computer.

  6. Go to the Self Service tab and select Make this policy available in Self Service.

    This provides your users an additional chance to access the policy if for some reason it isn't deployed through selected triggers.

  7. Click Save to finish configuring the policy.

Mac Device Trust enrollment changes

Enrolling an endpoint for a user issues an authentication certificate to that user. This certificate is stored in a custom keychain. In addition, the installer adds a light-weight daemon. This daemon fetches the authentication certificate if any of the following triggers happen:

  • The daemon is created or modified (for example, Mac Device Trust installation or update)

  • The user logs on to the endpoint

  • There is a network change

  • 12:00 local time each day

Configure Certificate-Based Authentication (CBA)

You can create authentication rules that allow access to CyberArk Identity or sensitive applications, conditional on the presence of an authentication certificate. The authentication certificate is distributed to Windows and Mac machines by a Cloud Agent or Device Trust installer, or to mobile devices through enrollment (mobile devices must be enrolled in the CyberArk Identity MDM solution for CBA). You can also use third-party certificates, such as certificates deployed by MDMs like AirWatch or Intune, for CBA on Windows, Mac, and mobile devices.

CBA does not work with native apps, on any platform, with any type of certificate.

  1. Go to Core Services > Policies and select the policy you want to edit, or click Add Policy Set to create a new one.

  2. Click Authentication Policies > CyberArk Identity.

  3. Select Yes in the Enable authentication policy controls drop-down.

  4. Click Add Rule.

    The Authentication Rule window appears.

  5. Click Add Filter on the Authentication Rule window.

  6. Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.

  7. Select the authentication profile that you want applied if Certificate Authentication is true.

    In this example, certificate authentication will bypass other authentication rules and the default profile, so the selected profile is not important.

  8. In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

    The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.

  9. Under Other Settings, select Use certificates for authentication and Certificate authentication bypasses authentication rules and default profile.

  10. Click Save.

Users can now access CyberArk Identity using the authentication certificate instead of entering a password.

  1. Click Policy in the Admin Portal.

  2. (Optional) Click Add Rule to specify conditional access.

    The Authentication Rule window appears.

  3. Click Add Filter on the Authentication Rule window.

  4. Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.

  5. Select the authentication profile that you want applied if Certificate Authentication is true.

  6. In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

    The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.

  7. Click Save.

Manage authentication certificates deployed by Mac Device Trust

Enrolled endpoints appear in the Admin Portal Endpoints tab. Click a device for the following information:

Tab Description
Details Shows the device ID, the agent or app version, and enrollment method.
Activity Shows the previous 30 days of certificate-related activity.
Certificates Shows details of the certificate distributed to the device user. You can manage certificates from this tab.

To manage authentication certificates issued through enrollment

  1. Go to Endpoints, then click an enrolled endpoint.

  2. Go to the Certificates tab, then select a certificate.

  3. Click Actions to see available actions, then take an action.

    Available actions depend on the current status of the certificate, as described in the following table.

    Status: Active
      Description: The certificate is active and can be used for certificate-based authentication.
      Available action: Revoke
      Effect: Deletes the certificate from CyberArk Identity; CBA no longer works for that user. You need to delete the certificate on the client manually. A new certificate can be issued.

    Status: Revoked
      Description: The certificate has been revoked (deleted from the cloud). It needs to be issued and then installed again.
      Available action: Issue
      Effect: Issues the certificate, changing the status to Issued. The certificate is issued in the cloud, but not yet installed on the workstation. The user needs to sign in again for the certificate to get installed.

    Status: Expired
      Description: The certificate has expired. It needs to be issued and then installed again.
      Available action: Revoke
      Effect: Deletes the certificate from CyberArk Identity. The certificate on the client will need to be deleted manually. Once the certificate is revoked, auto-renewal doesn't work.

    Status: Issued
      Description: The certificate is issued but not yet installed by the agent. The user needs to sign in again for the certificate to get installed.
      Available action: Revoke
      Effect: The certificate gets deleted from the cloud. You need to delete the certificate on the client manually.

Set the lifetime and renewal window for CyberArk Identity authentication certificates deployed by Mac Device Trust

You can set the lifetime and renewal window of certificates issued through device enrollment or installation of Device Trust.

To set the lifetime and renewal window of CyberArk Identity issued authentication certificates

  1. Go to Settings > Endpoints > Device Trust > Certificate Authentication.

  2. Set the certificate lifetime and renewal window for authentication certificates issued by CyberArk Identity.

    The value for the renewal window should always be less than the certificate lifetime.

    If the endpoint is offline, CyberArk Identity renews the certificate when the endpoint is back online.

    If you don't want to renew the certificate, you can revoke the expired certificate by selecting the endpoint from Endpoints and sending the Revoke action.

Update Mac Device Trust

You can update Mac Device Trust on users' computers using Jamf.

Step 1: Get the latest version of Mac Device Trust

Sign in to the CyberArk Identity Admin Portal and download the latest version of Mac Device Trust.

Step 2: Upload the latest version of Mac Device Trust to Jamf Pro.

  1. Go to Management Settings > Computer Management > Packages, then click New.

  2. Complete the package information as required, click Upload Manifest File and select the .pkg file extracted from the latest version of Mac Device Trust, then click Save after the upload finishes.

Step 3: Flush the policy logs.

The policy runs once per computer. You need to flush the policy logs so Jamf Pro will run the policy again and deploy the updated Mac Device Trust package. If you do not flush the logs, the logs indicate that the policy already ran, and Jamf Pro will not deploy the updated Mac Device Trust package.

  1. Go to Computers > Policies, then select the policy created in Create the policy in Jamf Pro.

  2. In the bottom right of the Policies page, click Logs.

  3. In the bottom right of the Logs page, click Flush All to flush the policy logs for all computers affected by the policy.

    After you flush the policy logs, the policy will run the next time a user logs out and logs back in. This will deploy the updated Mac Device Trust package.

Remove Mac Device Trust

The following procedure describes how to remove Mac Device Trust from a user's Mac using Jamf Pro.

To remove Mac Device Trust

  1. Remove the CA Certificate and MDM Profiles on the target Mac.

    You can either manually remove them through System Preferences, or write a script to remove them and deploy the script using Jamf Pro.

  2. Revoke the certificate in the CyberArk Identity Admin Portal.

  3. In Jamf Pro, go to Policies, then select the appropriate policy and click Edit.

  4. Go to the Scope tab, and remove the target user from the policy scope.

  5. Click Save.

  6. Wait for the next trigger event, or manually trigger the policy.

    Refer to https://docs.jamf.com/10.31.0/jamf-pro/administrator-guide/Policy_Management.html for more detail.

Troubleshooting CyberArk Identity Mac Device Trust

If your users are unable to authenticate with certificates deployed by Mac Device Trust and you need to contact CyberArk support, include the Mac Device Trust log file with your request.

To get the Mac Device Trust log file

  1. On the Mac Device Trust enrolled device, open CyberArk Identity Mac Device Trust.

  2. Go to Help > Get Logs, then save a copy of the log file to include in your correspondence with CyberArk support.