Server Suite for Mac 2022.1 Release Notes
Server Suite for Mac provides Active Directory-based authentication, single sign-on, and group policy support for the macOS platform.
Server Suite for Mac is a part of Delinea software and is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962.
What's Included in this Release
-
CentrifyDC-5.9.1-mac10.15.dmg: A macOS disk image for macOS 14.x, 13.x, 12.x, 11.x, and 10.15that contains contains the following:
AD Check.app: A graphical application to perform environment checks before installing Server Suite on macOS 14.x, 13.x, 12.x, 11.x, and 10.15CentrifyDC-5.9.1.pkg: A graphical installer of Server Suite for Mac (valid on both Intel and Apple Silicon) on macOS 14.x, 13.x, 12.x, 11.x, and 10.15
Supported Platforms and System Requirements
The Server Suite for Mac in the applicable package can be installed on the following versions of the macOS operating system:
-
macOS 14.x on both Intel and Apple Silicon
-
macOS 13.x on both Intel and Apple Silicon
-
macOS 12.x on both Intel and Apple Silicon
-
macOS 11.x on both Intel and Apple Silicon
-
macOS 10.15.x on Intel
Installing on macOS 14 Sonoma
If you are running the current release of Server Suite, you MUST UPGRADE Server Suite BEFORE upgrading your Mac to macOS 14 Sonoma.
Follow these steps:
- Download the Server Suite package for macOS.
- Upgrade Server Suite for macOS using the package you downloaded.
- Upgrade to macOS 14 Sonoma.
Make sure to set the Full Disk Access for the DirectControl Agent (for more information see the instructions listed below) before joining the domain. After joining the domain make sure to restart your Mac.
Setting Full Disk Access for the DirectControl Agent
Due to a limitation of macOS 11.x, macOS 12.x, macOS 13.x, and macOS 14.x,"Full Disk Access" is required for the DirectControl Agent for Mac. You can configure this yourself if you're an administrator on the computer, or you can set it by way of your MDM (Mobile Device Management) provider.
The setting must be done before joining the domain, if not, you must leave the domain, finish the setting, and then join the domain again.
-
To configure full disk access as an administrator:
-
Log in to the Mac as an admin user.
-
Open System Preferences.
-
Click Security & Privacy.
-
Click Privacy.
-
Click the Lock button to input password or use TouchID to unlock.
-
Scroll down a little bit on the left list, find and select Full Disk Access.
-
Click the Plus button.
-
Press and hold these three keys together: shift + command + G.
-
Input the path
/usr/local/sbin/adclientand click GO, then click Open to add it. -
Repeat step g and h, then input the path
/Applications/Utilities/Centrify/AD Join Assistant.appand click GO, then click Open to add it. -
Repeat step g and h, then input the path
/Applications/Utilities/Centrify/Smart Card Assistant.appand click GO, then click Open to add it. -
Click the Lock button again to lock.
-
-
Configure full disk access through your MDM provider. Contact your MDM provider for more information.
Your MDM provider will need the following information:
Copy% codesign -dv /usr/local/sbin/adclient
Executable=/usr/local/sbin/adclient
Identifier=adclient
...
% codesign -dr - /usr/local/sbin/adclient
Executable=/usr/local/sbin/adclient
designated => identifier adclient and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "64CT837G5Z"
% codesign -dv /Applications/Utilities/Centrify/AD\ Join\ Assistant.app
Executable=/Applications/Utilities/Centrify/AD Join Assistant.app/Contents/MacOS/AD Join Assistant
Identifier=com.centrify.cdc.centrifyjoinassistant
...
% codesign -dr - /Applications/Utilities/Centrify/AD\ Join\ Assistant.app
Executable=/Applications/Utilities/Centrify/AD Join Assistant.app/Contents/MacOS/AD Join Assistant
designated => identifier "com.centrify.cdc.centrifyjoinassistant" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2. 6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "64CT837G5Z"
% codesign -dv /Applications/Utilities/Centrify/Smart\ Card\ Assistant.app
Executable=/Applications/Utilities/Centrify/Smart Card Assistant.app/Contents/MacOS/SCTool
Identifier=com.centrify.cdc.smartcardassistant
...
% codesign -dr - /Applications/Utilities/Centrify/Smart\ Card\ Assistant.app
Executable=/Applications/Utilities/Centrify/Smart Card Assistant.app/Contents/MacOS/SCTool
designated => identifier "com.centrify.cdc.smartcardassistant" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2. 6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "64CT837G5Z"
Feature Changes and Notable Fixes in this Release (Release 2022.1 Component Update)
- This release supports macOS 14 "Sonoma". (Ref: 534144)
- This release supports macOS 13 "Ventura". (Ref: 486761)
- DirectControl now natively supports Apple Silicon. Rosetta 2 is no longer needed. (Ref: 486761)
Known macOS Issues
-
There is a known issue with macOS 14 Sonoma, 'Network' users from AD cannot unlock the screen after changing the password. If you are using a 'Network' user and change the user password and then lock the screen, you will not be able to unlock the screen. This bug has been reported to Apple: FB13269239
The workaround is that on the lock screen press the Esc key on your keyboard and then click a different user icon, then press the Esc key again and click the 'Network' user icon again. Then you can enter the password to unlock the screen.
This issue does not occur if you are using a 'Mobile' user.
There is a similar issue if you are using a 'smart card' user. The workaround is that on the lock screen remove your smart card from the Mac and then press the Esc key and click another user icon, then insert your smart card to the Mac again, then you can enter the pin to unlock the screen.
-
As of macOS Big Sur, Apple no longer permits to silently install configuration profiles. It affects the following group policies and they will not work on macOS Big Sur and higher:
- Group policy "Install MobileConfig Profiles"
- Group policy "Enable Profile Custom Settings"
- Group policy "Require password to wake this computer from sleep or screen saver"
- Group policy "Enable Machine Ethernet Profile"
- Group policy "Enable Machine Wi-Fi Profile"
- Group policy "Enable User Ethernet Profile"
- Group policy "Enable User Wi-Fi Profile"
-
Before upgrading Mac from macOS 10.14 or lower to macOS 10.15 or higher, you must install the new agent first. You don't need to leave the domain or uninstall the old DirectControl agent.
-
Network users with network shared home directories are no longer supported on macOS 10.15 and higher. We suggest using a mobile user or network users without network shared home directories instead.
-
When a mobile user logs in for the first time on macOS Big Sur and higher, in some cases they cannot set up Touch ID with their fingerprints. They just need to re-login in order for Touch ID to work.
Apple Support has provided the following resolutions:
Notice of Termination of Support
Server Suite has discontinued support for Mac OS 10.14.x, 10.13.x, 10.12.x, and 10.11.x starting with the 2022 release of Server Suite for Mac.
Additional Information and Support
In addition to the documentation provided with this package, see the Delinea Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Delinea Support directly with your questions through the Delinea Web site, by email, or by telephone.
The Delinea Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Delinea products. For more information, see the Delinea Resources web site.
You can also contact Delinea Support directly with your questions through the Delinea Web site, by email, or by telephone. To contact Delinea Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating Delinea products, send email to info@delinea.com.
