Identity Finder DLP Endpoint for Mac supports management via the Identity Finder DLP Console. This management includes the application of policies, scheduling of tasks in user mode, and reporting of results and logs. Additionally, the client can be used interactively by end users and executed via the command line in a terminal window.
To configure DLP Endpoint for Mac to communicate with the console, it is necessary to install configuration information on each client that includes the location of the console as well as the encryption information necessary to securely communicate with the console.
Before a search can be executed by the client, it is necessary for each client to have license information that is provided via a license file (identityfinder.lic) or created via the activation process.
It is also possible to customize the automated execution and/or user experience through the use of policies, configuration settings (plist) files, or via command line configuration files (xml).
To detail the above, this article contains information about:
- Client/Console Communication
- License Files
- Activation Information
- Configuration Settings (Property List) Files
- Configuration Settings (XML) Files and Command Line Switches
- Endpoint Service, Tasks, and Policies (Enterprise Client v3.0 and later)
Finally, additional information about the operation of the client and the storage locations for logs is also included.
To support these features, it is necessary to create a custom installation package using Identity Finder supplied build scripts and Apple's PackageMaker application.
To configure communication between the client and the console, it is necessary, at a minimum, to configure the settings to point to the enterprise console, establish the encryption key used for communication, and to enable communication. The easiest way to obtain these settings is to browse to http://consoleserver/Services where consoleserver is the name or IP address of the enterprise console. On that page, there is a link entitled, "Identity Finder for Mac." Clicking that link will provide a Property List (plist) file containing the aforementioned settings. This file should be included in the custom package that is created for deployment to all Mac systems. Alternatively, this file can be distributed to those systems via any existing software distribution method; however, if a custom package is not created that deploys the endpoint service application and creates the launch agent, it will be necessary to execute the Mac client interactively at least once to establish the client/console communication.
To enable HTTPS/SSL communication between Mac clients and the enterprise console, it is necessary to obtain a copy of the server's certificate, install that certificate on each client, and set the caPath setting in a system plist to the full path, including the file name, of the ca.pem file. Details are available here:
To use Identity Finder for Mac, either a license file must be supplied or an activation number must be used to activate the application. When using a license file, the user will not be prompted with an activation or licensing process as long as the license file has been placed on the system prior to the first execution of the application. The file must be named identityfinder.lic and can be placed in either of the locations listed below. When using the system area (recommended), ensure that the user context under which Identity Finder will be executed has read permissions to the specified folder. The license file should be included in the custom package.
/Library/Application Support/Identity Finder/identityfinder.lic
/Users/USERNAME/Library/Application Support/Identity Finder/Identity Finder Mac Edition/identityfinder.lic
To use Identity Finder for Mac, either a license file must be supplied or an activation number must be used to activate the application. When using an activation number, the user will be prompted to complete the activation process the first time the application is launched. Note that when using activation numbers, the client must be activated for scheduled tasks to execute successfully. After Identity Finder is activated, the activation information is stored in the following folder:
Under normal circumstances, this folder should never be modified or deleted. Refer to, "Identity Finder Does Not Allow Licensed Features" for additional information on when it may be necessary to delete activation information.
The Identity Finder for Mac application settings are stored in a Property List (plist) file named com.identityfinder.macedition.plist. After the first time the application is executed, the user plist will be created in the location noted below - the system plist and system firstrun plist will never be automatically created. Other than the settings necessary for client/console communication, it is recommended that no additional settings are specified in the system plist included in the custom installation package, as all other settings should be managed via policies from the enterprise console.
When settings are present in the system location (or included in a system policy), they are considered to be authoritative and the corresponding options in the UI will be disabled, so users will be unable to change those settings. To set alternate defaults but allow the user to change those settings in the UI, use the system firstrun plist (or a user default policy). To set defaults that are different from the application defaults, allow the user to change those settings in the UI, but reset those custom defaults each time Identity Finder is launched, use the system firstrun plist (or user default policy) and ensure that the setting Initialization\Configuration\AlwaysUseFirstRun is set to "Always reset settings" (1).
When using the system area, ensure that the user context under which Identity Finder will be executed has read permissions to the specified folder.
Note: When Identity Finder is started, by default, FirstRun is set to 1. After a search is successfully completed, a value of 0 for FirstRun is written to the user plist. Whenever the value of FirstRun is set to 1 or AlwaysUseFirstRun is set to 1, the settings will be read from the firstrun plist. Only when the value of FirstRun is 0 (after a successful search) are the firstrun plist settings ignored.
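The precedence rules above, worked through as an added example (this is not Identity Finder code; the real plist layout is not documented here, so settings are modelled as a flat dictionary, the AlwaysUseFirstRun setting is flattened to a single key, and DemoSetting is a hypothetical setting name):

```python
"""Model of the system / firstrun / user plist precedence described above.

Added example, not Identity Finder code. Assumptions: flat settings keys,
'AlwaysUseFirstRun' as a top-level key, and 'DemoSetting' as a hypothetical
setting name used only for illustration.
"""
import plistlib


def load(plist_bytes):
    """Parse an XML plist; a missing file (None) behaves as an empty plist."""
    return plistlib.loads(plist_bytes) if plist_bytes else {}


def resolve_settings(system_plist, firstrun_plist, user_plist):
    """Return (effective_settings, locked_keys) for one client launch.

    * keys in the system plist are authoritative and their UI controls are disabled;
    * the firstrun plist is read while FirstRun == 1 (no successful search yet)
      or while AlwaysUseFirstRun == 1 (custom defaults reset on every launch);
    * otherwise the values in the user plist stand.
    """
    system, firstrun, user = load(system_plist), load(firstrun_plist), load(user_plist)
    first_run = int(user.get("FirstRun", 1))          # 1 until a search completes
    always_reset = int(firstrun.get("AlwaysUseFirstRun", 0))

    effective = dict(user)
    if first_run == 1 or always_reset == 1:
        effective.update(firstrun)                    # seed or reset the defaults
    effective.update(system)                          # system layer wins unconditionally
    return effective, frozenset(system)               # locked keys = system keys


def after_successful_search(user_plist):
    """Mimic the client writing FirstRun = 0 to the user plist after a completed search."""
    user = load(user_plist)
    user["FirstRun"] = 0
    return plistlib.dumps(user)


# Constructed sample layers: the system plist carries only a console-communication
# setting (caPath), the firstrun plist carries a site default for the hypothetical key.
SYSTEM = plistlib.dumps({"caPath": "/Library/Application Support/Identity Finder/ca.pem"})
FIRSTRUN = plistlib.dumps({"DemoSetting": "site-default", "AlwaysUseFirstRun": 0})
FIRSTRUN_RESET = plistlib.dumps({"DemoSetting": "site-default", "AlwaysUseFirstRun": 1})
USER_CHANGED = plistlib.dumps({"DemoSetting": "user-choice"})   # user edited it in the UI

if __name__ == "__main__":
    fresh, locked = resolve_settings(SYSTEM, FIRSTRUN, None)
    print(fresh["DemoSetting"], sorted(locked))                          # site-default ['caPath']
    user = after_successful_search(USER_CHANGED)
    print(resolve_settings(SYSTEM, FIRSTRUN, user)[0]["DemoSetting"])        # user-choice
    print(resolve_settings(SYSTEM, FIRSTRUN_RESET, user)[0]["DemoSetting"])  # site-default
```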
The plist file is an xml file that can be visually edited with the Property List Editor which is installed with the Mac development environment. However, it can also be easily edited as text with any text editor that supports UTF-8 encoding such as:
- http://www.barebones.com/products/TextWrangler/download.html (free)
PlistEditPro allows xml and visual editing but is a commercial application:
- http://www.apple.com/downloads/macosx/development_tools/plisteditpro.html (shareware/commercial)
Other utilities are also available.
The value names and values are the same on the Mac as on Windows (though only a subset of the Windows features are implemented) and the full list of settings may be obtained by viewing the policy editor within Identity Finder Enterprise Console version 4.5 or later or via the Identity Finder Settings Viewer.
When creating a customized plist, the easiest thing to do is to execute the Mac client once and exit - this will create a plist file in the user location. That file can then be edited to add/remove the desired settings. Once completed, this file can be added to the installation package.
Settings can be supplied to the client via the --configurationfile command line switch. When settings are present in an xml configuration file, they are considered to be authoritative and the corresponding options in the UI will be disabled and therefore users will be unable to change those settings. Creating a configuration file from scratch is possible, but it is recommended that an existing file is modified with the desired information to ensure proper formatting.
More information is available in the article, Enterprise Client Command Line Switches.
When Identity Finder for Mac v3.0 or later is used with Identity Finder Enterprise Console 4.5 or later, an endpoint service application is used to communicate with the console to obtain tasks and policies. The endpoint service application must be deployed by the custom installation package. If the endpoint service binary does not exist in the specified location, as noted below, the client will be unable to communicate with the enterprise console. In versions 3.0-3.6, the endpoint service application is launched periodically by a launch agent. Beginning with version 3.7, the service is automatically started by a launch daemon at system start-up and is always running. Communication with the console is conducted according to the specified polling interval.
In version 3.7 and later, the application binary is located here:
/Library/Application Support/Identity Finder/EndpointService
The supporting files for the endpoint service (including downloaded tasks and policies), as well as the pre-3.7 endpoint service binary, are located here:
In version 3.7 and later, the endpoint service log file, endpointservice.log, is located here:
In version 3.7 and later, the endpoint service is automatically launched at system start-up by the launch daemon located here:
Version 5.0 and later
A launch agent is used to start and maintain the execution of the UserAgent, which is required to run a scheduled task in the user context. The launch agent is deployed when a custom installation package is executed and no other methods of deploying the launch agent are supported. The agent will be launched for each user when that user logs in. The launch agent is located in the system LaunchAgents folder:
If it is ever necessary to stop the launch agent for troubleshooting purposes, it can be unloaded using launchctl as follows:
launchctl unload -S Aqua /Library/LaunchAgents/com.identityfinder.launchagent.plist
To load the launch agent, use launchctl as follows:
launchctl load -S Aqua /Library/LaunchAgents/com.identityfinder.launchagent.plist
To determine if the launch agent is currently running, obtain a list of all launch agents and verify whether com.identityfinder.launchagent is included or not:
This section is not relevant to Identity Finder for Mac version 3.7 or later. When versions 3.0-3.6 are used with Identity Finder Enterprise Console 4.5 or later, a launch agent is used to execute the endpoint service binary every 5 minutes. This interval is not user configurable. The launch agent must be deployed by the custom installation package for the user running the installer. If the launch agent does not exist, the client will attempt to create it when it is executed. The launch agent is located in the LaunchAgents folder for each user:
If it is ever necessary to stop the launch agent to prevent the endpoint service from executing automatically, execute the launchctl command in a terminal window, as follows:
launchctl unload /Users/USERNAME/Library/LaunchAgents/com.identityfinder.launchagent.plist
To verify that the launch agent has been unloaded, obtain a list of all launch agents and verify that the Identity Finder launch agent is not included in the list by executing launchctl as follows:
The Identity Finder profile consists of Settings and UserData. The settings are stored in the user property list while the UserData is stored on disk in the following locations:
Settings (user property list)
UserData on disk
/Users/USERNAME/Library/Application Support/Identity Finder/Identity Finder Mac Edition/identityinfo.dat
The UserData consists of lists or individual pieces of information added to Identity Finder in the Custom Folder list, OnlyFind Identity list, and Ignore list. With the exception of folder names, all of the UserData information is encrypted with AES-256 using the user profile password; if the user profile password is lost or forgotten, the contents of this file cannot be recovered. Editing of this file is not supported. To add UserData information to Identity Finder, supply it via a configuration (XML) file or use the Profile\Admin settings. To obtain properly formatted UserData information for use in a configuration file or the Profile\Admin settings, use the Windows client to add the information to the relevant list in the client application GUI and then export the current profile.
By default, client logs are stored under the Application Support folder for each user.
/Users/USERNAME/Library/Application Support/Identity Finder/Identity Finder Mac Edition
Client logs can be moved to any local path to which the user has write access and by default are stored in the /logs subfolder of the folder noted above:
/Users/USERNAME/Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs
For tasks run as system, the search is run as root. The root home directory is /var/root and the log files are stored in:
/var/root/Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs
Note: /var/root can only be accessed as root, so it is necessary to log in as root or su root to access the log files.