
 
Integrating IT



Mac users are integrated into building society's network using
network authentication protocol 802.1x

 

overview

A leading UK Building Society has a large estate of predominantly Microsoft client workstations. As with many large organisations, there is a small Mac contingent struggling to coexist in a secure, Microsoft-dominated environment. These users comprise the small design department, where MacOS is essential for their requirements.

 

Clearly, with any building society or financial organisation system, security is paramount, and the implementation of enterprise-level authentication and encryption using the IEEE 802.1x authentication mechanism is standard practice.

 

The design department’s legacy iMacs were successfully participating within the secure network until a routine Apple security update resulted in a failure to authenticate via EAP-TLS, the chosen EAP method. The consequences for the design department were catastrophic, resulting in a total network lockout and bringing production to a standstill.

 

Without experience of MacOS integration within an enterprise hybrid environment, the Building Society’s internal IT team were unable to resolve the issue. A combination of aging iMacs and an organisational shift to hybrid working following the pandemic drove the decision to replace the iMacs with portable MacBooks; the design team were supplied with new MacBooks to facilitate hybrid working, in the hope that the newer MacBooks would overcome the 802.1x authentication issues.

 

Unfortunately, upgrading the MacBooks did not resolve the issues. As an interim solution, and much to their dismay, the design team were issued with HP laptops running Windows 10, enabling them to work on the network. The internal IT team then approached cross-platform integration specialists Conformedia for assistance.

challenge

Most workforces predominantly operate Microsoft operating systems, so naturally internal IT teams are geared up to support this platform. When organisations also have a small number of Mac users in the mix, such as design teams in banks, building societies and charities, cross-platform integrations can be problematic, especially within highly secure enterprise networks such as those implementing 802.1x.

solution

The Building Society had initially approached large IT operations consultancies for help but were only offered solutions designed for a large estate of Mac users, involving the creation of a separately managed environment. These solutions were excessive and expensive, and not fit for a small department of Mac users, where integration into the existing environment was more appropriate.

 

Conformedia has experience working for large organisations similar to the Building Society, integrating small Mac teams into a predominantly Microsoft secure environment. This included projects requiring the deployment of solutions in the UK and central Europe, so they were an ideal partner for this project.

 

Working with the Building Society’s infrastructure security team, Conformedia began to gather information to gain a comprehensive understanding of how the enterprise networking operated; this included the protocols, encryption type and authentication mechanisms in place for the 802.1x Ethernet and Wi-Fi networks, in addition to the Cisco VPN for hybrid working.

 

A prototype MacBook was then built and tested within the Building Society’s secure build environment. Once the integration within the organisation directory was established, the certificate issues were resolved, laying the necessary foundation for the EAP-TLS 802.1x implementation. 

 

Once 802.1x authentication and encryption were established and tested, the remaining requirements for the users were considered, such as application installation, environment configuration, automatic domain binding, anti-virus, and data loss prevention (DLP) policies.

 

A build workflow was then created, implementing OS installation, package management, and custom profiles. 

 

Finally, a custom application was developed to customise the build, allowing the laptop to bind to Active Directory, request and install the necessary certificates, build a secure connection to the 802.1x network utilising EAP-TLS, and finally customise the user’s environment.

 

The build workflow was then submitted for pen testing and, once approved, compiled onto a USB drive.

 

The USB drive allows for the boot and automatic building of the MacBooks, introducing seamless onboarding for new Macs; complete with domain binding, 802.1x authentication, Cisco VPN deployment and full DLP and auditing management.

 

The build workflow sits on a USB drive and can be used to build a new MacBook within 20 minutes by system administrators with limited MacOS expertise. 

 

Ongoing support is provided to the Mac users through a three-way arrangement with the Building Society’s IT team: end user, internal IT team and Conformedia all work together to ensure a smooth flow of information across the network between Mac and PC users.

 

David Rayner, Managing Director at Conformedia, explains, “Enterprise organisations tend to implement a Microsoft-centric environment, where all services and systems are built to accommodate users running Microsoft operating systems. However, there is often a small Mac team struggling to coexist in this world; this causes integration and support issues for busy internal IT teams with limited MacOS expertise, as well as frustration for the Mac users who feel isolated. Conformedia offers a specialist and unique service; we step in to provide the missing link, supporting both the Mac users and the organisation’s IT departments.

 

“If Macs aren’t integrated correctly within the organisation, companywide policies and protocols cannot be effectively rolled out to all users, which in turn can create a security risk.

 

“We work cross-platform, working with clients looking to include Macs into their primarily PC environment; we also provide day-to-day support to Mac users which helps avoid unnecessary production downtime and frees up the internal IT resource.”

 

results

Onboarding a new designer is now a simple task. A designer’s MacBook can be quickly rolled out, allowing complete integration onto the 802.1x network, with hybrid working provided by the Cisco VPN. Profiles and software are installed, customising the user’s working environment and implementing the organisation’s security and auditing policies. This quick and secure process configures the user profile, meaning the user can be working on their Mac within half an hour.

 


Unlike larger IT service providers, Conformedia’s agile and flexible approach means a solution can be deployed which suits the organisation.
