On Friday, Thursby Software Systems announced a new product, ADmitMac for PIV, a new addition to the company's line of Active Directory integration software for Mac OS X. ADmitMac for PIV provides Macs with a single sign-on environment using a U.S. government Personal Identity Verification (PIV) card instead of a password.
The software verifies a PIV card against a centralized network authority in Active Directory. It also lets Entourage 2004 or Outlook Web Access users access Exchange Server email with a PIV card instead of passwords. (Entourage 2008 has the ability natively.) ADmitMac for PIV includes Thursby's SMB/CIFS bidirectional file and printer sharing, which includes support for Microsoft's Distributed File System (DFS), common to all Thursby products.
Thursby described how ADmitMac for PIV (ADPIV) works:
When a PIV card is inserted into a Macintosh, ADmitMac for PIV changes the normal login screen and challenges the user to enter their PIV card PIN authorization. Upon verification of the user's PIN, ADPIV then obtains the proper network credentials from the Kerberos Key Distribution Center. ADmitMac for PIV includes its own PKINIT (Public Key Cryptography for Initial Authentication in Kerberos) that enables this secure integration
.With ADmitMac for PIV, the card itself is challenged to ensure that neither the card nor the privileges granted the user have been revoked.
ADmitMac for PIV obtains authorized Kerberos certificates, makes these cer_tificates available to Kerberized applications, locks the computer upon removal of a PIV card, and protects the computer from unauthorized wake from sleep modes.
Thursby's enterprise volume licenses include a two additional management tools:
- AD Commander allows an administrator to manage Active Directory user and group settings from a Macintosh.
- The ADmitMac Deployment Utility creates custom ADmitMac installation packages for multi-computer installations
Thursby Software is offering special introductory pricing for ADmitMac for PIV through August 31, 2009. Thursby also offers ADmitMac for CAC, a similar package for using U.S. Department of Defense Common Access Cards to log on to an Active Directory network. The original ADmitMac integrates Macs into Active Directory networks using standard password single-sign on along with DFS support.