Configure mobile account options

Enable this group policy to configure mobile account options, including FileVault settings and home folder location.

Mobile account options will only take effect when a new mobile user is being created during login. This policy will not affect an existing mobile user.

=== FileVault ===

You can use FileVault to encrypt the local home folders of mobile accounts. FileVault encrypts the user's local home folder using the Advanced Encryption Standard with 128-bit keys (AES-128). The home folder content is safe even if the user's computer is stolen or if an intruder attempts to use the computer while the user is not logged in.

The user's login password is used to decrypt and give the user access to his or her FileVault-protected account. If the user forgets the login password and a computer administrator has set a master password, the administrator can use the master password to unlock all local accounts.

You can choose whether to require master passwords when enabling FileVault protection for mobile accounts:

* If you don't require a master password and there is no master password, local computer administrators can't unlock the account.

* If you require a master password and there is no master password, the user can't enable a mobile account.

* If you select 'Require confirmation before creating mobile account' in the "Create mobile account when user logs in to network account" policy, the user can log in with a network account. Network accounts don't have local home folders (preventing intruders from accessing home folder content).

If a mobile account is protected with FileVault, the user must be logged in to share files using File Sharing.


- Use master password, if available

If you select this option, the mobile account uses FileVault regardless of whether there is a master password already set.


- Require computer master password

If you select this option and there is no master password set, the user might be able to log in with a network account, depending on whether you selected 'Require confirmation before creating mobile account' in the "Create mobile account when user logs in to network account" policy.


- Restrict size

If you enable FileVault, you can restrict the size of the local home folder.

By restricting the size of the local home folder, you prevent the user's local home folder from using more space than is available in the user's network home folder. This ensures that the home folders can sync without requiring more space than is available in the network home folder.

=== Home folder location ===

You can select the location of a mobile account's local home folder or you can let the user select the location. If you select the location, choose from one of the following.


- on startup volume

The local home folder is located on the startup volume in /Users/. This is the default location where the local home folders of mobile accounts on computers with Mac OS X v10.4 and earlier are stored.


- at path specified below

The local home folder is located at the path you specify.

You can specify a different volume by entering /Volumes/DriveName/Folder/, where DriveName is the name of the volume, and Folder is the folder in the volume.

If you don't specify a volume, the location is on the startup volume.


- user chooses ...

When users with mobile accounts log in, a window appears that allows them to choose a location for the local home folder. After they choose a location, the window only appears when a mobile account is being created. You can choose which types of volumes the user is allowed to choose from:

* any volume - volumes on internal or external hard disks
* any internal volume - volumes on internal hard disks
* any external volume - volumes on external hard disks

Supported on:

Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
Value Name: MobileAccountOptions
Value Type: REG_SZ
Enabled Value: 1
Disabled Value: 0

--- FileVault ---

Encrypt contents with FileVault
Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
Value Name: EnableFileVault
Value Type: REG_SZ
Default Value: 0
True Value: 1
False Value: 0

Configure mobile account options


  1. Use computer master password, if available
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: RequireMasterPassword
    Value Type: REG_SZ
    Value: 0
  2. Require computer master password
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: RequireMasterPassword
    Value Type: REG_SZ
    Value: 1

--- Size ---

Restrict size
Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
Value Name: RestrictSize
Value Type: REG_SZ
Default Value: 0
True Value: 1
False Value: 0

Enable policy:
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
Value Name: cachedaccounts.create.maxSize
Value Type: REG_SZ
Value: fixed

fixed size (MB):

Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
Value Name: cachedaccounts.create.maxSize.fixedSize
Value Type: REG_DWORD
Default Value: 250
Min Value: 4
Max Value: 2147483647

Home folder location:


  1. on startup volume
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: cachedaccounts.create.location
    Value Type: REG_SZ
    Value: startup
  2. at path specified below
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: cachedaccounts.create.location
    Value Type: REG_SZ
    Value: path
  3. user chooses any volume
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: cachedaccounts.create.location
    Value Type: REG_SZ
    Value: userPicksVolume
  4. user chooses any internal volume
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: cachedaccounts.create.location
    Value Type: REG_SZ
    Value: userPicksInternalVolume
  5. user chooses any external volume
    Registry Hive: HKEY_CURRENT_USER
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
    Value Name: cachedaccounts.create.location
    Value Type: REG_SZ
    Value: userPicksExternalVolume

Path:

Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\MacMCX\Mobility\105
Value Name: cachedaccounts.create.location.path
Value Type: REG_SZ
Default Value:

centrify_mac_settings.admx
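
A configuration review of the values documented above, as an added example (not Centrify's code): it takes one set of policy values as a name-to-value mapping and reports the combinations this page warns about. The function name, finding texts and sample settings are constructed, and treating a missing value as 0 is an assumption where the page gives no default.

```python
# Added example. Value names and allowed values come from the registry
# reference on this page; the finding texts and SAMPLE are constructed.
LOCATIONS = {"startup", "path", "userPicksVolume",
             "userPicksInternalVolume", "userPicksExternalVolume"}
PREFIX = "cachedaccounts.create."

def review_mobile_account_policy(v):
    """Return review findings for one set of policy values (name -> value)."""
    if v.get("MobileAccountOptions", "0") != "1":
        return ["MobileAccountOptions is not 1: the policy is not enabled"]
    findings = []
    filevault = v.get("EnableFileVault", "0") == "1"   # documented default: 0
    if not filevault:
        findings.append("EnableFileVault=0: local home folders are not encrypted")
    elif v.get("RequireMasterPassword", "0") != "1":   # missing -> 0 (assumption)
        findings.append("RequireMasterPassword=0: with no master password set, "
                        "administrators cannot unlock the account")
    if v.get("RestrictSize", "0") == "1":              # documented default: 0
        if not filevault:
            findings.append("RestrictSize=1 but FileVault is off: the page "
                            "offers the size limit only with FileVault")
        size = int(v.get(PREFIX + "maxSize.fixedSize", 250))
        if not 4 <= size <= 2147483647:
            findings.append(f"fixedSize={size}: outside 4..2147483647 MB")
    loc = v.get(PREFIX + "location")                   # no documented default
    if loc is not None and loc not in LOCATIONS:
        findings.append(f"location={loc!r}: not a documented value")
    elif loc == "path":
        path = v.get(PREFIX + "location.path", "")
        if not path:
            findings.append("location=path but location.path is empty")
        elif not path.startswith("/Volumes/"):
            findings.append(f"path {path!r} names no volume: the home "
                            "folder lands on the startup volume")
    elif loc in ("userPicksVolume", "userPicksExternalVolume") and not filevault:
        findings.append(f"location={loc}: an unencrypted home folder may "
                        "end up on an external disk")
    return findings

# Constructed sample: FileVault off, user may pick an external volume.
SAMPLE = {"MobileAccountOptions": "1", "EnableFileVault": "0",
          PREFIX + "location": "userPicksExternalVolume"}

if __name__ == "__main__":
    for finding in review_mobile_account_policy(SAMPLE):
        print("-", finding)
```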
