Discovering Privileged Accounts on Mac Devices
You can discover and add Mac devices and the accounts present in each of the devices. Navigate to Accounts >> Add >> Discover Accounts and then click Mac under Servers in the GUI to perform this step.
Note
Securden uses SSH for connecting to Mac devices. Hence, you should configure the firewall on your target devices to keep port 22 open.
Discovering from Mac devices is a two-step process.
Step 1: Establishing Connectivity
To discover computers in your network, you initially need to establish connectivity between Securden and the Mac device. For Securden to connect with Mac-based devices and discover the accounts present in them, you need to specify the IP address range of the devices and the channel through which the discovery needs to be performed.
You can discover devices from a single computer or a set of computers in an IP range.
If you choose Single Computer, you need to specify the Hostname/IP address of the target machine.
If you choose Computer in IP Range, you need to specify the IP Range of the target devices, that is, the Start IP and End IP of the range of devices to be scanned.
Once the IP addresses of the devices have been specified, you need to provide the following details.
1. Connection timeout: The maximum time in seconds Securden can attempt to establish connectivity with the devices before terminating the process.
2. Retry discovery process again: If connectivity to one or more devices cannot be established at present, Securden can attempt to connect with the devices later. You need to specify the time (in hours) after which the attempt to connect should be made.
Discovering through Remote Gateway
If the devices belong to a different network than that of the Securden server, you can route the connection through a remote gateway.
You need to select the appropriate remote gateway from the drop-down and the discovery will happen through the selected gateway.
Step 2: Enter Credentials and Discover
Once you've established connectivity with the devices, Securden needs to authenticate the connection to discover the accounts present in the devices. For this purpose, you need to specify the root account credentials or sudo (Superuser Do) user credentials. Apart from account discovery, Securden will also use the administrator credentials for remote actions like password verification and reset.
You typically need to supply two sets of credentials: one for remote login and the other to fetch the accounts and onboard them to Securden.
1. Supply remote login credentials
You need to provide the login credentials of an administrator user on the target device for Securden to log in securely. You can choose between a Password or a Public Key Infrastructure (PKI file) as the authentication type.
If you choose a password-based authentication method, you need to specify the Account Name along with the corresponding Password.
If you choose to authenticate using a PKI file, you have two options.
- Using an SSH key stored in Securden: Choose an SSH key file from the list of available keys in the drop-down menu.
- Uploading key file from your computer: If you choose to upload a file from your computer, you need to provide the passphrase required to access the file.
2. Supply privileged credentials to fetch accounts
Once the credentials for remote login are supplied, you need to specify the privileged credentials required to fetch the accounts present in the devices.
If the credentials required to fetch the accounts are the same as the credentials used for remote login, then you can select the checkbox named Use remote login credentials as specified above.
You can choose between sudo and root as the authentication type.
If you are using separate credentials for fetching accounts, you need to specify the account name and password for the same.
Important Note:
When choosing to use the same remote login credentials for fetching accounts:
- For root authentication, you need not specify the account name or the password.
- For sudo authentication:
  a. If you chose password authentication for remote login, you need not specify your account name or password.
  b. If you chose to authenticate with a PKI file in the previous step, you need to specify the password for fetching accounts.
Advanced Options
You have the option to add all the discovered accounts to a specific folder and assign them a specific account type. This reduces the effort required to classify the accounts at a later time.
- If you want to assign all the imported accounts a specific account type, you can select one from the drop-down.
- If you want to add all the imported accounts to a folder, you can select one from the drop-down. If you want to create a new folder for this purpose, you need to click on [Add Folder].
- You have the option to assign strong and unique passwords to the accounts immediately after discovery.
  If you choose this option, Securden generates passwords based on the password policy specified and assigns them to the accounts on target devices.
  Note
  The credentials used for authentication will not be randomized if this option is chosen.
Once all the required parameters have been specified, click Discover. The process takes a few minutes to complete.
Once it is completed, a complete result with a list of accounts and their status is displayed. You can view how many accounts were successfully imported.
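To cross-check the result list against what a device actually holds, the following added example (not Securden's code, and not a description of how Securden performs discovery) classifies local macOS accounts from `dscl` output. The sample output is constructed, and treating `_`-prefixed names and UIDs below 500 as system accounts is an assumption of the example.

```python
import re

# Added example, not vendor code. Sample text is constructed; on a Mac, capture it with
#   dscl . -list /Users UniqueID
#   dscl . -read /Groups/admin GroupMembership
SAMPLE_USERS = """\
_www                    70
daemon                  1
nobody                  -2
root                    0
alice                   501
bob                     502
svc_backup              503
"""
SAMPLE_ADMIN_GROUP = "GroupMembership: root alice svc_backup\n"


def parse_users(text):
    """Return {name: uid} from 'dscl . -list /Users UniqueID' output."""
    users = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\S+)\s+(-?\d+)", line.strip())
        if m:  # skip blank or malformed lines
            users[m.group(1)] = int(m.group(2))
    return users


def parse_group_members(text):
    """Return the member set from the GroupMembership line of a group record."""
    for line in text.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def classify(users, admins):
    """Bucket accounts: UID 0 or admin-group members are privileged;
    '_'-prefixed names and UIDs below 500 are system/service accounts."""
    result = {"privileged": [], "standard": [], "system": []}
    for name, uid in sorted(users.items()):
        if uid == 0 or name in admins:
            result["privileged"].append(name)
        elif name.startswith("_") or uid < 500:
            result["system"].append(name)
        else:
            result["standard"].append(name)
    return result


if __name__ == "__main__":
    print(classify(parse_users(SAMPLE_USERS), parse_group_members(SAMPLE_ADMIN_GROUP)))
```

Any account the script marks as privileged that is missing from the discovery result, or imported under an unexpected account type, is worth reviewing before relying on the inventory.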