The Lockdown

Thycotic’s Cyber Security Blog

Mac Launcher Deep Dive: What You Need To Know

Written by Ben Yoder

May 10th, 2016

One of the most requested features of all time on our feature vote tracker has been native support for a Mac OS X session launcher with the same capabilities and functionality as the Windows launchers. You asked and we answered: Secret Server 9.0 includes the first version of the Mac launchers. Here’s everything you need to know about getting started with Mac launchers in your environment.

Mac Session Launchers

The session launchers for Mac are very similar to the Windows session launchers. The architecture consists of a protocol handler client that must be installed on the OS X workstation; it recognizes when a user clicks a launcher in Secret Server and opens the session.

If you don’t have the protocol handler, Secret Server will detect that the launcher didn’t work and will prompt you to download it.

Protocol Handler Failure to Launch Notification in Secret Server

Download and run the OS X application, and the wizard will guide you step by step through installing the protocol handler.

After installation, you should be able to open SSH and Remote Desktop sessions from Secret Server. Just like on the Windows side, no additional software should be needed for SSH and RDP sessions. Secret Server will open SSH sessions in Terminal, and the protocol handler packages a version of the FreeRDP utility for remote desktop connections.

Secret Server SSH session in Terminal

When connecting to a server or the Secret Server proxy for the first time, you will be prompted to trust the host key as a security measure to prevent connecting to an unrecognized server.

Trust host key notification in Secret Server

Once you trust the host key, it will be placed in your authorized keys file, and you won’t be prompted again for that server.

You can use the Mac session launchers the same way as the Windows launchers, including session proxying, session recording, and session monitoring.

Custom Launchers

One area that requires additional configuration is custom launchers. On the Windows side, these can be configured either by passing in command-line arguments or by running an application as an identity, such as an MMC snap-in or a PowerShell script run as a domain user.

With the Mac custom launchers, you can pass in parameters or upload a shell script to run. For example, if you wanted to run SecureCRT as your preferred SSH launcher, you would specify the application path and then the process arguments for the application. You can set different ways to launch the app on Windows and Mac, so both environments can use SecureCRT, and Secret Server knows how to start it on each platform.

Mac Settings in Secret Server

Shell scripting is another option for running custom processes on the Mac. Just create a shell script and specify the shebang line, such as #!/bin/sh or #!/usr/bin/python, and the Mac will run the script using the specified program. So you can create a Python script to run a utility or call out to AppleScript to automate a login to a GUI.
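A custom launcher script of this kind, as an added example that is not part of the original post or of Secret Server itself: it validates the values it receives before handing them to ssh, so a malformed host or username can never be read as a command-line option. It assumes the launcher is configured to pass host, username and port as positional arguments; that order and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: custom Mac launcher script (not Thycotic's code).
# Assumption: the launcher passes <host> <user> [port] as positional arguments.

# Hostname/IP characters only; an empty value or a leading '-' is rejected
# so the value cannot be parsed by ssh as an option.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    return 0
}

# Conservative account-name character set, same leading '-' rule.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Digits only, at most five of them, and within 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeeds only if every parameter is well formed; port defaults to 22.
check_params() {
    valid_host "$1" && valid_user "$2" && valid_port "${3:-22}"
}

launch() {
    check_params "$@" || { echo "launcher: rejected parameters" >&2; return 64; }
    # StrictHostKeyChecking=ask keeps the first-connection host key prompt;
    # '--' ends option parsing before the host argument.
    exec ssh -o StrictHostKeyChecking=ask -p "${3:-22}" -l "$2" -- "$1"
}

# Run only when arguments were supplied, so the file can also be sourced.
[ "$#" -eq 0 ] || launch "$@"
```
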

Going forward, we will be adding new features and enhancements to the Mac launcher based on user feedback. If there are built-in launchers you’d like to see, please let us know in the comment section below.
