Agent Integration with Users Catalog Solution Architecture

The Users Catalog integrates with enterprise identity providers (such as Microsoft Entra ID (Azure AD), Okta, and others) to ingest user-related information, including group memberships.

See Users Catalog.

The endpoint agent leverages this integration to retrieve enriched user data (e.g., group memberships, risk score, and other attributes).

Data Flow

The following describes the data flow between the Users Catalog and the endpoint agent. This process runs periodically so that the identity data on the agent stays current.

  • The Users Catalog synchronizes with the organization’s identity provider.

  • The endpoint agent collects user identity data from the device. (On macOS, identity extraction requires the Kerberos SSO extension.)

  • The agent sends user identity attributes (username + domain) to the Users Catalog.

  • The Users Catalog correlates the user with directory data.

  • Enriched attributes (e.g., groups, risk score) are returned to the agent.

  • The agent enforces prevention rules using this enriched context.

By default, user and group objects are synchronized every 12 hours, and group memberships every 24 hours. If Entra ID Audit Logs are enabled, directory changes are processed much sooner and are typically reflected within minutes, rather than waiting for the next scheduled synchronization cycle.

Identity Service Integration with Users Catalog

Identity services (e.g., Azure/Entra ID, Okta) can be integrated with the Users Catalog. The following integration methods enable synchronization of users and group memberships into the Users Catalog.


Identity Services and Kerberos (Windows vs. macOS)

In enterprise environments, identity services are central to managing access across both Windows and macOS devices. Organizations rely on Kerberos as a foundational protocol to integrate these platforms into a unified authentication framework.

Windows systems natively leverage Kerberos through Active Directory, enabling seamless and transparent authentication to enterprise resources.

macOS devices, however, require explicit integration to participate in the same ecosystem. This is typically achieved using the Kerberos SSO extension, which enables macOS to interoperate with enterprise identity services.

The Kerberos SSO extension allows Macs to automatically obtain and renew Kerberos tickets based on the user’s login, enabling secure, password-free access to corporate services such as file shares, internal websites, and email. This approach reduces authentication prompts, enhances security, and ensures a consistent single sign-on experience across platforms.


macOS Agent and Kerberos SSO Extension

On macOS, the Kerberos SSO extension connects the device to the identity service and provides the foundation for user identification. The endpoint agent integrates with this extension to extract key identity attributes, such as username and domain, from the Kerberos ticket. These attributes are then used to accurately identify and correlate the user within the Users Catalog. (See Agent Integration with Users (Identity) Catalog Configuration.)
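The following is an added example, not code from the product or vendor this page describes, showing the two steps the Data Flow section and the macOS section outline: extracting username and domain from a Kerberos user principal (the `name[/instance]@REALM` form, with the realm after the last unescaped `@`), correlating that pair against a directory catalog, and evaluating a prevention rule on the returned groups and risk score. The catalog contents, the rule, the `synced_at` freshness check (keyed to the 24-hour default group-membership cadence stated above), and all names are constructed assumptions for illustration; a real Users Catalog is queried through the product's own integration, not a local dictionary.

```python
"""Added example (not the product's own code): Kerberos principal -> catalog
correlation -> prevention-rule decision. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_kerberos_principal(principal: str) -> tuple[str, str]:
    """Split 'name[/instance]@REALM' into (username, domain), both lower-cased.

    The realm follows the last unescaped '@'; a backslash escapes the next
    character inside the name. Service principals ('host/fqdn@REALM') are
    rejected because only a user principal identifies an interactive user.
    """
    at, i = -1, 0
    while i < len(principal):
        if principal[i] == "\\":      # skip the escaped character
            i += 2
            continue
        if principal[i] == "@":
            at = i
        i += 1
    if at <= 0 or at == len(principal) - 1:
        raise ValueError(f"principal has no realm: {principal!r}")
    name, realm = principal[:at].replace("\\@", "@"), principal[at + 1:]
    if "/" in name:
        raise ValueError(f"service principal, not a user: {principal!r}")
    return name.lower(), realm.lower()


@dataclass(frozen=True)
class CatalogUser:               # hypothetical directory record
    username: str
    domain: str
    groups: frozenset
    risk_score: int
    synced_at: datetime          # when group membership was last synchronized


@dataclass(frozen=True)
class Enrichment:
    found: bool
    groups: frozenset = frozenset()
    risk_score: Optional[int] = None
    stale: bool = False          # older than the assumed sync cadence


GROUP_SYNC_INTERVAL = timedelta(hours=24)   # default group-membership cadence


def correlate(catalog: dict, username: str, domain: str, now: datetime,
              max_age: timedelta = GROUP_SYNC_INTERVAL) -> Enrichment:
    """Look up username@domain (case-insensitive) and flag stale memberships."""
    user = catalog.get(f"{username.lower()}@{domain.lower()}")
    if user is None:
        return Enrichment(found=False)
    return Enrichment(True, user.groups, user.risk_score,
                      stale=now - user.synced_at > max_age)


@dataclass(frozen=True)
class PreventionRule:            # hypothetical rule shape
    name: str
    block_groups: frozenset
    max_risk: int


def evaluate(rule: PreventionRule, enr: Enrichment) -> str:
    """Return 'block', 'allow', or 'fallback' (no enrichment available)."""
    if not enr.found:
        return "fallback"        # agent falls back to non-identity rules
    if enr.groups & rule.block_groups:
        return "block"
    if enr.risk_score is not None and enr.risk_score > rule.max_risk:
        return "block"
    return "allow"


# Constructed sample catalog and rule (not real data).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_CATALOG = {
    "jdoe@corp.example.com": CatalogUser(
        "jdoe", "corp.example.com", frozenset({"Finance", "All-Staff"}), 20,
        NOW - timedelta(hours=3)),
    "admin1@corp.example.com": CatalogUser(
        "admin1", "corp.example.com", frozenset({"Domain Admins"}), 85,
        NOW - timedelta(hours=30)),   # last sync beyond the 24h cadence
}
RULE = PreventionRule("block-high-risk", frozenset({"Contractors"}), max_risk=70)


def decide(principal: str, catalog: dict = SAMPLE_CATALOG,
           rule: PreventionRule = RULE, now: datetime = NOW) -> tuple[str, bool]:
    """End-to-end: parse the ticket principal, enrich, decide; also report staleness."""
    username, domain = parse_kerberos_principal(principal)
    enr = correlate(catalog, username, domain, now)
    return evaluate(rule, enr), enr.stale


if __name__ == "__main__":
    for p in ("jdoe@CORP.EXAMPLE.COM", "admin1@CORP.EXAMPLE.COM", "ghost@CORP.EXAMPLE.COM"):
        print(p, "->", decide(p))
```

The `stale` flag is the caveat worth carrying into a real deployment: between synchronization cycles a user removed from a group (or whose risk score rose) is still evaluated against the cached attributes, which is why the page notes that enabling Entra ID Audit Logs shortens that window to minutes.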


Kerberos SSO Extension Resources


Related Topic:

User Catalog IDs and Cross-Identifier Activity Tracking