Managing Macs

Macs as desktops and servers are increasing their penetration in business, even in enterprises. Power users like Mac OS X's interface, bundled apps, and desktop and notebook hardware build quality. Application developers, marketers, and engineers appreciate the tool sets. Datacenter managers approve of Apple's Xserve reliability and versatility as a virtualization platform. But it's not all roses. IT managers, who ultimately must serve these communities' legitimate needs, are faced with some Mac-specific challenges.

The key to successful Mac management in the enterprise is recognition of its unique capabilities and knowing when not to treat it as just another Windows box.

“Apps like finance, ERP, CRM, and sales run remotely, totally transparently to desktop users. There are fewer security issues because you're transporting all sensitive data over an encrypted tunnel. Who cares if a desktop blows up? Just give them a new one and they're back working where they left off,” says Smith.

There are management tool sets for each of these three management perspectives. But all require that you exert some effort to understand the Mac's unique capabilities to avoid managing them out of existence.

Windows-centric managers have rich tool sets from which to choose

The past two years have seen dramatic improvements to Mac OS X's Windows management interoperability. Mac OS X Leopard makes the Mac a full participant in Windows Active Directory authentication, via a plug-in that joins Macs to an Active Directory domain using Windows-hosted credentials. Macs participate in standard SMB file sharing via built-in Mac OS X connectors, and Leopard's cross-platform Directory Utility lets Macs cache credentials the same way Windows clients do and participate in resilient multiple-domain-controller Active Directory forests.

Both Leopard and its predecessor Mac OS X 10.4 Tiger support Apple's MP (Managed Preferences) architecture, which is akin to the Windows GPO (Group Policy Object) scheme. Both MP and GPO let you centrally control what printers, file shares, and other resources users can access, as well as enforce common security policies such as automatic logout, password-protected screen savers, removable media restrictions, network and proxy configuration, application protection, software updates, and preference locking. Out of the box, however, MP and GPO don't communicate. And Mac OS X lacks support for one critical Microsoft information interface: Windows DFS (Distributed File System).

That's where third-party tools come in. Two packages provide mapping services from GPO to MP: Thursby's ADmitMac and Centrify's DirectControl. Both have client-side components that replace Apple's Active Directory plug-in, and both supplant Apple's SMB file sharing with their own enhanced equivalents. DirectControl has a more straightforward mapping of GPO to MP, and it stores that mapping within AD itself, while ADmitMac keeps mappings on a non-Active Directory file server. However, only ADmitMac's file sharing includes full support for Windows DFS, which is a key requirement in many enterprise environments. Thursby also offers DFS support in its lightweight Dave file-sharing utility.

GPO propagation is just one aspect of Windows-centric administration. Others include asset tracking, patch management, and OS image generation and deployment. Neither ADmitMac nor DirectControl addresses these, but other third-party products do. JAMF offers two client management suites: Casper and Recon. Casper performs hardware and software enumeration and tracking — including software license and data encryption management — as well as staged imaging and secure remote control. It sports a customer service portal for user self-administration, in addition to a centralized admin console with an iPhone interface. Recon is a stripped-down version of Casper, with just the asset tracking, centralized console, and iPhone components.

Avocent's LANDesk is another Windows-oriented management tool with Mac capabilities, focusing on asset tracking and OS deployment. LANDesk uses Mac OS X Server to spin out OS deployment images via Netboot or HTTP, and it can even deploy Windows OS images to Mac-hosted virtual machines. This capability is central to any platform-agnostic desktop strategy where application, rather than device, management is the goal. LANDesk lets you distribute standardized OS images pre-configured for centrally hosted applications, à la Citrix.

Symantec is a less-known player in the Mac desktop asset tracking/deployment niche with its Altiris Client Management Suite, which hasn't seen significant Mac enhancement since 2007. The Altiris Inventory Solution for Mac performs hardware and software discovery and asset tracking, while its Deployment Solution performs OS imaging via Mac OS X Server in the same way LANDesk does. Its Management Agent for Mac provides remote script scheduling, software update management, and limited policy enforcement.

Managing Macs using native tools may be a better approach

For enterprises that don't feel the need for Windows-based management, Apple's native Mac OS X management tools offer nearly an equivalent level of control and can still integrate with a Windows Active Directory authentication infrastructure. In this management model, you use Mac OS X's built-in Active Directory plug-in for domain authentication and its SMB support for file and printer sharing, but depend on Mac OS X's Open Directory and Managed Preferences (MP) architectures for policy enforcement. You run one or more instances of Mac OS X Server, which provides MP controls in its Workgroup Manager interface. You must manually synchronize user groups between Active Directory and Open Directory, but then Active Directory user accounts automatically populate their corresponding Open Directory groups.

Alternatively, you can configure the Open Directory server as an Active Directory “stub,” which eliminates the group synchronization chore but limits your MP choices to those that have a corresponding Active Directory policy.
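Whichever model you pick, the Mac's own Active Directory binding is the piece an administrator should verify: that credentials are cached for roaming users and that directory traffic is signed and encrypted. The following audit script is an added example, not code from the article or from Apple; it parses the `setting = value` report that `dsconfigad -show` prints, and the sample report and its exact layout are constructed assumptions, so feed it real output from the command.

```python
"""Audit the Active Directory binding that dsconfigad -show reports.
Added example, not from the article; the report below is constructed and
its layout is an assumption, so feed it real `dsconfigad -show` output."""
import re

SAMPLE_REPORT = """\
You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-lab01$
Advanced Options - User Experience
  Create mobile account at login   = Disabled
Advanced Options - Administrative
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 14
"""

LINE_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*?)\s*$")

def parse_report(text):
    """Map each 'setting = value' line of the report to a dict entry."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("val")
    return settings

def audit(settings):
    """Return findings about the binding; an empty list means it looks sane."""
    if "Active Directory Domain" not in settings:
        return ["not bound to Active Directory"]
    findings = []
    # Mobile accounts cache domain credentials so users can log in off-network.
    if settings.get("Create mobile account at login") != "Enabled":
        findings.append("mobile accounts disabled: domain credentials are not cached")
    # 'allow' merely negotiates protection; only 'require' refuses unprotected sessions.
    for key in ("Packet signing", "Packet encryption"):
        if settings.get(key, "").lower() != "require":
            findings.append(f"{key} is '{settings.get(key)}', expected 'require'")
    # The computer account password should rotate; 0 disables rotation entirely.
    raw = settings.get("Password change interval", "0")
    interval = int(raw) if raw.isdigit() else 0
    if interval == 0 or interval > 30:
        findings.append(f"computer password change interval is {interval} days")
    return findings

def audit_live():
    """Run dsconfigad on a real Mac OS X host and audit its live report."""
    import subprocess
    out = subprocess.check_output(["dsconfigad", "-show"], text=True)
    return audit(parse_report(out))
```

Run `audit_live()` on a bound Mac to get findings for that host; the thresholds in `audit` are the example's own choices, not Apple's defaults.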

Apple's Screen Sharing service provides a convenient remote control interface for Mac OS X support. Screen Sharing is essentially VNC under the covers, so you can readily share screens from a Windows box via free VNC clients such as TightVNC, although you lose some of Screen Sharing's fancier features like scaling and autoscrolling.

Similarly, Apple's Time Capsule provides a sophisticated centralized backup system, with users able to retrieve files at will through Mac OS X's powerful Time Machine graphical browser. Alternatively, traditional backup products support Macs as well: Symantec Backup Exec, which backs up Xserve storage that in turn contains desktop backups, and EMC Retrospect, an end-to-end desktop backup product. The future, however, may belong to cloud backup tools like Jungle Disk, which saves to Amazon's Simple Storage Service.

The future of management may not revolve around the desktop

If Occam's Ted Smith is on the right track, desktop-oriented administration may be nearing the end of its life as a management strategy. Occam's application virtualization approach reduces desktop management chores to basic security and patch control, with application security and configuration residing in the datacenter. Desktops are little more than disposable terminals to those applications, with users free to tailor their individual workstation with personal productivity tools. Another possible future is full desktop virtualization, in which the user's access device is a mere thin client with the desktop stored and executed on a datacenter-resident virtual machine.

That future is still a few years distant, though, and Mac proliferation is not waiting for it. To service user demand for Macs in the near term, avoid treating the Mac as just another Windows box. By recognizing the Mac's unique advantages — which is what draws users to it in the first place — you'll be better positioned to select from the rich and growing palette of Mac management tools.
