Deploying and supporting Macs presents distinct challenges, particularly in organizations where Macs are in the minority or are being introduced for the first time. As with many aspects of IT, having the right tool for the job is the key to managing a new or existing population of Apple desktops and notebooks.
The good news is that there are many tried and true solutions for handling common Mac deployment and management tasks. The better news is that many of the best are available for free, whether from Apple, as open source projects, or as free/donationware creations of other Mac administrators and IT professionals.
Here you will find the top 22 tools -- most of them free -- for managing the Macs in your IT environment. As you'd expect, the list focuses on the core areas of systems administration: deployment, client management, and directory integration. If I missed a favorite free Mac tool, please highlight it in the comments below.
If you have more than a couple of Macs to deal with, you'll need an easy way to configure them. For monolithic imaging, the process by which you create a snapshot of one workstation and copy it to others, nothing beats Apple's Disk Utility and Apple Software Restore, both of which are included free with every Mac OS X install.
Disk Utility comes as both a GUI tool and the diskutil command-line tool. It is equipped with plenty of local disk management functions, including partitioning, formatting, integrity checking, and repair. It also offers the ability to clone volumes and create disk images using the .dmg format, which makes it perfect for capturing a configured volume for monolithic imaging.
Apple Software Restore, which is available only from the command line as asr, allows you to locally or remotely deploy disk images to one or more clients. It can be used to image a Mac from a disk image on a local drive, a network share, or a multicast stream (the best option for mass deployments). When used for multicast streaming, one Mac hosts the stream via asr commands for others to join. As you might expect, any client imaged using asr must be booted from a source other than the destination volume, such as an external hard drive, a flash drive, or a bootable network volume.
While Disk Utility and ASR provide the backbone for Mac deployment, either individually using an external drive/unicast network connection or a multicast stream, there are several tools to speed up, automate, and improve your workflow for capturing a source image, preparing it for use with ASR, and initiating deployment. Be sure to check out SuperDuper and Carbon Copy Cloner for image capture and basic single-Mac deployment, and Blast Image Config for setting up ASR sessions.
Building off of Apple's free image-based offerings are two features of the company's Mac OS X Server: NetInstall and NetRestore.
Network booting has been a staple since OS X Server debuted, and Apple has built off the NetBoot concept with NetInstall and NetRestore, both of which allow servers to host boot volumes, thereby enabling clients to boot directly from the network based on your deployment options.
NetInstall is designed for booting into the OS X installer utility and allows admins to configure options for a traditional OS X install. (It is not monolithic imaging per se, though that is possible.) It also performs pre- and post-install tasks such as disk partitioning, directory binding, and application installation.
NetRestore is designed around ASR and provides a broader range of options for monolithic imaging. It can be configured to automatically deploy specific images or to allow clients to select from available images. As with NetInstall, many deployment-related tasks can be included in the NetRestore process.
Both NetInstall and NetRestore come with the current release of Lion Server and require no client or usage license beyond the cost of Lion Server (a $49 add-on to the $29 Lion).
Heterogeneous organizations looking to standardize on a single deployment tool should check out DeployStudio, a freeware monolithic imaging solution for Mac and Windows clients.
DeployStudio offers local disk deployment, network deployment, and multicasting. It comes equipped with solid image management and client selection tools, integrates with Apple's NetBoot, and provides excellent deployment monitoring, all of which make it a great deployment workflow management solution. The biggest drawback -- if you can consider it a drawback -- is that it relies on OS X Server to create a complete network-based solution, including both boot and deployment.
Apple's package (.pkg) and metapackage (.mpkg) files are the primary software installation mechanisms in OS X. While these are typically installed by a user, OS X supports package deployment without user intervention -- for example, by adding packages to a NetInstall workflow.
Organizations looking to deploy packages over a network should check out donationware StarDeploy and open source Munki. These network-based solutions, along with the commercial Apple Remote Desktop, allow admins to deploy packages in the background; they're excellent updating tools as well.
Because packages are simply a series of files along with instructions for their ultimate location in a Mac's file system, you can easily configure non-application packages for deploying configuration files and documents. Coupled with StarDeploy or Munki, this method makes it easy to add, remove, or update almost any item over the network, including browser bookmarks, security certificates, and default system or application settings.
(Note: Adobe doesn't use Apple's package format, but Munki does support remote install of Adobe applications.)
If you're going to deploy non-application packages, you'll need a tool to create them. Apple's PackageMaker is a great tool for this, and it is included with the company's Xcode developer suite, which is free and available via the Mac App Store.
Intended for use by developers to create install packages, PackageMaker provides admins with an easy way to build packages to push out to clients on their network. As noted above, these packages can be almost anything you want to deploy to a range of client devices, including documents.
Two free alternatives are openly available, but not quite as developer-friendly: the open source Iceberg and the free InstallEase, which was developed as a companion to the Absolute Manage client management suite.
Admins looking to edit system and application preferences will want to turn to Property List Editor, a GUI tool for editing the XML .plist preference files. A similar free tool, Plist Editor, is available for modifying these files from Windows machines. You may, however, find modifying preferences from within an app and copying the resulting .plist files an easier process than using these tools.
File Distributor is a slightly different form of deployment tool. It allows admins to replace files at various locations within a file system. You can even make use of wild cards to specify multiple locations. This is particularly helpful if you are using network home directories and need to deploy documents or configuration files across multiple user accounts.
Another deployment tool worth investigating is the commercial FileWave. This Mac/Windows tool can be used to dynamically manage application installations across your network. FileWave's approach has advantages for license compliance and reclamation, as well as flexibly deploying and redeploying applications as needed.
Creating a functional, secure environment requires more than just rolling out computers and software. Global accounts stored in a secure directory service, single sign-on, the ability to secure network and local resources, and the ability to preconfigure and manage the user experience on any workstation are all critical. The undisputed leader in directory services, even in Mac environments, is Microsoft's Active Directory. Thankfully, many worthwhile tools for integrating with Active Directory are available, beginning with Apple's Active Directory client and Directory Utility.
OS X's built-in Active Directory client allows you to join an Active Directory domain, and it supports secure access to resources and single sign-on via Kerberos. Moreover, it doesn't require downgrading security levels, and it allows account synchronization for off-network access.
The client can be accessed using the Users and Groups pane of OS X Lion's System Preferences app (called the Accounts pane in older OS X releases). Detailed configuration, including account and home directory sync, preferred domain controllers, and so forth, can be performed using the included Directory Utility.
It's worth noting, however, that Apple's AD client has limitations. For example, it doesn't support client management of any kind beyond basic password policies. It also doesn't support DFS browsing. There are some issues specific to various releases, including Lion.
OS X may support Active Directory, but Apple's native directory is an LDAP-based solution called Open Directory.
Open Directory domains, hosted by OS X Server, give centralized accounts all the advantages that Active Directory delivers for Windows, including secure Kerberos single sign-on and client management. The client management system, referred to as Managed Preferences (abbreviated MCX), is entirely LDAP-based and allows for user-, group-, and computer-based management of Mac clients that rivals the capabilities of Group Policies in Active Directory.
In a dual-directory setup, Mac clients can be joined to both Open Directory and Active Directory, allowing for secure access to AD accounts and resources but with complete Open Directory client management applied.
In Lion Server, Apple introduced a new Profile Manager feature that supports iOS device management and Mac client management without the need for a directory service. This alternative offers the core security client management features with a simplified setup, though it is device/client-specific rather than more granular at the user or group level.
If adding a second directory isn't an option (it can often be a challenge), the fact that Apple's MCX architecture is completely LDAP-based offers an alternative: extend the Active Directory schema to support the Apple-specific attributes.
Microsoft's Active Directory Schema Analyzer is a great tool for generating the needed LDIF files. Once the schema is extended, Apple's free Workgroup Manager tool (part of OS X Server's administration utilities) can be installed on a Mac and pointed to an Active Directory domain, where it can manage some basic user account details and configure the full range of Apple's Managed Preferences.
Apple's solutions are good for Active Directory integration, but they aren't perfect. In some cases, Apple's AD client may have issues with a specific Active Directory environment, while in others, some features just don't have full parity or may not even be available (DFS is a great example). For these situations, there are worthwhile third-party options, some of which are available for free.
If you want to integrate client management capabilities without the complexity of using either a dual-directory setup or schema extensions, Centrify's DirectControl and PowerBroker Identity Services Enterprise Edition are worth considering, along with Thursby's ADmitMac. ADmitMac may be particularly appealing for small Mac populations because it is a solely client-side solution that includes DFS support.
Apple Remote Desktop is the Swiss Army knife of Mac IT tools. Its robust feature list includes the ability to monitor the use of remote Mac computers (overall status, current application and user, full- or thumbnail-screen viewing), share screens for troubleshooting and user assistance, control a Mac without allowing users to see your actions, send global message alerts, message with users, deploy packages and individual files in the background, send Unix commands in the background, and remote startup/shutdown.