Macs as desktops and servers are increasing their penetration in business, even in enterprises. Power users like Mac OS X's interface, bundled apps, and desktop and notebook hardware build quality. Application developers, marketers, and engineers appreciate the tool sets. Datacenter managers approve of Apple's Xserve reliability and versatility as a virtualization platform. But it's not all roses. IT managers, who ultimately must serve these communities' legitimate needs, are faced with some Mac-specific challenges.
The key to successful Mac management in the enterprise is recognition of its unique capabilities and knowing when not to treat it as just another Windows box.
Fortunately, as the Mac has doubled its enterprise presence over the last two years, it's added new management options as well. Much of that growth occurred with Apple's Mac OS X 10.5 Leopard OS, but a good deal of the credit goes to third-party tool vendors.
Your management perspective informs your Mac management strategy
Your best bet for handling Macs depends on your enterprise management perspective. Most organizations fall into one of three: strictly controlling, flexible based on user capability, and application-centric rather than platform-centric. There's a Mac management strategy for each option.
A Windows-centric management philosophy often aims to control every desktop and server at a very fine-grained level, using Windows Group Policy Objects and unified management console. The Mac can play in this arena, but only with third-party tools.
Windows' strict management posture comes from the need to tightly enforce patch management and security policies to prevent virus and other intrusions, for which Windows has a famously large attack surface. The scope of vulnerability for Macs is demonstrably much smaller, and thus Macs don't necessarily require the same detailed control. (However, the Mac does have its own security issues that you should understand.) Many organizations can take a looser approach to management for their Macs.
Case in point: An information technologist at a major Southern California municipality notes, "A small percentage of our users have Macs, but they're power users, in the sense that they're constantly reconfiguring their desktop environments. They authenticate to our network via Active Directory just like Windows users and access the Internet via the same Windows ISA server firewall, but we have less need to control their specific applications compared to Windows users." It's not a perfect world, but a workable one.
The technologist continues, "We bought anti-virus for Macs, but haven't had to deploy it because Macs aren't that vulnerable if configured correctly. We don't manage patches either, because users can self-manage and patches are less important to Macs from a security standpoint. We do have one issue with Mac FTP, which isn't compatible with our Windows ISA proxy; we have to route that traffic through a separate firewall."
Another tactic is to become OS-agnostic and manage applications rather than platforms. Occam Networks, a manufacturer of fiber-to-the-home infrastructure components, sees this path ultimately rendering desktop parochialism moot. Ted Smith, the company's information systems architect, describes Occam's application management approach: "We offer users their choice of desktop -- Mac, Unix, or Windows -- and let them customize it the way they see fit. We employ platform-agnostic application delivery using Citrix and Windows Terminal Services, in which applications reside in our datacenter, not on the desktop.
"Apps like finance, ERP, CRM, and sales run remotely, totally transparently to desktop users. There are fewer security issues because you're transporting all sensitive data over an encrypted tunnel. Who cares if a desktop blows up? Just give them a new one and they're back working where they left off," says Smith.
There are management tool sets for each of these three management perspectives. But all require that you exert some effort to understand the Mac's unique capabilities to avoid managing them out of existence.
Windows-centric managers have rich tool sets from which to choose
The past two years have seen dramatic improvements to Mac OS X's Windows management interoperability. First, Mac OS X Leopard makes the Mac a player in the Windows Active Directory authentication scheme, via a plug-in that joins Macs to an ActiveDirectory domain using Windows-hosted credentials. Macs participate in standard SMB file sharing via built-in Mac OS X connectors, and Leopard's cross-platform Directory Utility lets Macs cache credentials the same way Windows clients do and participate in resilient multiple-domain controller ActiveDirectory forests.
Both Leopard and its predecessor Mac OS X 10.4 Tiger support Apple's MP (Managed Preferences) architecture, which is akin to Windows GPO (Group Policy Object) scheme. Both MP and GPO let you centrally control what printers, file shares, and other resources users can access, as well as enforce common security policies such as automatic logout, password-protected screen savers, removable media restrictions, network and proxy configuration, application protection, software updates, and preference locking. Out of the box, however, MP and GPO don't communicate. And Mac OS X lacks support for one critical Microsoft information interface: the Windows DFS (Distributed File System).
That's where third-party tools come in. Two packages provide mapping services from GPO to MP: Thursby's ADmitMac and Centrify's DirectControl. Both have client-side components that replace Apple's Active Directory plug-in, and both supplant Apple's SMB file sharing with their own enhanced equivalents. DirectControl has a more straightforward mapping of GPO to MP, and it stores that mapping within AD itself, while ADmitMac keeps mappings in a non-ActiveDirectory file server. However, only ADmitMac's file sharing includes full support for Windows DFS, which is a key requirement in many enterprise environments. Thursby also offers DFS support in its lightweight Dave file-sharing utility.
GPO propagation is just one aspect of Windows-centric administration. Others include asset tracking, patch management, and OS image generation and deployment. Neither ADmitMac nor DirectControl address these, but other third-party products do. JAMF offers two client management suites: Casper and Recon. Casper performs hardware and software enumeration and tracking -- including software license and data encryption management -- as well as staged imaging and secure remote control. It sports a customer service portal for user self-administration, in addition to a centralized admin console with an iPhone interface. Recon is a stripped-down version of Casper, with just the asset tracking, centralized console, and iPhone components.
Avocent's LANDesk is another Windows-oriented management tool with Mac capabilities, focusing on asset tracking and OS deployment. LANDesk uses Mac OS X Server to spin out OS deployment images via Netboot or HTTP, and it can even deploy Windows OS images to Mac-hosted virtual machines. This capability is central to any platform-agnostic desktop strategy where application, rather than device, management is the goal. LANDesk lets you distribute standardized OS images pre-configured for centrally hosted applications, à la Citrix.
Symantec is a less-known player in the Mac desktop asset tracking/deployment niche with its Altiris Client Management Suite, which hasn't seen significant Mac enhancement since 2007. The Altiris Inventory Solution for Mac performs hardware and software discovery and asset tracking, while its Deployment Solution performs OS imaging via Mac OS X Server in the same way LANDesk does. Its Management Agent for Mac provides remote script scheduling, software update management, and limited policy enforcement.
Managing Macs using native tools may be a better approach
For enterprises that don't feel the need for Windows-based management, Apple's native Mac OS X management tools offer nearly an equivalent level of control that can still integrate with Windows Active Directory authentication infrastructure. In this management model, you use Mac OS X's built in Active Directory plug-in for domain authentication and SMB support for file and printer sharing, but depend on Mac OS X's Open Directory and Managed Preferences (MP) architectures for policy enforcement. You run one or more instances of Mac OS X Server, which provides MP controls in its Workgroup Manager interface. You must manually synchronize user groups between ActiveDirectory and Open Directory, but then ActiveDirectory user accounts automatically populate their corresponding Open Directory groups.
Alternatively you can configure the Open Directory server as an ActiveDirectory "stub," which eliminates the group synchronization chore but limits your MP choices to those that have a corresponding ActiveDirectory policy.
Apple's Screen Sharing service provides a convenient remote control interface for Mac OS X support. Screen Sharing is essentially VNC under the covers, so you can readily share screens from a Windows box via free VNC clients such as TightVNC, although you lose some of Screen Sharing's fancier features like scaling and autoscrolling.
Similarly, Apple's Time Capsule provides a sophisticated centralized backup system, with users able to retrieve files at will through Mac OS X's powerful Time Machine graphical browser. Alternatively, traditional backup products support Macs as well: Symantec Backup Exec, which backs up xServe storage that in turn contains desktop backups, and EMC Retrospect, an end-to-end desktop backup product. The future, however, may belong to cloud backup tools like Jungle Disk, which saves to Amazon's Simple Storage Service.
The future of management may not revolve around the desktop
If Occam's Ted Smith is on the right track, desktop-oriented administration may be nearing the end of its life as a management strategy. Occam's application virtualization approach reduces desktop management chores to basic security and patch control, with application security and configuration residing in the datacenter. Desktops are little more than disposable terminals to those applications, with users free to tailor their individual workstation with personal productivity tools. Another possible future is full desktop virtualization, in which the user's access device is a mere thin client with the desktop stored and executed on a datacenter-resident virtual machine.
That future is still a few years distant, though, and Mac proliferation is not waiting for it. To service user demand for Macs in the near term, avoid treating the Mac as just another Windows box. By recognizing the Mac's unique advantages -- which is what draws users to it in the first place -- you'll be better positioned to select from the rich and growing palette of Mac management tools.