Device-based management using Lion Server's Profile Manager
With Lion Server, Apple has introduced Profile Manager, a directory-independent alternative to Managed Preferences. Less of a client management solution than a mobile device management tool, Profile Manager offers the ability to manage both Mac workstations and iOS devices. However, as opposed to Managed Preferences, Profile Manager is device-focused. This enables IT to enroll devices (iPhones, iPads, Macs) and apply policies to them, but these policies are not applied based on user accounts or group membership -- just devices.
Being device-focused, Profile Manager doesn't allow anywhere near the granularity of Managed Preferences or third-party solutions. It simply covers the core needs of client management and allows for self-enrollment by users through a Web-based interface that supports SCEP. When policies are updated, Apple's push notification system alerts enrolled devices to download the update. This combination makes Profile Manager worth considering as part of a BYOD program, particularly if you will also be supporting employees' iOS devices.
Profile Manager is easy to implement. There's no need to worry about schema extensions or multiple directories. If your organization requires minimal Mac management beyond the integration offered by Apple's Active Directory plug-in, Profile Manager may be worth a look. Keep in mind that Profile Manager requires Lion Server, and it supports only Macs running Lion. Scalability depends on the underlying Web server implementation, and multiple Profile Manager servers can be used to distribute load. With Apple's cancelation of the 1U rack-mounted Xserve hardware last fall, ensuring a scalable solution may be difficult, limiting the capability of Profile Manager in many, but not all, environments.
Monolithic imaging vs. package-based Mac deployment
There are two core ways to roll out and update Mac workstations, as there are with Windows PCs. The first is to capture a snapshot of a system to a disk image file, then push that image out to each workstation, either over a network or locally by a connected drive. The advantage of this monolithic-imaging approach is that, once a machine has had an image deployed to it, all software is installed and all configurations are preset.
The other option is package based. You start with a base system (either a stock system from Apple or a minimally configured system image), then deploy additional software or configuration files after the fact. This approach is advantageous when deploying Macs with a variety of application and configuration needs, as it eliminates the need to maintain a large number of images. It also allows you to simply add packages to an install workflow without having to edit or re-create your original system image.
Macs offer one distinct advantage over Windows-based PCs when it comes to monolithic imaging: Because Apple produces both the operating system and hardware, OS X is highly portable. A single image can be rolled out to a variety of Macs and be perfectly functional without further adjustment, providing that the hardware is not significantly newer than the OS X release in the image.
Package installation and patch management
OS X relies on specific file types to install software and updates, much like Microsoft's .msi format. These package (.pkg) or metapackage (.mpkg) files are read by the OS X Installer service, which installs the bundled executables and support files in the requisite file system directory, usually /Library or /System/Library. This can occur manually, when package files are opened on a Mac, or it can occur unattended or in the background using a variety of tools.
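As an added example (not from the article), a small shell wrapper that refuses an unattended `installer` run unless `pkgutil --check-signature` reports a package signed by the expected Developer ID team; the Team ID and the sample pkgutil output below are constructed placeholders, not captured from a real package.

```shell
#!/bin/sh
# Added example: gate an unattended .pkg install on the package's code signature.
# Assumptions: the Team ID passed in is a hypothetical placeholder, and the
# sample outputs at the bottom are constructed to mimic pkgutil's format.

# Read the text of `pkgutil --check-signature` from stdin. Return 0 only if the
# package is signed, not flagged as untrusted, and the leaf certificate is a
# "Developer ID Installer" certificate carrying the expected Team ID.
signature_ok() {
    team_id="$1"
    out=$(cat)
    # Unsigned packages report "Status: no signature"; fail closed on anything
    # whose status line does not begin with "signed".
    printf '%s\n' "$out" | grep -q '^ *Status: signed' || return 1
    # Fail closed if the status mentions an untrusted certificate.
    printf '%s\n' "$out" | grep -q '^ *Status:.*untrusted' && return 1
    # The leaf certificate line names the vendor and Team ID in parentheses.
    printf '%s\n' "$out" | grep -q "Developer ID Installer: .*($team_id)" || return 1
    return 0
}

# Install a package unattended to the boot volume, but only after the signature
# check above passes. Both pkgutil and installer ship with OS X.
install_pkg_if_trusted() {
    pkg="$1"
    team_id="$2"
    if pkgutil --check-signature "$pkg" | signature_ok "$team_id"; then
        installer -pkg "$pkg" -target /
    else
        echo "refusing to install $pkg: signature check failed" >&2
        return 1
    fi
}

# Constructed sample outputs used to exercise signature_ok offline.
SIGNED_SAMPLE='Package "Example.pkg":
   Status: signed by a certificate trusted by OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

UNSIGNED_SAMPLE='Package "Example.pkg":
   Status: no signature'
```

Run `install_pkg_if_trusted /path/to/Example.pkg ABCDE12345` from a deployment script; the pkg is only handed to `installer` when the vendor's Team ID matches the one you expect.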