Case in point: An information technologist at a major Southern California municipality notes, "A small percentage of our users have Macs, but they're power users, in the sense that they're constantly reconfiguring their desktop environments. They authenticate to our network via Active Directory just like Windows users and access the Internet via the same Windows ISA server firewall, but we have less need to control their specific applications compared to Windows users." It's not a perfect world, but a workable one.
The technologist continues, "We bought anti-virus for Macs, but haven't had to deploy it because Macs aren't that vulnerable if configured correctly. We don't manage patches either, because users can self-manage and patches are less important to Macs from a security standpoint. We do have one issue with Mac FTP, which isn't compatible with our Windows ISA proxy; we have to route that traffic through a separate firewall."
Another tactic is to become OS-agnostic and manage applications rather than platforms. Occam Networks, a manufacturer of fiber-to-the-home infrastructure components, sees this path ultimately rendering desktop parochialism moot. Ted Smith, the company's information systems architect, describes Occam's application management approach: "We offer users their choice of desktop -- Mac, Unix, or Windows -- and let them customize it the way they see fit. We employ platform-agnostic application delivery using Citrix and Windows Terminal Services, in which applications reside in our datacenter, not on the desktop.
"Apps like finance, ERP, CRM, and sales run remotely, totally transparently to desktop users. There are fewer security issues because you're transporting all sensitive data over an encrypted tunnel. Who cares if a desktop blows up? Just give them a new one and they're back working where they left off," says Smith.
There are management tool sets for each of these three management perspectives. But all require that you exert some effort to understand the Mac's unique capabilities to avoid managing them out of existence.
Windows-centric managers have rich tool sets from which to choose
The past two years have seen dramatic improvements to Mac OS X's Windows management interoperability. First, Mac OS X Leopard makes the Mac a player in the Windows Active Directory authentication scheme, via a plug-in that joins Macs to an Active Directory domain using Windows-hosted credentials. Macs participate in standard SMB file sharing via built-in Mac OS X connectors, and Leopard's cross-platform Directory Utility lets Macs cache credentials the same way Windows clients do and participate in resilient Active Directory forests with multiple domain controllers.
Both Leopard and its predecessor, Mac OS X 10.4 Tiger, support Apple's MP (Managed Preferences) architecture, which is akin to the Windows GPO (Group Policy Object) scheme. Both MP and GPO let you centrally control what printers, file shares, and other resources users can access, as well as enforce common security policies such as automatic logout, password-protected screen savers, removable media restrictions, network and proxy configuration, application protection, software updates, and preference locking. Out of the box, however, MP and GPO don't communicate. And Mac OS X lacks support for one critical Microsoft information interface: the Windows DFS (Distributed File System).