The truth about Macs in the enterprise

Security, manageability, and lower TCO are why Macs should comprise 10 to 25 percent of your work PCs

Jason Snell

When I said last week that Windows 10 won't save the PC, some Windows-addled IT folks said I was secretly suggesting that enterprises replace their PCs with Macs. That wasn't my intent, but those comments made me think about where the Mac fits in the enterprise and what causes so many IT organizations to be so emotionally opposed to having non-Windows PCs in their companies.

The truth is not black and white, but the following are true, even if many IT shops remain willfully ignorant of the facts and hang on to Mac realities and stereotypes from the 1990s:

  • Macs are more secure out of the box than Windows PCs.
  • Macs can be managed at scale.
  • Macs provide an operational recovery option that an all-Windows environment doesn't.
  • Macs do what most people need, though there are critical corporate needs that only Windows apps serve. 
  • Macs cost the same as business-class PCs, and their total cost of ownership (TCO) is usually lower.
  • An all-Mac environment is as unreasonable as an all-Windows one.
  • Windows PCs, running Windows 7 today and Windows 10 in a few years, will remain the standard computing device for the majority of users.

Who needs a Mac

The bottom line: Executives and road warriors are the best candidates for Mac use in a company, in addition to the historic Mac enclaves of application development and creative functions such as marketing and design. Why? Because Macs are better suited to thwarting phishing and other attacks on these sensitive users' systems and for operating outside your network.

"Regular" office workers should be given a choice as to whether to use Windows or OS X, if their job requirements are satisfied by either platform. Why? Because having a certain percentage of non-Windows users provides a fail-over capability in case of a malware or hacking meltdown, as well as lets some users work with devices they are more comfortable with.

A good metric is that about 15 to 25 percent of employees should be using a Mac, with the higher percentage aimed at companies that focus on software and creative work. For example, Cisco Systems, once adamantly an anti-Mac company, now has about 20 percent of its users on Macs (that's 35,000 Macs), a feat that turned out to be easily accomplished and did not increase IT resource needs. (I hear similar stats from CIOs I meet at conferences, though so few companies use Macs to any scale that all I can offer are such anecdotes, rather than statistical "proof.")

The Mac aids your security and recovery needs

It still shocks me how much time and money IT organizations spend on securing Windows PCs, such as for incessant antivirus updates and frequent infection-cleanup efforts, for managing backups and encryption, and for dealing with dozens of often problematic fixes every month in the infamous Patch Tuesday releases.

Windows has lots of security and management APIs, of course, which let IT go to town in securing and managing Windows PCs using tools like System Center -- at a huge cost. Gartner estimates that IT organizations spend $2,000 to $2,300 per user per year to manage and secure their Windows PCs. Yikes!

Management tools. The good news is that you can manage Macs for the same or lower cost, depending on the approach you take. The more Windows-like your management approach, the more it will cost to manage your Macs. From high to low cost: 

  • Microsoft's System Center supports Macs running OS X Yosemite if running a Microsoft configuration client. There are also System Center add-ons to extend Mac management capabilities, such as from Centrify.
  • As of OS X Lion and more so OS X Mountain Lion, Apple made most of its iOS management and security APIs available to OS X. Using a mobile device management (MDM) server you likely already have for iPhones and iPads, such as those from MobileIron and VMware's AirWatch unit, you can manage Macs' security and configuration remotely, based on Active Directory groups.
  • Smaller organizations can use the $20 OS X Server to do the same, as well as manage network backups via central Time Machine servers.

Because few IT pros I talk to are aware of this, you should know that Macs have full-disk encryption that you can manage through policies, controls over admin privileges, password-required login, and the ability to lock a Mac's bootup to a specific drive (though that requires hands-on setup at the Mac itself). For guest and shift workers, you can even set a Mac to work off a remote boot from an OS X Server or use the local multiple-accounts capability built into OS X that separates user data from each account (similar to Windows' approach).

Where the Mac has less security than Windows is in its hardware: There's no Trusted Platform Module to provide extra protection to encryption keys on the computer itself, and Macs don't use UEFI for secure boot, only the less-sophisticated EFI technology.

Backup and recovery. Backup becomes less critical as more corporate data moves to cloud services such as Microsoft's OneDrive, Box, or Dropbox. But automated backup is native to OS X, via its Time Machine tool. You can back up to a dedicated drive for each Mac or to a departmental Time Machine server running on a Mac equipped with OS X Server. (Try that in Windows!) For broader-scale backup deployments, providers such as Acronis provide cross-platform backup.

Apple's backup approach creates a fully usable environment image that you can install to another Mac if needed, so you can get a user up and running fully intact on a new Mac, or on a new drive, or on a wiped Mac. It's quite easy to recover a Mac, which minimizes downtime. By contrast, recovering Windows PCs takes much more time and effort.

Malware. Then there's malware, the bane of users and IT departments everywhere. Malware is so common in Windows that new variants rarely make the news any more, whereas IT security folks are still obsessing over a Mac Trojan from several years ago that affected some thousands of users. That should speak volumes.

If you're concerned about malware, you should use a Mac. Until malware creators figure out how to bypass OS X's native security -- it has a lot, including code-signing so that malware can't self-install -- the Mac is a safer platform. Plus, Apple updates the antimalware signatures automatically every day. Although no IT department believes me, you don't need antimalware software on a Mac -- but, hey, install it if it makes you feel better. It's your money.

The monoculture risk. I recommended that executives and road warriors be issued Macs mainly because Macs are more resistant to phishing and other malware attacks, so the usually critical information for these users is better protected. Also, the use of MDM to manage the Macs works easily whether a Mac is in the office or in a hotel or café.

I also recommend that every department have at least some Mac users, around 10 percent, so the company can keep operating if it gets nuked by a malware attack. This is a real possibility, as we saw with the Sony Pictures Entertainment attack last fall. The malware neutralized all the Windows PCs and servers at Sony, and the only computers that could function (because they were immune to the malware) were Macs and iPads. 

As any biologist will tell you, a monoculture is dangerous because a single pest or disease can wipe out an entire forest or field. You need diversity to increase the chances that some entities will survive. IT security should think the same way: You need technodiversity in case of a techno-pest or techno-disease. IT likes to standardize, to a fault. Operational recovery will be faster if not everything fails. Think of those Macs as your fail-over PCs.

Given that IT organizations have long known how to support both Linux and Windows servers, and in recent years have learned to support two or three mobile platforms, supporting two desktop platforms should be well within their capabilities.

Macs are not overpriced versus Windows PCs

There's no question that Macs are expensive, easily $2,000 for a business-class iMac, MacBook, or Mac Mini setup. That's usually cited as a reason to pooh-pooh Mac adoption. However, a comparable business-class PC from Dell, Hewlett-Packard, or Lenovo costs about the same -- maybe $200 less, maybe $100 more, depending on configuration and level of portability.

Comparing the cost of Macs to cheap PCs is misleading, as enterprises don't buy the cheap PCs that home users do. It's a dishonest argument.

Macs are also more durable than PCs, so over time, you'll spend less on repairs and replacements. That's certainly my company's experience, where about a quarter of all computers are Macs, and I've heard the same from Cisco, Intel, and others.

Support costs are typically lower for Macs, mainly because OS X users need less support. That stat is somewhat misleading because in most companies the people who have Macs are the ones who choose to have Macs, and such people tend to be more computer-literate and self-supporting no matter what technology they use.

I'm sure that support costs, especially around training, for the typical users will be the same whether they use a Mac or Windows PC. But the malware remediation costs for Mac users will be much, much lower (close to nil).

The bottom line is that the TCO for Macs is no higher than for Windows PCs, and in most cases lower. IT organizations fretting over budgets should take note.

The applications mix is a key consideration

Macs integrate so easily with other Apple devices, such as iPhones, iPads, other Macs (like the ones at home), and Apple TVs -- especially if you use Apple's Mail, Calendar, and Contacts clients, as well as its iWork suite. Settings stay in sync, for example, and moving data around them is easy, as is making presentations in a conference room via AirPlay. 

The integration is a real convenience for users, but it often scares the bejesus out of IT, which (incorrectly) views that "liquid computing" flow as data leakage. IT will have to get over that fear, since Microsoft is also on that road with Office 365, which includes not only Office but Exchange, Azure Active Directory, OneDrive, SharePoint, and Windows settings synchronization.

The real question is whether you allow users to live in their platform's native app ecosystem (since files move pretty easily across them) or enforce a Microsoft-centric ecosystem across Windows and OS X (and iOS and Android). Microsoft is probably a year or two away from having its extended Office 365 suite work reasonably well on all four platforms, so you'll probably need to supplement it with Apple's own apps for a while.

The good news is that Office 2016 for Mac looks to be a reasonable subset of the Windows version, and although Microsoft's Outlook client has a clunky UI, it offers some capabilities not available to Apple's clients, like email delegation. Basically, IT can keep to the Microsoft standards for office and communications apps for good-enough functionality and give some users the discretion to go with Apple's clients where it doesn't conflict with legitimate management and security policies.

For browsers, the Mac has Safari, Chrome, and Firefox, which are equivalent to their Windows versions, so no real issues here. With Internet Explorer on its deathbed, the browser issue and related dependencies on ActiveX are no longer the operational problems they once were. And though the new Edge browser (aka Project Spartan) doesn't look like it will come to OS X, its greater support for HTML standards should help websites and Web apps on it fit well with the Mac's browsers.

The big issues come up for apps when you leave the office productivity realm. For every cross-platform business app like AutoCAD and Acrobat, there are more apps that are Windows-only, such as Statistica. And there are apps whose Mac versions lack core functionality available only on Windows, such as many Oracle and SAP client apps, Excel (for macros and Visual Basic support), and Intuit QuickBooks.

The increasing use of Web apps is minimizing the Mac's app isolation, but it remains a big issue for most specialty apps. Sure, you could run Windows via Parallels Desktop or VMware Fusion on a Mac for such Windows-focused apps, but if you use such apps routinely, you should cut out the middleman and opt for a Windows PC.

Saving Windows

For the record, my thesis last week was that although it fixes the gaping wound of Windows 8, Windows 10 doesn't do anything to inspire passion in users to cause them to reinvest time and money into new PCs. In contrast to the PC's four-year sales decline, Apple has managed to get Mac sales to grow for all but one quarter, showing a better approach to keeping users engaged in the platform.

I was suggesting Microsoft learn from Apple's incremental, no-radical-shift approach to OS X in evolving Windows from now on. In fact, Microsoft has noticed those lessons. Many aspects of Windows 10, including its shift to autoupdating and a subscription model, come straight from the Mac.

My conversations with Microsoft execs have made it clear that Microsoft also is trying to emulate the ecosystem approach that Apple has been so successful with in its OS X-iOS portfolio. Office 365 and the universal apps approach are Microsoft's two core drivers to creating that post-PC ecosystem.

Under new CEO Satya Nadella, Microsoft is clearly reinventing itself, forging a new path that isn't afraid to use successful ideas from rivals like Apple. Windows 10 isn't the end of that journey, only the beginning on the client OS side.

Copyright © 2015 IDG Communications, Inc.
