IT's Guide to Managing Macs in the OS X Lion Era
No longer relegated to the fringe, Macs are fast becoming integral to today's business organization. As a result, IT can no longer rely on one or two dedicated "Mac guys" to maintain its Mac fleet. Instead, Mac management has become an issue that any CIO or systems administrator may be faced with on any given day.
Along the way, the tools and techniques of managing Macs have changed as well. Pushed beyond their traditional business niches, Macs can no longer be managed independent of other processes and infrastructure. They must be integrated with your existing directory service. They require an efficient, scalable deployment model that hooks into asset management. They require secure, auditable patch management and a device and user management solution that secures each Mac's core OS components and apps.
In other words, Macs are subject to the same requirements that apply to every Windows PC in your organization, as well as to a growing number of mobile devices. This Mac management guide will help you extend your existing support strategies to Mac workstations, and it provides tips and techniques for embracing Macs as they become more prevalent in your business environment.
Active Directory: The hub of modern Mac management
Integration with Active Directory is the foundation for Mac management in the modern enterprise, as the OUs (organization units) in Active Directory can be used as the backbone for nearly any enterprise task, from enabling access to resources to setting group policies to pushing out updates and monitoring workstations. Through Active Directory, Macs gain access to the wide range of Windows Server tools and third-party solutions that key off Active Directory to determine which objects to affect with a given task.
In Mac-only environments, Apple's own directory service, Open Directory, plays this role. But with Active Directory entrenched in today's enterprise, extending Active Directory to be the central directory service for your Mac fleet is your best bet. Fortunately, Apple and third-party developers have enabled Active Directory to perform many of the same functions for Macs that it does for Windows clients, whether directly or indirectly.
Apple's OS X directory service support is built around LDAP and includes a plug-in architecture. The company provides a small set of plug-ins that enable support for Open Directory, Active Directory, and generic LDAP services. The big advantage for enterprises, however, is that this approach allows third parties to create additional plug-ins that offer greater capabilities than what Apple includes with each OS X release.
Apple's Active Directory plug-in has been steadily updated since it was introduced five OS X generations ago, with the most notable improvement in OS X Lion being support for DFS browsing. That said, Apple's Active Directory support has its limitations, as it is aimed primarily at providing authentication and, on its own, offers almost no client management capabilities.
A Mac joined to Active Directory will have a computer account and you can restrict access to that Mac as you would any PC. You can also grant members of certain AD groups, such as the various admin groups, local admin privileges. Beyond this, the only management capability relates to whether user credentials and home directory items are cached on Mac notebooks so that users can log in when they leave your network and sync automatically when they return.
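The binding settings just described (which AD groups receive local admin rights, whether credentials are cached in mobile accounts, and how the Mac talks to the domain controller) are all visible in the output of `dsconfigad -show` on a bound Mac. The following audit script is an added example, not part of the InfoWorld article: it parses that output and flags the settings a security reviewer would question. The sample output embedded in the script is constructed to resemble `dsconfigad`'s format; exact label text can differ between OS X releases, so the patterns may need adjusting for your fleet.

```shell
#!/bin/sh
# Added example (not from the article): audit a Mac's Active Directory
# binding as reported by `dsconfigad -show`.  The sample below is
# CONSTRUCTED to mimic dsconfigad's "Label = value" layout; the live
# output is used instead when the script runs on an actual Mac.

SAMPLE_DSCONFIGAD_OUTPUT='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled

Advanced Options - Administrative
  Allowed admin groups           = CORP\domain admins,CORP\mac-admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# ad_setting OUTPUT LABEL -> prints the value after "LABEL =" (labels are
# trimmed of surrounding whitespace; section headers contain no " = ").
ad_setting() {
    printf '%s\n' "$1" | awk -v label="$2" -F' = ' '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == label { print $2; exit }'
}

# audit_ad_binding OUTPUT -> prints one OK/WARN line per check and returns
# the number of warnings, so callers (and tests) can branch on the result.
audit_ad_binding() {
    out="$1"
    warnings=0

    domain=$(ad_setting "$out" "Active Directory Domain")
    if [ -z "$domain" ]; then
        echo "WARN: this Mac is not bound to Active Directory"
        return 1
    fi
    echo "OK: bound to $domain"

    # Every group listed here becomes a local administrator on the Mac.
    groups=$(ad_setting "$out" "Allowed admin groups")
    case "$groups" in
        *"domain admins"*)
            echo "WARN: 'domain admins' gets local admin on every Mac; use a narrower group"
            warnings=$((warnings + 1)) ;;
        "") echo "OK: no AD groups are granted local admin" ;;
        *)  echo "OK: local admin limited to: $groups" ;;
    esac

    # Mobile accounts cache AD credentials and home data on the local disk.
    mobile=$(ad_setting "$out" "Create mobile account at login")
    if [ "$mobile" = "Enabled" ]; then
        echo "WARN: mobile accounts cache AD credentials locally; pair with full-disk encryption"
        warnings=$((warnings + 1))
    fi

    # LDAP traffic to the domain controller: 'allow' can be negotiated down,
    # 'require' cannot.
    for opt in "Packet signing" "Packet encryption"; do
        val=$(ad_setting "$out" "$opt")
        if [ "$val" != "require" ]; then
            echo "WARN: $opt = $val (consider setting it to 'require' with dsconfigad)"
            warnings=$((warnings + 1))
        fi
    done

    return "$warnings"
}

# On a real Mac, audit the live binding; elsewhere, audit the sample.
if [ -x /usr/sbin/dsconfigad ]; then
    binding_output=$(/usr/sbin/dsconfigad -show)
else
    binding_output="$SAMPLE_DSCONFIGAD_OUTPUT"
fi
if audit_ad_binding "$binding_output"; then
    echo "Result: no warnings"
else
    echo "Result: $? warning(s)"
fi
```

Run against the constructed sample, the script reports four warnings: the broad admin group, cached mobile accounts, and the two negotiable LDAP protection settings. Each check is a separate line so the script can be fed into an inventory or compliance report across the fleet.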
Some versions of Apple's Active Directory plug-in have proved problematic in certain Active Directory environments. Because of the scalability and flexibility of Active Directory, troubleshooting these problems can be burdensome. Early versions of Lion displayed issues with Active Directory, though the 10.7.2 update appears to have resolved most of them.
Leveraging Active Directory for Mac client management
Apple has traditionally relied on Managed Preferences for client management. Often abbreviated as MCX, Managed Preferences act like Active Directory Group Policies, providing a powerful, granular system for configuring a complete user environment, including system settings and application preferences. Like Group Policies, Managed Preferences can also be used to restrict access to applications and system components.
Managed Preferences are stored as LDAP objects and attributes in a directory system. Any LDAP schema, including Active Directory, can be extended to support Managed Preferences without having to rely on Apple's OS X Server and Open Directory to provide client management via Managed Preferences.
There are three primary ways to implement Managed Preferences in an Active Directory environment:
Extend the Active Directory schema: Using Microsoft's Active Directory Schema Analyzer, you can scan Apple's Open Directory schema and create LDIF files that can extend the Active Directory schema with all the object data needed to support Managed Preferences data. You can then use Apple's Workgroup Manager (freely available as part of the OS X Server Admin Tools package) to populate and manipulate that data -- pointing to an Active Directory domain controller instead of an Open Directory server running on OS X Server. Workgroup Manager can also perform a handful of user management tasks for Active Directory, though the preferred (and safer) option is to use it only for client management.
OS X Server and augmented records: With Leopard and Leopard Server, Apple introduced what are known as augmented records. In this approach, OS X Server is installed and configured to connect to an existing directory, typically Active Directory. Once joined to Active Directory, the Mac server imports user data and groups from the primary directory into a secondary directory that it maintains. Mac clients connected to this secondary directory rely on the primary directory for authentication, single sign-on, and access to network resources, and the Mac server appends attributes to the primary directory's records to provide client management and Mac-specific services. Although effective, this approach is better suited for Mac-based departments that are isolated within a larger organization, as it doesn't scale well and limits administration to OS X Server's simplified admin tool set.
The magic triangle: This option also requires OS X Server. In this case, however, the server hosts a full secondary directory system that scales through use of Open Directory replication. That server is joined to Active Directory, and clients are joined to both Open Directory and Active Directory. Groups specific to Mac systems and users are created in the secondary directory, then are populated with Active Directory users. Managed Preferences are set using these groups. This solution, which is usually implemented using OS X Server's advanced administration tools, is more scalable than using augmented records. This scalability, however, is limited to Open Directory's replication parameters, which are adequate for most environments, but not on par with that of Active Directory.
Device-based management using Lion Server's Profile Manager
With Lion Server, Apple has introduced Profile Manager, a directory-independent alternative to Managed Preferences. Less of a client management solution than a mobile device management tool, Profile Manager offers the ability to manage both Mac workstations and iOS devices. However, as opposed to Managed Preferences, Profile Manager is device-focused. This enables IT to enroll devices (iPhones, iPads, Macs) and apply policies to them, but these policies are not applied based on user accounts or group membership -- just devices.
Being device-focused, Profile Manager doesn't allow anywhere near the granularity of Managed Preferences or third-party solutions. It simply covers the core needs of client management and allows for self-enrollment by users through a Web-based interface that supports SCEP. When policies are updated, Apple's push notification system alerts enrolled devices to download the update. This combination makes Profile Manager worth considering as part of a BYOD program, particularly if you will also be supporting employees' iOS devices.
Profile Manager is easy to implement. There's no need to worry about schema extensions or multiple directories. If your organization requires minimal Mac management beyond the integration offered by Apple's Active Directory plug-in, Profile Manager may be worth a look. Keep in mind that Profile Manager requires Lion Server, and it supports only Macs running Lion. Scalability depends on the underlying Web server implementation, and multiple Profile Manager servers can be used to distribute load. With Apple's cancelation of the 1U rack-mounted Xserve hardware last fall, ensuring a scalable solution may be difficult, limiting the capability of Profile Manager in many, but not all, environments.