IT's Guide to Managing Macs in the OS X Lion Era
Monolithic imaging vs. package-based Mac deployment
There are two core ways to roll out and update Mac workstations, as there are with Windows PCs. The first is to capture a snapshot of a configured system to a disk image file, then push that image to each workstation, either over the network or from a connected drive. The advantage of this monolithic-imaging approach is that once a machine has had the image deployed to it, all software is installed and all settings are preset. The flip side is that the image is a frozen snapshot: every machine built from it starts at the patch level, local accounts, and settings the image held when it was captured, so the image has to be rebuilt whenever any of those change.
The other option is package based. You start with a base system (either a stock system from Apple or a minimally configured system image), then deploy additional software or configuration files after the fact. This approach is advantageous when deploying Macs with a variety of application and configuration needs, as it eliminates the need to maintain a large number of images. It also allows you to simply add packages to an install workflow without having to edit or re-create your original system image.
Macs offer one distinct advantage over Windows-based PCs when it comes to monolithic imaging: Because Apple produces both the operating system and the hardware, OS X is highly portable. A single image can be rolled out to a variety of Macs and be fully functional without further adjustment, provided the hardware is not newer than the OS X build in the image. Macs released after a given OS X build ship with a newer, model-specific build, and an image captured before that hardware shipped typically will not boot it, so the check before deployment is to compare the image's build number with the build the newest Mac in the fleet shipped with.
Package installation and patch management
OS X relies on a specific file type to install software and updates, much as Windows relies on Microsoft's .msi format. These package (.pkg) or metapackage (.mpkg) files are read by the OS X Installer (the Installer application or the installer command-line tool), which places the bundled executables and support files in the requisite file system locations, typically /Applications, /Library, or /System/Library. This can occur manually, when a package file is opened on a Mac, or unattended in the background using a variety of tools. A package can also carry pre- and post-install scripts that run with root privileges during installation, so packages from third parties should be inspected before they are deployed unattended.
Of course, some applications are installed without package files. These apps either need no support files or create them at first launch, so they can be installed simply by copying them to a Mac's Applications folder or, to limit access to a single user, to the Applications folder inside that user's home directory.
Other applications, most notably software from Adobe, may use a proprietary installer. For these, you can use package-building tools to take snapshots of the file system before and after installation and build a package from the difference; review the resulting file list, because a snapshot captures everything that changed, including unrelated caches and logs. You can also include such applications in a monolithic image or use a deployment tool that supports the proprietary format.
Note that a package need not contain an application at all; its payload can be just files. This makes packages an ideal way to mass-deploy updated configuration files or documents to specific file system locations.
Apple's deployment and patch management tools
Apple provides a number of deployment and installation tools. These include Disk Utility for creating system images and Apple Software Restore (asr) for deploying images locally or over a unicast or multicast network connection. PackageMaker, available as part of Apple's developer tools, builds package files, and the installer command-line tool installs them without user interaction, including over SSH. All of these are free of charge. (For an overview of these and other mostly free Mac management tools, see "22 essential Mac tools for IT admins.")
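As an added example (not code from the article or from Apple), the script below walks the package workflow described in the preceding sections from the command line: it builds a files-only configuration package with pkgbuild, expands it with pkgutil to list the payload and surface any pre- or post-install scripts, checks the signature, installs it with the installer command, and confirms the install from the receipt database, locally or over SSH. It assumes the pkgbuild, pkgutil and installer tools shipped with OS X 10.7; the package identifier com.example.config, the payload directory, the admin account and the host name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): build a files-only configuration
# package, audit it, and install it unattended with Lion's command-line tools.
# Assumes pkgbuild, pkgutil and installer from OS X 10.7; the identifier,
# host name and payload path below are made up for illustration.
set -eu

# Build a package whose payload is just configuration files, no application.
# $1 is a directory that mirrors the target filesystem, for example
#   payload/Library/Preferences/com.example.proxy.plist
build_config_pkg() {
    root="$1"; pkg_id="$2"; version="$3"; out="$4"
    pkgbuild --root "$root" --identifier "$pkg_id" --version "$version" \
             --install-location / "$out"
}

# List the Scripts archives inside a package expanded with `pkgutil --expand`.
# preinstall/postinstall scripts run as root during installation, so a package
# you did not build yourself deserves a look before it goes out unattended.
# In an expanded flat package each component's scripts sit in a gzip'd cpio
# archive named "Scripts".
pkg_script_archives() {
    find "$1" -type f -name Scripts
}

# Pull one field ("version", "install-time", ...) out of `pkgutil --pkg-info`
# receipt output read from stdin.
receipt_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Audit: show what the payload will write and unpack any install scripts.
audit_pkg() {
    pkg="$1"; work=$(mktemp -d /tmp/pkgaudit.XXXXXX)
    pkgutil --expand "$pkg" "$work/expanded"
    echo "== payload files"
    pkgutil --payload-files "$pkg"
    for archive in $(pkg_script_archives "$work/expanded"); do
        echo "== install scripts in $archive"
        mkdir -p "$work/scripts"
        (cd "$work/scripts" && gzip -dc "$archive" | cpio -id 2>/dev/null)
        ls -l "$work/scripts"
    done
    rm -rf "$work"
}

# Install unattended and confirm through the receipt database. installer does
# not refuse unsigned packages on its own, so the signature gate is explicit;
# the grep matches the Status line pkgutil prints for a trusted signature.
deploy_pkg() {
    pkg="$1"; pkg_id="$2"
    pkgutil --check-signature "$pkg" | grep -q 'Status: signed by a certificate trusted' || {
        echo "refusing $pkg: not signed by a trusted certificate" >&2
        return 1
    }
    installer -verboseR -pkg "$pkg" -target /
    pkgutil --pkg-info "$pkg_id" | receipt_field version
}

# The same install driven over SSH from the admin workstation (assumes an
# admin account with sudo on the target Mac).
deploy_pkg_remote() {
    host="$1"; pkg="$2"; pkg_id="$3"
    remote="/tmp/$(basename "$pkg")"
    scp "$pkg" "admin@$host:$remote"
    ssh "admin@$host" "sudo installer -pkg '$remote' -target / && pkgutil --pkg-info '$pkg_id'"
}

# Usage on a Mac: sh pkgdeploy.sh build payload com.example.config 1.0 config.pkg
#                 sh pkgdeploy.sh audit config.pkg
#                 sudo sh pkgdeploy.sh deploy config.pkg com.example.config
#                 sh pkgdeploy.sh remote lab-mac-01 config.pkg com.example.config
case "${1:-}" in
    build)  build_config_pkg "$2" "$3" "$4" "$5" ;;
    audit)  audit_pkg "$2" ;;
    deploy) deploy_pkg "$2" "$3" ;;
    remote) deploy_pkg_remote "$2" "$3" "$4" ;;
esac
```

The signature check matters because installer will install an unsigned package without complaint, and the audit step matters because install scripts run as root; run both on any package you did not build before pushing it out through ARD or SSH. The receipt lookup at the end is what lets you later confirm, fleet-wide, which version of a package each Mac actually received.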
As for commercial tools available from Apple, OS X Server's NetBoot, NetInstall, and NetRestore streamline monolithic image deployment by letting Macs boot from the network into an installation or restore workflow. With NetInstall, that workflow can apply a chosen set of packages on top of a base image, so a small number of base images combined with specific packages can customize your Mac fleet automatically during deployment. NetInstall can even be configured to roll out collections of non-system packages on their own.
OS X Server also includes a Software Update Server feature that mirrors the contents of Apple's update servers. This offers two advantages. First, by mirroring updates locally, it speeds up updates while reducing the load on your organization's Internet connection. Second, it lets administrators vet updates for problems before making them available to clients. It does not, however, ensure that updates are actually installed; that still depends on each client's Software Update schedule or on an admin pushing the installs. Nor can it serve non-Apple updates.
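As an added example (not from the article or from Apple's documentation), the script below shows the client side of a Software Update Server deployment: it points a Lion client at an internal catalog through the com.apple.SoftwareUpdate preference, parses the listing that softwareupdate -l prints, and installs the offered updates that do not force a restart, which is the distribution step the server leaves to you. The server name sus.example.com, its port, the catalog path and the restart-deferral policy are assumptions; the sample listing embedded in the script is constructed to match the softwareupdate -l format.

```shell
#!/bin/sh
# Added example (not from the article): point a Lion client at an internal
# Software Update Server and install the updates it offers unattended, which
# is the piece the server itself does not do. The server name, port and
# catalog path are made up; run the configure and install steps as root.
set -eu

SUS_CATALOG="http://sus.example.com:8088/index.sucatalog"   # assumed internal server

# Point this client at the internal catalog. The Lion-era server speaks plain
# HTTP, so keep it on the internal network and vet updates on the server side.
use_internal_sus() {
    defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "$1"
}

# Turn `softwareupdate -l` output (stdin) into one line per update:
#   <identifier> restart|norestart
# Each update is a line "   * <identifier>" followed by a title line that
# carries the size and flags such as [recommended] [restart].
list_updates() {
    awk '
        /^[[:space:]]*\* / { id = $2; next }
        id != "" { print id, (/\[restart\]/ ? "restart" : "norestart"); id = "" }
    '
}

# Install what the server offers, but only the updates that do not force a
# restart; the rest are reported for a scheduled maintenance window.
install_updates() {
    softwareupdate -l | list_updates | while read -r id restart; do
        if [ "$restart" = "restart" ]; then
            echo "deferring $id: requires a restart"
        else
            softwareupdate -i "$id"
        fi
    done
}

# Constructed sample of `softwareupdate -l` output for an off-line dry run.
SAMPLE_LISTING='Software Update Tool
Copyright 2002-2010 Apple

Software Update found the following new or updated software:
   * MacOSXUpd10.7.2-10.7.2
        Mac OS X Update (10.7.2), 1140640K [recommended] [restart]
   * iTunesXPatch-10.5
        iTunes (10.5), 70320K [recommended]'

# Parse the constructed sample; useful for checking the parser on a non-Mac.
demo_parse() {
    printf '%s\n' "$SAMPLE_LISTING" | list_updates
}

# Usage: sudo sh sus-client.sh configure   (set catalog, enable scheduled checks)
#        sudo sh sus-client.sh install     (install non-restart updates now)
#        sh sus-client.sh demo             (parse the embedded sample)
case "${1:-}" in
    configure) use_internal_sus "$SUS_CATALOG"; softwareupdate --schedule on ;;
    install)   install_updates ;;
    demo)      demo_parse ;;
esac
```

Pushed to every Mac through ARD's Send UNIX Command or over SSH, the install step turns the server's "available" into "installed", and the deferred list tells you which machines still need a restart window.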
As mentioned above, the scalability of OS X Server functions has become limited by Apple's decision to stop producing enterprise-grade server hardware. For mass deployments using only Apple technology, the ideal solution is Apple Software Restore running in a multicast configuration, either with NetRestore to automate deployment completely or with a set of bootable drives (even small flash drives) and a technician touching each machine to initiate the restore.
Finally, there's Apple Remote Desktop, which can remotely deploy package files, run scripts and shell commands, and perform other support and administrative functions, including hardware and software inventory that eases license management. Apple Remote Desktop is the Swiss Army knife of Mac management, an invaluable tool that every organization should consider purchasing even when supporting just a handful of Macs.
What makes the OS X Lion era different
Although most of the concepts and tools discussed in this article aren't new or specific to Lion, the latest version of Mac OS X represents a new chapter in Mac management and Apple's enterprise strategy.
Until last year, when Apple announced it was discontinuing the Xserve, the company continued to position its server and related technologies as a core option for Mac management and support in business environments of all sizes. There was native support for enterprise standards like Active Directory, and OS X Server had begun to offer simplified setup for small businesses, but Apple continued to push its enterprise-specific products.
That approach seems to have drastically changed. Apple no longer produces data center-ready hardware. The company has gutted many of the advanced admin tools in Lion Server, leading to a product that seems to be a transitional release. Most enterprise features are still present, but in a manner that strongly suggests they're included for legacy support and likely to disappear in a future revision that will focus solely on small business.
At the same time, Apple seems to be building better enterprise support directly into the consumer platforms. This enables enterprises to implement them with no Apple-provided intermediary in many cases. Given Apple has never acted like a true enterprise vendor, this seems a more logical approach and will likely support and accelerate the influx of iOS devices and Macs into the workplace.
Where these products don't offer enough enterprise abilities on their own, Apple seems content to let third-party vendors fill the void. While a better approach on some levels, it remains clear that understanding the basic concepts and Apple's original approaches to integrating its products in the enterprise is still useful when it comes to evaluating the available solutions.