Essential admin tips: How to blend Macs into your business
This past fall, for example, Apple and IBM highlighted the growing number of Macs used by employees of Big Blue, with IBM committing to 50,000 new MacBooks, a purchase order that saw IBM deploying about 1,900 Macs each week.
Though the size and speed of IBM's Mac deployment are significant, the more noteworthy numbers involve the costs to deploy and support Macs: According to CFO Luca Maestri, IBM has been saving roughly $270 for each MacBook its employees use instead of a traditional PC, and IBM VP Fletcher Previn has said that only 5 percent of IBM employees using MacBooks have called the help desk for support, as compared with 40 percent of PC users.
Initiating a major Mac deployment is becoming a more attractive option for many organizations because of the potential cost savings on support, more robust security, and reliable (if premium) hardware, as well as for reasons of user demand and/or satisfaction. Integration with Apple's larger ecosystem, particularly where it relates to the iPhone, which still dominates as the enterprise smartphone, provides an additional argument for Macs in business.
The following is the first of three articles aimed at helping you make the best of your Mac fleet.
With a solid suite of major business and productivity apps and the ability for Macs to easily integrate into major enterprise systems, there are far fewer barriers to Mac adoption in the enterprise today than compared to even a few years ago.
One barrier that still exists: the fact that OS X is architecturally different from Windows. As a result, IT departments adopting Macs must understand these differences and ensure that they have the skills to adequately and efficiently support, manage, and deploy Macs at scale.
The operative word here is "scale" because effectively supporting a handful of Macs isn't particularly challenging. Help desk and support staff will need to get up to speed on supporting Mac OS and its hardware, but that isn't particularly difficult as Apple provides training, self-study, and certification options for gaining those skills. Scaling Mac deployments, however, means being able to automate many processes, particularly around implementation and configuration, and knowing how to apply management policies for a large number of Macs across an organization. Those skills go well beyond simply setting up and troubleshooting individual Macs, just as the skills of Windows systems administrators go well beyond those of help desk agents.
Mac management in the enterprise consists of three major components:
Much as with PC management, these areas combine into an overall workflow, though they tend to be somewhat more discrete processes. This article will look at the first of these areas: integrating Macs with enterprise systems. The following two articles in this series will look at understanding policy options for managed Macs and deployment methods, respectively.
There are multiple tools and mechanisms to accomplish the various tasks related to Mac management. Using the tools built into OS X itself is the most basic option. Although effective, this can be limiting when managing a large-scale Mac deployment. Another option is to make use of additional enterprise-oriented solutions from Apple, such as OS X Server, Apple's Device Enrollment Program (DEP), and its Volume Purchase Program (VPP), to streamline and enhance various parts of the process. There is also a range of third-party solutions that significantly expand on what Apple offers.
Active Directory is a critical piece of enterprise computing for virtually every organization. Joining PCs to an Active Directory environment provides all manner of critical functionality, including user authentication, access controls, audit logs, management of the Windows environment, and integration with a range of additional systems like Exchange. Acting as a central source of information about almost everything within an organization, Active Directory also goes beyond PCs. It is essentially the glue that makes much of enterprise computing possible.
The good news is Macs can be joined to Active Directory. On an individual Mac, the process is fairly straightforward. Launch System Preferences, go to Users & Groups, select Login Options in the sidebar, click the Join button next to Network Account Server, and enter the appropriate information for the domain and authenticate using an account that has privileges to join a PC to the domain. Once that's done, users will be able to log into that Mac with their Active Directory credentials pretty much the same as on a PC. Single sign-on is also supported for many services such as network browsing or file sharing.
Joining a Mac to Active Directory primarily enables user authentication and adherence to password policies. Some functionality common when a PC is joined to Active Directory doesn't automatically occur. Configuration based on Group Policies or automatic configuration for access to services such as Exchange based on a user's account are two examples. These can be automated using policies, but those policies generally aren't directly tied to a Mac's Active Directory membership. Basic attributes about the Mac itself are stored in Active Directory as they would be for a PC, however.
It's worth noting that a series of options can be specified when joining a Mac to Active Directory. These options can be manually adjusted, though in many environments the defaults work well. To make changes, click the Open Directory Utility button in the Network Account Server dialog described above. Later in this series, I will discuss how to automate these changes when deploying a fleet of Macs.
The manual adjustments are broken down into three areas:
User experience options include the user's network home directory and the default Unix shell users will encounter if they launch OS X's Terminal app (unless otherwise specified, /bin/bash is the default).
When it comes to home directories, OS X supports the creation of a local home directory on a user’s Mac (the default behavior, similar to how a home directory is created on a stand-alone Mac), a network home directory that allows a user to access files and settings across multiple Macs, and the option to allow access to a network home directory mounted as a folder in the OS X Dock. There is also the option to create a mobile account, which is a local account (and local home directory) that syncs/mirrors the Active Directory account (and network home directory) for offline access. Mobile accounts can be created automatically, which can lead to confusion and sync issues if a user has mobile accounts on multiple Macs, or the feature can be made optional by requiring user confirmation of mobile account creation when they log into a new Mac.
Attribute mappings relate to integration with Apple's own LDAP-based directory service similar to Active Directory called Open Directory, which is included with OS X Server. Each Mac contains a local directory node for local account information based on the Open Directory attributes. Although Open Directory provides the same functionality as Active Directory, some account attributes differ between the two. A Mac joined to Active Directory automatically maps the Open Directory attributes it requires to equivalent Active Directory attributes (uniqueID, primaryGroupID, and gidNumber). If the Active Directory schema has been modified, it is possible to create alternate mappings, though this isn't needed in the vast majority of environments.
There are three administrative options that can be set when a Mac is joined to Active Directory. The first is to prefer a specific domain controller. By default a Mac will search for the most available domain controller much like a PC. It is possible to override this and instead specify a specific domain controller to be accessed first.
The second is the ability to allow members of Active Directory groups to have administrator access to a Mac when logged in using their Active Directory accounts. This is the same functionality that can be granted to PCs. This option is disabled by default. When enabled, any Active Directory group can be specified, though domain admins and enterprise admins are enabled by default.
The final option, which is enabled by default, is to allow authentication using accounts from any domain in an Active Directory forest rather than only the domain to which the Mac is joined.
Additional information on integrating Macs with Active Directory is available from Apple.
Next to Active Directory, Exchange is one of the most commonly used enterprise services. There are two options for integrating Macs with Exchange: use the native PIM apps in OS X or deploy Office for Mac, which includes Outlook for Mac. Neither option is configured automatically based on a user's account when a Mac is joined to Active Directory but can be automatically configured based on a policy.
Configuring either manually is very simple and can be accomplished by users. For native apps, the option is located in the Internet Accounts pane in System Preferences. For Outlook, it's located in the Preference dialog and displayed in the initial setup dialog.
OS X natively supports L2TP over IPSec, PPTP, Cisco IPSec, and IKEv2 VPNs. These can be automatically configured by a policy or configured manually using the Network pane in System Preferences. Additional VPN types are supported through the use of third-party clients. It is possible to use policies to configure most third-party software, including VPN clients.
In the next piece in this series, I’ll look at the various ways that management policies can be applied to Macs and to users, as well as the full set of policy options available in OS X.
Related articles