Manage those Macs: A guide for Windows admins

14.04.2016
Bringing Macs into an existing IT environment can make any Windows admin feel a little wrong-footed. Everything is familiar, in terms of the tasks and settings, but with enough of a twist to seem a bit foreign at first. Our ongoing series of Mac management tips is here to help guide you in rolling out Macs securely and productively.

In part one of this series, I looked at the essential requirements for integrating Macs into enterprise environments, including how to join them to enterprise systems. At scale, large Mac deployments often require a unique set of skills and tools to be successful. The same goes for applying management policies to Macs, which I cover in this article. Here, you will get an overview of Mac policies and insights into how to plan a strategy for deploying them.

In the final piece of the series, I'll look at the specific tools used to apply policies, as well as tools that offer additional management and deployment features.

How to go about managing Macs is a question of scale. Technicians at organizations with a small number of Macs can often configure each Mac individually or create a single system image that applies a uniform configuration to every Mac. In larger organizations, the challenges are more complex. Different users or departments will have different configuration needs, and they will require different access privileges. Moreover, they will often have configuration needs related to individual users and groups, as well as needs related to specific Macs based on their use (and sometimes their hardware). Because of this, manual configuration is simply too inefficient. Here, automation is key.

To this end, Apple offers a range of policies that can be applied to your Mac fleet to enforce security requirements, to aid in automatically configuring Mac machines to specific profiles, and to enable and restrict access to resources on your network.

If you're already familiar with Windows Group Policies, you'll be happy to know that you can fully manage the Mac user experience in a similar manner using Apple's policies for Macs. Most of these policies can be applied either to specific Macs (or groups of Macs) or to specific user accounts (or group memberships). Some policies, however, can only be tied to Macs or to user accounts. Familiarity with how policies can be configured is vital to creating your Mac management strategy.

For example, as with Windows Group Policies, policies related to user needs and access controls are often managed based on group membership related to department, job roles, and other factors. Departmental app and Mac security setting requirements are best set based on Macs (or a group of Macs), rather than users (or group memberships). Some policies, such as Energy Saver policies, are Mac-specific rather than user-specific by default.

Mac management policies, like iOS policies, are stored as XML data in configuration profiles. These profiles can be applied to Macs in one of three ways: by manually creating and distributing them to individual Macs/users, via the free Apple Configurator 2 app; by implementing an MDM/EMM solution; or through use of traditional desktop management suites.

If you choose to manually distribute configuration profiles, you'll need to use OS X Server's Profile Manager to create them, then the resulting profiles will need to be installed manually on each Mac. When opened, the profile will prompt the user to install the included policies. Using this method, there is no fully automated way to distribute configuration profiles without using additional deployment tools. If you are relying on users rather than IT staff to install them, it can be difficult to ensure that they have been installed. Because of this, manually distributing profiles may be the simplest option, but it is likely less ideal, or even viable, for larger organizations.

(Note: Profile Manager itself is an Apple-specific MDM solution that can be used to push policies out in the manner of other MDM/EMM offerings, in addition to creating configuration profiles for manual distribution.)

The Apple Configurator 2 app can be used to install profiles/policies on tethered Macs as well as iOS devices. This provides a straightforward, no-cost solution for ensuring that profiles/policies are installed and functioning. However, it requires each managed Mac to be connected by USB to a Mac running Apple Configurator 2 for configuration. This makes Apple Configurator 2 an excellent tool for small businesses and educational organizations, which often have a simple set of policy needs, but it's an inefficient Mac management strategy if you need to configure a large number of Macs.

Here, MDM/EMM tools can help, as Mac policies can be applied using the same MDM framework used by iOS devices. As such, most vendors that support iOS management also support Mac management. Thus, they're an enterprise-friendly option, particularly because many organizations already use such solutions to manage iOS and Android devices.

Another option that scales well for enterprise use is the traditional desktop management suite, including both Apple-specific suites, such as JAMF's Casper Suite, and multiplatform suites, such as LanDesk Management Suite and Symantec Management Platform. These suites not only apply policies, but they often offer management and deployment tools. Given the suites' popularity, many organizations often already have such tools in use, or they may find their additional features compelling enough to invest in them (more on these tools in part three of this series).

If you have concerns about the XML-based nature of Mac policies, rest assured: Admins generally don't need to directly create or edit the XML data used in Mac management policies. Most Apple and third-party tools provide intuitive UIs for setting policy options, and they handle the necessary XML creation under the hood. One exception is the Custom Settings policy for specifying settings for installed apps and additional OS X features, discussed later in this article. Configuring Custom Settings will require getting into the guts of XML.

Apple provides a dizzying range of policy options for Mac management, but a specific set of 13 policies is the most commonly used -- and is the most critical for managing and securing Macs in an enterprise environment. Each of the following core management policies applies to either Macs or users, unless otherwise specified:

In addition to the policies listed above, Apple provides a range of policy options for configuring the Mac user experience. Some organizations will find these policies helpful for all Macs or only a subset of their fleet. These policies include the ability to preconfigure AirPlay; to set up access to a CalDAV server and a CardDAV server in the Calendar and Contacts apps; to establish the ability to install additional fonts; to configure access to an LDAP server solely for the purpose of looking up contact data; to preconfigure POP and IMAP accounts in the Mail app; to configure and add items (Web clips, folders, apps) to the Dock; to set Energy Saver preferences, as well as startup/shut down/wake/sleep schedules; to enable a simplified version of Finder and block certain commands, such as Connect to Server, Eject Volume, Burn Disc, Go to Folder, Restart, and Shut Down; to specify items that should automatically open at login; to configure accessibility features for users with disabilities; to set up Jabber accounts in the Messages app; and so on.

There is also an option to prepopulate user account identification when a profile is installed. This is generally used when profiles are installed on individual Macs. When a Mac is joined to a directory, user account information is retrieved from the directory.

The Software Update policy is relevant for organizations deploying OS X Server for use as a local Software Update Server. OS X Server has the ability to cache local copies of Apple Software Updates in order to improve performance and reduce network congestion when updating your fleet.

The Custom Settings policy plays an important role in maximizing IT's ability to manage the entire Mac user experience. It allows an admin to specify settings for any installed app and additional OS X features, even if those apps or features don't have an explicit policy defined by Apple. When used, the XML data from the app's or feature's preferences file must be specified. The easiest way to use this option is to configure the app or feature with the desired setting, and then locate the appropriate .plist file (typically in the Library/Preferences directory within the current user's home folder). Alternatively, the related XML keys and values can be entered manually.
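As an added illustration of that workflow (this is example code, not from the article or from any Apple tool), the following Python script reads a preference .plist, picks out only the keys an admin wants to enforce, and wraps them in a configuration profile using the com.apple.ManagedClient.preferences payload type that a Custom Settings payload carries. The preference domain com.example.app, its keys, the organization name and the PayloadIdentifier values are constructed placeholders; the sample preferences plist is built inline so the script runs without touching a real Mac.

```python
import plistlib
import uuid

# Constructed sample of an app's preferences plist, i.e. what you would find in
# ~/Library/Preferences/<bundle id>.plist after configuring the app by hand.
# The bundle id "com.example.app" and its keys are placeholders, not a real product.
SAMPLE_DOMAIN = "com.example.app"
SAMPLE_APP_PREFS = plistlib.dumps({
    "AutoUpdateEnabled": True,
    "TelemetryEnabled": False,
    "ProxyHost": "proxy.example.internal",
    "WindowFrame": "0 0 800 600",   # UI state you would not want to force on users
})


def load_preference_keys(plist_bytes, wanted_keys):
    """Read a preferences plist and return only the keys the policy should force.

    Copying a whole .plist into a profile drags window positions and other
    per-user state along, so the caller names the keys explicitly, and a
    missing key is an error rather than a silently empty setting.
    """
    prefs = plistlib.loads(plist_bytes)
    missing = [k for k in wanted_keys if k not in prefs]
    if missing:
        raise KeyError(f"keys not present in preferences: {missing}")
    return {k: prefs[k] for k in wanted_keys}


def build_custom_settings_profile(domain, settings, organization="Example Corp"):
    """Wrap forced settings for one preference domain in a configuration profile.

    The payload type com.apple.ManagedClient.preferences with a "Forced" array
    of "mcx_preference_settings" dictionaries is the structure a Custom
    Settings payload uses. The PayloadIdentifier values and the organization
    name are made up for this example.
    """
    payload_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{domain}.custom.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": f"Custom Settings: {domain}",
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{domain}.custom.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadOrganization": organization,
        "PayloadDisplayName": f"{domain} managed settings",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def forced_settings(mobileconfig_bytes, domain):
    """Parse a .mobileconfig and return the settings it forces for one domain.

    Useful for reviewing a profile before it is pushed: every Forced entry for
    the domain is merged into one dict; an unknown domain yields {}.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for entry in payload["PayloadContent"].get(domain, {}).get("Forced", []):
            merged.update(entry.get("mcx_preference_settings", {}))
    return merged


if __name__ == "__main__":
    keys = load_preference_keys(SAMPLE_APP_PREFS, ["TelemetryEnabled", "ProxyHost"])
    mobileconfig = to_mobileconfig(build_custom_settings_profile(SAMPLE_DOMAIN, keys))
    print(mobileconfig.decode())
    print("forced:", forced_settings(mobileconfig, SAMPLE_DOMAIN))
```

Selecting keys explicitly rather than dumping the whole preferences file is the point of the example: a hand-configured app's plist also records transient UI state, and forcing that on every user is the most common mistake with Custom Settings. "Forced" makes the value managed and unchangeable by the user; "Set-Once" is the alternative that seeds a default the user may later change.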

Since policies can be applied based on individual Macs, groups of Macs, individual user accounts, or user groups, there are situations where multiple policies may be applied at one time. The resulting experience depends largely on the type of policy.

The majority of policies add a configuration element; when there are multiple instances of these policies, all of them are applied. For example, if a Mac has a policy that specifies Dock items and a user is a member of two groups that each specify additional Dock items, that user will see a combined set of all specified Dock items when he or she logs into that Mac. (Another user logging into that same Mac would see the Dock items specified to that Mac, as well as any specified to his or her group affiliations.)

There are some cases, however, where policies can't simply add to each other. This is particularly true about features that restrict user access to functionality or features. In these cases, the most restrictive policy is the one that is enforced.
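To make those merge rules concrete, here is an added Python model (not code from the article or from any Apple tool) that resolves the effective settings for a given Mac and user from policies assigned to Macs, Mac groups, users and user groups. List-valued settings such as Dock items are unioned across every applied policy, while the keys in RESTRICTION_KEYS are treated as most-restrictive-wins. The policy names, key names, Mac, user and group names are all constructed for the example. How two competing scalar values resolve is not stated in the article, so the model keeps the first value and records the disagreement for review rather than inventing a precedence rule.

```python
from dataclasses import dataclass, field

# Settings whose value is a list (e.g. Dock items) are additive: every applied
# policy contributes and the user sees the union. Keys named here are treated
# as restrictions (True = allowed) where the most restrictive policy wins; the
# key names are constructed for this model, not Apple's payload keys.
RESTRICTION_KEYS = {"allow_camera", "allow_app_store", "allow_usb_storage"}


@dataclass
class Policy:
    name: str
    scope: str       # "mac", "mac_group", "user" or "user_group"
    target: str      # the Mac, group or user the policy is assigned to
    settings: dict = field(default_factory=dict)


@dataclass
class Session:
    """Who is logging in where: the Mac, its groups, the user and their groups."""
    mac: str
    mac_groups: frozenset
    user: str
    user_groups: frozenset


def applies(policy, session):
    return (
        (policy.scope == "mac" and policy.target == session.mac)
        or (policy.scope == "mac_group" and policy.target in session.mac_groups)
        or (policy.scope == "user" and policy.target == session.user)
        or (policy.scope == "user_group" and policy.target in session.user_groups)
    )


def resolve(policies, session):
    """Return (effective settings, conflicts) for one login session.

    Restriction keys: denied as soon as any applied policy denies.
    List keys: union, keeping first-seen order and dropping duplicates.
    Other scalars: the first value seen is kept; a later policy with a
    different value is recorded in conflicts as (key, first policy, other policy).
    """
    effective, conflicts, seen_in = {}, [], {}
    for p in policies:
        if not applies(p, session):
            continue
        for key, value in p.settings.items():
            if key in RESTRICTION_KEYS:
                effective[key] = effective.get(key, True) and bool(value)
            elif isinstance(value, list):
                merged = effective.setdefault(key, [])
                for item in value:
                    if item not in merged:
                        merged.append(item)
            elif key in effective and effective[key] != value:
                conflicts.append((key, seen_in[key], p.name))
            else:
                effective.setdefault(key, value)
                seen_in.setdefault(key, p.name)
    return effective, conflicts


# Constructed sample policies: one Mac-group policy plus several user-group and
# user policies. Names and settings are invented for the example.
LAB_POLICIES = [
    Policy("Lab Mac baseline", "mac_group", "lab",
           {"dock_items": ["Safari", "Terminal"], "allow_usb_storage": False}),
    Policy("Finance tools", "user_group", "finance",
           {"dock_items": ["Excel", "Safari"], "allow_camera": True,
            "default_browser": "Chrome"}),
    Policy("VPN users", "user_group", "vpn-users",
           {"dock_items": ["VPN Client"], "allow_camera": False}),
    Policy("Marketing tools", "user_group", "marketing",
           {"dock_items": ["Photoshop"]}),
    Policy("Alice's browser", "user", "alice", {"default_browser": "Safari"}),
]

ALICE_ON_LAB_MAC = Session("LAB-MAC-01", frozenset({"lab"}), "alice",
                           frozenset({"finance", "vpn-users"}))
BOB_ON_LAB_MAC = Session("LAB-MAC-01", frozenset({"lab"}), "bob", frozenset())


if __name__ == "__main__":
    for session in (ALICE_ON_LAB_MAC, BOB_ON_LAB_MAC):
        settings, conflicts = resolve(LAB_POLICIES, session)
        print(session.user, "on", session.mac, "->", settings)
        for key, first, other in conflicts:
            print(f"  conflict on {key!r}: {first!r} vs {other!r}")
```

Running it shows the two behaviours the text describes side by side: alice's Dock is the union of the Mac-group and her two user-group lists (with the duplicate "Safari" collapsed), while allow_camera ends up denied because one of her groups denies it, even though another allows it. bob, with no group memberships, sees only the Mac-group policy. The conflict report is the extra check worth automating: it surfaces the places where your group structure is giving two different answers to the same question before users notice.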

Determining which policies to apply and how to apply them can be challenging. In most enterprises, a template and organizational guide already exists in the form of Active Directory and Group Policies. Although it may not be ideal to apply every corresponding policy (and there may not always be corresponding policies between Windows and OS X), your existing policy structures often provide an excellent starting point. It also makes a great deal of sense to leverage your existing groups or organizational units within Active Directory for applying user-based policies.

Determining Mac-based policies may take a bit more thought. Again, you can use your existing PC organizational units or structure as a guide, but you may find it more efficient and effective to create Mac-specific units or groups.

It's also important to note that although most tools that apply Mac management policies support leveraging your Active Directory environment, Active Directory itself isn't the source of the policies, as it is with Windows Group Policies.

In the final piece of this series, I'll look at the various tools used to manage Macs as well as OS and app deployment options. If you'd like additional details on Mac (and iOS) policy options and configuration file structure, check out Apple's Profile Manager documentation.

(www.infoworld.com)

Ryan Faas