Adjustments will be needed to manage the Macs piling up in your business

As discussed in the first part of this series, Macs are everywhere. Despite their presence in businesses large and small, managing Macs in the enterprise still is not easy. A few years ago I gave Apple in the enterprise a look, and sadly, things haven't changed too much since then. Managing Macs in an organisation is really …

  1. Crazy Operations Guy

    They still are terrible at domain-resolution

    Add a Mac to an Active Directory Domain that ends in a non-standard TLD like .local, or .corp and they'll take forever to log in...

    But, really, the easiest way to deal with macs is to ignore that they are macs and manage them like you would a Linux or BSD box. I've dealt with the "Creatives" that insist on using Macs for Photoshop and the like, I just set up a redundant pair of Puppet servers and use it to push the configs. I was already using puppet to manage the Linux web boxes, the FreeBSD network appliances, and the high-sec OpenBSD admin boxes so I just dumped the Puppet image onto a pair of unused servers and away I went.

    1. chivo243 Silver badge

      Re: They still are terrible at domain-resolution

      We're binding Apples to an OD server using IP address instead of domain name (our internal domain name ends in .lan), and the clients log in just as fast as any windows workstation to AD. We use MCX records to manage all sorts of preferences and configurations. All users have cached mobile accounts, so all data is local on their mac, and synced (portable home directories) back to the server (when available). We use DeployStudio, and it works for deploying hundreds of machines at one go. We also use Casper Suite for iPads, but I personally find it lacking.

      In the end, there is just as much work involved in managing Windows or OSX. Just do your homework if you have to manage OSX. There is plenty of information out there.

      We manage roughly 1,200 OSX devices and 400-500 iOS devices.

      1. Anonymous Coward

        Re: They still are terrible at domain-resolution

        1,200 OSX devices so a BIG OSX deployment. Pah small potatoes

  2. Virag0

    A lot of people forget Mac OSX is UNIX under the hood. All the FOSS tools work. If you have a competent Systems Admin, they can integrate Macs as UNIX workstations and manage them discretely. The thing is, with Macs, Windows is optional. You do not need AD to manage Macs in any way, shape, or form. If you are a Mac shop and have windows server licenses, cash them in and get a good Sysadmin out of the savings. As for provisioning, onboarding etc, all the tools are there and

    If you want to integrate with an all UNIX environment, Macs will do that too. There is no special magic in Macs, just they are underestimated in their enterprise capability.

  3. Lee D Silver badge

    As someone who's done AD integration for things as basic as Slackware Linux, I can safely say that I hate Mac integration. Yes, there's UNIX underneath, so it's possible to build an AD login (if you have expensive software or buy Mac servers to do that "golden triangle" junk with OpenDirectory, etc.). But the faffing just shows that they are actively avoiding any enterprise tools. They obviously just DO NOT want people managing Mac servers in a mixed environment.

    DeployStudio is fabulous but mainly because it can be coaxed into pushing out Mac/Windows bootcamp images and people can choose what they want to use. Otherwise, everything appears to be a bodge. Locking down proxy settings is a faff without extra bolt-on tools. Keychain junk still appears if you do certain things and users can't avoid it. And mapping drives etc. - though there's nothing stopping you mapping an SMB share, it's again a faff and some things refuse to play ball with it like it's normal storage ("libraries" spring to mind).

    Every time I have a dealing with Apple, I just realise that they absolutely do not care about enterprise or educational use of their machines. You bought it, you fix it. There are no decent tools, no integration, nothing. As said, if you have an entirely Apple setup, it's okay, but that's not the reality of most places except, possibly, Apple Inc. And they actively go out of their way to make things different, difficult and unsupported and they don't care that they do that.

    I see no reason to support a manufacturer who behaves like that. And I'll be damned if I'm going to pay $100 a seat to a third-party on top of the Apple tax just to get some usable integration on the basics. I don't do that on Windows, I certainly am not going to do it for Apple.

    This stuff isn't built for business, stop pretending it is. If someone wants it, tell them fine but it's unsupported and they are on their own. I'll look again if/when Apple bother to release some kind of enterprise-friendly tools themselves, but to my mind that will only happen when they are in their death knell anyway, so probably not even then.

    The only people I see use Macs actually have stupendously low requirements and expectations of their machines. They buy it because it's flash, it's fancy, etc. and that they heard that music/graphics are done on Mac. You know what, I've not seen ANYTHING on Mac that's not possible with much less expense and the same or less effort on Windows. And stupid stuff abounds - you can't put the servers in a KVM arrangement because they sometimes require a Mac keyboard to even boot (think I'm joking? Wait until it crashes!). They can't even play ball with the simplest of USB sharing/switching devices.

    I hate them. I hate them, I hate them, I hate them.

    Sure I'll manage them, it's my job. But, I hate them. However, I will be going to my boss at the end of the year and showing him some stats from the managed network we have (which includes MDM and client software) - I want to see just how much they are used, how many programs are run on them, etc. And then I'm going to dual-boot them with Windows and keep stats on how many people use which OS. And then I'm going to recommend that we sell them off and just buy two rooms of PC's for every room of Macs we have.

    1. Anonymous Coward

      Obviously you're just a lazy IT'er who can't be bothered to learn Mac.

      Apple "it just works" might be true for little Johnny at home with his MacBook but it bleedy well isn't in a corporate environment, when day to day management and doing simple things like map a drive, configure a proxy, manage disk encryption, etc. doesn't "just work". It's consumer goods, not corporate.

  4. Anonymous Coward

    Open question

    Has anyone managed to get Macs to integrate authentication to a normal LDAP server like, say, 389?

    I really want to avoid coming near anything that involves Windows licensing.

    1. Trevor_Pott Gold badge

      Re: Open question

      Last time I checked it worked with the latest Samba. Zentyal SBS does a dang fine job...

      1. Maventi

        Re: Open question

        Second Zentyal, it's fantastic.

  5. Chris Miller

    Who pays for this support?

    If I'm running a shop that has Windows on the desktop, and a department (usually Marketing, for some inexplicable reason) comes to me and insists they must have Macs (or Linux), my first thought is not a technical one, but a financial one. If I'm going to support them, I'm going to have to replicate many of the costs involved. If I don't support them ("they're Macs, we can support them ourselves"), who's going to be in the line of the shitstorm when something (inevitably, it will be something 'business critical') goes wrong?

    My solution - sure you can have a Mac (or a Nexus), but you're connecting to the corporate network through a VPN and running a virtual desktop (which will look and feel an awful lot like Windows). Have a nice day.

    1. Robert Helpmann??
      Childcatcher

      Re: Who pays for this support?

      A lot of what "enterprise" should mean boils down to standardization. That's where businesses can save money through the economies of scale. I've worked in many mixed environments - the first sysadmin job I had was for an art college that ran Windows, Mac and Amiga desktops and Novell servers - and have helped support a few others. Sure, it is possible to maintain and support multiple machine types and images, but at a certain point, you end up multiplying the costs associated with doing so by the total number of images. Assuming you have the tools to get the job done, there is not much difference in maintaining 2K and 3K Windows workstations - the tools involved should scale fairly well. Likewise with Macs, though I am making an educated guess as I have not worked in a shop that had that many Macs. However, if you go from say 1K Windows boxes to adding on 1K Macs, you end up having to buy or write new tools and hire a whole new group of people to maintain them. While a lot of experience transfers between administering different OSes, there is enough overhead added that most enterprises have good reason to go one way or the other, but not both.

  6. DerekCurrie
    Holmes

    Again: It takes 10x lower IT resources to maintain and manage Macs

    Again: It has been a constant in the IT business that it takes 10x lower IT resources to maintain and manage Macs relative to Windows boxes. And yet dealing with Macs arriving in the workplace "is a time sink the IT department just doesn't need." Rubbish.

    The only reason Macs are any problem to IT staff is that:

    1) Macs are unfamiliar to them.

    2) They're too staid and lazy to bother learning Mac technology.

    3) They're afraid for their jobs, seeing as it takes 10x lower IT resources to maintain and manage Macs.

    Get over it. Windows box market share is being replaced with Mac market share. And that's a GREAT thing.

    1. Anonymous Coward

      Re: Again: It takes 10x lower IT resources to maintain and manage Macs

      "Again: It has been a constant in the IT business that it takes 10x lower IT resources to maintain and manage Macs relative to Windows boxes."

      That was possibly true - in the days before Windows enterprise management tools, and when the great majority of corporate Mac users were knowledgeable and looked after things themselves. In effect, the IT resources were shunted off into the hole that was marketing or print workflow, and it tended to be siloed off from the rest of the system.

      But this is 2015 and the idea is that everything has to fit nicely into the corporate environment. And the Mac users are increasingly people who want Macs because they believe they are secure by design and intrinsically zero maintenance.

      I have no brief in the Windows versus Mac debate, I would just point to that comment in the article - that Google likes Macs as computers, but they have had to design their own IT infrastructure around them.

    2. Anonymous Coward

      Re: Again: It takes 10x lower IT resources to maintain and manage Macs

      and you've plucked this X10 figure from where???????? And what does it mean?

  7. Anonymous Coward

    I am surprised using the cloud to simplify things is not mentioned more, here.

    I remember reading about a school-district that switched to Chromebooks with only some seats left with fat-client software, mainly for media-editing and some CAD-design. I guess that when the customers do not have much budget they cannot push for fat-client stuff as much.

    Unfortunately, business customers, with more budget, often still want to decide on "having" computers, tablets etc. and then wanting someone else to make them fit in.

    As more kids start showing up that have been schooled using Google-Apps/MSO365 and Wevideo and YouTube editors and the like I wonder what the impact will be. Imagine a baffled young kid wanting to plug in an electrical appliance and having to listen to the Oil-types and the Coal types who are at war over which tech is better and how they store and backup their stuff better than the other.

  8. Anonymous Coward

    Love it.

    We have been 100% windows until 3 years ago, now we're 95% Mac clients 5% windows for desktops/laptops. It's bliss. We use AD, DeployStudio, OS X server for profile manager and updates, and Munki.

    If you're used to the windows world it might seem odd and frustrating at first, but once you go fully in it's such a better world. Plus my most favourite part, we have had zero malware to deal with since we moved over. Every day we would have a windows machine come to us with something on, or users would say my computer is slow. Not 1 complaint about the speed of the macs, the users love the battery life of the MacBook Airs and the light weight portability of them. Even those who hate trackpads actually like using the ones on macs. Also like that lots of places stock the chargers, so when a user says I've lost my charger we just pop to PC World and get a 45w MagSafe adaptor. There are so many upsides to the macs.

    In rooms with projectors staff just AirPlay one click and their screen is on the wall, no wires, no fuss.

    It is the case of you will need 3rd party tools in the Mac world for management. Unlike the windows world where Microsoft make a lot of management software. But you have to pay either way, so it's not really a big issue.

    1. Anonymous Coward

      Re: Love it.

      so you use 4 tools when in my windows environment I just use 2 AD and SCE. An advantage how?

      We also have 0 malware as it's not 1998 anymore and our clients are configured properly. Plus we have the advantage that our clients cost several hundreds of £ less than the cheapest Mac client, we can run all the software we want, and we don't need to buy the various adapters, etc to get proper use of said devices.

      1. Anonymous Coward

        Re: Love it.

        "and we don't need to buy the various adapters, etc to get proper use of said devices"

        He has a fair comment about mains adaptors, though.

        Or at least I thought he had till I googled for the adaptor for my 2012 Asus - not a common model - and discovered the embarrassment of choice from £18 to £33. And the £34 replacement batteries. It would seem I can have a new charger and battery for the price of the Apple mains adaptor.

        1. Anonymous Coward

          Re: Love it.

          you could have a whole new computer for the cost of a Mac charger!

      2. Anonymous Coward

        Re: Love it.

        "so you use 4 tools when in my windows environment I just use 2 AD and SCE. An advantage how?"

        There's always that old adage of quality versus quantity.

        One problem with Windows is that you need Windows to manage it. It's a self-licking icecream. It's amazing what you can do when you are able to use alternate offerings on both the client and servers that suit the business in question. For some this is Windows/AD/etc, for some this is not. The key is choice, and having enough imagination to keep an open mind about it.

  9. launcap Silver badge
    FAIL

    Yosemite and AD

    In a word - pathetic.

    We have AD. It worked fine (for a slightly flaky version of fine but we knew where the issues were and how to avoid them or mitigate them) on Mavericks, Lion, Mountain Lion, Snow Leopard etc etc.

    Then comes along Yosemite. We can persuade it to bind (eventually - by being specific about the OU where the machine account is) but it won't actually use AD to authenticate. It just sits there and gives 2100 errors (and virtually nothing in the way of diagnostics).

    My home AD works fine (same domain level, same-ish structure).

    So - we have to use AdmitMac and pay for something to do what the OS should do (and did do pre-Yosemite).

    Not that I'm annoyed about it or anything. Or being moaned at.

    1. Anonymous Coward

      Re: Yosemite and AD

      or cut out the middle man and don't have any Mac's! Why make life difficult!?

      1. Maventi

        Re: Yosemite and AD

        "or cut out the middle man and don't have any Mac's! Why make life difficult!?"

        For administrators or users? If you ask around, you might find that many users would prefer something other than Windows.

        Diversity in technology is a damn good thing.

  10. Anonymous Coward

    What about Novell's ZENWorks? Not exactly a small product, we've been using it to manage our windows clients for years, and we've recently started pushing it out to the macs. App deployment, remote control, etc, all the usual bells and whistles and our support staff don't have to learn new tools.

  11. Jan 0 Silver badge

    Casper

    Why's nobody mentioning Casper?

    Take a look at JAMFsoftware.

  12. Basic

    Wasted cycles

    It's amazing how much effort you need to waste on inconsistent, feature-poor tools.

    I've been fairly open to the idea of adding Macs to our domain but since I've started investigating, I'm not going to bother. I can't even buy a server that's rack mountable unless I want hardware from 2009 that's not guaranteed to be supported in future.

    Oh and good luck trying to use a Mac Mini - have you seen what's involved in swapping a HDD, let alone getting it to RAID or similar?

    It's a total farce
