Last week I took a brief look at how managing a handful of Macs differs from managing dozens or hundreds or even thousands of Macs. Some readers asked how big companies like Apple, Google, Viacom, or IBM actually go about managing large numbers of Macs – both in terms of the tools they use and in terms of how their IT processes differ from supporting Macs in small businesses.
I can’t speak for how Apple manages the Macs of its thousands of employees, but I have worked with several large companies as a Mac IT professional – along with a number of schools and colleges, government agencies, and small businesses. Here’s a look at the tools and processes that they use to configure, deploy, and manage Macs on a grand scale.
Most companies use a combination of different tools and mechanisms to support and integrate Macs into their environments. As with supporting PCs and mobile devices, the needs of handling a large number of Macs boil down to a handful of key tasks:
- Configure and deploy new Macs (or repurpose existing ones)
- Install and manage software on Macs that are in active use
- Install software updates from Apple, third-party developers, and custom in-house software
- Provide secure login and user experience management on each Mac (a.k.a. client management)
- Integrate Macs with key enterprise systems (everything from central user accounts to corporate Wi-Fi and VPN access to file sharing and collaboration suites to internally and externally-hosted cloud solutions)
- Remote troubleshooting
- Inventory or asset management
Each of the tasks on that list is needed for virtually any technology that users access in a large organization. While the tasks may be uniform in large companies, the tools that allow IT staff to carry them out can be very platform-specific – as can the skills and knowledge about how these tasks are performed with respect to Macs versus PCs (or iOS devices or BlackBerries). Broad concepts of computer and device management tend to be universal, but Apple, Microsoft, and other vendors sometimes implement those concepts in very different ways.
Mass configuration and deployment is one of the biggest differences between a company with a handful of Macs and one with hundreds or thousands. In small offices, Macs can often be purchased one or two at a time and can be set up manually by using the standard OS X setup process, Migration Assistant if needed, and manual installation of apps from existing media or the Mac App Store. That process breaks down pretty quickly when you start talking about larger numbers of Macs because of the time required to go through those steps on each machine.
The solution in large (and even not-so-large) organizations is that Mac images are used. An image is a snapshot of a fully configured Mac. That means a single Mac has been set up, had all needed apps installed, and has been configured to work within the corporate network. If a user account is set up at all, it’s a standard admin account. A disk image is then made of the Mac’s hard drive, usually stripping out any device-specific details. That image can then be copied onto other Macs. OS X is highly portable, meaning that an image created on one Mac can often be used on different Mac models. Mass deployment tools then copy that image to new Macs or Macs that are being repurposed, usually over a corporate network.
Those tools can also configure some settings to customize the new Mac after deployment, adding things like a unique device name, adding local user accounts, and installing additional software. These post-deployment tasks can be set to assign unique data to each Mac or to configure specific groups of Macs in a specific way.
A combination of different tools can accomplish these tasks. Some are free or open source, while others are high-end commercial offerings. The free and open source tools include:
- Disk Utility and Apple Software Restore which ship with every Mac (Apple Software Restore can image thousands of Macs simultaneously using a technique known as multicast streaming)
- Deploy Studio (also supports some PC deployments)
Commonly used commercial tools, which often have features for managing Macs beyond just deployment, include:
- NetBoot/NetInstall/NetRestore features of OS X Server (requires advanced admin tools package in Lion Server)
- JAMF Casper Suite
- Symantec’s Altiris Client Management (also supports PC deployments)
- Absolute Manage (also supports PC deployments)
Install and manage software
One of the tasks that can be done after the deployment process is to install specific apps on certain Macs – the Adobe Creative Suite on Macs used for graphic design, for example. While it makes sense to do this during the deployment process, there are times that it needs to be done later – typically to add software to Macs already in use. In this case, the mass deployment tools used to roll out stock Mac configurations on new Macs aren’t the best option because the Mac is in use and may have user data or preferences on it that need to be maintained.
This means a second set of tools is used to roll out applications remotely. Typically, these tools rely on pushing files in the OS X package and metapackage formats (.pkg and .mpkg) to devices in the background. These are the same types of files that launch the OS X Installer utility if you open them. Several enterprise tools can push these to Macs and install them in the background even while the Mac is actively being used.
Not all Mac software comes in a package file, however. Many apps can simply be copied to a Mac’s applications folder. Application deployment and management tools can do a simple copy like that as well.
Less frequently, applications use a custom installer utility. These have become much less common over the years, but they still exist. Some tools can still deliver them relatively easily while others can’t – it really depends on the software. Most tools, for example, can handle the proprietary installers that Adobe uses.
If a company doesn’t have a tool that can deliver these custom installer apps, IT can reverse engineer a standard Apple package file for software that uses a custom installer by taking a snapshot of a Mac before and after running the installer. Tools like InstallEase and Iceberg can then compare the before and after images, note what files were added, modified, or deleted, and create a package file that replicates the end result of the custom installer. Apple’s PackageMaker, which is included with the Xcode development suite (available in the Mac App Store)
As with mass deployment tools, there are a few open source and commercial tools that companies typically rely on for software distribution (and several can perform other enterprise functions as well). These tools include:
- StarDeploy (donationware)
- Munki (open source)
- FileWave (also supports PCs)
- Apple Remote Desktop
- Flexera (also supports PCs)
- LANDesk (also supports PCs)
- Puppet (also supports PCs)
- Dell’s Kace network appliances (yes, Dell does produce tools that work with Macs – also supports PCs)
- JAMF Casper Suite
- Symantec’s Altiris Client Management (also supports PCs)
- Absolute Manage (also supports PCs)
Installing software updates
Software updates pretty much come in two flavors – Apple Software Updates and everything else. While Macs in a company can download Apple’s updates automatically, that’s rarely the way companies handle software updates. One reason for this is that if you have a couple hundred Macs all querying Apple’s update server and downloading large updates around the same time, your Internet connection is going to take a huge hit in performance. Another big reason is that sometimes updates fix one problem and create another – for this reason Apple recommends companies download updates and test them before rolling them out.
There are a handful of ways that companies can handle updates. For Apple updates, businesses with OS X Server can create a local mirror of Apple’s update server. The updates are downloaded once by IT and then all the Macs in the company look to that internal server – this lets IT choose which updates are available and when. Another common option is simply to treat software updates for Apple and third-party applications as any new piece of software and use the tools I’ve already discussed to roll them out.
Enterprise login and client management
In most organizations, including many small businesses, each user receives an account that serves as their login to one or more workstations. That account also grants them access to company services like email, file shares, corporate Wi-Fi, cloud solutions, and so forth. That user account also grants or restricts access to certain systems and files (including network resources as well as files and components on a user’s assigned computer). Most users don’t have admin rights on company Macs or PCs, for example.
OS X also lets IT pre-configure system and application settings based on a user’s account, group membership, and even the Mac that he or she is using. This process, known as client management, also takes place on Windows PCs in large companies, though through very different back-end technologies. Client management makes it possible to ensure certain apps are in the Dock, certain preferences are selected in Microsoft Office, and even that company websites and internal resources are provided as bookmarks in Safari or another browser. These settings can be pre-set, allowing users to change them, or enforced such that users cannot change them.
There are a number of tools that IT can use to plug into Apple’s client management architecture including:
- OS X Server (requires advanced admin tools package in Lion Server)
- Centrify DirectControl for Mac
- Thursby’s ADMit Mac
- Quest (also supports PCs)
- JAMF Casper Suite
- Symantec’s Altiris Client Management (also supports PCs)
- Absolute Manage (also supports PCs)
Integrating with enterprise systems
Every organization has a range of internal resources. These can include things as simple as central user accounts, client management, Microsoft Exchange, VPN services for secure remote connections to a company network, file shares, cloud-based collaborative suites, and internal messaging systems, to name just a handful. In most instances all of these enterprise systems key off a central directory system that contains user accounts, groups, computer records, and information about network services. Having all these systems interface with a central directory service eases the tasks of administering them.
The most common enterprise directory service is Microsoft’s Active Directory, which is an extremely robust, powerful, and flexible system. Macs natively support the ability to access Active Directory and can authenticate logins via user accounts stored in Active Directory.
Centrify and Thursby have beefed up Apple’s native support for Active Directory to enable additional features, greater security, and to add client management capabilities for Macs. Centrify offers its DirectControl for Mac, which also adds full client management, as well as a free Centrify Express edition that deals just with Active Directory integration and security. Thursby produces a couple of variations of its ADMit Mac that offer similar functionality but use a notably different approach under the hood than DirectControl. Both companies offer support for smart card authentication – a common requirement of U.S. and other government agencies, which Apple began reducing support for in Lion.
Beyond Active Directory, there is a wide selection of enterprise systems used in any company. OS X may support some of them without additional software while others will need special Mac client apps. In some cases, there may be no direct Mac integration path, in which case web-based tools or Windows apps running under a solution like Parallels Desktop (or Parallels For Enterprise) are typically the only options.
The tools that go into enterprise systems integration can be all over the map, from Apple-made solutions to third-party apps to something created internally. Often creating a workable system of utilities and access capabilities for multiple enterprise tools is one of the biggest challenges that IT departments face when working with Macs. As a company begins to have greater numbers of Macs in use, these challenges can become more complex because simple workarounds for a few users may not be a viable option for hundreds of users in multiple departments or across multiple countries.
In a small business or office, there usually isn’t much of a need for remote troubleshooting. Even in mid-size companies, it can be easy enough for techs to simply head over to a person’s desk or office to fix a problem. Large companies, however, have large IT staffs with very delineated job functions like help desk agents, desktop technicians, and systems administrators. Often in such organizations, the goal is to resolve the problem without sending a tech whenever possible. That requires two types of tools – a help desk management system and remote access and control tools.
Help desk management systems record the work done by IT staff – typically help desk and desktop techs. Each call is assigned a case or ticket number, notes about problems are tracked, and data like the user reporting a problem and the computer he or she is using is recorded. This helps identify problem areas, ideally keeps issues from falling between the cracks, and tracks the productivity of the support personnel in dealing with issues – all of which are important features even though these systems can make users with problems feel like they’ve become lost in a bureaucracy. These systems also typically integrate with inventory systems that provide data about the technology in the field.
The other part of the equation is tools that allow remote access to a computer. This is something that most users have seen or experienced at least once, where the person on the phone takes control of a Mac or PC to investigate problems and resolve them, if possible. There are a plethora of such technologies on the market, and OS X even ships with built-in screen sharing. In some cases, like Apple Remote Desktop, remote control comes with a slew of additional features (it’s worth noting that Apple Remote Desktop is essentially a Mac IT person’s Swiss army knife thanks to its wide range of capabilities, including deploying applications and files, remotely running tasks across multiple Macs, its screen sharing capabilities, and its extensive system monitoring and reporting capabilities).
Ultimately, each enterprise organization develops a selection of these tools, each of which requires its own set of skills. In addition to understanding the individual tools and their functionality, Mac IT professionals also need to understand a lot of the essential under-the-hood operation of OS X in a managed environment – these are skills on top of being a good Mac tech. Even if they specialize in Apple solutions, Mac IT professionals also need solid general networking skills as well as Windows and Windows Server skills.