Since the release of Snow Leopard Server three years ago, Apple has been steering its server platform away from large enterprise deployments. Instead Apple has redesigned OS X Server to meet the needs of the small to mid-size business market as well as the needs of Apple-centric departments or workgroups in larger organizations. That focus is very clear if you download and install Mountain Lion Server or look through the Mountain Lion Server documentation from Apple.
One of the transitions that Apple began in Lion and Lion Server, which were released last summer, was a move away from the traditional Mac management architecture that Apple has provided in OS X Server since it launched the platform more than a decade ago. In its place, Apple has built a management system for Macs that is very similar to the mobile management features available in iOS.
Apple hasn’t left Mac systems administrators and other IT professionals completely in the lurch. The company quietly released a Mountain Lion compatible version of Workgroup Manager, the traditional tool for creating and managing user accounts, groups, and Mac workstations. More importantly, the under-the-hood Mac client and user management system referred to as Managed Preferences is also still available as part of Apple’s Open Directory architecture (the Mac equivalent of Windows Server’s Active Directory) in Mountain Lion and Mountain Lion Server.
This means that Mountain Lion Server can still provide all the user and client management capabilities that have been part of OS X and OS X Server for many years. That’s important because the new system of configuration profiles that Apple is moving towards can only be used to manage Macs that are running Lion or Mountain Lion. Macs running Snow Leopard or any earlier OS X release can’t be effectively managed using configuration profiles.
The option to use Workgroup Manager and Managed Preferences was unexpected based on Apple’s documentation and it gives longtime Mac systems administrators some breathing room. Even for organizations that are going all Mountain Lion, making a transition from an existing Managed Preferences setup to configuration profiles requires planning, testing, and actually making the switch from one architecture to another.
A quick look at the Mountain Lion version of Workgroup Manager, however, makes it clear that this is a stop-gap measure. Virtually nothing in Workgroup Manager has been updated from the Lion release last summer. Proving how long in the tooth the tool has become, there’s still an option to manage the Classic environment that Apple created to run Mac OS 9 apps under OS X – a feature that Apple killed off with the transition to Intel Macs and the release of Leopard.
Managed Preferences vs. Configuration Profiles
What are the differences between the traditional Managed Preferences and Configuration Profiles? The truth is that the two approaches are very similar. Both rely on XML data to define things like system and application preferences, security requirements, user access restrictions, and network resources within an organization.
If you look at Workgroup Manager and Profile Manager running on Mountain Lion Server, it’s obvious that both tools work with the same management options and XML data. Most of the Mac management options in Profile Manager are exact matches to management options in Workgroup Manager though some are grouped together in differing categories. Both tools even include an option to configure and manage any application (Apple or third-party) by defining custom XML data based on the application’s preferences.
The real difference between the two is in how the management data is communicated to and stored on Mac clients.
Managed Preferences stores its various administrator-defined settings in records within Open Directory (or Active Directory if you’re feeling adventurous and are comfortable altering/extending the Active Directory schema). Those settings can be stored in user, group, computer, and computer group records. When a Mac is joined to an Open Directory domain, it reads and applies any computer or computer group configurations that apply to it. When a user logs into that Mac, it reads and applies any settings defined in the user’s account along with the user’s group memberships and associated settings.
Configuration profiles work a bit differently. Each profile contains one or more managed settings or access restrictions. Profiles are stored as XML files with a .mobileconfig extension. Opening a profile on a Lion or Mountain Lion Mac offers the option to install the profile. Once installed, the Mac will read and apply any data in the profile. Profiles can be manually managed in System Preferences from a Profiles pane that appears if profiles have been installed. As with iOS devices, you can distribute Mac configuration profiles by email, by posting them to a website, or by manually copying them to a Mac.
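Because a profile is an XML property list that can arrive by email or from a website, it can be inspected before anyone installs it. The following is an added example, not code from the article or from Apple: it uses Python's plistlib to list the payloads in a constructed sample profile. The com.example identifiers and the SSID are made up for illustration; the key names are the standard profile keys.

```python
import plistlib

# Constructed sample profile (not from the article): one Wi-Fi payload and one
# restrictions payload inside the top-level "Configuration" dictionary.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.office</string>
  <key>PayloadDisplayName</key><string>Example Office Settings</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.office.wifi</string>
      <key>SSID_STR</key><string>ExampleCorp</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.office.restrictions</string>
    </dict>
  </array>
</dict></plist>"""

XML_PREFIXES = (b"<?xml", b"<!DOCTYPE", b"<plist")

def audit_profile(data: bytes) -> dict:
    """Summarise what a .mobileconfig would manage, before it is installed."""
    # A signed profile is wrapped in a binary CMS envelope, so it does not
    # begin with XML and must be unwrapped by other tooling first.
    if not data.lstrip().startswith(XML_PREFIXES):
        return {"plain_xml": False, "payloads": []}
    root = plistlib.loads(data)
    if root.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not 'Configuration'")
    payloads = [(p.get("PayloadType"), p.get("PayloadIdentifier"))
                for p in root.get("PayloadContent", [])]
    return {
        "plain_xml": True,  # unsigned: anyone along the way could have edited it
        "name": root.get("PayloadDisplayName"),
        "identifier": root.get("PayloadIdentifier"),
        "removal_disallowed": bool(root.get("PayloadRemovalDisallowed", False)),
        "payloads": payloads,
    }

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```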
Ensuring profiles are installed and preventing users from disabling them requires a more proactive mechanism. As with iOS, Apple supports the use of mobile management tools, including Mountain Lion Server’s Profile Manager, to take on this challenge. In such instances, the management tool lets you create/manage multiple configuration profiles, enroll devices, and push changes out to managed Macs.
There are a handful of third-party solutions on the market that plug into Apple’s Managed Preferences architecture to provide the same Mac management capabilities as OS X Server and Workgroup Manager. They can add Mac management to predominantly Windows organizations and offer a range of additional enterprise features including mass deployment tools. Products of this type include Centrify’s DirectControl for Mac, Thursby’s ADmit Mac, and JAMF’s Casper Suite.
More recently, companies that develop mobile management tools have announced support for Mac management. Since Lion and Mountain Lion configuration profiles are essentially a variation on iOS configuration profiles, it’s relatively easy and straightforward for mobile management vendors supporting iPhones and iPads to expand to include support for managing Mac workstations. AirWatch already supports Mac management, for example, and MobileIron has announced that it will be adding Mac management capabilities in the near future.
One advantage to this new approach is that it encourages one-stop shopping for enterprise management solutions. A single product and a single interface can consistently manage Macs, iPads, Android phones, and a range of other devices and platforms. That streamlines expenses and administrative tasks. The downside, however, is still the relative newness of configuration profiles compared to Managed Preferences and the fact that older Macs or those running older OS X versions aren’t supported.
The road ahead
Ultimately the changes that Apple is making in OS X Server and Mac management are a positive. Small businesses that are Apple-focused have an excellent and extremely inexpensive option in Mountain Lion Server. Enterprises have a growing range of options for managing Macs, iPhones and iPads, and other mobile devices easily and efficiently. The transition, while jarring for some organizations, preserves the core functionality that Managed Preferences have always offered but in a way that is more flexible, easier to implement, and requires minimal infrastructure additions or changes. Despite the transitions that may be involved, that is ultimately good for Apple, business users, and Mac IT professionals.