Over the last month or so, I have had the pleasure of working on deploying Mac computers into a large school network. The solution includes the typical AD authentication and login, full network deployments as well as the ability to centrally and remotely manage the client machines.
Leaning on my previous experience and recent refresher in these matters, I have decided to write up some general advice on managing Mac clients.
I will intentionally try not to delve too deeply into the theory behind Managed Preferences as this will be covered in the next part of our education white paper to be released at a later date.
A quick recap
So what are Managed Preferences? The official name is Managed Client Preferences and is often shortened to ‘MCXs’. These are applied from a directory system to Apple Mac clients, typically from an Apple Open Directory server.
The simplest way to explain it to a Microsoft Windows technician is to think of Group Policies set in AD, but for Macs!
It provides the ability to remotely and centrally control almost every setting on a Mac client without disrupting the end-user to update them.
But why do I want to control the settings of an end-user?
A good question. Surely you controlling the end users computers is just asking for an ear-full from them – but there are genuinely good reasons for it.
Firstly, security. Say your employer requires computer screens to be locked after 5 minutes to prevent confidential information being available when a user pops out to lunch. How can you trust that the user will remember to lock their computer? I mean lets be realistic; everyone forgets something sometimes.
Well with MCXs you could push out a preference that will automatically lock the computer after 1, 3, 5 or more minutes. This could be applied to anyone who logs onto the computer, any members of an AD group (say the Accounts team), or just that one user (for example the MD of a company).
Secondly, power saving. With the rising cost of energy and the environmental impacts its generation has, a lot of employers require that users computers be shut down at night. Again, how can you trust every single end user to remember this? With MCXs you can push out a scheduled shut down, restart and even power up on a specific day, week-daily and weekend basis, thus ensuring all company managed computers are only on when required. Even better, the user is pre-warned 5 minutes before shutdown and restart times with the option to cancel it if they are working late!
Thirdly, content management. If your employer requires all Internet traffic to travel through a web proxy for filtering, how can you ensure each employee is not circumnavigating this liability protecting solution? Simple, MCXs. You can enforce and always on proxy setting that even if a user figures out how to disable it, it can reapply it self automatically, helping to make sure all out-bound traffic is filtered and monitored.
Finally, how about annoyances? New users complaining they have to click through so many different ‘first run’ screens for every program? Well how about using MCXs to push out a first run disabled preference for each application? Admittedly, its something that will probably go without notice, but then again, that is the intention!
So you’d like a piece of the action, but not sure what you need?
Currently there are three main methods for applying MCXs to Mac clients, depending on circumstances and budget:
1. Modify the Active Directory attributes to allow Mac MCXs – This is generally considered the least favourable option, as despite being the cheapest in a dual environment, it requires some unofficial AD modification that is not supported by either Microsoft or Apple. At the end of the day, it could also produce unpredictable behaviour in Mac and non-Mac clients alike.
2. Purchase a specialist control system such as the Casper Suite. These products can provide a much deeper level of control and reporting then any other solution, but come with a relatively high cost.
Recommended, subject to budget.
3. Purchase an Apple Server and configure a dual directory system (sometimes known as the Golden Triangle). Typically the best compromise between function and price, it is this area I shall be concentrating on. With a Mac Server and a set of the Apple Server Admin Tools, you will have all you need to manage a set of mac clients.
Got them, so where do I start?
So, assuming you’ve decided to go full-Apple and use option 3 where do you go now? Well, once you have the clients bound to both directories and the server configured fully, you’re ready to setup some preferences.