Three ways to manage Macs in the enterprise

Although they’re still uncommon, Macs are making their way into corporate IT shops. Luckily, you can take your pick from a few different management approaches.

Ready or not, Macs are infiltrating the enterprise. IT has to figure out how to integrate them with existing Windows and Active Directory domains, and determine what additional tools or systems they need to do so.

Determining how to incorporate Macs into a Windows infrastructure is no small task. It comes down to the number of Macs that need support, what type of access they require and the tools and the systems that an organization already has in place.

Many workers prefer Macs, especially over Windows PCs. The influx of iOS devices -- along with the promise of seamless integration among Apple devices -- has only fueled the fires of change. Even so, Macs remain a small minority in a Windows-dominated environment, and they are very different animals from their Windows counterparts.

In figuring out how to accommodate Macs, protect corporate assets and control resources, IT teams take three primary approaches: They use existing tools to incorporate Macs into the Active Directory (AD) domain as they would with Windows computers, incorporate the Macs into the AD domain but use special tools to manage them, or manage the Macs separately and treat them like mobile devices.

Incorporating Macs into an AD domain

Many IT administrators would prefer to seamlessly add Macs to their AD environments, like they do with Windows desktops. To a certain degree, OS X makes this possible because Mac desktops and laptops include the client component necessary to join AD and other standards-based directory services.

Binding a Mac to the domain is relatively simple, assuming the user has the necessary computer access and domain credentials. When the computer joins the domain, Windows Server automatically creates the computer object in AD (unless it already exists) just like a Windows desktop.

Recent releases of Mac OS X have made it even easier to integrate Apple products because the OS can work with Microsoft's System Center Configuration Manager (SCCM) and Exchange ActiveSync. In fact, SCCM now supports Mac OS X 10.10 (Yosemite) clients.

Still, Macs are not Windows desktops, and most management products are built for Windows computers. That means compatibility issues will arise. One way to mitigate these issues is to extend the AD schema to better accommodate Mac computers, but that may require development resources and technical expertise beyond what many organizations are willing to commit, especially if they only have a small pool of Macs to support.

Luckily, administrators can augment their existing tools' capabilities with the extensive set of commands available to the Mac OS. Admins can issue commands to set screensaver idle times, configure language and text formats, disable auto correct and much more.

Using AD and third-party tools

Although AD and command support in OS X make integrating Macs simpler, many administrators find it easier to bring other tools onboard to help with management. Admins can join Macs to AD domains and then use Apple Remote Desktop to push commands out to the Mac clients.

Another option is to implement Mac OS X Server on its own system, and then use Apple’s Profile Manager to set Mac policies based on AD groups. This entails setting up an Open Directory domain alongside the AD service, which can result in easier management over the long-haul. AD handles the Windows side and Open Directory/OS X Server takes care of the Macs. Because the Macs are still bound to AD, there is seamless communication between the two environments, as well as shared file and printer services.

If this is too hard, you might consider Centrify User Suite (Mac Edition), which can administer Macs and use the AD identity infrastructure to centrally manage authentication, policy enforcement and single sign-on. Another popular option is Casper Suite from JAMF Software, a comprehensive endpoint management product that can integrate with AD and Open Directory.

But it's not necessary to take a Microsoft-only approach to integrating Macs with AD. Often, the most effective way to work with Mac computers is to treat them like Unix boxes rather than Windows desktops. Integrate them with the current infrastructure where possible, but treat them as separate device types in all other respects.

Managing Macs like mobile devices

Since Apple released OS X 7, the operating system has been moving toward a mobile device management (MDM) model, instead of the traditional directory services model. This makes it possible for admins to use the same management tools on Macs, iOS and Android devices.

For example, OS X 10 lets administrators query a Mac computer for its iTunes account to determine whether the Apple ID associated with the computer has changed. Admins can also do this with iOS 8 devices. This helps ensure that resources, such as apps and books purchased through Apple's Volume Purchasing Program, go to the correct users.

Apple’s new MDM framework also lets administrators initiate AirPlay sessions on managed devices and push enterprise apps and ebooks to Mac computers. In addition, Apple has beefed up its OS X Server and platform capabilities to make it more MDM-friendly. Users can register their Macs, and vendors can take advantage of the increased number of application programming interfaces available to third-party security and management solutions.

MDM vendors in particular have been quick to jump on new Mac features such as AirWatch, which lets admins manage Mac computers alongside smartphones and tablets. With AirWatch Mac Manager, administrators can perform a wide range of management tasks, such as updating passcode profiles, creating managed domains for email accounts, enabling AirPlay, distributing software and tracking assets.

Although many management products can integrate with AD, organizations can also implement a separate tool such as MobileIron or an Apple server not bound to AD. This way, admins can still implement user access through virtual private networks without the machines having to join the domain. This approach can be useful when incorporating users' personal Mac laptops.

Next Steps

Use Active Directory to manage Macs in Windows environment

Citrix’s XenServer 5.5 adds Active Directory integration

Your Macs may not be as secure as you thought

5 Mac tips for Windows desktop admins

Dig Deeper on Alternative operating systems