On Apr 6, 2012, at 11:26 AM, Tim Kirby wrote:

> which leads me to ask whether any of this body have any useful experience in "managing" such machines. I'm open to pointers to useful resources, but I'm particularly interested in anyone who is actually "doing" this at some level.
We are an all-Apple campus, with 400 student laptops (bring-your-own) and a bunch of school-owned machines, so we do this all the time. The student machines are imaged by request but not managed (they own them, so we don't have admin rights). Meanwhile, the school-owned boxes are imaged and managed (we set policies on how the machines behave).

We currently use Apple's solutions for all management tasks. We have a NetBoot server to boot the machines disklessly and then image them using DeployStudio (open-source). Works well, especially if you only have a few master images. For centralized authentication and policies we use a central directory (Apple's "OpenDirectory", which is akin to MS Active Directory). If you can drop the $1000 for a Mac mini server, you can have this all up and running in a test mode on one machine.

If you're serious about this, I *strongly* suggest signing up for the MacEnterprise mailing list (www.macenterprise.org). Apple also has some mailing lists dedicated to their server technologies which you might want to lurk on, though many of the heavy hitters are on the macenterprise list as well.

Since we're all-Mac, I unfortunately have no direct experience integrating into an MS environment, but I know it can be done. Macs will talk to AD out of the box for authentication, but for management (password restrictions, VPN settings, security settings, etc.), you have to go a little further. You have a few options:

1) Apple publishes a set of schema extensions for AD that lets you embed the Apple-specific stuff directly in AD. All client management settings are stored in "MCX" records that the Macs look for. This allows you to push policy from a central AD system.

2) If extending your schema freaks out your Windows admins (likely), you can have the Macs pull auth from AD and then find an Apple OpenDirectory server for policy information (called the "golden triangle" or "magic triangle"). It's a little more work (you have to keep two directories up to date), but you won't have to touch your AD server for Mac-specific stuff.

3) New in 10.7 is "Profile Manager", which lets you build XML profiles and publish them for client devices (rather than using a directory service). This works for Macs and iOS devices (MCX is only for "bound" OS X clients). I haven't played with this yet, so I don't know if it covers all the settings you can tweak with the directory-based solutions. If your policy needs are modest, this may be the least-intrusive way to add on to an AD environment.

If you really don't want to spend money on Apple server stuff, most of their services are just special sauce on top of standard protocols. OpenDirectory is just LDAP+Kerberos (with schema extensions). NetBoot is just DHCP/TFTP/AFP. Their Apple Update Server (local cache of managed software updates) is web-based. JAMF has even created a Linux-based appliance to handle imaging and software updates:

https://jamfnation.jamfsoftware.com/redirect.html?url=https://s3.amazonaws.com/jamfsoftware-content/downloads/NetBootSUS+Appliance_v1.0.pdf

That uses some open-source stuff contributed by other Mac shops (Disney, in this case).

Hope that's helpful!

Jason

--
Jason Healy | jhe...@logn.net | http://www.logn.net/

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
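Option 3 in Jason's message (Profile Manager publishing XML profiles) is the one most people now reach for, so as an added example, not code from the thread, from Apple, or from any of the tools mentioned, here is a small Python script that builds a configuration profile as an XML property list, checks the structural invariants a client would reject on (required keys, unique payload UUIDs), and lints the password payload for a weak setting beside the corrected one. Only the top-level profile keys (PayloadType "Configuration", PayloadIdentifier, PayloadUUID, PayloadVersion, PayloadContent) are the generic ones every profile carries; the password-policy payload type string, its setting keys (minLength, maxFailedAttempts, requireAlphanumeric), the reverse-DNS identifiers and the organization name are illustrative values assumed for this example.

```python
"""Build, validate and lint a minimal macOS configuration profile (.mobileconfig).

Added example for the LOPSA thread above; not code from the thread, Apple or JAMF.
A configuration profile is an XML plist: one top-level dictionary of type
"Configuration" whose PayloadContent is a list of payload dictionaries.
"""
import plistlib
import uuid

# Assumption for this example: payload type and keys of a password-policy payload.
PASSWORD_POLICY_TYPE = "com.apple.mobiledevice.passwordpolicy"
MIN_ACCEPTABLE_LENGTH = 8  # local policy threshold used by the linter, not an Apple value

COMMON_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def password_payload(min_length, max_failed, identifier):
    """Return one password-policy payload dictionary with a fresh PayloadUUID."""
    return {
        "PayloadType": PASSWORD_POLICY_TYPE,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Password Policy",
        "minLength": min_length,            # minimum password length
        "maxFailedAttempts": max_failed,    # 0 is treated as "no lockout" by the linter
        "requireAlphanumeric": True,
    }


def build_profile(org, identifier, payloads):
    """Wrap payload dictionaries in a top-level profile and serialize to XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "%s Managed Settings" % org,
        "PayloadOrganization": org,
        "PayloadScope": "System",           # install for the whole machine, not one user
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)          # default format is XML


def validate_profile(data):
    """Return a list of structural problems; an empty list means the profile is well formed."""
    problems = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:                # malformed XML / not a plist at all
        return ["not a plist: %s" % exc]
    for key in COMMON_KEYS + ("PayloadContent",):
        if key not in profile:
            problems.append("missing top-level %s" % key)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen_uuids = {profile.get("PayloadUUID")}
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        for key in COMMON_KEYS:
            if key not in payload:
                problems.append("payload %d: missing %s" % (i, key))
        pid = payload.get("PayloadUUID")
        if pid in seen_uuids:               # duplicate UUIDs make profiles collide on install
            problems.append("payload %d: duplicate PayloadUUID %s" % (i, pid))
        seen_uuids.add(pid)
    return problems


def lint_password_payloads(data):
    """Flag weak password-policy settings in a profile that is already structurally valid."""
    findings = []
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSWORD_POLICY_TYPE:
            continue
        if payload.get("minLength", 0) < MIN_ACCEPTABLE_LENGTH:
            findings.append("minLength %s is below %d" % (payload.get("minLength"), MIN_ACCEPTABLE_LENGTH))
        if not payload.get("maxFailedAttempts"):
            findings.append("maxFailedAttempts unset or 0: no lockout after failed logins")
        if not payload.get("requireAlphanumeric"):
            findings.append("requireAlphanumeric is off")
    return findings


if __name__ == "__main__":
    weak = build_profile("Example School", "org.example.mdm.password",
                         [password_payload(4, 0, "org.example.mdm.password.policy")])
    fixed = build_profile("Example School", "org.example.mdm.password",
                          [password_payload(12, 10, "org.example.mdm.password.policy")])
    print("weak profile findings:", lint_password_payloads(weak))
    print("fixed profile findings:", lint_password_payloads(fixed))
    print(fixed.decode())                   # the XML you would hand to the client
```

The emitted XML is what a device receives whether it comes from Profile Manager or any other MDM; the linter is the piece worth keeping, since a profile can be perfectly well formed and still push a four-character password policy to every bound machine.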