You can also choose to map existing or new Active Directory attributes to support functionality specified in the Open Directory schema. This approach can be highly effective, but it also requires a fair amount of experience with Active Directory and Open Directory (or at the very least OpenLDAP, on which Open Directory is largely based) and schema modifications.

A third, more recent approach to Open Directory and Active Directory integration was introduced with Leopard Server in 2007. Leopard Server supports Kerberos cross-domain authorization and the use of stub records in Open Directory. This means that Leopard Server can be configured to act as a subordinate directory server to another infrastructure (such as Active Directory).

Such a server will rely on the primary directory system for authentication but will supplement attributes stored in its own domain as needed by clients. The downside is that this configuration uses Leopard Server's workgroup mode, one of its simplified setup modes, which offers very limited client management capabilities.

More details on Active Directory integration are available in the Bombich Software white paper Leveraging Active Directory on Mac OS X.

Centrify's Direct Control for Mac OS X

Centrify offers an alternative to relying on Mac OS X Server and Open Directory for client management. Direct Control for Mac OS X (pricing varies depending on your needs) provides the easiest solution for experienced Windows administrators because it actually implements additional group policies (at this point over 200 of them) in Active Directory via prepackaged schema extensions that can be used to manage Mac OS X.

If you're used to client management via group policies, Direct Control will feel very comfortable to you. (Direct Control versions for other Unix-based platforms are also available.)

On the client side, Direct Control installs as an alternative plug-in to the Active Directory plug-in shipped by Apple. One of the great features of Direct Control for Mac is that it actually leverages Apple's managed preferences architecture so that many of the key aspects of the Mac OS X environment can be managed using the group policies that ship with it.

I've been a fan of Direct Control for Mac since I initially reviewed it for Computerworld in early 2007. The simple interface, which is among the product's biggest selling points, remains a significant advantage. And Centrify has expanded on its product since then, incorporating support for Leopard, providing secure smart card authentication options, and most importantly, including a wide range of additional policies.

Thursby's ADmit Mac

ADmit Mac ($149 per license, with bulk license options available) from Thursby Software is another longtime solution for providing enhanced Active Directory support for Macs. Like Centrify's Direct Control, ADmit Mac includes authentication support and installs as a replacement for Apple's Active Directory plug-in.

Additionally, ADmit has its own feature set that goes beyond client management. It is, in fact, the only product that provides support for the Windows Distributed File System (DFS). It also provides options for leveraging Apple's managed preferences.

The big difference in implementation between Direct Control and ADmit Mac is that ADmit doesn't use group policies (or, for that matter, Active Directory at all) to store client management information. Instead, managed client settings are stored on a file server within your network.

Effective in small to medium-size environments, this solution may require more planning to scale well because the settings file must be accessible to every Mac in the organization (as opposed to data stored and replicated through Active Directory). However, the data is replicated to the Macs and applied even when they are off the network.

ADmit Mac relies on a separate management console that must be run from Mac OS X. The console also provides administrative access to Active Directory. For experienced Windows administrators not interested in managing Macs from a Mac, this could be a downside. On the other hand, for organizations that have a Mac-specific IT group, this allows them to perform all administrative tasks without having to rely on Windows administrative tools.

