Dealing with Mac Creep

By Jason Brooks  |  Posted 2008-04-22


Due to the broadening popularity of Apple's desktops and notebooks (and, to a growing extent, of its iPhone), IT administrators at many enterprises are faced with providing updates, core applications and network authentication services to greater numbers of Apple computers and devices.

Fortunately, as Apple's computing fortunes have risen, an array of options for integrating these systems with Microsoft Windows-based applications and management infrastructure has also emerged.

As with the Windows-based machines in your enterprise, one of the primary tasks facing administrators charged with managing Apple clients and devices is keeping systems up-to-date with security patches and bug fixes.

For a look at the centralized update features built into Mac OS X Server, read Andrew Garcia's story, here.

But, beyond providing for a solid software update framework, perhaps the most important task for administrators who service a Mac contingent involves folding these systems into the organization's identity and policy-based management framework. For most companies, this means connecting OS X machines to the AD (Active Directory).

With current OS X versions, adding machines to an AD domain is a fairly straightforward affair, and the process has grown appreciably simpler with each passing release. On OS X 10.5, the operation is practically the same as with Windows systems and involves launching the OS X Directory Utility, specifying the desired domain and providing the correct administrator credentials.

To ensure that the same AD groups empowered to administer Windows domain members can exercise these rights on OS X clients, you need to specify this behavior in the "allow administration by" section of your AD service entry in the Directory Utility.

For organizations that wish to extend their AD-centric management embrace of OS X systems beyond authentication, there are a few third-party applications that can add Microsoft's Group Policy to your organization's OS X management mix, including Centrify's DirectControl for Mac and Likewise Software's Likewise Enterprise 4.0, which I reviewed in January of this year.

During my tests of Likewise Enterprise, I was able to use Microsoft's standard Group Policy management tools to push out a set of Mac-specific policies to my OS X test systems, most of which applied to log-in and network behavior, and many of which governed the operation of the Bluetooth radios that come built in to many Mac systems. I could not, however, exert as broad a set of controls over the appearance and operation of OS X machines as I could over Linux systems running the GNOME desktop.

Windows Application Support

Potentially more troublesome than integrating OS X clients into a Windows-centric identity infrastructure is ensuring that key Windows applications may be run from OS X machines. Many major applications do ship in Mac-compatible flavors, particularly in Apple's traditional home court of content creation applications, but there are times when native Mac software won't fit the bill, even when a Mac flavor of the application is available.

For instance, while Microsoft sells Office 2008, a Mac-native version of the company's popular productivity suite, the version of Excel that ships with Office 2008 lacks support for macros based on Visual Basic for Applications.

Fortunately, Apple's move to the x86 architecture for its hardware has broadened the range of Windows application compatibility options to which administrators may turn. In particular, the fact that Windows and OS X now share an instruction set has paved the way for a set of desktop virtualization applications that enable OS X users to run Windows applications from a virtual instance of the Microsoft operating system running on their Apple hardware.

I have tested OS X-specific virtualization applications from VMware (VMware Fusion) and from Parallels, which sells Parallels Desktop for Mac.

To a much greater extent than with virtualization software products aimed at Linux and Windows desktops, OS X virtualization products tend to be focused on providing users with a relatively seamless Windows-to-OS X experience. To that end, both vendors' products boast a feature (called Coherence on the Parallels product and Unity on the VMware offering) that makes applications running in the virtualized Windows environment appear as though native to OS X.

Using a virtualization product to provide Windows application access to OS X clients ensures fairly broad compatibility, since the software in question has a bona fide Windows instance on which to run. What's more, unlike delivering Windows applications via Citrix Systems XenApp or Microsoft's Terminal Services, your Mac users will have access to their applications in both online and offline scenarios.

Of course, virtual or not, those additional instances of Windows require their own licenses and administrative care and feeding, which mean added overhead. On that note, your Mac clients must have enough spare RAM and processor resources to account for the system overhead of the virtual Windows instances they might host.

Simpler, perhaps, than running virtual Windows instances within your OS X system is the route to Windows application accessibility offered by Apple's Boot Camp, a well-implemented utility for turning a Mac computer into a dual boot OS X/Windows machine.

Boot Camp works well and can deliver increased performance compared with one of the virtualization-based options, particularly when the Mac system in question is low on RAM. However, the issues of paying for and maintaining a separate operating system instance remain, and while a user is booted into Windows, Mac applications are inaccessible.


Looming large among the management issues that come with nesting Windows instances within the Macs in your care is that of maintaining anti-virus software on those Windows instances. Fortunately (or unfortunately), most organizations have become all too familiar with deploying and managing anti-virus products on their Windows clients, and whether you're tapping virtualization or dual-boot configurations to bring Windows into your Apple hardware, these anti-virus management processes will remain mostly unchanged.

Less clear for many organizations is the role that native anti-virus software for OS X instances can or should play. For instance, the PCI DSS (Payment Card Industry Data Security Standard), the guidelines through which credit card issuers enforce data protection, mandates that anti-virus software must be used on computer systems at merchant sites that are "commonly affected by viruses." The standard goes on to single out Unix-based operating systems, a class of which OS X is a member, as not commonly affected by malware.

However, most of the major players in the anti-virus space do offer OS X versions of their products, including McAfee and Sophos, both of which integrate OS X anti-virus administration into the same management consoles that govern the Windows flavors of their anti-virus products. Symantec, meanwhile, markets a consumer-oriented, "two anti-virus products in one" offering that's meant to provide coverage both for OS X and for the Windows instance that may reside in a Boot Camp configuration. Last fall, Trend Micro and OS X security software company Intego announced a partnership to bring Intego's anti-virus software for OS X to Trend Micro's customers, albeit under separate management interfaces.

eWEEK Labs Executive Editor Jason Brooks can be reached at


