Apple Computer Inc. CEO Steve Jobs recently waved the flag for a stack of new technologies due in Mac OS X 10.4, such as expanded support for 64-bit processing and the Spotlight search engine. While the Mac OS X “Tiger” looks promising, from the perspective of someone integrating Mac clients into enterprise networks, it looks more like a paper tiger.
At his Apple Worldwide Developers Conference keynote address, Steve Jobs spent a grand total of 30 seconds on the Tiger clients Windows compatibility features.
Two of the features listed on the slide (SMB home folders and Kerberos authentication) were features Apple has previously claimed were already in the currently shipping OS X 10.3, aka “Panther” version. Jobs referred to one of the bullet points as “better authentication with Kerberos and whatever that is.” He meant NTLMv2 (NT LanMan), Microsofts secure authentication protocol.
Now, one could write this off to Jobs interest in sexy products such as the companys new 30-inch flat-panel display. But this inattention to the Mac as enterprise client extended to other conference sessions later in the week.
During a nearly content-free session titled “State of the Enterprise,” Apple hyped its server hardware, Xserve RAID storage system, and its Windows NT migration tool.
Apple then gave up the stage to Oracle Corp. and Sun Microsystems Inc., pitching Oracle 10g (announced for the Mac some 18 months ago but only now available to developers) and the wonders of Java development, respectively. Client-side issues, including the 800-pound gorilla of Active Directory integration, were conspicuously absent.
If Apple has a cross-platform client strategy for Mac OS X, it is playing it close to its vest.
But Derick Naef, chief operating officer of networking developer Group Logic Inc., of Arlington, Va., said WWDC attendees received some useful information about the Tiger client later in the week.
“There wasnt anything groundbreaking, but there were incremental improvements,” he said. “They are moving in the right direction.”
The promise of even incremental improvements would have been welcome for admins struggling with Mac clients. So, why focus instead on the harder sell of migrating from Windows servers to Mac servers?
The answer could be seen in the David vs. Goliath motif plastered over the conference. While Jobs mocked the long development cycle of Microsofts Longhorn, movie-screen-sized banners all over Moscone Center did the same.
“Apple tends to see their business differently then their customers do,” said Paul Nelson, vice president of engineering at Thursby Software Systems Inc., of Arlington, Texas. The company offers a variety of Windows network sharing products for Mac clients.
“Apple sees themselves as competitors to Microsoft. Customers, on the other hand, are concerned about getting the best experience for the money,” he said. And that user experience revolves around having Mac clients play nice in Windows networks.
Separate and Unequal
For administrators of enterprise networks, Mac clients are a pain. They still need special care that isnt required with Windows clients. This applies to access to Exchange Server and support for Microsoft server clusters.
Certainly, this situation isnt all Apples fault, and third-party products go a long way toward filling in the holes. For example, Group Logics ExtremeZ-IP lets Macs access Microsoft clusters using AFP (Apple Filing Protocol).
Still, the fact remains that the separate and unequal status remains a barrier to the wider acceptance of Macs in enterprise.
The biggest barrier is integration with Microsofts Active Directory. Apple offers two choices to integrate Panther with Microsofts Active Directory. You can make changes to the Windows Server schema—a risky proposition that few admins are willing to undertake—or install Mac OS X Server on the network.
A third-party option is to install Thursby Softwares AdmitMac tool on the Mac clients. Any way you look at, the Macs require special treatment.
But even when Macs join the Active Directory, they can still require special handling due to a lack of compatibility with certain Windows authentication features. Once such feature is SMB signing, which is similar to a digital signature. SMB signing has been around since Windows NT 4.0, but Windows Server 2003 domain controllers now default to having SMB signing turned on.
In order to accommodate Macs, admins needs to turn off SMB signing in their policy settings. Or they can add a third-party Mac product such as Thursbys AdmitMac and DAVE, or Sharity 2.9 from Objective Development Software GmbH.
Other deficiencies make Macs less secure on Windows networks. Theres currently no support of NTMLv2 authentication unless you add one of the third-party solutions to the Mac. Then there is the problem with cleartext authentication in Windows domains.
“Apple doesnt provide an admin setting to prevent transmission of cleartext passwords—something Microsoft has had since Windows NT 4.0,” Nelson observed.
But this isnt a case of poor security with Mac OS X. For instance, you can eliminate cleartext in file serving if you install an Apple Filing Protocol server, such as ExtremeZ-IP, on a Windows server.
“Apples security is great—until you get into cross-platform situations,” Nelson added.
This explains why Kerberos authentication and SMB home folders are on Apples list of Panther features as well as on the list of new Tiger features. In Panther, they work in all-Mac environments but are problematic in Windows domains.
Bright Spots on the
In the WWDC sessions, out of earshot of the media, Apple said it would beef up Kerberos and make SMB home folders work with Windows domains. It also spent some time discussing NTLMv2 authentication for higher security, another feature currently available through the third-party products.
Naef said Apple was “sending the message that they were pushing to be a good citizen with Active Directory.”
For those sites that do run Mac OS X servers, Tiger Server will add ACL (Access Control Lists), an important feature of Windows Servers that gives administrators and users far more flexible file permissions than the simple read-write-execute of Mac OS X.
For example, ACLs will let Mac server managers specify user and group permissions for creating and modifying files and folders as well as for accessing network services. Windows servers and Unix servers such as Sun Solaris have supported ACLs for years.
But once again, the question is whether Tiger Servers ACL implementation will work in a cross-platform environment. That is, will Mac clients be controlled by ACLs on Windows servers?
“How they actually pull that off will be interesting,” Nelson said. “Well have to see the implementation details to see whether you can do it cross-platform.”
Meanwhile, Apple isnt spending a lot of effort to promote Tigers support for ACLs. Jobs only mention of it was when he said, “Access control lists have been a big request.” This was a line that received big applause from the developer audience.
Instead, Apple focused on its big server dreams to the developer crowd. For instance, when describing its Xgrid 1.0 cluster server strategy (which uses Apples Open Directory), the company emphasized the use of Macs in multimillion-dollar super-computer arrays rather than the enterprise use of clusters.
Nelson considered Apples focus on servers and Oracle 10g is paying off in at least one respect.
“The Xserve RAID product helped Apple get back into the enterprise because the price point is much less than the competition. The more Apple can get into data centers, the better for Apple. And these are the same guys buying Oracle.”
Perhaps Apple doesnt yet have a complete enough Tiger vision to encompass enterprise issues such as Active Directory and improved integration of Mac clients. Or the company is holding some cards out for the launch of the OS in 2005. But if Apple really wants to increase its Mac market share with Tiger, it will need just such a strategy.
John Rizzo is the editor of MacWindows Web site.