Mac Management Group

  • 1.  Need Best Approach to Configure and Manage Mac Computers

    Posted Mar 06, 2016 01:48 PM

    I am a NOOB for working with Mac Computers.  The objectives to me are fairly clear, but the tools and approach to accomplish these objectives are very fuzzy.

    Requirements:

    • Use ITMS to automate and manage Mac Computers
    • Join Macs to corporate network (Active Directory)
    • Set and enforce corporate policies on Macs
      • allow remote management
      • leverage GPOs if possible
    • Add root CA and WiFi certificates and profile
    • Install ITMS agents to fully manage - software deployment, update management, inventory, asset management
      • Install Network Access Control client
      • Install Virus Scan software
      • Install other applications...
    • Set User and Management defaults
      • User Experience Defaults for AD
      • Administrative defaults for AD
      • Network Resource access ( represent Windows Server shares (SMB) for Mac users)
    • Configure patching cycle with ITMS 

    We are primarily a Windows client organization and extensively use Deployment Server 6.9 to image and install initial software on new and rebuilt Windows machines.  We are moving to using Ghost Server along with our ITMS instead of DS, but have not switched over to using ITMS for all.

    Adding Mac computers to the network in a fully managed and automated manner is the primary focus.  We want to leverage the Symantec ITMS to its fullest to assist this process.  Addition of other tools is acceptable where required, but we are not looking to spend additional funding unless there is value.

    For example,

    • the addition of an Apple SUS to bring updates into the organization will not be necessary until we are managing more than just a handful of Mac computers
    • we are implementing Centrify for Linux Server authentication management and could use it for GPO management on Mac but need to understand the benefits and costs
    • use of Apple DEP may greatly assist in this process but want to know if it is required


    Thanks in advance.



  • 2.  RE: Need Best Approach to Configure and Manage Mac Computers

    Posted Mar 07, 2016 05:24 PM


    I'm going to be blunt, and others may disagree with me, but to leverage ITMS for a few to many Mac clients isn't the easiest, but it is possible. We manage almost 1,000 Macs in a mixed environment and, in all honesty, use a single Mac Mini running OS X Server for patching, management, software deployment, profile management, etc. We do use our ITMS for a few software packages and some deployments of other things when needed, and it can all be done with ITMS, along with some scripting, etc., but it's not the easiest thing in the world. If I can gather some thoughts I'll post them here. If you want more information on what we do, you can direct message me and I can share how we manage things.




  • 3.  RE: Need Best Approach to Configure and Manage Mac Computers
    Best Answer

    Posted Mar 08, 2016 11:39 AM

    Let's see if I can hit as many of your requirements as I can.

    Use ITMS to automate and manage Macs:
        
        This can be done but it takes some planning and setup. You can image Macs, install a base OS or configure OS X all through ITMS. You would use the Symantec tools provided to create .NBIs (similar to WinPE PXE images) and then deploy those to your PXE server. These files will allow Macs to NetBoot (PXE Boot).
        
        One word of caution: like with Windows, you will most likely need a few different .NBIs to boot your Macs and you will always want to create the .NBI from the newest piece of hardware you have. An example: The 2015 Retina iMacs will not boot from an .NBI built from a MacBook Pro from 2014. The drivers aren't included in the base OS so they won't be there in the .NBI and there is no real way to add them.
        
    Join Macs to AD
        Very possible, even if you just do it from a small script task. One or two lines is all you need since there's a command-line method for binding to AD. Other considerations would need to be investigated (UID, GID number matching for example) but possible and we do this all the time.
        
    Leverage GPOs:

        You're out of luck here unless you use third party tools like ADmitMac or Centrify (which you say you could use; their website quotes $4 per user/month). A few years ago you could extend the AD Schema to allow Workgroup Manager on an OS X server to manage some Mac settings through GPOs, but Apple did away with WGM in favor of profiles. You can manage many policies with Profile Manager (does require running Apple's Server.app, available in the Mac App Store, on at least one Mac). Other policies, depending on what you want to do, can be handled through scripts, configurations with .plist files and more.
        Allow remote management is also easily configured from a command line. A single line can turn on and enable management, so that won't be an issue.
        
    Add root CA and WiFi certs
        This can be done through the use of profiles, and there's a task for that, or very easily from a custom package or custom script. We just did this on all 1,000+ Macs here, all using a custom package but adding a cert is just another one-liner.
        
    Install ITMS agents:

        Similar to Windows. You can include the SMA in your base image (remembering to remove the host.GUID file from /opt/altiris/notification/nsagent/etc/ before snapping the image). You can then add sub-agents into your deployed machine or the image, whichever you prefer.
        
    Install Software:

        Once the image is deployed and agents are installed you can deploy software from the Software Catalog just like you would on a Windows machine. ITMS can use .pkg, .mpkg, .dmg and .app files. I have had some hit-or-miss tries with this, with the most luck coming from having everything be pulled from inside of a .dmg (you can create these from a command line or Disk Utility on any Mac).
        
    Set User and Management Defaults:

        Yes and no here. This all depends on exactly what you're doing. Unlike Windows, OS X doesn't have a registry to worry about so settings per user are mostly contained in .plist files in their home directory and can be manipulated using the "defaults" command or by just editing the files. Network access is more complicated. We mount 3 SMB shares at login for our clients but we use a custom script to do so at login. There are many different options depending on what you want.
        
    Patching:

    You can do some light remediation with ITMS but it isn't an Apple SUS, so it relies on going out to Apple for its updates. You can tell it to do some or all, but it is always a pull and clients can update manually at any time as well. If you want to limit which updates they can see, you would need to either host Software Update on an internal OS X server or run Reposado on a Linux server and point your clients to that machine. This, of course, means they can't update off the network, but you can limit what gets updated (example: you might not want to allow them to upgrade to OS X 10.11.4 when it comes out in case there are bugs in the release; you'd rather wait 2 weeks before allowing it. You'd do that at the SUS server).

    DEP is not required but is handy with Profile Manager if you want to make sure machines are configured out of the box. It takes some setup and doesn't really relate here. We don't bother using it for our Macs but we do for all of our iPads.
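As an added example (not code from the thread or from Symantec), here is how the command-line one-liners this answer mentions, the AD bind, turning on remote management and adding a root CA, fit into a single script task that an ITMS job could run as root after imaging, with the bind options set so that directory traffic is signed and encrypted and local admin rights go only to a named AD group. The domain, OU, group name, local admin account and certificate path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): post-imaging steps an ITMS script task
# could run as root on a Mac. Domain, OU, group and paths are hypothetical.
# DRYRUN=1 prints each macOS command instead of executing it, so the logic
# can be reviewed (or checked on a non-Mac) before it touches a real client.
set -eu

run() { if [ "${DRYRUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Bind to AD. The join account comes from the environment (AD_JOIN_USER /
# AD_JOIN_PASS) so the password is not baked into a task that gets copied.
ad_bind() {
    domain="$1"; ou="$2"; computer="$3"
    run dsconfigad -add "$domain" -computer "$computer" -ou "$ou" \
        -username "${AD_JOIN_USER:?}" -password "${AD_JOIN_PASS:?}" -force
    # Harden the bind: require signed and encrypted directory traffic, create
    # mobile accounts silently so cached logins work off-network, and grant
    # local admin only to one named AD group (hypothetical) instead of
    # every user who logs in.
    run dsconfigad -packetsign require -packetencrypt require \
        -mobile enable -mobileconfirm disable -localhome enable \
        -groups "MAC-Admins" -passinterval 14
}

# Remote Management (ARD) for one named local admin only, not all users.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
enable_remote_mgmt() {
    run "$KICKSTART" -activate -configure -allowAccessFor -specifiedUsers
    run "$KICKSTART" -configure -users "$1" -access -on -privs -all -restart -agent
}

# Corporate root CA into the System keychain, trusted as a root (trustRoot)
# in the admin trust domain (-d) rather than one user's login keychain.
add_root_ca() {
    run security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}

# Usage: ./provision.sh corp.example.com "OU=Macs,DC=corp,DC=example,DC=com" /tmp/corp-root.cer
if [ $# -eq 3 ]; then
    ad_bind "$1" "$2" "$(scutil --get ComputerName)"
    enable_remote_mgmt localadmin
    add_root_ca "$3"
fi
```

In DRYRUN mode the bind command is printed with the join password in it, so only use that mode with throwaway credentials.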



  • 4.  RE: Need Best Approach to Configure and Manage Mac Computers

    Posted Mar 08, 2016 01:18 PM

    Thanks for the comprehensive information.  The hardest part we have is understanding what to use and how to use it with a Mac and the old chicken and the egg scenario, what order to get there. 

    For example,

    • without jumping into netboot and imaging, can we get the NS agent installed first and then use it to do the various tasks like AD Join and any other scripts?
    • creating a profile with Configurator 2 seems fairly straightforward, but do you create one big one, a whole bunch of little ones, then deploying it via an MDM means you enroll the devices with MDM, but you can deploy a profile with ITMS so do you really need the MDM?
    • you can't leverage GPOs without something like Centrify, but there are some basic things one can do as you described, SMB connect shares for users; this one I still don't know where to look for that

    The overall approach here is to do the basic requirements that allow connecting these devices to our network and allow functional usage of internal resources.  Things like resetting the root password, remote admin, allowing access to our network, encrypting the drive (FileVault is per user), connecting to Corporate WiFi using certificate, using our Enterprise Virus protection.

    Much appreciate your insight so far.  If you are managing 1000 Macs, you must have dealt with these basics.  Removing admin rights on a Mac might not be that welcome, but allowing full control on a device on the network is also not a desired state.



  • 5.  RE: Need Best Approach to Configure and Manage Mac Computers
    Best Answer

    Posted Mar 16, 2016 08:40 AM

    Here are some answers to your questions:

    First, to install the agent on a Mac, in the console, go to Actions; Agents/Plug-ins; Push Symantec Management Agent. Click the tab for Install Agent for UNIX, Linux and Mac.  Then down in the download page Select platform: Mac - wait for the screen to repaint.  Click on view page and now you can download the installer.  It's a DMG.  Inside it there is a PKG file and a folder that contains the settings needed for the agent to be installed correctly.  That folder has to be in the same directory as the PKG installer during installation.  It's a bit odd for a Mac install, but it works.  Give it a chance to register with the SMP server and you should be good to go.  You may want to make sure that server has settings to get all the sub-agents pushed out.  That works just like for Windows.

    Regarding profiles - I would suggest spending the $19.00 to get a copy of Mac Server software.  Load it on any Mac you'd like to use and start up Server.  Then you can create Profiles to do lots of things.  You don't have to use it as an MDM server; you can just export the profiles and then copy them to client machines to install, or create an Altiris task to copy the profile file and write a small script to install it.  Google "mac os x script to install profile" for more help.

    Regarding your third point - if you learn how to create profiles with Profile Manager, you can either push them with Altiris or you can actually set up the Mac Server to push them to your Macs.  If you Google "profile manager tutorial" you will find several good references that will help you get going.
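As an added example (not code from the thread or from Symantec), here is the kind of "small script to install it" this answer describes: an Altiris task copies an exported .mobileconfig to the Mac, and the script checks that the file really is a Configuration profile, reads its identifier, installs it with profiles(1) and then confirms the identifier is listed. The file paths are assumptions and the sample profile is constructed for the test.

```shell
#!/bin/sh
# Added example (not from the thread): the "small script to install it" an
# Altiris task could run after copying an exported .mobileconfig to a Mac.
# Paths and the sample profile are hypothetical/constructed. DRYRUN=1 prints
# the macOS commands instead of running them.
set -eu

run() { if [ "${DRYRUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Top-level PayloadIdentifier. Exported profiles list dict keys alphabetically,
# so the outer PayloadIdentifier follows the PayloadContent array and is the
# last one in the file (assumption; a hand-edited profile may differ).
profile_id() {
    awk '/<key>PayloadIdentifier<\/key>/ { want = 1 }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); id = $0; want = 0 }
         END { print id }' "$1"
}

install_profile() {
    f="$1"
    # Only install a real Configuration profile that carries an identifier.
    grep -q '<string>Configuration</string>' "$f" \
        || { echo "not a configuration profile: $f" >&2; return 1; }
    id=$(profile_id "$f")
    [ -n "$id" ] || { echo "no PayloadIdentifier in $f" >&2; return 1; }
    # Run as root, profiles(1) installs at computer level; reinstalling the
    # same identifier replaces the earlier copy, so the task is safe to re-run.
    run profiles -I -F "$f"
    # Verify rather than trust the exit code: the identifier must be listed.
    if [ "${DRYRUN:-0}" != "1" ]; then
        profiles -P | grep -q "profileIdentifier: $id" \
            || { echo "$id not listed after install" >&2; return 1; }
    fi
    printf '%s\n' "$id"
}

# Constructed minimal profile layout (certificate data omitted) for testing.
write_sample_profile() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>PayloadIdentifier</key><string>com.example.rootca.cert</string>
<key>PayloadType</key><string>com.apple.security.root</string>
</dict></array>
<key>PayloadIdentifier</key><string>com.example.rootca</string>
<key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
}
if [ $# -eq 1 ]; then install_profile "$1"; fi
```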



  • 6.  RE: Need Best Approach to Configure and Manage Mac Computers

    Broadcom Employee
    Posted Mar 22, 2016 04:31 AM

    Hi!

    I know it's a huge doc, but you might want to scroll through it - maybe you find something useful.

    The Client Management Suite User Guide for Mac Management:

    http://www.symantec.com/docs/DOC8709