Active Directory Tool For Mac
If you still think Macs are suitable only for specialty departments like design and marketing, think again. Business use of Macs is on the rise, and with it the need to better manage the fleet.
This past fall, for example, Apple and IBM highlighted the growing number of Macs used by employees of Big Blue, with IBM committing to 50,000 new MacBooks, a purchase order that saw IBM deploying about 1,900 Macs each week.
Though the size and speed of IBM's Mac deployment are significant, the more noteworthy numbers involve the costs to deploy and support Macs: According to CFO Luca Maestri, IBM has been saving roughly $270 for each MacBook its employees use instead of a traditional PC, and IBM VP Fletcher Previn has said that only 5 percent of IBM employees using MacBooks have called the help desk for support, as compared with 40 percent of PC users.
Initiating a major Mac deployment is becoming a more attractive option for many organizations because of the potential cost savings on support, more robust security, and reliable (if premium) hardware, as well as for reasons of user demand and/or satisfaction. Integration with Apple's larger ecosystem, particularly where it relates to the iPhone, which still dominates as the enterprise smartphone, provides an additional argument for Macs in business.
The following is the first of three articles aimed at helping you make the best of your Mac fleet.
Scale matters when it comes to Mac deployments
With a solid suite of major business and productivity apps and the ability for Macs to easily integrate into major enterprise systems, there are far fewer barriers to Mac adoption in the enterprise today than compared to even a few years ago.
One barrier that still exists: the fact that OS X is architecturally different from Windows. As a result, IT departments adopting Macs must understand these differences and ensure that they have the skills to adequately and efficiently support, manage, and deploy Macs at scale.
The operative word here is 'scale' because effectively supporting a handful of Macs isn't particularly challenging. Help desk and support staff will need to get up to speed on supporting Mac OS and its hardware, but that isn't particularly difficult as Apple provides training, self-study, and certification options for gaining those skills. Scaling Mac deployments, however, means being able to automate many processes, particularly around implementation and configuration, and knowing how to apply management policies for a large number of Macs across an organization. Those skills go well beyond simply setting up and troubleshooting individual Macs, just as the skills of Windows systems administrators go well beyond those of help desk agents.
The key parts of Mac management
Mac management in the enterprise consists of three major components:
- Integrating Macs with key enterprise systems such as Active Directory and Exchange
- Applying policies to manage Macs similar to the way Group Policies manage Windows PCs
- Understanding how to efficiently deploy and update Macs and the apps and configurations they run
Much as with PC management, these areas combine into an overall workflow, though they tend to be somewhat more discrete processes. This article will look at the first of these areas: integrating Macs with enterprise systems. The following two articles in this series will look at understanding policy options for managed Macs and deployment methods, respectively.
There are multiple tools and mechanisms to accomplish the various tasks related to Mac management. Using the tools built into OS X itself is the most basic option. Although effective, this can be limiting when managing a large-scale Mac deployment. Another option is to make use of additional enterprise-oriented solutions from Apple, such as OS X Server, Apple's Device Enrollment Program (DEP), and its Volume Purchase Program (VPP), to streamline and enhance various parts of the process. There is also a range of third-party solutions that significantly expand on what Apple offers.
OS X and Active Directory
Active Directory is a critical piece of enterprise computing for virtually every organization. Joining PCs to an Active Directory environment provides all manner of critical functionality, including user authentication, access controls, audit logs, management of the Windows environment, and integration with a range of additional systems like Exchange. Acting as a central source of information about almost everything within an organization, Active Directory also goes beyond PCs. It is essentially the glue that makes much of enterprise computing possible.
The good news is Macs can be joined to Active Directory. On an individual Mac, the process is fairly straightforward. Launch System Preferences, go to Users & Groups, select Login Options in the sidebar, click the Join button next to Network Account Server, and enter the appropriate information for the domain and authenticate using an account that has privileges to join a PC to the domain. Once that's done, users will be able to log into that Mac with their Active Directory credentials pretty much the same as on a PC. Single sign-on is also supported for many services such as network browsing or file sharing.
Joining a Mac to Active Directory primarily enables user authentication and adherence to password policies. Some functionality common when a PC is joined to Active Directory doesn't automatically occur. Configuration based on Group Policies or automatic configuration for access to services such as Exchange based on a user's account are two examples. These can be automated using policies, but those policies generally aren't directly tied to a Mac's Active Directory membership. Basic attributes about the Mac itself are stored in Active Directory as they would be for a PC, however.
Options when joining a Mac to Active Directory

It's worth noting that a series of options can be specified when joining a Mac to Active Directory. These options can be manually adjusted, though in many environments the defaults work well. To make changes, click the Open Directory Utility button in the Network Account Server dialog described above. Later in this series, I will discuss how to automate these changes when deploying a fleet of Macs.
The manual adjustments are broken down into three areas:
- User experience
- Attribute mappings
- Administrative options
User experience options include the user's network home directory and the default Unix shell users will encounter if they launch OS X's Terminal app (unless otherwise specified, /bin/bash is the default).
When it comes to home directories, OS X supports the creation of a local home directory on a user’s Mac (the default behavior, similar to how a home directory is created on a stand-alone Mac), a network home directory that allows a user to access files and settings across multiple Macs, and the option to allow access to a network home directory mounted as a folder in the OS X Dock. There is also the option to create a mobile account, which is a local account (and local home directory) that syncs/mirrors the Active Directory account (and network home directory) for offline access. Mobile accounts can be created automatically, which can lead to confusion and sync issues if a user has mobile accounts on multiple Macs, or the feature can be made optional by requiring user confirmation of mobile account creation when they log into a new Mac.
Attribute mappings relate to integration with Apple's own LDAP-based directory service similar to Active Directory called Open Directory, which is included with OS X Server. Each Mac contains a local directory node for local account information based on the Open Directory attributes. Although Open Directory provides the same functionality as Active Directory, some account attributes differ between the two. A Mac joined to Active Directory automatically maps the Open Directory attributes it requires to equivalent Active Directory attributes (uniqueID, primaryGroupID, and gidNumber). If the Active Directory schema has been modified, it is possible to create alternate mappings, though this isn't needed in the vast majority of environments.
There are three administrative options that can be set when a Mac is joined to Active Directory. The first is to prefer a specific domain controller. By default a Mac searches for the most available domain controller, much as a PC does. This can be overridden to designate a particular domain controller to be contacted first.
The second is the ability to allow members of Active Directory groups to have administrator access to a Mac when logged in using their Active Directory accounts. This is the same functionality that can be granted to PCs. This option is disabled by default. When enabled, any Active Directory group can be specified, though domain admins and enterprise admins are enabled by default.
The final option, which is enabled by default, is to allow authentication using accounts from any domain in an Active Directory forest rather than only the domain to which the Mac is joined.
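As an added example (not from the article and not Apple's own tooling), the POSIX shell script below reads the bind settings a Mac reports through `dsconfigad -show` and reports the administrative and mobile-account options discussed in this section: the preferred domain controller, which Active Directory groups receive local administrator rights, whether authentication is accepted from any domain in the forest, and whether mobile accounts are created at login without user confirmation. The embedded output is constructed so the script runs offline, and the option labels are assumed to match what `dsconfigad` prints; on a real Mac you would pass it the live command output instead.

```shell
#!/bin/sh
# Audit a Mac's Active Directory bind settings from `dsconfigad -show` output.
# SAMPLE_BIND_OUTPUT is CONSTRUCTED so the script runs offline; the option
# labels are assumed to match what dsconfigad prints. On a real Mac, call:
#   audit_ad_bind "$(dsconfigad -show)"

SAMPLE_BIND_OUTPUT='You are bound to Active Directory:
Active Directory Forest          = example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-finance-07$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Enabled
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = EXAMPLE\domain admins,EXAMPLE\mac admins
  Authentication from any domain = Enabled'

# Print the value of one "label = value" line (empty if the label is absent).
# $1 = label as printed by dsconfigad, $2 = the full output text.
ad_option() {
  printf '%s\n' "$2" | awk -F' = ' -v key="$1" '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key { v = $2; gsub(/[ \t]+$/, "", v); print v; exit }'
}

# Report the settings described in the article, flag the ones worth a review,
# and end with a "findings=N" summary line.
audit_ad_bind() {
  out="$1"
  n=0

  printf 'INFO: domain = %s\n' "$(ad_option "Active Directory Domain" "$out")"
  printf 'INFO: preferred domain controller = %s\n' \
    "$(ad_option "Preferred Domain controller" "$out")"

  # Admin option 2: AD groups whose members become local admins on this Mac.
  # Off by default; when on, every member of each listed group is a local admin.
  groups=$(ad_option "Allowed admin groups" "$out")
  if [ -n "$groups" ] && [ "$groups" != "not set" ]; then
    printf 'FINDING: local admin granted to AD groups: %s\n' "$groups"
    n=$((n + 1))
  fi

  # Admin option 3: on by default; accounts from any domain in the forest may log in.
  if [ "$(ad_option "Authentication from any domain" "$out")" = "Enabled" ]; then
    printf 'FINDING: authentication accepted from any domain in the forest\n'
    n=$((n + 1))
  fi

  # Mobile accounts created silently at login (no confirmation) can leave a
  # user with out-of-sync mobile accounts on several Macs.
  mobile=$(ad_option "Create mobile account at login" "$out")
  confirm=$(ad_option "Require confirmation" "$out")
  if [ "$mobile" = "Enabled" ] && [ "$confirm" != "Enabled" ]; then
    printf 'FINDING: mobile accounts are created at login without confirmation\n'
    n=$((n + 1))
  fi

  printf 'findings=%d\n' "$n"
}

audit_ad_bind "$SAMPLE_BIND_OUTPUT"
```

Run as-is to see the report for the constructed sample (three findings); to audit a fleet, collect each Mac's `dsconfigad -show` output and feed it to `audit_ad_bind`, which keeps the parsing in one place so new checks can be added as single `ad_option` lookups.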
Additional information on integrating Macs with Active Directory is available from Apple.
OS X and Exchange
Next to Active Directory, Exchange is one of the most commonly used enterprise services. There are two options for integrating Macs with Exchange: use the native PIM apps in OS X or deploy Office for Mac, which includes Outlook for Mac. Neither option is configured automatically based on a user's account when a Mac is joined to Active Directory but can be automatically configured based on a policy.
Configuring either manually is very simple and can be accomplished by users. For native apps, the option is located in the Internet Accounts pane in System Preferences. For Outlook, it's located in the Preference dialog and displayed in the initial setup dialog.
VPN configurations
OS X natively supports L2TP over IPSec, PPTP, Cisco IPSec, and IKEv2 VPNs. These can be automatically configured by a policy or configured manually using the Network pane in System Preferences. Additional VPN types are supported through the use of third-party clients. It is possible to use policies to configure most third-party software, including VPN clients.
Up next
In the next piece in this series, I’ll look at the various ways that management policies can be applied to Macs and to users, as well as the full set of policy options available in OS X.
Ready or not, Macs are infiltrating the enterprise. IT has to figure out how to integrate them with existing Windows and Active Directory domains, and determine what additional tools or systems they need to do so.
Determining how to incorporate Macs into a Windows infrastructure is no small task. It comes down to the number of Macs that need support, what type of access they require and the tools and the systems that an organization already has in place.
Many workers prefer Macs, especially over Windows PCs. The influx of iOS devices -- along with the promise of seamless integration among Apple devices -- has only fueled the fires of change. Even so, Macs remain a small minority in a Windows-dominated environment, and they are very different animals from their Windows counterparts.
In figuring out how to accommodate Macs, protect corporate assets and control resources, IT teams take three primary approaches: They use existing tools to incorporate Macs into the Active Directory (AD) domain as they would with Windows computers, incorporate the Macs into the AD domain but use special tools to manage them, or manage the Macs separately and treat them like mobile devices.
Incorporating Macs into an AD domain
Many IT administrators would prefer to seamlessly add Macs to their AD environments, like they do with Windows desktops. To a certain degree, OS X makes this possible because Mac desktops and laptops include the client component necessary to join AD and other standards-based directory services.

Binding a Mac to the domain is relatively simple, assuming the user has the necessary computer access and domain credentials. When the computer joins the domain, Windows Server automatically creates the computer object in AD (unless it already exists) just like a Windows desktop.
Recent releases of Mac OS X have made it even easier to integrate Apple products because the OS can work with Microsoft's System Center Configuration Manager (SCCM) and Exchange ActiveSync. In fact, SCCM now supports Mac OS X 10.10 (Yosemite) clients.
Still, Macs are not Windows desktops, and most management products are built for Windows computers. That means compatibility issues will arise. One way to mitigate these issues is to extend the AD schema to better accommodate Mac computers, but that may require development resources and technical expertise beyond what many organizations are willing to commit, especially if they only have a small pool of Macs to support.
Luckily, administrators can augment their existing tools' capabilities with the extensive set of commands available to the Mac OS. Admins can issue commands to set screensaver idle times, configure language and text formats, disable auto correct and much more.
Using AD and third-party tools
Although AD and command support in OS X make integrating Macs simpler, many administrators find it easier to bring other tools onboard to help with management. Admins can join Macs to AD domains and then use Apple Remote Desktop to push commands out to the Mac clients.
Another option is to implement Mac OS X Server on its own system, and then use Apple's Profile Manager to set Mac policies based on AD groups. This entails setting up an Open Directory domain alongside the AD service, which can result in easier management over the long haul. AD handles the Windows side and Open Directory/OS X Server takes care of the Macs. Because the Macs are still bound to AD, there is seamless communication between the two environments, as well as shared file and printer services.
If this is too hard, you might consider Centrify User Suite (Mac Edition), which can administer Macs and use the AD identity infrastructure to centrally manage authentication, policy enforcement and single sign-on. Another popular option is Casper Suite from JAMF Software, a comprehensive endpoint management product that can integrate with AD and Open Directory.
But it's not necessary to take a Microsoft-only approach to integrating Macs with AD. Often, the most effective way to work with Mac computers is to treat them like Unix boxes rather than Windows desktops. Integrate them with the current infrastructure where possible, but treat them as separate device types in all other respects.
Managing Macs like mobile devices
Since Apple released OS X 7, the operating system has been moving toward a mobile device management (MDM) model, instead of the traditional directory services model. This makes it possible for admins to use the same management tools on Macs, iOS and Android devices.
For example, OS X 10 lets administrators query a Mac computer for its iTunes account to determine whether the Apple ID associated with the computer has changed. Admins can also do this with iOS 8 devices. This helps ensure that resources, such as apps and books purchased through Apple's Volume Purchasing Program, go to the correct users.
Apple’s new MDM framework also lets administrators initiate AirPlay sessions on managed devices and push enterprise apps and ebooks to Mac computers. In addition, Apple has beefed up its OS X Server and platform capabilities to make it more MDM-friendly. Users can register their Macs, and vendors can take advantage of the increased number of application programming interfaces available to third-party security and management solutions.
MDM vendors in particular have been quick to adopt new Mac features. AirWatch, for example, lets admins manage Mac computers alongside smartphones and tablets. With AirWatch Mac Manager, administrators can perform a wide range of management tasks, such as updating passcode profiles, creating managed domains for email accounts, enabling AirPlay, distributing software and tracking assets.
Although many management products can integrate with AD, organizations can also implement a separate tool such as MobileIron or an Apple server not bound to AD. This way, admins can still implement user access through virtual private networks without the machines having to join the domain. This approach can be useful when incorporating users' personal Mac laptops.
Robert Sheldon asks:
How are you dealing with Macs in the enterprise?