At scale, large Mac deployments often require a unique set of skills and tools to be successful. The same goes for applying management policies to Macs, which I cover in this article. Here, you will get an overview of Mac policies and insights into how to plan a strategy for deploying them.
In the final piece of the series, I'll look at the specific tools used to apply policies, as well as tools that offer additional management and deployment features. How to go about managing Macs is a question of scale. Technicians at organizations with a small number of Macs can often configure each Mac individually or create a single system image that applies a uniform configuration to every Mac. In larger organizations, the challenges are more complex. Different users or departments will have different configuration needs, and they will require different access privileges.
Moreover, they will often have configuration needs related to individual users and groups, as well as needs related to specific Macs based on their use and sometimes their hardware.
Because of this, manual configuration is simply too inefficient. Here, automation is key. To this end, Apple offers a range of policies that can be applied to your Mac fleet to enforce security requirements, to aid in automatically configuring Mac machines to specific profiles, and to enable and restrict access to resources on your network. If you're already familiar with Windows Group Policies, you'll be happy to know that you can fully manage the Mac user experience in a similar manner using Apple's policies for Macs.
Most of these policies can be applied either to specific Macs or groups of Macs or to specific user accounts or group memberships. Some policies, however, can only be tied to Macs or to user accounts.
Familiarity with how policies can be configured is vital to creating your Mac management strategy. For example, as with Windows Group Policies, policies related to user needs and access controls are often managed based on group membership related to department, job roles, and other factors. Departmental app and Mac security setting requirements are best set based on Macs or a group of Macs, rather than users or group memberships.
Some policies, such as Energy Saver policies, are Mac-specific rather than user-specific by default. These profiles can be applied to Macs in one of three ways: If you choose to manually distribute configuration profiles, you'll need to use OS X Server's Profile Manager to create them, then the resulting profiles will need to be installed manually on each Mac.
When opened, the profile will prompt the user to install the included policies. Using this method, there is no fully automated way to distribute configuration profiles without using additional deployment tools. If you are relying on users rather than IT staff to install them, it can be difficult to ensure that they have been installed. Because of this, manually distributing profiles may be the simplest option, but it is likely less than ideal, or not even viable, for larger organizations.
This makes Apple Configurator 2 an excellent tool for small businesses and educational organizations, which often have a simple set of policy needs, but it's an inefficient Mac management strategy if you need to configure a large number of Macs. As such, most vendors that support iOS management also support Mac management. Thus, they're an enterprise-friendly option, particularly because many organizations already use such solutions to manage iOS and Android devices.
Another option that scales well for enterprise use is the traditional desktop management suite, including both Apple-specific suites, such as JAMF's Casper Suite, and multiplatform suites, such as LanDesk Management Suite and Symantec Management Platform. These suites not only apply policies, but they often offer management and deployment tools. Given the suites' popularity, many organizations often already have such tools in use, or they may find their additional features compelling enough to invest in them (more on these tools in part three of this series).
If you have concerns about the XML-based nature of Mac policies, rest assured: Admins generally don't need to directly create or edit the XML data used in Mac management policies. Most Apple and third-party tools provide intuitive UIs for setting policy options, and they handle the necessary XML creation under the hood. One exception is the Custom Settings policy for specifying settings for installed apps and additional OS X features, discussed later in this article.
Apple provides a dizzying range of policy options for Mac management, but a specific set of 13 policies is the most commonly used -- and is the most critical for managing and securing Macs in an enterprise environment.
Each of the following core management policies applies to either Macs or users, unless otherwise specified: In addition to the policies listed above, Apple provides a range of policy options for configuring the Mac user experience. Some organizations will find these policies helpful for all Macs or only a subset of their fleet. There is also an option to prepopulate user account identification when a profile is installed.
This is generally used when profiles are installed on individual Macs. When a Mac is joined to a directory, user account information is retrieved from the directory.
OS X Server has the ability to cache local copies of Apple Software Updates in order to improve performance and reduce network congestion when updating your fleet. The Custom Settings policy plays an important role in maximizing IT's ability to manage the entire Mac user experience. It allows an admin to specify settings for any installed apps and additional OS X features even if those apps or features don't have an explicit policy defined by Apple.
When used, the XML data from an app or feature's preferences file must be specified. Apple accomplishes this feat by hosting a Windows NT-style domain and not an Active Directory domain. This limitation prevents you from being able to apply group policy objects to users and computers in the domain, and from being able to use the replication abilities built into Active Directory.
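As an added example (not code from the original article or from Apple), the following Python shows what the Custom Settings policy and the XML behind Mac policies look like in practice: it wraps the XML from an app's preferences file in a configuration profile scoped to Macs or to users, then reads the profile back to list the keys it forces. The payload type `com.apple.ManagedClient.preferences`, the `Forced`/`mcx_preference_settings` layout, the app domain `com.example.viewer`, its keys and the `com.example.it` identifier prefix are assumptions for illustration.

```python
import plistlib
import uuid

MCX_TYPE = "com.apple.ManagedClient.preferences"  # assumed Custom Settings payload type

# Constructed sample: preference XML for a hypothetical app, com.example.viewer.
SAMPLE_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutoUpdateEnabled</key><true/>
  <key>AllowUnsignedPlugins</key><false/>
  <key>HomeURL</key><string>https://intranet.example.com</string>
</dict></plist>"""

def _ids(identifier):
    """Keys that both the profile and each payload dictionary carry."""
    return {"PayloadVersion": 1, "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper()}

def build_profile(domain, prefs_xml, org="com.example.it", scope="System"):
    """Wrap an app's preference XML in a Custom Settings profile (XML bytes)."""
    if scope not in ("System", "User"):  # tie the policy to Macs or to users
        raise ValueError("scope must be 'System' or 'User'")
    settings = plistlib.loads(prefs_xml)
    if not isinstance(settings, dict):
        raise ValueError("preferences XML must have a <dict> at its root")
    payload = {**_ids(f"{org}.custom.{domain}"), "PayloadType": MCX_TYPE,
               "PayloadContent": {domain: {"Forced": [
                   {"mcx_preference_settings": settings}]}}}
    profile = {**_ids(f"{org}.profile.{domain}"), "PayloadType": "Configuration",
               "PayloadDisplayName": f"Custom Settings: {domain}",
               "PayloadScope": scope, "PayloadContent": [payload]}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def managed_keys(profile_xml):
    """Audit helper: return {domain: {key: value}} that a profile forces."""
    found = {}
    for payload in plistlib.loads(profile_xml).get("PayloadContent", []):
        if payload.get("PayloadType") != MCX_TYPE:
            continue  # skip payloads that are not Custom Settings
        for domain, modes in payload.get("PayloadContent", {}).items():
            for entry in modes.get("Forced", []):
                found.setdefault(domain, {}).update(
                    entry.get("mcx_preference_settings", {}))
    return found

if __name__ == "__main__":
    xml = build_profile("com.example.viewer", SAMPLE_PREFS)
    print(xml.decode())
    print(managed_keys(xml))
```

Running `managed_keys` over profiles before they are distributed gives a reviewable list of exactly which app settings each profile will lock.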