Solved

Active Directory vs. OS X Server 10 to manage Macs

Posted on 2016-08-31
Last Modified: 2016-10-18
Hello - I would like to receive feedback from anyone who has managed Mac OS X computers in both Active Directory and OS X Server domain environments, please.

I realize you can join Mac OS X computers to either Windows Active Directory or OS X Server Open Directory, but I am curious about the actual day-to-day management and "real life" experiences of how managing Macs in each of these two environments compares.

Any feedback and sharing experiences would be most appreciated!

Thank you
Question by:Rainman13
 
LVL 38

Accepted Solution

by:
Adam Brown earned 125 total points
ID: 41778719
Macs can't be functionally managed by Active Directory, so if you want to manage things like security settings or GUI appearance, you have to use the OS X Open Directory. You can bind Macs to an AD environment, but this really only allows you to log in to them using AD credentials, which can then be used to browse Windows-based file shares. You would have to have a third-party solution (of which there are a few) to manage settings on Macs using AD. If all you have is Macs, use OS X "Server". If you have a mix, you can decide which systems are more important to manage, or see if OS X Open Directory has plugins for managing Windows computers. Just be aware that every attempt Apple has ever made at server solutions has been universally crappy. And Apple really doesn't care about that in the least, because they are not in the business of supporting businesses.
 

Author Comment

by:Rainman13
ID: 41778753
Thanks for your thoughts Adam and in this situation it will be an all Mac computer setup.  

OS X Server makes sense but like you mention on the flip side support resources, etc. can be costly to support.  AppleCare OS support plan for the "Select" plan starts at almost $6,000 for just 10 incidents which seems crazy.

A/D does provide some benefit as you mention also but it is limited.  

You are also right... it seems Apple is just not as excited as their customers about having their devices run in a business setting.
 
LVL 12

Assisted Solution

by:Justin Pierce
Justin Pierce earned 125 total points
ID: 41779221
Hi Rainman13,

All hope is not lost. Your Macs are just computers (beautiful ones at that) and can run in AD environments just fine (I do it every day). That said, you do have to think differently when working with Macs in a Microsoft world, because other employees run Windows systems and use different programs to accomplish their tasks. However, since the inception of OS X, Apple has made these tasks much easier for us Mac people. Meaning, the common productivity suites that are used in business environments (MS Office) can be paralleled with Apple's: Pages, Numbers, and Keynote (iWork). Each of these applications can import and export their counterparts' documents, e.g. Pages imports/exports Word documents, Numbers imports/exports Excel spreadsheets, and Keynote imports/exports PowerPoint documents. I would suggest for the people that will be working on the Macs to use iWork over MS Office for Mac (leave the MS headaches for the PC crowd. Outlook... ugh, need I say more).

As for the AD part, the Mac personnel can connect to Wi-Fi using AD credentials, you already know that you can bind (not really needed for many Mac people), and they can use "Connect to Server" (CMD + K) to access files and folders (also accessed by AD credentials). All in all, if you really need to have your Macs act like PCs, you might want to look at Thursby's ADmitMac application.

That said, I like to manage my Macs with OS X Server, while letting them dip in the Windows environment with the things I said above. OS X Server allows me to restrict by groups (device or people) and keep the kids (I work at a K-12 school) from doing crazy things. In addition, with running the OS X Server I can manage and restrict my iOS devices with ease (not easily done with Windows MDM programs, and certainly not within the price point of $19.99).

Lastly, Apple does care about the business environment. They certainly understand that BYODs are more commonplace now, and are tailoring their services accordingly. Remember Macs are Macs, and will operate as such. Apple will not mimic PCs and will not feel bad for ignoring the comments from MS users who hate that a Mac doesn't work like a Windows system. Also, there will always be polarized MS and Apple users, but for those of us that work in I.T., we know that it really comes down to preference (do you like driving a Ferrari or Lamborghini) so we drown out the noise of, "Windows are better than Macs because...". There's always a way to get things done on either system, you just have to have the will and want to accomplish the task(s).

I hope this helps. Take care.
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 125 total points
ID: 41779590
I manage both Windows and Macs very easily with AD.

Tools to look at:
www.centrify.com
  • great tool for OS X management with an interface for Windows admins.

www.jumpcloud.com
  • if you do not have servers on site but want centralized management, this may be the tool for you

Check out this post on Centrify and one of many others I've assisted with in my profile.

https://www.experts-exchange.com/questions/26955999/macs-stop-authenticating-to-ad.html

My final $0.02 on OS X for management is that, depending on the size of your organization, OS X Server does not offer redundancy for its LDAP implementation. It's always one server and if/when it fails, potentially your company grinds to a halt.
 
LVL 27

Assisted Solution

by:serialband
serialband earned 125 total points
ID: 41780783
To manage Mac with AD, you need paid software such as Centrify or PowerBroker.

Macs can join AD for SSO authentication.  You can then use OD to manage them.  You can also manage them through command line or scripts.
 

Author Comment

by:Rainman13
ID: 41786750
Thanks to everyone for your thoughts and sorry for the delayed response.

We are reviewing the notes above and doing more research - will provide an update soon!
 

Author Comment

by:Rainman13
ID: 41786762
nappy_d - you mentioned working with JumpCloud - would you recommend that over Active Directory? If so, why?

Our situation looks like it will be mostly Mac with few if any Windows computers on the network - it looks like JC has some benefits over AD in that regard.
 
LVL 32

Expert Comment

by:nappy_d
ID: 41787589
I merely mentioned JumpCloud for that exact reason. AD is great and has a lot of benefits that are too many to list, but as you point out, you have little if any Windows in your environment.

You still want centralized authentication and management, which makes JumpCloud a solution over OS X Server for redundancy and systems management from anywhere.