Reasons for not distributing Macs at work

[DiscoDave]

Hi Chaps,

I work in a predominantly windows-based environment, but a recent decision has been made for a couple of people to use Macbook Pro's (not dual booting with XP). As the company is going through a security audit I'm trying to note down potential pitfalls with having these machines on our network and would appreciate some input in case there are more issues. So far:

· These machines will not be within the scope of group policies

· These machines will not be within the scope of auditing policies

· We will not be able to access these machines remotely ourselves

o Users may know we don't have complete control over these machines, and therefore they may start treating them as personal machines.

· These machines will be harder to manage (software updates, etc)

· We will not be able to distribute software automatically

Your input is appreciated.

Thanks,

 

[DiscoDave]

I would say that unless there's a very good reason for having macs in a near all windows based environment I would force them to have a windows based machine.

having macs just because they look better just introduces the problems you've lists with the roll out of updates etc over the network. Plus in the company I work for you'd never get the Mac purchase approved due to the increased cost over a windows machine.

I agree with you however it's not my decision to make, I'm a contracted sysadmin (and the sole person in IT) and one of the MD's has made the decision, so if he wants it, he gets it.

 

[DiscoDave]

You may have wanted to post this in the Mac part, this will make things more complicated but it's not impossible. I look after 400 Macs at the Uni where I work.

· These machines will not be within the scope of group policies

Active directory NO. But if you buy a Mac Server you can policy these Macs via Open Directory. So users log in via Active Directory accounts but recieve the policies via Open Directory.

http://krypted.com/mac-os-x/setting-up-a-dual-directory-with-snow-leopard-server/


It's unlikely they would buy a new server (even a small+cheap one) to manage a couple of users

Policies are inclusive of: Powering machines on and off, Setting dock items, limiting which apps can run, setting policies in safari etc, not as good as group policy but still tidy.

Although they are useful things to configure, I doubt they contain the complexity required by the new security requirements on workstations

· We will not be able to distribute software automatically

Hmm again ARD is your buddy. Not via startup and the like in group policy but possible to push out pkg files via ARD3 via scheduled tasks

I'll have to do some extra research looking into Mac compatible packages for our applications but I'm anticipating a low success rate.

To to sum up these things are technically possible but would require a lot of work, may make your CV look better for future jobs and will give you nothing but headaches

Very true, but being the sole IT guy for a company that works 24/7/365, 180 users and 20+ servers It's quite a bit extra on my workload