Reasons for not distributing Macs at work

Hi Chaps,

I work in a predominantly Windows-based environment, but a recent decision has been made for a couple of people to use MacBook Pros (not dual booting with XP). As the company is going through a security audit I'm trying to note down potential pitfalls with having these machines on our network and would appreciate some input in case there are more issues. So far:

· These machines will not be within the scope of group policies

· These machines will not be within the scope of auditing policies

· We will not be able to access these machines remotely ourselves

o Users may know we don't have complete control over these machines, and therefore they may start treating them as personal machines.

· These machines will be harder to manage (software updates, etc)

· We will not be able to distribute software automatically

Your input is appreciated.

Thanks,
 
I would say that unless there's a very good reason for having Macs in a near all Windows-based environment I would force them to have a Windows-based machine.

Having Macs just because they look better just introduces the problems you've listed with the roll out of updates etc over the network. Plus in the company I work for you'd never get the Mac purchase approved due to the increased cost over a Windows machine.
 
You may have wanted to post this in the Mac part, this will make things more complicated but it's not impossible. I look after 400 Macs at the Uni where I work.

> · These machines will not be within the scope of group policies

Active Directory NO. But if you buy a Mac Server you can policy these Macs via Open Directory. So users log in via Active Directory accounts but receive the policies via Open Directory.

http://krypted.com/mac-os-x/setting-up-a-dual-directory-with-snow-leopard-server/

Policies are inclusive of: powering machines on and off, setting dock items, limiting which apps can run, setting policies in Safari etc. Not as good as group policy but still tidy.

> · These machines will not be within the scope of auditing policies

ARD can help out with that, cost involved.

http://www.apple.com/remotedesktop/

> · We will not be able to access these machines remotely ourselves

See Apple Remote Desktop above.

> o Users may know we don't have complete control over these machines, and therefore they may start treating them as personal machines.

Domain them then set up policies on the boxes, only give them user rights.

> · These machines will be harder to manage (software updates, etc)

True in a sense but ARD can remotely do software updates etc via scripts and tasks.

> · We will not be able to distribute software automatically

Hmm, again ARD is your buddy. Not via startup and the like in group policy but possible to push out pkg files via ARD3 via scheduled tasks.

To sum up, these things are technically possible but would require a lot of work, may make your CV look better for future jobs and will give you nothing but headaches :p
 
I think generally adding complexity is a huge reason not to. Your skills and experience will largely be based around Windows and if you add another operating system into the mix there is inevitably going to be some learning process during which mistakes will be made.

In terms of security you can give them a standard account much like you can do in Windows so they'll only be able to use it as a "personal" computer as much as they would a similar configured PC laptop.

There are cross platform tools for remote access, LogMeIn for example, but again it's whether these tie in with whatever method you use now. If you're using a solution that is Windows-only to remote access your machines then you're adding complexity again by having to use a different product for the Macs.

I'm guessing as part of your audit you're looking at disk and USB memory stick encryption. Again, you may have already invested in something that is incompatible with OSX.

What about staff training? Will the people receiving the MacBooks have ever used OSX before? It's not a direct security issue but if you have to take lots of time out to support them and write guides then you could argue it's taking you away from more important work.

I would also point out that a MacBook Pro is more attractive to thieves than a generic Windows laptop would be.

In "real life" you probably won't have many issues with the MacBooks, but if a Windows laptop will do the same job it just seems unnecessary. I like Macs but when I chose my own work laptop I just went with a Windows-based one for pretty much all the reasons above.
 
> I would say that unless there's a very good reason for having Macs in a near all Windows-based environment I would force them to have a Windows-based machine.
>
> Having Macs just because they look better just introduces the problems you've listed with the roll out of updates etc over the network. Plus in the company I work for you'd never get the Mac purchase approved due to the increased cost over a Windows machine.

I agree with you, however it's not my decision to make. I'm a contracted sysadmin (and the sole person in IT) and one of the MDs has made the decision, so if he wants it, he gets it.
 
> You may have wanted to post this in the Mac part, this will make things more complicated but it's not impossible. I look after 400 Macs at the Uni where I work.
>
> · These machines will not be within the scope of group policies
>
> Active Directory NO. But if you buy a Mac Server you can policy these Macs via Open Directory. So users log in via Active Directory accounts but receive the policies via Open Directory.
>
> http://krypted.com/mac-os-x/setting-up-a-dual-directory-with-snow-leopard-server/

It's unlikely they would buy a new server (even a small+cheap one) to manage a couple of users

> Policies are inclusive of: powering machines on and off, setting dock items, limiting which apps can run, setting policies in Safari etc. Not as good as group policy but still tidy.

Although they are useful things to configure, I doubt they contain the complexity required by the new security requirements on workstations

> · We will not be able to distribute software automatically
>
> Hmm, again ARD is your buddy. Not via startup and the like in group policy but possible to push out pkg files via ARD3 via scheduled tasks.

I'll have to do some extra research looking into Mac compatible packages for our applications but I'm anticipating a low success rate.

> To sum up, these things are technically possible but would require a lot of work, may make your CV look better for future jobs and will give you nothing but headaches :p

Very true, but being the sole IT guy for a company that works 24/7/365, 180 users and 20+ servers, it's quite a bit extra on my workload.
 
> I agree with you, however it's not my decision to make. I'm a contracted sysadmin (and the sole person in IT) and one of the MDs has made the decision, so if he wants it, he gets it.

Work out how much £££ it will cost to implement the Macs and hit him with that.
He won't be that interested in how much harder your job will be, talk money.
 
Don't do it, we've had over 100 Macs put into a Windows infrastructure at a huge cost and supporting them is turning out to be a real problem. We've so far had problems with DHCP, logging on, printing, Bonjour and DFS. The problem now is all the staff are having to be trained on how to support them, so the bill's continuing to rise, all because they look nice :(

MW
 
Used to work in a mixed environment with Windows PCs, Macs on a range of OS, Unix and Linux. Must admit it was a nightmare, mostly because of the Macs. However that was pre-OS X Macs, the OS X Macs were much easier to manage, especially with a Mac server to configure them. It never did work anywhere near as nicely as the 2003 servers we had to manage the MS clients.

Personally in your situation I'd keep it to Windows/Mac OS or Linux, not mix them up without additional people to support them.
 