Review: Four ways to manage Macs in a Microsoft world

Parallels, Centrify and Thursby go beyond what’s offered by Microsoft or Apple.


Traditionally, Macs have been second-class citizens in the Windows-centric enterprise world, but it doesn’t have to be so. In this review, we looked at four ways to manage Macs in a Microsoft Active Directory (AD) network.

We tested the Microsoft/Apple in-the-box management combination, as well as third-party products Centrify Suite 2016 for Mac, Thursby Software’s ADMitMac 10, and Parallels Mac Management for SCCM.

We found if your organization uses Microsoft’s System Center Configuration Manager (SCCM), then Microsoft and Apple deliver the bare minimum in terms of management and control.

Parallels for Mac adds significant Mac administration features to SCCM. Parallels has an edge in terms of management features that would likely suit your current Windows infrastructure, and leverage what you already know in terms of SCCM activities and control.

Centrify manages Macs very well on Active Directory, and although the company would prefer you to adopt its other identity-management products as well, that isn't necessary to achieve good and flexible control over Macs.


If you simply need compliance and reasonable Mac management in a smaller Windows environment, Thursby's ADMitMac products cover Macs nicely, even older Macs going back to OS X 10.4.

The MacOS-Active Directory problem

Microsoft certainly knows how to lock down Active Directory networks, but a long-standing line of demarcation exists when Windows-like controls need to be imposed on non-Windows clients.

Even when System Center Configuration Manager is used in conjunction with the Active Directory connectivity that Apple supplies, the controls are a bare minimum. The BYOD era expanded Microsoft's use of the ActiveSync API for mobile devices, but control of Macs hasn't been a strong agenda item for either vendor.

There are many scenarios that could require integrating Macs into Active Directory networks: a new Mac on a local net, machines used by more than one person in a shift or day, external users and contractors needing Active Directory-constrained resources, internal pockets of Macs that have been used in relative or total isolation from Active Directory, and Macs that have already been linked through the basics of Apple's Directory Utility.

Microsoft's Active Directory is standard in enterprise networks, but Windows on the desktop has been eroded by Macs and, to a far smaller extent, Linux. Organizational policy and regulatory compliance requirements covering encryption, file and information sharing, and accessibility have led to many products that focus on Active Directory and Windows, to the detriment of Mac users.

What's offered in MacOS

If Apple’s Server Edition isn’t being used, any Mac can make use of Apple’s Directory Utility to connect to Microsoft Active Directory. Apple has moved towards a CIFS-based plug-in interoperability model using proxy authentication where MacOS Server has been adopted for workgroup control.

MacOS Server editions, via Workgroup Manager or Profile Manager, can talk to Active Directory, and are more common in workgroup-sized installations. Although we have not reviewed MacOS Server since the demise of Apple’s Xserve product line, there are a number of workgroups, even some large organizations, that use the Open Directory/LDAP fundamentals included in the Server Edition.

However, for most Mac users in large organizations, logon to Active Directory comes via the Directory Utility app. Using a URL, users gain rudimentary access to Active Directory resources, although users logging in through a VPN may need DNS pointers just to find an Active Directory-authorizing server entry point. Apple's VPN client does not apply a specified DNS search domain when connecting via a VPN, even though there's a field for it.

Once Directory Utility CIFS Shared Resources are exposed, simple file shares are used for shared work product storage. Administrative controls made in the Active Directory can control file and resource access—if minimally. Macs become a part of Active Directory more as an inventory item than a manageable/controllable end-device.

Macs logged in this way aren’t subject to useful Windows Group Policies, although group membership access controls are in place. Common Windows apps become more manageable for Mac devices: Outlook/Exchange and Microsoft’s SQL Server. Lack of Mac-specific Active Directory controls is where the gap begins for Windows Active Directory admins.

The Directory Utility is minimalist, but it works. As a Mac user or administrator, you need to know which resources you need, because Active Directory resource discovery is limited. Much of the initial setup can be scripted on the Apple side to reveal static resources, and because of this many networks are set up using static resources for Macs.

The upshot is that your current session won’t be subject to advanced Group Policy Objects, and you may have encryption boundaries, depending on the application used and obtained from the Active Directory, and how your organization uses Kerberos.

Your anti-virus/anti-malware is already much different (usually) than what’s found in the Windows world. And unaided, imaging Mac payloads isn’t really possible without extras.

Offsite users need a lot of deliberate configuration work, including the aforementioned DNS manipulation, as without working DNS, the Active Directory will laugh at you. This and other connectivity issues can make administration of individual Macs in a geographically dispersed network difficult.
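The DNS dependency described above can be checked before a help-desk call. The script below is an added example, not part of the review or of any vendor's product: it verifies that the domain-controller locator SRV record resolves, that the AD domain is in the Mac's DNS search list (the setting Apple's VPN client leaves to you), and that a Kerberos ticket exists. It assumes macOS tools (dig, scutil, klist); the domain name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the review: a pre-flight check for an offsite Mac that
# must reach Active Directory over a VPN. It covers what the review says Apple's
# VPN client and Directory Utility leave to you: the DC-locator SRV record must
# resolve and the AD domain must be in the DNS search list. Assumes macOS tools
# (dig, scutil, klist); the domain is a placeholder.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"   # placeholder, set to your AD domain

# SRV name Windows and macOS clients query to locate domain controllers.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Given the text of `scutil --dns` and a domain, succeed if the domain is listed
# as a search domain for any resolver. Pure so it can be checked offline.
has_search_domain() {
    printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*search domain\[[0-9]+\][[:space:]]*:[[:space:]]*$2\$"
}

# Given `dig +short SRV` output (priority weight port target.), succeed if at
# least one target host is present.
srv_has_target() {
    printf '%s\n' "$1" | awk 'NF == 4 && $4 ~ /\.$/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# Live checks; returns non-zero if the Mac cannot locate a DC.
ad_preflight() {
    rc=0
    srv="$(dc_srv_name "$AD_DOMAIN")"
    if srv_has_target "$(dig +short SRV "$srv" 2>/dev/null)"; then
        echo "ok: $srv resolves to a domain controller"
    else
        echo "FAIL: no SRV answer for $srv (DNS pointers missing over this VPN?)"; rc=1
    fi
    if has_search_domain "$(scutil --dns 2>/dev/null)" "$AD_DOMAIN"; then
        echo "ok: $AD_DOMAIN is in the DNS search list"
    else
        echo "FAIL: $AD_DOMAIN is not a search domain; short names will not resolve"; rc=1
    fi
    if klist 2>/dev/null | grep -q 'krbtgt/'; then
        echo "ok: Kerberos TGT present"
    else
        echo "WARN: no Kerberos TGT; log in again once DNS works"
    fi
    return $rc
}

# Run the live checks only when asked, so the functions can be sourced elsewhere.
[ "${AD_PREFLIGHT_RUN:-0}" = 1 ] && ad_preflight
```

Run it with AD_PREFLIGHT_RUN=1 and AD_DOMAIN set to the real domain once the VPN is up; a FAIL on the SRV check is the symptom the review describes.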

Net results

Centrify
  Product: Centrify Suite 2016 for Mac
  Price: $4 per user per month
  Pros: Great enterprise-grade control of Macs for AD admins; flexible architecture
  Cons: Documentation can be daunting

Parallels
  Product: Parallels Mac Management for SCCM
  Price: Starts at $30 annually per Mac
  Pros: Total, equal control of Macs in AD
  Cons: You must have the SCCM control plane

Thursby Software
  Product: Thursby ADmitMac
  Price: Single license, $179; 25-license pack, $3,600
  Pros: Much better than Apple's Directory Utility; simple migration
  Cons: Add-ins are only basic

Thursby ADMitMac 10

Thursby has a number of Mac to Active Directory connectivity products. We tested ADMitMac 10 and found it solves a significant part of the connectivity problems between Mac clients and an Active Directory Network.

It has add-ons for Group Policy Controls, Active Directory management specifically for Macs, and ties to a Mac administrator’s use of WorkGroup Manager or Profile Manager where installed and in use.

Think of ADMitMac as a network driver stack plug-in that replaces the CIFS stack that Apple provides, coupled with discovery and useful AD-Mac admin utilities. ADMitMac is administered through the Directory Utility or AD Commander via the ADMitMac MacOS plug-in. It also works with Apple’s discontinued Workgroup Manager, and with the current MacOS Server app Profile Manager.

ADMitMac 10 arrived as a disk image/.dmg file that contains two central components, including an all-important replacement for the CIFS connectivity that Apple offers to Mac users. Installing the package on our Macs was incredibly simple.

Mounting Active Directory volumes is simple, and the mount definitions can be stored administratively for all users or just for the logged-in user. A script-savvy Mac admin can also whip together an automated installer for each user, keyed by either user name or machine name. There is a Deployment Utility available for "Volume Installations," but this wasn't examined or tested.

Kerberos authentication works correctly. It’s also possible to prevent unauthorized users of the Mac machine from logging into the Active Directory.

Included is a Home Mover utility that moves the MacOS user’s home directory reference point to something that the Active Directory admin controls. And it can be located in a special area where the root folder is unexposed, which makes it handy for public or uncontrolled environments.

We could also create login scripts, and hybrid scripts that were active depending on user and Active Directory status. In other words, we could control where the user's home directory (~) was located for data files, temp files, and other purposes.

We set up an Active Directory print test bed and printed successfully both locally and through Active Directory. Having the exact drivers in place doesn't matter much, as most Macs will adjust, but it's smarter to have printers already set up on a Mac to make this work.

For administrators, there is an AD Commander utility that allows manipulation of an AD in terms of controls. New users, their groups and characteristics, and Organizational Units relating to the Active Directory were easily manipulated using a conjoined Apple/Windows metaphor.

A final app, unused in our testing, was an ADMitMac Tracing Utility that automates and gathers situational information that can be saved, then emailed to Thursby tech support for resolution of support calls. It’s a nice detail.

Overall, Thursby’s plan is very Apple admin-friendly, and for workgroups to moderate-sized installations, appealed to us. It’s a well-done advance over the default connectivity Apple includes, and an easy answer to the question: How do we get some control over those pesky Macs on our network?

Centrify For Mac

Centrify for Mac has client, server, and optional cloud controls. The client-server components are $4 per client per month, and the cloud option adds single sign-on for a total of $6 per client per month. Our review is focused on Centrify for Mac.

The product comes with a 307-page PDF “adminguide” that we found to be excellent, if daunting. The guide recommends creating a separate organizational unit for its use, in a configuration called Auto Zone.

A zone within Active Directory is used to aggregate Mac-specific resources into an Active Directory object that becomes easier for admins to manage. The guide itself is basic enough to educate Mac admins or Windows admins to each other’s situational management needs. Daunting, but quite thorough.

We first tried to install Centrify for Mac ourselves from the binaries, and judged that if you're sufficiently savvy at both Mac and Windows Active Directory, you can do it all at once.

The client-side is installed and connects quickly, and has better diagnostics and tests to get an initial Mac connected to the Active Directory than Thursby’s equivalent.

On the Windows side, Centrify will query the subnets it lives on, or other subnets we specified, to find Mac citizens and make them part of our Active Directory empire.

The discovery process also found a number of hosts which it had no business trying to tie into the Active Directory, like routers. This said, the discovery process took a while, and did find the Macs correctly—save the ones it’s no longer compatible with.

And therein lies only a small rub, which is that Centrify’s docs say that MacOS 10.9 support will be deprecated in their next release. MacOS Sierra has been added. Our ancient 10.6 instance is invisible for purposes of Active Directory control in Centrify’s current release.

Thursby’s other products go back to the Dark Ages of Apple, by comparison, but many organizations simply can’t have unsupported operating systems in use for compliance and regulatory adherence. And unsupported OS releases in general are an enormous security risk.

Once both sides, client and server, were installed, we found we could establish a network home directory for users, and that this directory is available on shares other than just the Active Directory.

This home directory can then be synchronized, allowing portable/mobile operation easily. Apple File Share (AFS) and Network File System (NFS) homing and syncing are also possible, but this review is about use with Active Directory and so we didn't go there.

Support for RADIUS authentication and Centrify's certificate management is perhaps the best of the three products we tested. We could also impose FileVault encryption key management on Macs with MacOS 10.9+, but we didn't test this.

Centrify has explicit printer definition and permissions setup possibilities. Our simple test of finding and using an Active Directory-based print queue was without drama. It's possible to set up comparatively sophisticated zones for managing localization and feature sets of shared print resources, but we didn't test this heavily. The bits appear to be there.

Group Policy Active Directory objects that Centrify allowed us to install permitted direct control of virtually everything in the System Preferences app of our Macs. Herein lies the greatest value, we feel, of Centrify's Mac controls: once logged into the Active Directory, a Mac is bolted down administratively in much the same way as a Windows machine in terms of settings.

Active Directory admins need to learn only a few small facts to make it work. Common-denominator settings between MacOS and Windows, like time, interactive logons, password controls, etc., can be set in the Active Directory controls for both. The specific zones/organizational units built for Centrify (read: Mac) users then allow Mac-specific constraints and permissions.

A long list of Group Policy controls then manage everything from where apps can be downloaded from to firewall settings, sharing, remote management, and security/sharing capabilities on the Mac. If you have run GPO controls before, it’s very simple and intuitive—but it’s all explained if you need detail.

Page 1 of 2