Yeah, tell that to the guy who came over and had to rebuild my coworker's Windows machine because it started getting weird network problems.

It's just as easy to redeploy an image on a PC as it is a Mac.

Also, that's not a device management issue, that's a helpdesk issue. Helpdesk is needed whether you're running a PC or a Mac, so kind of a moot point.
 
I swear Apple is going to give me whiplash. They're effectively killing Server, ARD seems like it's now maintained by an intern, have just officially ended Airport, no new hardware without a screen attached for years, have basically handed over systems management to a third party (Jamf), have all but ended imaging which is, IMO, a much preferable way to deploy "Day 1" machines than MDM, yet Enterprises claim their people want and use Macs. So... they're all hybrid systems with Win/Linux in the data center? I'm still trying to fathom how it makes financial sense to both pay for the Mac hardware, and pay for the Windows CALs, and pay for all the extra security needed to keep malware and viruses out with that many platforms to protect.
 
So, an MDM.

Yes, an MDM, which again offers me about 5% of the capability of Group Policy. At least the ones I've used. (Admittedly I haven't needed to play with Macs in the enterprise in a few years. Most memorable was trying to get them on the domain, and needing to assign a network interface for use with the domain... what a PITA!)

We are a split shop and we sync user profiles with OneDrive on Mac and PC.

Yes, it's doable, but you need to trust the user to actually sign in. Which we don't, because we used to, and they didn't.

We have a Self Service app where Mac users can install software, printers, map network drives, and more from an approved list without local admin.

Can you control it granularly? We have around 400 printers, no way is a user going to scroll through all those and choose the printers they need. Plus, if we change out a printer, get a new driver, or what have you, I simply update the print server and group policy to reflect the changes, rather than having to tell every user "hey, delete this printer and install this one instead."

We did just move to a single mapped drive for all shares employing access-based enumeration, so assuming Macs understand ABE, that should just work fortunately. EDIT: some quick searching suggests Macs don't understand ABE.

I create scripts that are stored in the MDM and can be applied to static groups, like containers in AD, but also to smart groups (all Macs at this particular campus with this version of software installed that do not belong to the IT group that have more than 90% of disk space used). And I can do all of this without touching a new machine through DEP from Apple.

I mean, on a PC it's all automatic as well, since it's all done via Group Policy. And we have our PC vendor image them for us, so while yes it does add some upfront cost, it means we're not spending an hour downloading all software every time we set up a new PC, even if it's automatic.

I spend WAY less time working on my Macs than I do my PCs.

Sounds like you need to step up your PC management game!

But you're right, our Mac users do have to log in to OneDrive. Once.

That's not the only example where ADFS is useful. We also use it for signing into O365 in the browser, for example, and I know our systems architect has a few more projects planned for it.

Also note I'm not saying Macs in the enterprise can't be done, because obviously they can. My point is it's a lot of extra work, requires a lot of workarounds, and the end product still won't be as good as what you get with a domain full of PCs and Group Policy, IMHO.
 
I work managing an FI's IT helpdesk and project roll-outs and can mirror many of your concerns with Mac, and why we don't support them. Without full integration to GPOs in Windows, the management of Apple computers in the enterprise is not worth it. TCO might be down, but there's a lot of trust we'd have to give the user due to limitations of Apple's support for a combination of Samba (which Apple is terrible at supporting) and management.

And since we're an F.I., security is #1 for us. Our data cannot under any circumstances leave our hardware. This means we have to be extra controlling with our policies. Locked down USB drive access. Networking that blocks the ability to push / pull data from the cloud. Blocked access to webmail and other cloud services for users. The list goes on and on, and when researching implementing Apple into our ecosystem, we would essentially have to double up our management side of things: one set of management tools for our Windows-based users (Windows servers have most built in) and a secondary, paid MDM just for Apple computers.

So at the end of the day, Apple computers are a non-factor and are not welcome on our corporate LAN. Never mind the fact that our back-end platform that runs our entire 24/7 financial institution is exclusively Linux/Windows. The platform it's based on has no macOS support and will never have macOS support.

iOS based end points for mail / etc are a different story since we reserve the right to remote wipe all data on our users end points should security become a concern.
 
For every person like you that benefits from being free of enterprise IT there are hundreds of people that cause their own issues.

I worked as a system admin at a company that allowed users all admin rights to their machines, the moment we removed that power from end users ticket volume dropped significantly. Certain people can handle that responsibility and do their job better with it, but most just cause their own issues.
I find this to be true, especially amongst older employees who, in the Windows 95 days were very technically capable.

A few years back, I had one guy complaining that his old apps won't work on the new version of Windows, so he hated the new Windows. So I asked him more questions, and I found out he was trying to copy his app folder from the old computer to the new one. Well that worked in the DOS days and in early Windows days when Windows apps had a runtime folder and didn't store stuff in the Registry or a half-dozen folders on the C partition. But you can't do that anymore and expect a modern app to work!

I told him he needed to re-install the program from the original installer so that the registry and appdata folders would get properly updated on his new system. Well, he didn't have that anymore, and that's when I could tell from his facial and body language he was trying to run software that he (and our company) didn't have a license for. So it ended right there.

Technical genius, he was, but not in Windows. He assumed that apps would follow the same methodologies on EVERY version of the OS.

Today, that stops fast because nobody gets Windows admin authority by default. Gotta make the business case for it.

At my work, I know 2 people (out of a few hundred) who use a Mac. And neither of them does any iOS development.
 
It's just as easy to redeploy an image on a PC as it is a Mac.

Also, that's not a device management issue, that's a helpdesk issue. Helpdesk is needed whether you're running a PC or a Mac, so kind of a moot point.

Funny, I don't remember seeing you there at my coworkers' desks for several hours a month but apparently you were since you know so much better about that experience than I do.
Apple should spend more resources on iWorks. It’s already better than Office in some ways and blows away Google’s offerings.

Keynote is 1000% better than PPT for sure. I used it for years to build great decks and could never replicate the level of quality in PPT. Pages is actually quite solid too and seems to share the same layout engine with Keynote. Numbers? I don't know. I'm not a big spreadsheet guy but I do know that's probably the one with the biggest gap -- Excel does stuff I don't believe Numbers can touch.

The big issue I always ran into with Keynote was that I could build a killer deck that nobody on a PC could see. I wished so many times Apple would build a "viewer" app for PC, but we all know that probably ain't happening.
 
It is so bad, that Macs running the better macOS, but running Windows as a VM, are denied support, or even access, by IT due to the lack of Active Directory integration. This because Windows VMs under macOS extend themselves onto the network via macOS kernel driver extensions, and effectively are blind to the tentacles of Active Directory, other than core Server Message Block protocols for file sharing and printing.

Obviously, IT and I do not see eye to eye.

Umm, macOS and also virtual Windows instances running on it are perfectly capable of connecting to Active Directory. In my previous job I was running an AD-connected MBP with a similarly AD-connected virtual Windows instance for Windows-only duties under VMware Fusion. I don't know what's wrong with your company's setup, but it's not a macOS limitation like you're suggesting.
 
Admittedly I haven't needed to play with Macs in the enterprise in a few years.
It's way easier now than it used to be. A good MDM gives you MOST of the same capabilities in addition to a few capabilities GPO alone won't give you. When a printer driver gets updated, I upload it to the MDM and issue a scope for who should get it. For example, everyone who had the previous up-to-date driver. The Self Service app can show printers at your campus only or on the subnet you are currently connected to and update live as you move from one campus to another. It is very flexible.

Also, we don't bind our Macs to AD. There is no point to it anymore for our org.
 
You realize based on your own time frame you never actually used a Windows 10 machine, and likely not even Windows 8, which was a complete re-write of the core of Windows and a thoroughly different experience than 7 and earlier.

Your post would be about the same as if I said "I used iOS in 2012, and I hated it then so it must be as bad today!".

Windows 8 and Windows 10 have been among the most stable OS choices I've ever used, including Linux variants and macOS. A complete turn-around from their stability before.

I have a computer with both within the family. Using them is like pulling teeth.
 
Because it ultimately isn't about the ability for users to work, but rather the feasibility of IT to manage. I'm the sysadmin at a 2000+ employee company, and my priorities in order are a) security b) management and c) user experience. And where the Mac fails is b) (and as a side effect of that, a) as well). If I need to push a piece of software out to a domain-joined PC for example, I can simply make a GPO and the software is installed on next reboot (which I can also remotely mass-schedule). A Mac, I would need to use a separate tool, which has limited management abilities, maybe 5% of what I can do with Group Policy. So it's more management work on IT's end, with limited effect.

Some other examples:
  • We sync all user profiles with OneDrive for backup, using federated sign on so users don't need to log in to OneDrive for it to work. Can't be done on a Mac.
  • I (until recently) used item level targeting to map network shares to certain branches and users. Can't be done on a Mac.
  • I'm working on getting certificate services set up so we can use certificates to connect to things like Wifi, even after a password change. Can't be done on a Mac.
  • We publish software in the Control Panel that users can install themselves, kind of like our own mini App Store that bypasses admin requirements. Since we're not about to give Mac users local admin rights, can't be done on a Mac.
  • I have some Powershell scripts that do all manner of things, from mapping drives from different domains to ensuring our main third-party enterprise suite is kept up to date daily. They can probably be replicated in Bash, but that's a ridiculous amount of extra work that no one in my department has any interest in taking on for the limited (and arguable) benefit of letting employees use Macs.
Basically there's a lot that happens behind the scenes that make PCs a clear winner in enterprise from an IT perspective. It isn't just about compatibility or even usability for us. Needless to say we are PC only.

I will not argue with you since I do not work in the IT field, but all I am going to say is that I have a Mac mini with Windows 10 installed on it. It refuses to update. For an OS that won't do a simple thing like that I can only see horrors happening managing 2000+ PCs all at once.

I am not sure why Macs are hard to manage as you say, but I guess if Apple wanted to it could make it very easy. I remember schools used Macs since the OS 9 days and they had all the software and servers needed to manage multiple computers at once.
I have a computer with both within the family. Using them is like pulling teeth.
ditto
 
We manage 15.000 Macs in an environment still dominated for 90% by Windows clients (2 years ago we were at 10.000 Macs, and the number keeps growing). Key is to NOT manage and consider Macs and macOS as a traditional Windows PC but use its platform specific powers.

So, don't bind them to AD and don't use mobile accounts, but use Enterprise Connect or NoMAD with local accounts. Focus on cloud and platform-agnostic software as much as possible, and this might surprise you but this is where Microsoft has become better and better over the past few years with O365. It works great on our Macs; the Office suite is more mature than ever, and integrates natively with OneDrive, SharePoint and Teams.

We use a cloud instance of Jamf, Self Service (the Windows equivalent of Software Center) is available in the cloud, our users can deploy and setup their own Macs from home if they want to, in under 45 minutes. They rarely have to use the VPN app to connect to our internal network.

With MDM and DEP Macs can be easily managed; it's lightweight and not as bulky as SCCM. We don't use 3rd party antivirus software but rely on macOS's built-in security through Gatekeeper, XProtect, SIP and FileVault. Our users don't have admin permissions by default but can get them instantly and temporarily with the click of a button when needed.

And now here's what I find funny: Microsoft is moving in that exact same direction; they're copying almost everything Apple and Jamf have been doing for the last several years. Microsoft Intune is their MDM equivalent to Jamf and Autopilot is their equivalent to DEP; Windows Defender will be their built-in AV solution. This is the future for managing Windows machines in the enterprise. SCCM will go away, traditional on-premise ADs will go away, in favour of a fully MDM and cloud-based solution (Azure AD, O365).
 
I am not sure why Macs are hard to manage as you say, but I guess if Apple wanted to it could make it very easy. I remember schools used Macs since the OS 9 days and they had all the software and servers needed to manage multiple computers at once.

At one point they were moving in the right direction. There was the server OS, and even a lineup of hardware for enterprise (Xserve). But sometime in 2011 Apple walked away completely from enterprise. Killed the Xserve and then killed the Server OS.

Since then they just haven't cared to implement interoperability with industry-standard tech like the ability to natively support GPOs and other Windows-based management tools.

Apple / MacOS focused on the consumer / home user side of things and have completely ignored enterprise outside of iOS
 
At one point they were moving in the right direction. There was the server OS, and even a lineup of hardware for enterprise (Xserve). But sometime in 2011 Apple walked away completely from enterprise. Killed the Xserve and then killed the Server OS.

Since then they just haven't cared to implement interoperability with industry-standard tech like the ability to natively support GPOs and other Windows-based management tools.

Apple / MacOS focused on the consumer / home user side of things and have completely ignored enterprise outside of iOS

This simply isn't true. They are embracing the Enterprise more and more but they don't want to use tools that are common in the Windows world. They want to use tools that work best with macOS and Apple devices / ecosystem in general. DEP is a good example of that, as well as the upcoming Apple Business Manager: https://beta.business.apple.com. Microsoft is now copying that behaviour with Intune and Autopilot. Which I think is a smart move on their side.
 
This simply isn't true. They are embracing the Enterprise more and more but they don't want to use tools that are common in the Windows world. They want to use tools that work best with macOS and Apple devices / ecosystem in general. DEP is a good example of that, as well as the upcoming Apple Business Manager: https://beta.business.apple.com. Microsoft is now copying that behaviour with Intune and Autopilot. Which I think is a smart move on their side.

This is simply not the same thing we're talking about. We're talking about their computers in enterprise, not iOS devices; mobile devices have a far different management process and toolset entirely.

From an enterprise back end, where workstations and computers are concerned, Apple does not exist. Until they fully support GPO-style management natively, they're fighting an uphill battle, for reasons mentioned many times by a LOT of IT professionals in this thread.
 
This simply isn't true. They are embracing the Enterprise more and more but they don't want to use tools that are common in the Windows world. They want to use tools that work best with macOS and Apple devices / ecosystem in general. DEP is a good example of that, as well as the upcoming Apple Business Manager: https://beta.business.apple.com. Microsoft is now copying that behaviour with Intune and Autopilot. Which I think is a smart move on their side.

It's a little bit too late for a company that has been around since the 70s to just start to enter this market. What I don't understand is that it would significantly increase their profits even if it was only adopted by smaller companies or stores.

At one point they were moving in the right direction. There was the server OS, and even a lineup of hardware for enterprise (Xserve). But sometime in 2011 Apple walked away completely from enterprise. Killed the Xserve and then killed the Server OS.

Since then they just haven't cared to implement interoperability with industry-standard tech like the ability to natively support GPOs and other Windows-based management tools.

Apple / MacOS focused on the consumer / home user side of things and have completely ignored enterprise outside of iOS

I guess Apple figured out that enterprise will always opt for the cheaper PCs because they will do the job over their "luxury" brand. On the other hand they seem happy to have Macs in the enterprise as the employee's choice, and I remember they had that IBM partnership for enterprise software, which I don't know how it went.
 
Funny, I don't remember seeing you there at my coworkers' desks for several hours a month but apparently you were since you know so much better about that experience than I do.

If he didn't reimage after about a half hour to an hour of troubleshooting (depending on org size), your company needs to reevaluate their helpdesk procedures.
It's way easier now than it used to be. A good MDM gives you MOST of the same capabilities in addition to a few capabilities GPO alone won't give you.

I have not played with JAMF, which seems to be recommended here a lot, but I have looked at the Mac MDM options in Meraki (which we use for both mobile devices and networking) and the options appear pretty limited. Perhaps it's simply not as mature, but my impression based on limitations of the iOS side is there are many restrictions Apple creates such that managing certain aspects isn't possible.

When a printer driver gets updated, I upload it to the MDM and issue a scope for who should get it. For example, everyone who had the previous up-to-date driver. The Self Service app can show printers at your campus only or on the subnet you are currently connected to and update live as you move from one campus to another. It is very flexible.

That's nifty, but it also sounds like what I can do with item level targeting.

Also, we don't bind our Macs to AD. There is no point to it anymore for our org.

How do your users authenticate, how do you control access of terminated users and such, and how do you implement SSO?
Key is to NOT manage and consider Macs and macOS as a traditional Windows PC but use its platform specific powers.

I take it you're not a HIPAA or SOX-compliant business then. Because this would absolutely not be an okay approach in such an org. We require pretty granular control of what users can and cannot do.

So, don't bind them to AD and don't use mobile accounts, but use Enterprise Connect or NoMAD with local accounts.

Again, more management tools required, whereas I can just do the job for my entire PC-based org in one step with a GPO. I suppose if we were 100% Mac-based, it would make sense to follow the preferred Apple approach and do away with AD entirely, but fact is we're not, and hybriding is more work for no benefit (except maybe mildly happier users).

Focus on cloud and platform agnostic software as much as possible, and this might surprise you but this is where Microsoft has become better and better over the past few years with O365. It works great on our Macs, the Office suite is more mature then ever, integrates natively with OneDrive, Sharepoint and Teams.

We're on O365, but that still requires on-prem AD both for syncing and for actual management.

Microsoft Intune is their MDM equivalent to Jamf

My understanding of Intune is it's mainly for integrating mobile devices into on-prem infrastructure. Not for managing desktops free of on-prem infrastructure-- in fact, it integrates with SCCM for "real" management capabilities.

and Autopilot is their equivalent to DEP,

Okay, this I didn't know about, so I looked it up, and that's pretty nifty. We currently spend around $60/PC for our vendor to apply our image, asset tag, and domain join them, plus the time spent building and re-building updated images. This could potentially save us quite a bit of money, so I'm definitely going to look into this some more; thank you for that!
 
I'm sure everything went smoothly on your end. But I'm also sure IT was not fond of you, as you created additional management headaches for them.

That's one potential issue, but even if that weren't an issue the main issue if they're a pain in the ass to centrally manage. Anything that needs to be changed on a PC is a group policy away. Anything that needs to be changed on a Mac is likely going to require one of several different tools depending on what I need to do, if it's even doable in the first place. And I'd have to rewrite all my Powershell logon scripts in Bash, which I have no interest in doing for the limited benefit and considering how much time it takes and how much other work I need to do elsewhere.

Also, a blanket statement like that largely depends on what the company does. My company is rapidly expanding via acquisition, so maybe 50% of IT is dedicated to analyzing new branch offices to determine needs and installing new equipment, 30% is helpdesk, and 20% is back end management. If we even could switch to Mac, which we can't due to business needs as you mention, we'd still need 50% in the field, and while we could maybe reduce helpdesk to 20%, we'd need to add another 10% to back end management due to how cumbersome it is with Macs. Plus factor in that Macs are more expensive upfront, and with 2000+ devices in inventory (expanding to 5000+ over the next two years), even a $100 difference would mean another half a million dollars every three years spent on upgrades. So there would not really be any savings.

Yes, I will say as painful as it is to support Macs, iOS devices are a breeze once you get the initial config out of the way. Configure a profile, assign it to a device, turn the device on for the first time, and within 5 minutes it's pulled in the profile and all associated apps, and is trackable. And because iOS can't really do all that much, there's a lot less that I need to lock down than on a Mac, which again makes it very easy to support.


You obviously are a sysadmin stuck in the past.

Roughly 90% of what you can do with the Windows desktop OS you can do with OS X and JAMF or other fully deployable management systems. Because let's face it, without AD and Admin Tools running on your machine or a server with DOS, PowerShell 5 and a few other tools, many are accessible in Terminal. It's just that you don't know how to use a Unix/Linux based system.

Where is your ability to use PowerShell to find charge cycles and battery health for all laptops on your domain? I'll wait for you to come up with a script that works for any domain. Still waiting. This is easily done in Terminal for Linux, Unix, and MACH.

Pushing applications into Programs and Features, lol, you even worded that wrong too. SCCM has its own location for curated apps on Windows. I think you're referring to MSI packages.

Sorry but this isn’t 15yrs ago. The premise of fine control is very rapidly going away in corporations thanks to:

iPhone & MDM/EMM
VMSphere
Office365 vs on premises exchange servers
Allowing Office Suite, Email, and OneDrive access from personal computers off network/VPN. End users are liable and responsible for their own actions! Many gold companies are going this route; IBM did over 7 years ago. Users have never been corporate-minded enough to think like IT. The world is changing and there are a LOT of contractors that have the best talent, and to get the best talent corporations are changing restrictive, mindless, useless policies and actions that haven't resulted in increased productivity or maintained security. In fact almost every Fortune 500 company that's existed over 20 years as an MS shop has suffered in security (facts are easily searchable on the net), and moreover the increased budget spending for all kinds of IT implementations for restrictive IT actions or policies has yet to help any corporation turn profits!!
Not to mention, if that user had admin rights to the computer, installed a rogue app, or let someone else they know TS the PC thinking they know how a corporate PC image or GPOs work, they probably messed around with drivers, the network stack or even worse.

GPOs are very powerful, I love them, but they also can be the source of real issues down the road.
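The battery inventory check the post above asks for, written as an added example rather than the poster's or any vendor's script: a POSIX shell function set that reads the AppleSmartBattery entry from `ioreg -r -c AppleSmartBattery`, computes health as a percentage of design capacity, and flags units past a replacement threshold, which is the sort of one-liner an MDM policy would run on every Mac and collect centrally. It assumes the key names `CycleCount`, `MaxCapacity` and `DesignCapacity` as printed by ioreg on Intel Macs; the embedded ioreg text is a constructed sample used wherever ioreg is not available, and the 1000-cycle / 80% thresholds are illustrative values, not Apple's.

```shell
#!/bin/sh
# Added example (not from the thread): battery cycle count and health
# from the AppleSmartBattery entry in the IORegistry, as an MDM script
# would collect it. Assumes the Intel-Mac ioreg key names CycleCount,
# MaxCapacity and DesignCapacity. Thresholds below are illustrative.

# Constructed sample of `ioreg -r -c AppleSmartBattery` output, used
# when the script runs on a machine without ioreg (e.g. Linux).
SAMPLE_IOREG='+-o AppleSmartBattery  <class AppleSmartBattery, id 0x100000305, registered, matched, active, busy 0 (0 ms), retain 9>
    {
      "CycleCount" = 412
      "DesignCapacity" = 6559
      "MaxCapacity" = 5230
      "IsCharging" = No
      "ExternalConnected" = Yes
    }'

# battery_field <ioreg-text> <key>: print the integer value of one key,
# matching the ioreg line layout:   "Key" = value
battery_field() {
  printf '%s\n' "$1" | awk -v key="\"$2\"" '$1 == key && $2 == "=" { print $3; exit }'
}

# health_pct <max-capacity> <design-capacity>: integer percent of the
# design capacity the battery can still hold.
health_pct() {
  echo $(( $1 * 100 / $2 ))
}

# battery_report <ioreg-text> [cycle-threshold]: one CSV line
#   cycles,health_pct,status   with status OK or REPLACE.
# Returns 1 (and prints nothing on stdout) when no battery keys are found,
# e.g. on a desktop Mac, so a collector can tell "no battery" from "bad".
battery_report() {
  _text=$1
  _limit=${2:-1000}
  _cycles=$(battery_field "$_text" CycleCount)
  _max=$(battery_field "$_text" MaxCapacity)
  _design=$(battery_field "$_text" DesignCapacity)
  if [ -z "$_cycles" ] || [ -z "$_max" ] || [ -z "$_design" ] || [ "$_design" -eq 0 ]; then
    echo "no battery found" >&2
    return 1
  fi
  _health=$(health_pct "$_max" "$_design")
  _status=OK
  # Flag on either signal: too many cycles, or capacity worn below 80%.
  if [ "$_cycles" -ge "$_limit" ] || [ "$_health" -lt 80 ]; then
    _status=REPLACE
  fi
  printf '%s,%s,%s\n' "$_cycles" "$_health" "$_status"
}

# Entry point: live ioreg on macOS, the constructed sample elsewhere.
if command -v ioreg >/dev/null 2>&1; then
  battery_report "$(ioreg -r -c AppleSmartBattery)"
else
  battery_report "$SAMPLE_IOREG"
fi
```

On the constructed sample the script prints `412,79,REPLACE`: the cycle count is well under the limit, but 5230 of 6559 mAh is only 79% of design capacity, so the second test trips. The exit status is what a management tool should key on; an empty result with status 1 means the device simply has no battery, which should not be counted as a failed check.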
 