
nunes013 (macrumors 65816, Original poster, May 24, 2010, Connecticut)
Hi all! I need the advice of the experts at MacRumors for my iMac computer lab at the school where I teach. My IT people are primarily trained in Windows and they've never done this setup before.

I have 17 student stations and one teacher station, all networked through the school's Active Directory. IT is making me the manager of my Mac lab with Apple Remote Desktop. We want to use OS X Server to cache updates and stuff like that. They currently run OS X Server on a virtual machine.

My question to you is: what is the best way to have the 17 student stations and 1 teacher station all connected to Active Directory, but have my teacher station be the admin for the 17 student stations?
 
So — you don't really need to do anything special for the network setup. All Macs should be connected the same and bound to AD the same. The difference will come when you log in with your teacher account, which will have extra permissions in AD.

For ARD, just turn on Remote Management on all the student workstations. Only install the ARD software on your teacher Mac. Be sure to create a local (non-AD) admin account on the Macs, enable only that account for Remote Management, and then use that account when you connect from ARD on your teacher Mac.

For Caching — you may have problems enabling it inside a VM, especially if it's not running on a Mac. I've not yet been successful getting it to work at all on an Xserve, so YMMV.
 
Purchase the OS X Server app for your teacher Mac. Do not run it in a VM. You can run it as an app and still have full access to your Mac. I would not recommend this if you have 1000 - 5000 clients, but 17 clients are barely noticeable on the system.
Purchase Apple Remote Desktop for your computer, to manage other Macs.

1) Turn on caching in the Server app.
Quick video Google found:

More info on the caching server (and a little more):
https://www.apple.com/support/osxserver/cachingservice/

Recommendations:
- Unbind computers from AD; what benefits do you gain from the added complexity? You can set up Open Directory on your Mac server if you want to have individualized logins, but I'm not sure that would be the best solution either. For a single class, I'd let everyone in as a guest and force them to use a local cloud storage solution - ownCloud, for example.
- Learn Profile Manager (Server app) and add client Macs to that MDM solution.

There's too much we do not know to have the perfect solution. I am only throwing out ideas to look into, that may not be offered by others.

Good luck and enjoy!
 
> Recommendations:
> - Unbind computers from AD; what benefits do you gain from the added complexity? You can set up Open Directory on your Mac server if you want to have individualized logins, but I'm not sure that would be the best solution either. For a single class, I'd let everyone in as a guest and force them to use a local cloud storage solution - ownCloud, for example.
> - Learn Profile Manager (Server app) and add client Macs to that MDM solution.
I strongly disagree about getting rid of Active Directory.
If someone else is managing Active Directory, and it already has the students' credentials in the directory, leave it and use it. Trying to run Open Directory to create and manage a set of accounts is already a lot more work, and a lot less reliable, than just using the existing Active Directory infrastructure, and having students learn a second set of credentials can be problematic. Nowadays, getting Macs to authenticate accounts via AD is not complex, so just keep using it.
Many organizations also don't want their students using generic guest accounts, and this causes problems with people overwriting files and changing preferences. It's far better to have individual accounts unless we're talking very early elementary school.
Profile Manager is not especially reliable and can be a serious hassle when the database gets corrupt. For a small-scale installation like this, however, it may be OK. Configuring mobile accounts that are self-contained on the Macs via profiles is pretty simple and you'd be up and running in short order.
The challenge comes in making sure you have the systems locked down adequately to meet whatever policies the school has; it's something to be very careful about.
Caching Server should work OK in a virtual machine for an environment of this scale, if the VM is given adequate resources. It can saturate even a gigabit Ethernet connection given enough clients on a day when there are a lot of big updates.
 
> Profile Manager is not especially reliable and can be a serious hassle when the database gets corrupt. For a small-scale installation like this, however, it may be OK. Configuring mobile accounts that are self-contained on the Macs via profiles is pretty simple and you'd be up and running in short order.
Funny story: Apple engineers repeat the exact same words. It seems like a rumor that will not die, yet performance tests show it running 5000 devices reliably.
https://support.apple.com/en-us/HT202268

I have not had it crash yet (three years), but it only runs a testing fleet of about 50 clients (because of the same comments from Apple engineers in the past). It is of course backed up locally and, if used in a production run, remotely. Nine more months of testing will tell the tale, then I'll throw 5000 devices at it.

About AD, you are correct, it would be better in this situation (already implemented). I just hate paying for something that really has no use in modern deployment scenarios. I'm very opinionated about AD and have been known to throw a complete fit when its use case is mentioned. Please forgive me.
 
This was all GREAT information! MacRumors members always come through! I do have to keep AD because it's tied to a school account. I do like the idea of running Server off of my iMac since it is literally for just my room. I forwarded these ideas to my IT manager and it was along the same lines that he and I discussed. We are going to try to set all this up tomorrow or early next week, so I will report back with the final setup for anyone interested in this! Thanks again everyone!!!
 
> Funny story: Apple engineers repeat the exact same words. It seems like a rumor that will not die, yet performance tests show it running 5000 devices reliably.
I tried it for 2 years with something around 200 devices. In that time I had the database go corrupt twice, and consistently had problems pushing profile changes to devices. My experience is not unique.
Now I use Profile Manager to generate the profiles and deploy them using Munki and sometimes create profiles using a tool called MCXtoProfile. It's much more reliable that way.
 
I definitely disagree about swapping out AD for OD. If anything, using Open Directory would be introducing additional complications. Using AD is the simplest option to have here, especially considering that's where student login information will come from, and if your IT dept is anything like me they want all students to have uniform logins across all systems for ease of use.

On that note — consider also your file storage strategy. Will students always use the same Mac, or will they move around? My advice would be to store home directories locally on each machine rather than having them set up as network homes. When you bind to AD, you can set options such that the Mac will delete user data if the user doesn't log in for X number of days. That setup will help keep your Macs clean of unused data while still allowing students to work on long-term projects.

And +1 on Profile Manager. Our Apple Education rep has said on multiple occasions that Profile Manager is a proof-of-concept to inspire third-party MDM developers. It isn't meant to be used for real. I use Mosyle for our iPads, and unfortunately feel kind of stuck with Profile Manager for our staff MacBooks and student MacBook carts. It's mostly garbage. Munki does help a lot.
 
If you are using it to add the AD server, then rather the OS X machine should/must change the Gothenburg OS X client to Server 2008 R2 or any other newer version of AD; change OS X's time clock to the server's time server! Plus, with Server 2008 R2 AD servers, you need a clock server set up for a Mac client to stay connected after a reboot!
 
OD is great but I wouldn't suggest pulling your machines from AD and recreating what you have in a new OD unless you were scrapping AD which you didn't say you would be.
In my experience Profile Manager has been great when it's not linked to AD, once it's linked to AD it's not so good.
The Caching Service is incredibly useful as is ARD.
You can add your AD user account as an admin on the student Macs, keeping everything tied to your one account.
 
Yeah, keep AD, nothing really compelling to switch to and if other teams are managing it then even better.
If the population grows get a robust management suite in there and you can automate better.

But for now ARD, OS X Server to handle software update caching, and even a Margarita/Reposado server for software updates would be a great addition.

You can use CreateUserPkg from the App Store to create a hidden admin account that you can deploy via ARD; that way it's not visible to the end users and you always have a way in.
 
Add my vote too: keep AD for less to manage (less for you......more for IT). Be sure Mac clients synchronize their time/clocks with the same time as the AD server. Different times between client and server can lead to problematic behavior such as not being able to log in....and having to repeatedly rebind the Macs to AD. Once dialed in....can be very reliable. Wanna say our AD servers are 2012, with no real issues for 10.10 or 10.11 Macs bound to it.

Local home directories are easiest to manage and most reliable.

Create profiles and add them manually to workstations if need be, as you have such a small lab. Doing this removes any worry about Profile Manager being wonky. My experience is that it is fine once up and running, but it is a bit fragile, so once it is happy, don't mess with it. Very adequate for fewer than 100 machines IMHO.

If your IT dept is Linux savvy and helpful, and already runs a VM infrastructure, you can let them run a NetBoot/update server for you: the JAMF NetBoot/SUS Appliance. Free, no Mac hardware required, and it works great. Straightforward if a VM server is already in place.

If you really want to do something different, cloud-based Meraki MDM was free last time I checked, for up to 100 devices. No server, no cost, just the initial learning curve and config time. Nice reporting to see what versions of software are installed, RAM, free space on HDs, etc.
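Several posts in this thread amount to a checklist for each lab Mac: bound to AD with local (mobile) home folders, clock within Kerberos tolerance of the AD server, Remote Management opened only for one dedicated local account, and a hidden admin account that you know about. The audit script below is an added example, not a script from any poster or from Apple; it queries the real tools (`dsconfigad`, `sntp`, `defaults`, `dscl`) when run on a Mac and otherwise audits constructed sample output whose format mimics those tools. The domain controller name, account names and UIDs are assumptions, and the `sntp` output layout (signed offset first) is assumed.

```shell
#!/bin/sh
# lab-check.sh: audit one lab Mac against the advice in this thread.
# Added example, not from the thread. Runs against live tool output on a Mac,
# otherwise against constructed samples that mimic each tool's output format.
set -u

AD_HOST="dc1.example.edu"   # assumed AD domain controller, also the time source
ARD_ACCOUNT="ardadmin"      # the one local (non-AD) account allowed to use ARD
MAX_SKEW=300                # Kerberos rejects tickets beyond a 5-minute clock skew
WARN_SKEW=60                # warn well before logins start failing

# ---- pure helpers: each takes tool output as text, so they work on any OS ----

# Value of one "Key = Value" line from `dsconfigad -show`.
ad_setting() {  # $1 dsconfigad output, $2 key
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*= *//p" | head -n 1
}

# Mobile accounts with homes on the startup disk, as the thread recommends.
ad_local_home_ok() {  # $1 dsconfigad output
  [ "$(ad_setting "$1" 'Create mobile account at login')" = Enabled ] &&
  [ "$(ad_setting "$1" 'Force home to startup disk')" = Enabled ]
}

# Classify a signed clock offset in seconds: ok / warn / fail.
skew_class() {  # $1 offset, e.g. "+0.004521" or "-412.9"
  awk -v off="$1" -v warn="$WARN_SKEW" -v max="$MAX_SKEW" 'BEGIN {
    a = off + 0; if (a < 0) a = -a
    r = (a >= max) ? "fail" : (a >= warn) ? "warn" : "ok"; print r }'
}

# Users holding ARD privileges, from `dscl . -list /Users naprivs` ("name value").
ard_users() {  # $1 dscl listing
  printf '%s\n' "$1" | awk 'NF >= 2 { print $1 }' | sort
}

# ARD closed to "all local users" and only $ARD_ACCOUNT carries privileges.
ard_scope_ok() {  # $1 value of ARD_AllLocalUsers (0/1), $2 naprivs listing
  [ "$1" = 0 ] && [ "$(ard_users "$2")" = "$ARD_ACCOUNT" ]
}

# Members of the admin group from `dscl . -read /Groups/admin GroupMembership`.
admin_members() {  # $1 dscl output
  printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Admins (other than root) with UID below 500: macOS hides such accounts from
# the login window by default, so these are the "hidden admin" accounts.
hidden_admins() {  # $1 GroupMembership output, $2 `dscl . -list /Users UniqueID`
  for m in $(admin_members "$1"); do
    printf '%s\n' "$2" | awk -v u="$m" '$1 == u && u != "root" && $2 < 500 { print $1 }'
  done
}

# ---- collect live data on a Mac, constructed samples elsewhere ----
if command -v dsconfigad >/dev/null 2>&1; then
  AD_OUT=$(dsconfigad -show)
  SKEW=$(sntp "$AD_HOST" 2>/dev/null | awk 'NR == 1 { print $1 }')  # assumed "+0.00x +/- ..." layout
  ALL_LOCAL=$(defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null || echo 1)
  NAPRIVS=$(dscl . -list /Users naprivs)
  ADMINS=$(dscl . -read /Groups/admin GroupMembership)
  UIDS=$(dscl . -list /Users UniqueID)
else
  echo "macOS directory tools not found; auditing the constructed sample instead"
  AD_OUT=$(printf '%s\n' 'You are bound to Active Directory:' \
    '    Active Directory Domain          = example.edu' \
    '    Create mobile account at login   = Enabled' \
    '    Force home to startup disk       = Enabled')
  SKEW="+0.004521"; ALL_LOCAL=0
  NAPRIVS="ardadmin   -1073741569"                 # constructed; value is illustrative
  ADMINS="GroupMembership: root ardadmin teacher"
  UIDS=$(printf '%s\n' 'root 0' 'ardadmin 450' 'teacher 1001' 'student 1002')
fi

# ---- report ----
echo "AD domain:      $(ad_setting "$AD_OUT" 'Active Directory Domain')"
if ad_local_home_ok "$AD_OUT"; then echo "home dirs:      local (ok)"; else echo "home dirs:      NOT local"; fi
echo "clock skew:     ${SKEW}s -> $(skew_class "$SKEW")"
if ard_scope_ok "$ALL_LOCAL" "$NAPRIVS"; then echo "ARD access:     only $ARD_ACCOUNT (ok)"; else echo "ARD access:     too broad"; fi
echo "hidden admins:  $(hidden_admins "$ADMINS" "$UIDS" | tr '\n' ' ')"
```

Run it as root on a student Mac after binding; the "clock skew" line is the one to watch when logins start failing or the Mac keeps dropping its AD bind, and the "hidden admins" line confirms that the only sub-500 admin is the account you deployed on purpose.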
 
> If you really want to do something different, cloud-based Meraki MDM was free last time I checked, for up to 100 devices. No server, no cost, just the initial learning curve and config time. Nice reporting to see what versions of software are installed, RAM, free space on HDs, etc.

Meraki is no longer free as of a little over a year ago. But otherwise I agree with everything you said! :)
 