Bringing Macs into an existing IT environment can make any Windows admin feel a little wrong-footed. Everything is familiar, in terms of the tasks and settings, but with enough of a twist to seem a bit foreign at first. Our ongoing series of Mac management tips is here to help guide you in rolling out Macs securely and productively.
In part one of this series, I looked at the essential requirements for integrating Macs into enterprise environments, including how to join them to enterprise systems. At scale, large Mac deployments often require a unique set of skills and tools to be successful. The same goes for applying management policies to Macs, which I cover in this article. Here, you will get an overview of Mac policies and insights into how to plan a strategy for deploying them.
In the final piece of the series, I'll look at the specific tools used to apply policies, as well as tools that offer additional management and deployment features.
The upshot on Mac management policies
How to go about managing Macs is a question of scale. Technicians at organizations with a small number of Macs can often configure each Mac individually or create a single system image that applies a uniform configuration to every Mac. In larger organizations, the challenges are more complex. Different users or departments will have different configuration needs, and they will require different access privileges. Moreover, they will often have configuration needs related to individual users and groups, as well as needs related to specific Macs based on their use (and sometimes their hardware). Because of this, manual configuration is simply too inefficient. Here, automation is key.
To this end, Apple offers a range of policies that can be applied to your Mac fleet to enforce security requirements, to aid in automatically configuring Mac machines to specific profiles, and to enable and restrict access to resources on your network.
If you're already familiar with Windows Group Policies, you'll be happy to know that you can fully manage the Mac user experience in a similar manner using Apple's policies for Macs. Most of these policies can be applied either to specific Macs (or groups of Macs) or to specific user accounts (or group memberships). Some policies, however, can only be tied to Macs or to user accounts. Familiarity with how policies can be configured is vital to creating your Mac management strategy.
For example, as with Windows Group Policies, policies related to user needs and access controls are often managed based on group membership related to department, job roles, and other factors. Departmental app and Mac security setting requirements are best set based on Macs (or a group of Macs), rather than users (or group memberships). Some policies, such as Energy Saver policies, are Mac-specific rather than user-specific by default.
The nitty-gritty of policy deployment
Mac management policies, like iOS policies, are stored as XML data in configuration profiles. These profiles can be applied to Macs in one of three ways: by manually creating and distributing them to individual Macs/users, via the free Apple Configurator 2 app; by implementing an MDM/EMM solution; or through use of traditional desktop management suites.
If you choose to manually distribute configuration profiles, you'll need to use OS X Server's Profile Manager to create them; the resulting profiles will then need to be installed manually on each Mac. When opened, the profile will prompt the user to install the included policies. Using this method, there is no fully automated way to distribute configuration profiles without using additional deployment tools. If you are relying on users rather than IT staff to install them, it can be difficult to ensure that they have been installed. Because of this, manually distributing profiles may be the simplest option, but it is likely less than ideal, or not even viable, for larger organizations.
(Note: Profile Manager itself is an Apple-specific MDM solution that can be used to push policies out in the manner of other MDM/EMM offerings, in addition to creating configuration profiles for manual distribution.)
The Apple Configurator 2 app can be used to install profiles/policies to tethered Macs as well as iOS devices. This provides a straightforward, no-cost solution for ensuring profiles/policies are installed and functioning. However, it requires each managed Mac to be connected to a Mac running Apple Configurator 2 by USB for configuration. This makes Apple Configurator 2 an excellent tool for small businesses and educational organizations, which often have a simple set of policy needs, but it's an inefficient Mac management strategy if you need to configure a large number of Macs.
Here, MDM/EMM tools can help, as Mac policies can be applied using the same MDM framework used by iOS devices. As such, most vendors that support iOS management also support Mac management. Thus, they're an enterprise-friendly option, particularly because many organizations already use such solutions to manage iOS and Android devices.
Another option that scales well for enterprise use is the traditional desktop management suite, including both Apple-specific suites, such as JAMF's Casper Suite, and multiplatform suites, such as LanDesk Management Suite and Symantec Management Platform. These suites not only apply policies, but they often offer management and deployment tools as well. Given the suites' popularity, many organizations already have such tools in use, or they may find their additional features compelling enough to invest in them (more on these tools in part three of this series).
If you have concerns about the XML-based nature of Mac policies, rest assured: Admins generally don't need to directly create or edit the XML data used in Mac management policies. Most Apple and third-party tools provide intuitive UIs for setting policy options, and they handle the necessary XML creation under the hood. One exception is the Custom Settings policy for specifying settings for installed apps and additional OS X features, discussed later in this article. Configuring Custom Settings will require getting into the guts of XML.
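To show what a tool generates under the hood, here is an added example (not from the article, and not Apple's or any vendor's code) that assembles a configuration profile carrying a Login Window payload as an XML plist with Python's standard library, then runs a few sanity checks an admin would want before deploying it. The payload key names are Apple's documented Login Window keys; the com.example identifiers and banner text are constructed placeholders.

```python
# Added example: build and sanity-check a .mobileconfig profile with plistlib.
# Identifiers and banner text below are constructed placeholders.
import plistlib
import uuid

REQUIRED_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}


def login_window_payload(org_prefix: str, banner: str) -> dict:
    """Login Window payload: banner text, no restart/shutdown from the login window."""
    return {
        "PayloadType": "com.apple.loginwindow",
        "PayloadIdentifier": f"{org_prefix}.loginwindow",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Login Window",
        "LoginwindowText": banner,   # banner message shown at the login window
        "RestartDisabled": True,     # hide the Restart button
        "ShutDownDisabled": True,    # hide the Shut Down button
    }


def build_profile(org_prefix: str, payloads: list) -> bytes:
    """Wrap payloads in the top-level profile dictionary and serialise to XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_prefix}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Mac baseline",
        "PayloadScope": "System",          # device-level: applies to the Mac, not a user
        "PayloadRemovalDisallowed": True,  # user cannot remove it from the Profiles pane
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data: bytes) -> list:
    """Return problems found: missing required keys, duplicate UUIDs, bad scope."""
    profile = plistlib.loads(data)
    problems, seen = [], set()
    for item in [profile] + profile.get("PayloadContent", []):
        missing = REQUIRED_KEYS - set(item)
        if missing:
            problems.append(f"{item.get('PayloadType')}: missing {sorted(missing)}")
        if item.get("PayloadUUID") in seen:
            problems.append(f"duplicate PayloadUUID {item['PayloadUUID']}")
        seen.add(item.get("PayloadUUID"))
    if profile.get("PayloadScope") not in ("System", "User"):
        problems.append("PayloadScope must be System or User")
    return problems
```

Writing the bytes returned by `build_profile` to a file with a `.mobileconfig` extension gives a profile that can be installed by double-clicking or pushed by an MDM.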
Core Mac management policies every admin must know
Apple provides a dizzying range of policy options for Mac management, but a specific set of 13 policies is the most commonly used -- and is the most critical for managing and securing Macs in an enterprise environment. Each of the following core management policies applies to either Macs or users, unless otherwise specified:
- Network: For configuring network settings, including Wi-Fi configuration and some Ethernet connection details.
- Certificate: For deploying digital certificates used in encrypted communication within an organization as well as some identity credentials for specific services (many network services rely on certificates for secure communication and authentication).
- SCEP: To define settings for acquiring and/or renewing certificates from a CA (Certificate Authority) using SCEP (Simple Certificate Enrollment Protocol). SCEP provides an automated option that allows devices to acquire/renew certificates. It is used as part of Apple's MDM enrollment process for iOS devices and can be used for enrollment of Macs into a managed environment as well. SCEP configuration will vary depending on the CA and related management tools in operation.
- Active Directory Certificate: To provide authentication information for Active Directory Certificate servers. This policy can only be set for user accounts.
- Directory: For configuring membership directory services, including Active Directory and Apple's Open Directory. Multiple directory systems can be configured. This policy can only be set for Macs.
- Exchange: For configuring access to a user's Exchange account in Apple's native Mail, Contacts, and Calendar apps. (It does not configure Microsoft Outlook.) This can be set only for user accounts.
- VPN: For configuring the Mac's built-in VPN client. Several variables can be configured. If in operation, users will not be able to modify the VPN configuration.
- Security & Privacy: For configuring several of OS X's built-in security features, including the Gatekeeper app reputation and security tool, FileVault encryption (can be set for Macs only, not users), and whether diagnostic data can be sent to Apple.
- Mobility: To set whether or not mobile account creation is supported, as well as related variables (see the first article in this series for information about mobile accounts).
- Restrictions: For restricting access to a range of OS X features, such as Game Center, App Store, the ability to launch specific apps, access to external media, use of the built-in camera, access to iCloud, Spotlight search suggestions, AirDrop sharing, and access to various services in the OS X share menu.
- Login Window: For configuring the OS X login window, including any login window messages (referred to as banners); whether or not a user may restart or shut down a Mac without logging in; and whether or not additional information about the Mac can be accessed from the login window.
- Printing: To preconfigure access to printers and to specify an optional footer for all printed pages.
- Proxies: For specifying proxy servers.