In my last column, I talked about how you can use Apple’s client management tools to help lock down portable/removable media access on a Mac, and how you were going to need a Mac to run the administrator tools to do this.
I also mentioned that there were some tools that allowed you to manage your Macs from a Windows machine via the Active Directory tools and group policy objects, or GPOs.
Two major names in this area are Vintela and Centrify. Vintela’s main product is its Vintela Management Extension, which allows you to manage Mac OS X and other Unix systems from Microsoft Systems Management Server (SMS) 2003.
The Vintela Management Extension (VMX) is an SMS client for Unix and Mac OS X systems. It allows you to handle things like software distribution, hardware/software inventory, software metering, system discovery, remote command-line and VNC access, reporting, etc. There’s also support to integrate VMX clients into the Active Directory single sign-on environment, and to run software distribution on the client systems. Currently VMX is PPC-only, but I’d expect a universal binary version out soon enough.
I didn’t get a chance to play with Vintela, as I’m not in an SMS-managed network, but for those who are, it looks fairly impressive. As would be expected, VMX doesn’t support Installer VISE or Stuffit Installermaker packages, but then, there aren’t many packages that do.
It looks as though you can also use VMX to distribute software to Mac OS X systems via RPM, but again, I’ve not used it, so caveat emptor. There is some support within VMX for using it to join your clients to the Active Directory domain, but it doesn’t look as full-featured as the Apple Active Directory plug-in or ADmitMac from Thursby Systems.
If you’re in an SMS network, and want to be able to remotely manage your Macs without having to purchase Apple Remote Desktop, then I highly recommend going to Vintela’s site and downloading the demo of VMX and giving it a try.
Integrating Group Policy Objects
For those who want GPO integration, Centrify’s DirectControl may be the solution you’re looking for. DirectControl is designed to integrate your Mac into Active Directory in a way that allows for the use of GPOs on your Mac systems.
I did get a chance to play with DirectControl for a bit, and it’s a solid tool. If you’re looking for a way to completely replace Workgroup Manager, however, you’re going to be disappointed. DirectControl doesn’t allow you to manage all the preferences that Workgroup Manager does, nor does it allow you the flexibility of Workgroup Manager’s “Managed Preferences” for pushing out various third-party .plist files.
The biggest reason for this is probably that Active Directory doesn’t directly support this by default, not without extending the Active Directory schema to support the Managed Client for OS X (MCX) attributes that Active Directory would need.
That’s not to say that DirectControl is of no use. It’s quite handy for applying the policies it knows about, such as password policies, home directory location, and other such items. DirectControl also provides an Active Directory plug-in for Directory Access, that allows your systems to authenticate to Active Directory, much as the Apple plug-in does. (Note: I’ve no idea what this will do to a Mac in a “Golden Triangle” situation. “Golden Triangle” is the name given to Mac/Windows integrations that use an Active Directory domain controller and an Open Directory Master to manage Mac OS X clients. The visual for this is a triangle, hence the name. For more information, check out AFP548.com.)
There are some things about DirectControl that I wasn’t impressed with. DirectControl doesn’t seem to be able to use the Active Directory user and group IDs directly, but rather has to map those over to traditional Unix UID and GID numbers. It has to use its own Active Directory plug-in, which may cause problems for those who need to integrate MCX and other services for their Macs via a “Golden Triangle” setup.
I can see why DirectControl does things the way it does, as it has to support many Unix client types, not just Macs, but I would like to see future versions use the native Mac OS X Active Directory plug-in for authentication services. The client installer for Mac OS X could be cleaned up a bit more too.
Using DirectControl within Active Directory is a little wonky too, as it sets up its own “zone” paradigm for managing Unix systems within the Active Directory tools. Again, I can see why they do this, but it seems a bit unnecessary. If you only need to handle the most basic client management needs — like password policies, log-in banners, account lockouts, very basic mobile accounts — and you don’t want to have to set up an Open Directory Master on your Windows network, or modify your Active Directory schema, then DirectControl is probably not a bad option. But in its current incarnation, it’s not going to completely replace Workgroup Manager and MCX.
So there are two options for running Macs from a Windows network. Vintela is more of a replacement for Apple Remote Desktop, and Centrify is a way to do basic management on your Macs via Windows GPOs. Right now, there’s still no complete package, but with Microsoft having “found the interoperability religion” here and there, perhaps with Longhorn Server, they’ll make some improvements to help make this job easier.