What should IT admins do if some employees prefer to work on Macs but the rest of the office is on Windows? Although Windows continues to dominate the world of desktop computers and laptops across the globe, the number of Mac computers in companies is growing – according to analyst estimates, the number has grown by over 10 per cent this year. But Macs in a Windows world can result in some serious headaches for IT admins. Known as shadow Macs as they are often unregistered, unmanaged, unsupported and above all, not subject to security regulations, it falls to the IT department to integrate them into the network so that they receive the same level of support, functionality and security.
Why Macs appear in office environments
Regardless of whether a Mac presence has been officially permitted in the office or has spread secretly through BYOD, there are good reasons for Macs to be welcomed into the workplace. First and foremost is cost. Companies that use Mac and Windows computers regularly refer to the significantly lower support costs of Apple computers. This can be seen in the number of calls made to the help desk. As a result, Mac users require significantly fewer support staff than Windows users do.
In general, viruses, Trojans, and ransomware primarily target Windows systems, which means that Macs are less affected by security attacks from the outset. macOS also features more integrated security, such as FileVault 2 for data encryption, and Gatekeeper, which protects against the loading of harmful software. In addition, because Apple is the only computer manufacturer that offers synchronised hardware and software, Mac systems are more reliable compared to Microsoft, which must aim to make Windows run smoothly on numerous different PC models.
Three options for Mac in a Windows Landscape
When Macs appear in an office, IT departments basically have three options for integrating them into their existing Windows administration. Firstly, they can configure and operate an in-house admin structure for Mac computers in addition to the one they already run for Windows PCs. This essentially means two administrations, which equals twice the effort. Secondly, they can look to support Macs using their existing PC administration. This means using Microsoft System Centre Configuration Manager (SCCM), which has its own limitations and challenges. Or thirdly, find a way to use one IT administration programme to fully manage both types of computers. This is the preferable option, but you must know what to look for when assessing the different market solutions.
Two admins equals double the effort
Drilling down into these options, we start with what seems an obvious solution to managing Mac in a Windows network – configuring and operating an individual, separate administration for Apple computers. The market offers well-suited solutions for this; however, it means the effort needed to support devices in the company doubles. Not only do two whole IT administration systems need to be configured and operated, but several administration tasks – from configuring and monitoring devices to data backup – need to be performed twice. Even if everything goes according to plan, something may be missed during integration, such as system administration or reporting.
Use SCCM – with limits
The second option is to enable the existing Windows IT administration to also administer Macs and the most common way to do this is to use Microsoft System Centre Configuration Manager (SCCM). However, SCCM has its limits including manual installation and registration, which is time-consuming if there are many Macs involved. In addition, although SCCM offers administration for compliance settings on Mac, these settings are restricted and only available via scripts, not OS X® Configuration Profiles. SCCM cannot activate and administer encryption of Mac computers, it can only transfer software to macOS systems via the new application model and is limited in its capacity to install patches on Mac computers. SCCM also does not support the deployment of the Apple operating system and, similarly, does not support remote operation of Mac from the console. Furthermore, Mac computers cannot be remotely locked or wiped.
If that wasn’t enough, the restricted administration of Mac with SCCM involves configuring a public key infrastructure which means every Mac with an SCCM client program installed operates like an Internet-based client. So, you then need a site server with a qualified domain name and at least one management point and distribution point for HTTPS on the SCCM side. After configuring the Enrolment Point and Enrolment Proxy Point functions in SCCM, the Macs can enter into the SCCM environment but you also require more than one management point and one distribution point if you do not want to install HTTPS communication across your entire IT landscape. One of these points must then be configured for HTTP communication and the other for HTTPS in each case.
No compromise for Macs in a Windows world
The effort involved in implementing basic Mac administration using Microsoft SCCM alone, is clear. However, there are alternatives that extend Microsoft SCCM so that it can provide IT admins with full control of all Mac and PC computers in their network landscape from anywhere, through one familiar interface.
Look for a solution that integrates fully with SCCM, like a plug in, so it takes only hours instead of days to deploy and requires no additional infrastructure or training. An important function to include is the ability to automatically detect, register and configure Macs so as to eliminate time-consuming imaging or manual configuration. You also need to easily enforce macOS compliance with security regulations and be able to support any upcoming macOS releases. Last but not least, your solution should allow you to remotely lock and wipe managed Mac devices and provide SCCM software metering and reporting, to help calculate the need for software licences.
Most enterprises with complex network configurations use Microsoft SCCM but when an increasing number of Mac devices need management, Microsoft SCCM needs to be extended beyond what its native functionally can provide. Luckily, there are some great solutions that deliver this extended capability so hard-pressed IT admins can discover, enrol and manage Macs in the same way they do PCs, eliminating the worry caused by shadow Macs.
Ian Appleby, Territory Manager, Northern Europe & MEA, Parallels Cross Platform
Image Credit: Pio3 / Shutterstock