Bringing Macs into an existing IT environment can make any Windows admin feel a little wrong-footed. Everything is familiar, in terms of the tasks and settings, but with enough of a twist to seem a bit foreign at first. Our ongoing series of Mac management tips is here to help guide you in rolling out Macs securely and productively.
In part one of this series, I looked at the essential requirements for integrating Macs into enterprise environments, including how to join them to enterprise systems. At scale, large Mac deployments often require a unique set of skills and tools to be successful. The same goes for applying management policies to Macs, which I cover in this article. Here, you will get an overview of Mac policies and insights into how to plan a strategy for deploying them.
In final piece of the series, I'll look at the specific tools used to apply policies, as well as tools that offer additional management and deployment features.
The upshot on Mac management policies
How to go about managing Macs is a question of scale. Technicians at organizations with a small number of Macs can often configure each Mac individually or create a single system image that applies a uniform configuration to every Mac. In larger organizations, the challenges are more complex. Different users or departments will have different configuration needs, and they will require different access privileges. Moreover, they will often have configuration needs related to individual users and groups, as well as needs related to specific Macs based on their use (and sometimes their hardware). Because of this, manual configuration is simply too inefficient. Here, automation is key.
To this end, Apple offers a range of policies that can be applied to your Mac fleet to enforce security requirements, to aid in automatically configuring Mac machines to specific profiles, and to enable and restrict access to resources on your network.
If you're already familiar with Windows Group Policies, you'll be happy to know that you can fully manage the Mac user experience in a similar manner using Apple's policies for Macs. Most of these policies can be applied either to specific Macs (or groups of Macs) or to specific user accounts (or group memberships). Some policies, however, can only be tied to Macs or to user accounts. Familiarity with how policies can be configured is vital to creating your Mac management strategic.
For example, as with Windows Group Policies, policies related to user needs and access controls are often managed based on group membership related to department, job roles, and other factors. Departmental app and Mac security setting requirements are best set based on Macs (or a group of Macs), rather than users (or group memberships). Some policies, such as Energy Saver policies, are Mac-specific rather than user-specific by default.
The nitty-gritty of policy deployment
Mac management policies, like iOS policies, are stored as XML data in configuration profiles. These profiles can be applied to Macs in one of three ways: by manually creating and distributing them to individual Macs/users, via the free Apple Configurator 2 app; by implementing an MDM/EMM solution; or through use of traditional desktop management suites.
If you choose to manually distribute configuration profiles, you'll need to use OS X Server's Profile Manager to create them, then the resulting profiles will need to be installed manually on each Mac. When opened, the profile will prompt the user to install the included policies. Using this method, there is no fully automated way to distribute configuration profiles without using additional deployment tools. If you are relying on users rather than IT staff to install them, it can be difficult to ensure that they have been installed. Because of this, manually distributing profiles may be the simplest option, but it is likely less ideal, or even viable, for larger organizations.
(Note: Profile Manager itself is an Apple-specific MDM solution that can be used to push policies out in the manner of other MDM/EMM offerings, in addition to creating configuration profiles for manual distribution.)
The Apple Configurator 2 app can be used to install profiles/policies to tethered Macs as well as iOS devices. This provides a straightforward, no-cost solution for ensure profiles/policies are installed and functioning. However, it requires each managed Mac to be connected to a Mac running Apple Configurator 2 by USB for configuration. This makes Apple Configurator 2 an excellent tool for small businesses and educational organizations, which often have a simple set of policy needs, but it's an inefficient Mac management strategy if you need to configure a large number of Macs.
Here, MDM/EMM tools can help, as Mac policies can be applied using the same MDM framework used by iOS devices. As such, most vendors that support iOS management also support Mac management. Thus, they're an enterprise-friendly option, particularly because many organizations already use such solutions to manage iOS and Android devices.
Another option that scales well for enterprise use is the traditional desktop management suite, including both Apple-specific suites, such as JAMF's Casper Suite, and multiplatform suites, such as LanDesk Management Suite and Symantec Management Platform. These suites not only apply policies, but they often offer management and deployment tools. Given the suites' popularity, many organizations often already have such tools in use, or they may find their additional features compelling enough to invest in them (more on these tools in part three of this series).
If you have concerns about the XML-based nature of Mac policies, rest assured: Admins generally don't need to directly create or edit the XML data used in Mac management policies. Most Apple and third-party tools provide intuitive UIs for setting policy options, and they handle the necessary XML creation under the hood. One exception is the Custom Settings policy for specifying settings for installed apps and additional OS X features, discussed later in this article. Configuring Custom Settings will require getting into the guts of XML.
Core Mac management policies every admin must know
Apple provides a dizzying range of policy options for Mac management, but a specific set of 13 policies is the most commonly used -- and is the most critical for managing and securing Macs in an enterprise environment. Each of the following core management policies apply to either Macs or users, unless otherwise specified:
- Network: For configuring network settings, including Wi-Fi configuration and some Ethernet connection details.
- Certificate: For deploying digital certificates used in encrypted communication within an organization as well as some identity credentials for specific services (many network services rely on certificates for secure communication and authentication).
- SCEP: To define settings for acquiring and/or renewing certificates from a CA (Certificate Authority) using SCEP (Simple Certificate Enrollment Protocol). SCEP provides an automated option that allows devices to acquire/renew certificates. It is used as part of Apple's MDM enrollment process for iOS devices and can be used for enrollment of Macs into a managed environment as well. SCEP configuration will vary depending on the CA and related management tools in operation.
- Active Directory Certificate: To provide authentication information for Active Directory Certificate servers. This policy can only be set for user accounts.
- Directory: For configuring membership directory services, including Active Directory and Apple's Open Directory. Multiple directory systems can be configured. This policy can only be set for Macs.
- Exchange: For configuring access to a user's Exchange account in Apple's native Mail, Contacts, and Calendar apps. (It does not configure Microsoft Outlook.) This can be set only for user accounts.
- VPN: For configuring the Mac's built-in VPN client. Several variables can be configured. If in operation, users will not be able to modify the VPN configuration.
- Security & Privacy: For configuring several of OS X's built-in security features, including the GateKeeper app reputation and security tool, FileVault encryption (can be set for Macs only, not users), and whether diagnostic data can be sent to Apple.
- Mobility: To set whether or not mobile account creation is supported, as well as related variables (see the first article in this series for information about mobile accounts).
- Restrictions: For restricting access to a range of OS X features, such as Game Center, App Store, the ability to launch specific apps, access to external media, use of the built-in camera, access to iCloud, Spotlight search suggestions, AirDrop sharing, and access to various services in the OS X share menu.
- Login Window: For configuring the OS X login window, including any login window messages (referred to as banners); whether or not a user may restart or shut down a Mac without logging in; and whether or not additional information about the Mac can be accessed from the login Window.
- Printing: To preconfigure access to printers and to specify an optional footer for all printed pages.
- Proxies: For specifying proxy servers.
Additional policies to round out your fleet
In addition to the policies listed above, Apple provides a range of policy options for configuring the Mac user experience. Some organizations will find these policies helpful for all Macs or only a subset of their fleet. These policies include the ability to preconfigure AirPlay; to set up access to a CalDAV server and a CardDAV server in the Calendar and Contacts apps; to establish the ability to install additional fonts; to configure access to an LDAP server solely for the purpose of looking up contact data; to preconfigure POP and IMAP accounts in the Mail app; to configure and add items (Web clips, folders, apps) to the Dock; to set Energy Saver preferences, as well as startup/shut down/wake/sleep schedules; to enable a simplified version of Finder and block certain commands, such as Connect to Server, Eject Volume, Burn Disc, Go to Folder, Restart, and Shut Down; to specify items that should automatically open at login; to configure accessibility features for users with disabilities; to set up Jabber accounts in the Messages app; and so on.
There is also an option to prepopulate user account identification when a profile is installed. This is generally used when profiles are installed on individual Macs. When a Mac is joined to a directory, user account information is retrieved from the directory.
The Software Update policy is relevant for organizations deploying OS X Server for use as a local Software Update Server. OS X Server has the ability to cache local copies of Apple Software Updates in order to improve performance and reduce network congestion when updating your fleet.
Custom Settings: Your policy for defining app or system settings
The Custom Settings policy plays an important role in maximizing IT's ability to manage the entire Mac user experience. It allows an admin to specify settings for any installed apps and additional OS X features even if those apps or features don't have an explicit policy defined by Apple. When used, the XML data from an app or feature's preferences file must be specified. The easiest way to use this option is to configure an app or feature with the desired setting, and then locate the appropriate .plist file (typically in /Library/Preferences directory within the current user's home folder). Alternatively, the related XML keys and information can be entered manually.
Since policies can be applied based on individual Macs, groups of Macs, individual user accounts, or user groups, there are situations where multiple policies may be applied at one time. The resulting experience depends largely on the type of policy.
The majority of policies add a configuration element; when there are multiple instances of these policies, all of them are applied. For example, if a Mac has a policy that specifies Dock items and a user is a member of two groups that each specify additional Dock items, that user will see a combined set of all specified Dock items when he or she logs into that Mac. (Another user logging into that same Mac would see the Dock items specified to that Mac, as well as any specified to his or her group affiliations.)
There are some cases, however, where policies can't simply add to each other. This is particularly true about features that restrict user access to functionality or features. In these cases, the most restrictive policy is the one that is enforced.