#121
League Commissioner
Join Date: Jan 2005
Posts: 8,475
The problem is with your assumptions. You're basing your idea of security on isolating the OS from the real world, and that doesn't help anyone, including enterprise users. Try not to think of security through the tunnel vision of corporate IT's party line. A sandbox is good for testing and nothing more. It shouldn't be turned into a crutch. The OS needs to be able to survive in the real world without firewalls, AV software, and even admin accounts. You can't blame anything other than the OS for the existence of a virus on any computer. (As I've said before, the Mac isn't perfect either. It does need separate admin and user accounts, and I do recommend people not use admin for day to day work.) Imagine if you had complete, total control over your computer! Would it be theoretically possible for it to get infected by a virus? No. If it were, then you wouldn't have total control, would you? Control is the real goal. Security is just a byproduct.
I know, and I hope that's just their attempt to appease corporate IT heads. Giving the user more control is what pushes the real advancements, and what makes Apple a real innovator. If/when they start believing in locked down security, they'll fail because locked down systems require the kind of conformity that stifles innovation.

#122
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
LOL, with all the nasty crap on the internet I can't believe you think that. Well, if we lived in a perfect world.....

#123
League Commissioner
Join Date: Jan 2005
Posts: 8,475
It isn't a matter of living in a perfect world. It's a matter of having a much better OS than Windows.

#124
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Update!!!!
Just got out of a meeting with a few of my bosses and it seems some bigwigs went out to the Apple development conference recently and got to see hands on what Apple was offering in their products. It looks like we are going to start rolling out a lot more Macs at work now. Next phase will be around 600 MacBooks they are guessing. We will of course deploy a dual boot image on all of them so they can run Windows. iMacs will also be looked at replacing some of the older desktops in our buildings. The high end labs will be getting new Mac Pro desktops.
Also, we are getting new Xserves, and are looking at implementing data storage and backup on the Mac side. So I will probably be writing up an rsync script with a cron job to automate everything. We are also upgrading a lot of labs very soon with new Intel iMacs, which will also be dual booting Windows, but we already have 1 dual boot lab in place so our trial run for that is done. For the most part it works flawlessly, and the few things we did wrong we realized what we did wrong and will change those minor things when we roll out the next image for that lab.
We are also very close to completely integrating the Mac platform with our eDirectory Novell solution and LDAP. I am still working on getting the calendar and address books to work properly but it is not wanting to work properly. We have AFP running on the NetWare servers and we are able to map NetWare drives. Looking at login hooks and other things to get this to work but ultimately I would rather have an OD master Xserve just mirror our eDirectory via LDAP and have Mac users authenticate with the OD master instead. Who knows exactly how it will work out though, it is hard to tell. We have also implemented the Mac client for iPrint, so we can now use Novell's print server on the Macs which is actually a very nice web based tool for controlling, admin, and deploying network printers out to many clients.
I also may be deploying a few cheap old Linux file servers in some remote areas too for storage for some of the Mac labs. Almost every Mac lab has a few PCs in it, so running Linux is my suggestion, plus the benefits of running it as a file server is very nice as well. No connection limit, etc like Windows and OS X both have on their client machines, it keeps cost down, and I have yet to have a Linux box crash on me. We have an existing tape backup solution on top of all of this that we will also be implementing on the Mac side so users can have their data backed up with the same redundancy as the PC side.
Last edited by tlarkin; 06-25-2007 at 12:44 PM.

#125
Moderator
Join Date: Nov 2003
Location: Norway
Posts: 3,152
That’s great news, Tom! And let us know if there is any sign of an epidemic -- on the enterprise level.
__________________
"You say this gadget of yours is for ordinary people. What on earth would ordinary people want with computers?" HP executive to Steve Wozniak

#126
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Well the bid got pushed back, probably won't see the new Macs until around December or so, but hey that's what happens in Education I guess.
On a side note I did some side work today for a friend of mine who helps run an independent record label. They just signed the Meat Puppets btw and their album was released today (I know, I know, shameless plug!). I was there at their offices not to fix their Macs, but to fix their PCs. They have to use a Windows laptop for one function, Crystal Reports which keeps track of business sales and is a purely ActiveX driven site. Now they do not have any Intel based Macs yet so running Boot Camp or virtual machines of Windows is not an option yet. I fixed the PC and got it working again but I was discussing technology in general with my friend and he was going on and on about how simple and easy his Mac was and how it just worked. Of course he knows very little of Unix and very little of anything to do with IT, he is just a user. So, Apple does totally make sense in a small business situation.
Now they both had Mac minis since most of their work is just plain old office type work. Documents, web browsing, emails, etc etc. They don't record music or anything taxing on these computers they are just used solely for office work. Which is what most computers in the Enterprise type networks are for, they are there for users to do basic office type work on them. I got some open source apps for them so they can do the office type productivity stuff and it keeps their costs down. I mean they already had monitors, a Mac Pro is way overkill and an all in one machine was not really what they wanted and they wanted to keep costs down. Considering all of this, perhaps the Mac mini may be the way for big enterprise level networks to migrate to the Mac. It has its downsides and well it's not a bare-bones mini tower desktop, it's a small integrated piece of technology, which nothing is upgradeable and everything is one piece. Which also has its ups and downs.
I was talking to them about even setting up a file server for backups and well I will probably just go Linux for this since I can get a cheap PC, slap Linux on it and toss in a few larger HDs, and then have it sync with another device for redundancy. Mainly because open source OS and cheap PC means it costs next to nothing for them.

#127
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Well, I had lunch with our Apple SE the other day, and he is a pretty cool guy. We talked shop and talked about some things to look for with newer versions of OS X. Things like roaming profiles, better directory service support in OS X.
We already know that you can migrate an OS X client into a MS Windows AD environment and Novell ED environment. We have a small test network at my work doing so. The permissions and policies can be a huge headache because ACLs don't work properly and if they go corrupted you just lost access to your data. The server admin tools for OS X server are very nice, but they need to be somewhat more robust. I think that with the release of Leopard, and with how crappy Vista is and that you can pretty much file share and authenticate into an existing enterprise solution (well most of them) you will start seeing companies allowing users to choose, do you want a Mac or a PC?
We just got done imaging all of our Macs over the summer, Bombich's (pronounced bombicK I just found out) NetRestore software will most likely be phased out since Apple is going to probably start offering these features natively, much like Windows is doing with WDS. Then you're not stuck paying a ton for a solution like Ghost. I hope this trend continues because it will open up career opportunities for me since I am experienced in many different environments and know how to get around in OD/AD/ED and of course in OS X. Companies will need people with the know-how to migrate Apple solutions into their existing environment.
At home I currently have an OD master set up, and I think this winter when I build a few new systems I will set up a Windows AD server and try to bind my OD to the AD and use AD for authentication and drive mapping, and use the OD to push out policies and permissions. I am starting to study up for my ACTC cert again since I have time now and I really want to go through with it this time, hopefully I will have time to study. Also, I realized that they don't teach this type of stuff in college or any trade school. In fact they completely ignore the Mac platform altogether, so really all the experience I am getting through this is going to be very valuable.
Now, only if OS X could easily integrate Exchange's contacts/calendar system. I would like to mess around with that, but we run GroupWise at work and well I don't really feel like setting up an Exchange server at home for giggles, plus Exchange has some hefty hardware requirements. I do have access to all the software though via my work's MSDN subscription and our Apple upgrade site license subscription. So, really it's just a matter of me getting the right hardware and network set up at home. Then again, not sure if I want 15 computers in my apartment testing all this stuff out. I am going to need a bigger switch! If anyone has a spare old Cisco switch they are getting rid of let me know, I think I may really need to purchase a decent switch. I will pay what I can for it or at least pay for shipping. Donations are gladly accepted. I am going to need probably 20 ports, because I really want to learn all this stuff. Yes I know I am insane.
Last edited by tlarkin; 08-31-2007 at 04:35 PM.

#128
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Okay, so more thoughts rushing through my head. Lately, in my spare time to better my own skills I have been working around with AD/OD/ED and trying to figure out how things work. I mean Apple does some things awesomely correct, and other things they have elitist tunnel vision. Which irks me at times when I know that they could do something to make their technology so much more adaptable and easy to use.
I recently went to some Leopard server training at a University here where I live. I won't go into deep detail because some people will get offended that I am discussing a product that isn't released and we should all think secret. Anyways, one of their selling points of the brand new Xserves is that they are completely modular. Meaning that it takes one hand and no tools to pop parts in and out. They were so happy about this, and when no one applauded they were like oh come on, not even a clap? Maybe Apple doesn't realize this, but they are chiming in real late on this modular functionality. I can tell you from my personal experience fixing both Xserves, and HP enterprise products (ProLiant servers, data storage works, etc) that HP has been doing this for years, and so has Dell and IBM. They have all made it easy. Duh, you want your servers to have very little downtime, need to swap out a part? Do it very fast and make it modular. They finally added redundant power supplies and made it more energy efficient. So, it looks like Apple is looking into the Enterprise market, even though Jobs himself has been quoted saying that Apple is not an enterprise company, they are a consumer company. Well, I am very excited to see all the new technologies in the real world when Leopard server ships, I just hope migration doesn't bust all existing and working services running.
Which brings up my very next point. Virtualization! Apple doesn't have it and has no plans on implementing it any time soon. I was told this from an actual Apple engineer. This is so ridiculous. So, I want to migrate to a new OS or a new software solution on my Mac, and I can't deploy virtual machines to test it out. I want to update a base image because newer hardware can't run on older OS images, so I load up a virtual machine, update it, then migrate it to an image. Then deploy my new image.
A user has a failed machine, instead of making them wait the 1 to 2 day turn around time for parts (this only applies if you are a self maintainer) set them up a virtual machine through some sort of console, or dummy terminal. Then you have ZERO downtime. Or let's say I want to start distributing functions/features/services to different servers, I can test this out with virtual servers in a small test environment and get a feel for its scalability and then deploy it network wide. All of these tools are readily available for Linux, Unix, and Windows and many other platforms. These things make it easy for IT people to deploy technology within their infrastructure. The Apple engineer told me that I had to buy hardware. That is their answer. You know how annoying it is to keep an extra stock machine of every model of Mac you run so you have easy access to create images or to have to go hunt down a spare somewhere and haul it back to your office? Why not just let us virtualize, it will help your cause Apple trust me.
Okay, now to step back and look at some other things that make Apple good in the enterprise... Document cameras are the bane of our IT department's existence at the moment. We ordered a plethora of Doc Cams (like 100s and 100s) to go along with our digital classroom installs (consists of digital imaging equipment, projectors, and other educational technology) so users can take snap shots of multiple hand written documents and display them on the projector. Quite handy in education. Well, we tested them before we bought them obviously and they tested fine on our HP enterprise desktops. Cool, we bought them. Well it turns out that one specific model of HP desktops (which we probably have a few thousand of) has intermittent issues with the doc cam and its hardware configuration. These problems are intermittent and only happen on this model. Every other model works fine, and we run about 4 different models of HP desktops throughout our whole network right now.
This specific model has some kind of weird intermittent and inconsistent issues with video of the document camera, that were not present when we tested it. Sure, some blame can be put on us for not testing it out for weeks on end to finally get this problem to surface, but then again no one really has time for that. Now, if third party hardware works on a Mac, it works on a Mac pretty much regardless of whatever Mac it is connected to as long as it meets the minimum specifications to run said hardware. This is an advantage of a closed platform, it has more quality control.
Apple is going to make some changes and you will start to see organizations taking advantage of what Apple is doing. It is coming, but not just yet. Apple is almost getting it right. Leopard will change a lot of things, or at least this is what I learned in the server training I went to. They are making their product play nice with others, or so they claim.

#129
All Star
Join Date: May 2007
Posts: 674
Do you mean that there is another redesign of the servers, or are you talking about the design differences between the G5 Xserves and Intel Xserves? I just had to replace the fan unit and fan controller board on one of the new Intel Xserves and I needed two different screwdrivers to do it.
Brett

#130
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
The training was only about 4 and 1/2 hours long so they didn't cover every aspect, but this is their brand new Xserve. It is completely modular. You may have opted for a security device which does latch down the top case part of a rack server and requires a tool, so not just anyone can go pop open a server. That would require a tool but once inside it should all be modular.
For example when I have to replace a system board in an HP ProLiant server, I use my flat head for a prying device to pop open the top plate. They have a security device on them but we don't enable them (it is some kind of torx device). So I can thumb screw everything out and then pop the part out. I think I have to actually undo like two screws, which are thumb screws. The new Xserves take this approach. The review they were so happy to boast about said it was so easy you could take it apart while eating pizza, let me Google it.
source: http://weblog.infoworld.com/enterpri...hives/2006/10/

#131
All Star
Join Date: May 2007
Posts: 674
The power supply and the HD trays are modular. The cover comes off quite easily. Inside, to access most of the boards you have to remove an airflow shield that is held down by 5 screws. The board mount screws have plastic thumbgrips on them, but they were screwed down with so much torque and there was so little room around them that I couldn't get them undone with my fingers, hence the second screwdriver. The magnet nuts on the mounting rails were nice, but it is quite easy to align them in a way that the servers will bind when you slide them in. I found it easier to leave all of the screws kind of loose, put the Xserve in, and slide it out enough to tighten the screws. What I found most annoying was that everything came in individual little plastic bags. I spent more time unwrapping those bags than almost anything else.
Now I don't have any experience with other brands of servers, just the G5 & Intel Macs, so I can't comment on any other types of equipment. These may or may not be better than other servers, but other than the power supply I wouldn't consider these computers modular. Even the HD is held to the tray with 4 tiny screws. I would be interested in hearing what you think after you have to actually take one apart as you clearly have a lot of experience with a lot of different types of hardware. My opinions may be completely out of whack with reality.
Brett

#132
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Brett-
The problem is, our Xserves don't break! I haven't had to take them apart yet. In retrospect we have probably 100s of HP ProLiant servers running and maybe like 3 Xserves in our whole network. Most of the time our failures are on redundant parts, so I down the server after school is out when no one is around and replace and bring it back up (all in a matter of minutes), reconfigure iLO management, set up network settings, done. Or our failures are caused by lightning strikes. Luckily our Xserves have just never had a problem. Though we do have them on some pretty hefty UPS units that weigh like 500lbs each. If we get any more in I will definitely take it apart to find out more on them. They also finally added redundant power supplies.

#133
All Star
Join Date: May 2007
Posts: 674
I just finished reading the blog post that you reference. He must have seen a preproduction model, as just the 5 air shield screws couldn't be removed with a TSA approved butter knife. Also the connectors were the tightest that I have ever seen, much tighter than anything in a PC, car, engineering equipment at school, or an electronic lock (I was a locksmith while going through school). They were even hard to reinsert.
Again, the caveat is that I have only taken apart two of the Intel Xserves. Interesting thing about that guy's posts, I never considered upgrading CPUs. Maybe something to try in 2 1/2 years. I wonder if I could get a deal on 80 new processors?
Brett

#134
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
If there is one thing I have learned about enterprise level sales, it is that there is always a price break if you buy in quantity. I can call my sales reps and say how much for how many and how can you give me price breaks? They will respond in some time and say, well if you buy x amount I can give them to you at y price.

#135
All Star
Join Date: May 2007
Posts: 674
The only problems that I have had with Xserve are with parts being bad out of the box. One stopped working a day after I installed and even though it was working, Apple declared it DOA, which was nice of them. Didn't have to send it to them until we got the replacement. That one I just kind of poked around in. Another one had a fan that ran at the max rpms all of the time. That is the one that I needed (actually Apple sent me the parts, so I "needed") to replace parts on. It wasn't really that big of a deal since 90% of the time the computers are running at 100%, but mostly I didn't want it to be an issue down the road. The guy before me, who purchased and set up this system, somehow blew a G5 CPU on one computer and the motherboard on another, but both of those were dropped off at the Apple store for repair.
All of the computers are plugged into a UPS that is about 4 feet wide, 6 feet tall, and 15 feet long. A tech took off one of the cover panels and the capacitors in there are bigger than pop cans. It made me nervous just being near the thing with the cover off. A lot of open connections to short. I didn't really know that they made UPS that large until I saw it. I am using about 1/3 of the circuits coming out of it.
Brett

#136
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Well I can say from experience I have had many of the G5 processors fail on me in the G5 tower desktops. So I am sure it is possible they can fail in the server.
Are you not a self maintainer? If you are you get access to all kinds of resources and can order parts directly online under warranty and get everything overnighted to you. If you have enough Mac machines at your place of work, Apple will actually reimburse you for your labor, meaning they pay you to fix your own stuff.

#137
All Star
Join Date: May 2007
Posts: 674
We only have 7 towers and not any problems with them.
We are not a self-maintainer. We only have the 7 towers, one Mini, and the 94 servers. The division I work for, not IT, bought the computers, so Apple knows that sales to us are limited. I am not the IT person, just the stuckee, as IT won't touch the computers because they aren't Linux.
Brett

#138
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
I am willing to bet that having 100 machines and 95% of them being servers you can qualify for the first tier of being a self maintainer. Meaning you can diagnose and repair all in house products, but you don't get reimbursements. This cuts down on calls to Apple and if you know the problem, i.e. a bad system blower, you can just order it and bypass the need to call them.
They would require you to get certified too, so maybe your company wouldn't bother with it. I think it is a good idea to do everything in house. Your IT people are weird evangelistic Linux people? Do they have penguin tattoos or the Linux fish on their car?

#139
League Commissioner
Join Date: Jan 2005
Posts: 8,475
As much as I like to blame Microsoft for most problems, I think they're just a symptom of the real problem, which is myopic IT departments. If they truly won't touch a computer that isn't running Linux, they're just as bad as the ones that won't support anything but Windows. The same would apply if they were Mac only, although I could see locking out Windows, but only because it causes so much trouble for users. Even then, I think it should be up to the department heads to do that, not IT.

#140
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Yup, all it takes is a manager of some sorts to dislike something. For example, my boss has hated Dell from some bad experiences, which is why we don't have any Dells, even though we could possibly get a better price break on them. Also from a management perspective, you can't support everything. Read my previous posts on how you can't support everything, because it just causes too many problems.