#141
League Commissioner
Join Date: Jan 2005
Posts: 8,475
Maybe not everything, but the top three operating systems shouldn't be a problem for a professional, and I count the various versions of Windows as one operating system.

#142
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
No, you can't. There are so many factors: What is your infrastructure? What is your model? What are your users' needs? What is your budget? How would you apply this technology? Just supporting the top three OSes because it is a good idea is not a good idea. You realize when I am talking about my job, I am talking about supporting 33,000 users. That is a lot, and everything has to be considered. So, we support certain things and others we do not.

#143
League Commissioner
Join Date: Jan 2005
Posts: 8,475
You're forgetting the most important factor: What do the people you're supposed to be supporting need?

#144
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
No, I stated what our users' needs are. It is a factor and I listed it.

#145
All Star
Join Date: May 2007
Posts: 674
Actually we have lots of different IT people. Some only deal in Windows, some just in Linux, some with just Sun, some with just HP. There are a few that "know" Linux and Unix, but I think that someone in management probably decided that Mac OS is different enough that they shouldn't support it, as they already support all of the other OSes. I believe that judgement was made without anyone ever having looked at one, though.

Of course, if I was in IT, I would worry about a computer system that someone with no training was able to set up in about a week. If they are that easy, one might not need so many IT guys.

Brett

#146
League Commissioner
Join Date: Jan 2005
Posts: 8,475
All too often, that's the major/only motivation.

#147
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
|
This has nothing to do with the IT department per se; it is more of a management issue. Even though Apple machines are easy to set up, I wouldn't expect your average user to know anything about fixing one or about advanced configuration. Plus, would the user take the proper security measures? Work the help desk for two weeks; after you reset the 5,000th password for your user base you realize they can't even remember passwords. I can remember all my passwords, and I change them every 90 days on systems I need lots of security on. Do you expect your users to set up switches, routers, firewalls, servers and the other things that make up your infrastructure? There is a reason why you have on-site IT staff.

For example, if a department purchases any technology and does not go through us first, we don't support it. If they call the help desk about an item which they purchased outside of technology, we tell them they can have it, but we don't support it. If they take the necessary steps to go through us to purchase items, we research it, find the best item for their needs, test it out, then say, yup, it works, here you go. Then we support it.

#148
All Star
Join Date: May 2007
Posts: 674
tlarkin - I totally agree with you, and can see how my post wasn't very clear.

In the enterprise setting one definitely needs IT guys that know what they are doing, especially in the areas that you mention: topology, security, and so forth. However, I think that if you look at most jobs, there are experts who know what is happening and how to get it done, those that are being trained to be experts and are learning, those being trained who aren't learning, and those that show up to drink the coffee. I think that it is the last two categories of people that need to watch out pretty much all of the time, but especially when a new or better technology or process comes along.

I also agree that management is probably more of an issue. The reason that the department bought the Macs was because IT could provide computers in the time frame needed, which is really more of a business/management issue. I have also thought that if IT was tied more directly to the end product, they would have more of an interest in making sure that we are successful. Certainly it is not really a simple subject with a clear-cut, cookie-cutter answer.

Brett

#149
Moderator
Join Date: Nov 2003
Location: Norway
Posts: 3,152
On-campus Mac users quadruple!

I think this will soon impact "Mac on the Enterprise level": a quadrupling of Mac users at university level. First: universities may be considered (educational) enterprises. Second: these are tomorrow's corporate decision makers. So I venture that we will soon see similar decisions being made in a much greater percentage of Western companies. All the more reason for Apple to play its cards right!
__________________
"You say this gadget of yours is for ordinary people. What on earth would ordinary people want with computers?" HP executive to Steve Wozniak

#150
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Educational networks are identical to Enterprise level networks in the corporate world. The difference between them is budget, but otherwise they are almost 100% identical. Infrastructure of course will differ, but that goes back to how much money can you spend. Can you afford to run fiber to the desktop?
Here is a very interesting article about distributed computing and how it is helping save money, and how it is also getting results with all kinds of high-end research. http://www.apple.com/education/profiles/louisville/

#151
Prospect
Join Date: Oct 2007
Location: The Netherlands
Posts: 23
So here's my story of two separate networks, Windows for corporate and Apple for education (sound familiar? :/), growing together in some ways and keeping a safe distance in others.

My organization consists of all art education in the east of Holland; it's spread out over three cities. We have one network which consists of one part Windows for administration and some generic workgroups. Then at three art academies there are Apple networks. At the music schools there are some standalone Macs. Most computers within the organization are concentrated at the art schools. Almost all computers used in actual 'education' (as opposed to 'administration') at the art schools are Macs. The setup is the same at the other 2 art schools. We have a gigabit connection between cities. We use one OS X Server master in one city and 2 OS X Server replicas in the other two cities. Storage is on Xserve RAID, and some extra Xserves for demanding workgroups are local.

Since all administration is done on Windows, all user information for the whole organization is stored in Active Directory. These names and passwords are used for email (Microsnot Outlook webmail) and intranet (Microsnot SharePoint) access. Starting each academic year we copy the new Active Directory users into our Open Directory database by hand :-/ We are currently looking into syncing the two, which is a problem with no easy answer.

So two separate worlds really. And no real reason to try and choose one over the other, since they're used in different environments. Since the two separate networks are tying in to each other more and more, we are constantly pushing (and having to push) for open standards though. There's lots of problems with Windows apps on non-Windows computers, like SharePoint, MS webmail and TOPdesk etc. All these could be replaced by apps that support mixed environments, like an open-source wiki instead of SharePoint etc. The difficulty mostly is that Windows and Windows apps are the default choice no matter what, and anything else has to be proven and has to tie in to everything else flawlessly, including everything Microsoft. It's the irony that I see all around. Microsoft is an automatic choice. Everything else is not really seen as a possibility and is treated with mistrust.

Anyway, since a couple of years we have an IT coordinator who is open to suggestions, and we're slowly integrating the two environments more and more while trying not to have one at the expense of the other. A long time ago we had a Novell network for administration. That soon disappeared when Microsoft began shoving their products down everyone's throats. Anyway, you all know the story. So almost automatically the administrative network became a Windows network. At one time, when Apple had little more 'color' to offer than boring beige, we had a brief moment where we could have done away with Macs altogether, because it looked like the Mac could have gone the way of the Amiga, which was also at one time a very popular choice in the arts. Thankfully Jobs was back on the job just in time and we got a brand spanking new Xserve G4 and some iMacs and G4s to finally build a somewhat professional network. Still, the 'divide' was there and Apple didn't stand a chance to take a place in our corporate network. Years later, now that Apple has the goods, it can only get there if Microsoft is no longer taken for granted. Now that Vista is a joke (at least on this forum) and Microsoft is scrutinized for its world domination and its evil tendencies, at least Linux and open source get a foot in the door in corporate environments, and maybe this can help me to push the Macs a little more to the top. There now are a couple of faculty directors who got a shiny new MacBook Pro and are turning to us to get them to log on to the Windows servers etc. For now we use Parallels and a Windows virtual machine to be able to do that. Not great, but it's a start...

Kind regards,
__________________
Jeroens-MacBook-Pro:~ jeroen$ RTFM
-bash: RTFM: command not found

#152
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Hey, thanks for sharing, good stuff there....

I just took a new job, which I will start in about a week from now, where they are deploying over 6,000 Macs in their network. I took off work early today to go to my new job and finish paperwork and get an employee ID badge, etc. How they are doing it is that they are contracting a certain company to image and prep everything, then they hired me and some other people to basically be in-house support once it is deployed. They have a very simple and stand-alone network scheme, but are also a Novell shop. After deployment happens and things smooth out, I plan on starting to integrate the networks together. So, each building will have an OD master bound to an eDirectory server, which all point to our main LDAP directory, where all users are stored. Then when the user is out in user space and wants to log in, they will authenticate to the eDirectory server and then get policy and everything else pushed down from the OS X server. This of course works in theory, and I have got it working currently in a very small test environment of a few computers and like 50 fake users I just made up in two different groups. So, theoretically this should work network-wide. Novell doesn't make it all that easy. There are like 10 or so steps you have to take in ConsoleOne to accomplish this, and off the top of my head I don't remember them all. I know that you have to have Universal Password enabled, and that you have to mirror the LDAP user database. Once that is accomplished on the server side you have to have a few login hooks set on the client side to make sure it unmounts all network drives at logout, or it will try to remap the previous user's drives when the next user logs in. After I get the deployment rolling out I think I will have lots of fun.

I know that podcasting is something they are dying to accomplish, and I look forward to setting up and writing scripts for podcast servers, integrating network technologies, and of course mobile (or portable, depending on who you are talking to) home directories.

As for Microsoft, they actually do make decent products. Their server-side solutions are really good, and Active Directory is very robust and can accomplish a lot. OS X Server is nowhere near its abilities yet, but it is getting closer and closer with each release. And yes, for the record, Vista is horrid. I do not like it, but I have also been very biased against it. I think maybe in '08 when it has 1 year of patches I will give it another run and try it out.
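A minimal version of the logout hook the post above describes (unmount every network volume at logout so the next user does not inherit the previous user's mounts), added here as an example; it is not code from the post or from Novell or Apple. It assumes the install path /Library/Management/logouthook.sh and the macOS `mount` output format shown in the comments. loginwindow passes the logging-out user's short name as the first argument; run with no argument the script only defines its functions.

```shell
#!/bin/sh
# Logout hook: unmount network volumes before the next user logs in.
# Added example, not code from the thread. Install path is an assumption:
#   sudo cp logouthook.sh /Library/Management/logouthook.sh
#   sudo chown root:wheel /Library/Management/logouthook.sh
#   sudo chmod 755 /Library/Management/logouthook.sh
#   sudo defaults write com.apple.loginwindow LogoutHook /Library/Management/logouthook.sh

# Read `mount` output on stdin and print one mount point per line for
# volumes whose filesystem is a network type. macOS lines look like:
#   //user@srv/share on /Volumes/share (smbfs, nodev, nosuid, mounted by user)
#   /dev/disk0s2 on / (hfs, local, journaled)
# The mount point is everything between " on " and the last " (" so paths
# containing spaces survive; the type is the first word inside the parens.
network_mountpoints() {
    awk '
    match($0, / on .* [(]/) {
        mp   = substr($0, RSTART + 4, RLENGTH - 6)
        rest = substr($0, RSTART + RLENGTH)
        sub(/[,)].*$/, "", rest)                 # keep only the fs type
        if (rest ~ /^(afpfs|smbfs|nfs|webdav)$/) print mp
    }'
}

# Unmount every network volume; try diskutil first, fall back to umount -f
# so a stale AFP mount whose server is gone cannot hang the logout.
unmount_network_volumes() {
    mount | network_mountpoints | while IFS= read -r mp; do
        diskutil unmount force "$mp" >/dev/null 2>&1 || umount -f "$mp"
    done
}

# loginwindow calls the hook as: logouthook.sh <shortname>
if [ $# -gt 0 ]; then
    logger -t logouthook "unmounting network volumes for user $1"
    unmount_network_volumes
fi
```

The filter is deliberately conservative: local disks (hfs, msdos, devfs) are left alone, and only the four network filesystem types named in the awk regex are touched, so a typo in the hook cannot unmount the boot volume.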

#153
MVP
Join Date: Dec 2006
Location: Concord, CA
Posts: 1,530
I had to deal with some MS stuff on the server side, and I was just shaking my head. Like with their "forms" in Frontpage. We tried to host those pages on our Apache server, and it was totally broken. Unusable. We then looked it up on MS's website (And that's something I'll give MS: If you want to find out about something, they have craploads of info) and read that in order for our form to work, we had to have "Frontpage Server Extensions". ... I wanted to rebuild the website in Nvu, but I was turned down because it wasn't Microsoft and therefore wasn't "certified" to work with the network. Feh.
__________________
Xodium Dot Net.

#154
Prospect
Join Date: Oct 2007
Location: The Netherlands
Posts: 23
I heard about Novell being the magic glue that ties everything together. Not an option for our (in comparison) smallish network and IT staff. We have to limit ourselves to Windows and OS X. I'm currently looking into getting basic user information from AD and doing everything else from OS X Server. I have a lot of reading to do, but I'm hopeful we can set up a small trial early next year. At least this forum already proves to be very helpful. Best of luck (and lots of fun foremost) at your new job!
__________________
Jeroens-MacBook-Pro:~ jeroen$ RTFM
-bash: RTFM: command not found

#155
Prospect
Join Date: Oct 2007
Location: The Netherlands
Posts: 23
LOL Isn't 'microsoft certified' an invention to keep everything else from standing a chance? I'll bet it's something the marketing department came up with.
__________________
Jeroens-MacBook-Pro:~ jeroen$ RTFM
-bash: RTFM: command not found

#156
MVP
Join Date: Dec 2006
Location: Concord, CA
Posts: 1,530
Probably. I was able to build this form in Nvu (It was crap, but it was somewhat more functional), host it from my MacBook Pro, and have everyone in the classroom who had Windows 2000 laptops access my MacBook and use the form. It worked well. FrontPage forms, however, were broken in anything but IE, which doesn't exist for the Mac.
__________________
Xodium Dot Net.

#157
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Well, the roll-out of 6,000 MacBooks is next week. I am working with the Casper software suite right now to help roll out packages, policies, and inventory management. Casper Suite so far is pretty awesome. I think it is well worth it, and I don't even know how much it costs. I have never used Casper before, and no one has at my new job. The Casper field engineer was here the last two days giving us some hands-on training. I am just scratching the surface on it, but there are a few key features it offers that no other solution does. If I push out an update, Casper can send it out every 15 minutes, every 30 minutes, however I want it to work. Then it can flag in the inventory that the particular machine has had that update, so it won't try to give the update again. This comes in handy because users sometimes power their machines down and the update can't be remotely pushed out, but the next time they power it up and boot into the OS the update will run. Laptop users a lot of the time just close the lid of their laptop and hardly ever reboot or log in or out. They just close the lid and go. Which is how I use my own personal laptop. Then once this script, update, or software package has hit every machine in inventory it stops broadcasting that particular policy.

Also, you have one Casper server set up, then you have what you call Casper share points in each location, or on each subnet. These share points mirror the server, so you only make master changes on the server and it will mirror them down to the share points on each subnet. Then all your clients on that subnet will get everything from the share point on their subnet. So, you don't have 6,000 clients pulling software from the same server. So far I like it. I have already built an iLife '08 package, Office package, Firefox package, and a couple of scripts that get pushed out to make modifications. The inventory system allows me to see how many successful clients have received the updates and how many are still in queue. You must have a local SSH account on every client though, because Casper does everything over SSH. So, you make a hidden account on the machine locally with SSH, then server-side use that SSH account to authenticate and push everything out over SSH. I will post more as I learn more, but this is definitely a nice enterprise-level product.

#158
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
So, after a month or so at the new job, I am now doing all kinds of cool stuff. Our network is 100% Macs with the exception of some older legacy Novell shares that are running AFP, so the users can still connect. All servers are Xserves and all users authenticate via ODM.

I have been using Casper a lot. Had a lot of issues with it at first, but that was because our server did not have enough RAM, and Tomcat (the web server that Casper uses) was just getting beat to hell with policies and all the RAM was being eaten up. I am taking snapshots of software installs and making them into deployable packages with Casper. Casper does a lot of cool things, and I think it's a great product. For example, I created a plist file in /Library/LaunchDaemons on my control machine, and made a snapshot of the modified and different files. It detected my plist and where it was located, then made an install package for it. All packages are in DMG format, so they are compressed. I next set a policy for Casper to check all available machines in inventory (just over 5,000) and to send out this policy once per machine. It checks every 15 minutes over the network. It then logs every computer in inventory that has it. I made that policy yesterday at 4pm (school is out at 2:30) and by the end of the day today it had already been pushed out to over 4,000 computers. It does everything over SSH. So, on the client machines we set up a hidden admin account that is enabled for SSH. Casper uses that account to authenticate to the machine locally and pull the packages down. Technically, also, it is not a push, it's a forced pull. The JAMF binary connects to the server and searches for policies; whatever policies are there for the taking that need to be run are then pulled down from the client machine. The jamf binary tells the machine to pull down said policies. You can then set up share points on each subnet. These share points are mirrors of the Casper server itself, and they host all the packages on that share point, so every client on that subnet pulls from that share point instead of across tons of subnets from one server. We are going to work on load balancing it out amongst the buildings.

I am having problems with my NetBoot server using Casper's NetBoot image install set creator. It was working fine, and then I had a botched update on my server go south, and because of time and other issues I just wiped the server out and reloaded the OS. Not a huge deal, it's not like it had anything on it and I had all the images backed up, but now it doesn't seem to want to let the clients NetBoot. Before I was using Bombich's NetRestore Helper to make NetInstallers for my NetBoot server. Now I am using Casper's NetBoot install set creator, which works in an odd way.

It looks like I will have a crack at setting up our first Leopard server on the network in the near future. We want an iChat, podcast, iCal server. I figure that one server could probably handle all three of those tasks in each building (1 server per building). We don't want iChat going out to the interwebs but would like to have an internal system working. The podcast server would host podcasts of teachers' presentations in class so students can keep the lectures on hand at all times. This has been talked about but not finalized. It is something we want to get into, but it is not certain when exactly we will do this.

So, if Apple still claims to not be an enterprise company (quote from Steve Jobs himself), then why do they have all these things that allow admins like me to implement this type of control over an enterprise network?

I still want a VM of OS X. Making software packages for deployment would be so awesome if I had a VM that I could wipe back to zero every time and then install and configure whatever, then take a snapshot of that VM, then deploy that package. I really want a VM of OS X. I think I will email Apple and say that is all I want for Christmas.

I am also hesitant to even think about how we are going to update the OS on 5,500 MacBooks. That is going to suck! I guess we could haul them all to one giant room, set up a server and just ASR multicast to all of them, like 1,000 at a time or something.... That will be a project to tackle over the summer when faculty and students are gone.
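Posts #157 and #158 above describe the deployment model: a hidden local admin account, enabled for SSH, on every client, which the management server uses to authenticate and trigger the forced pull. Because that one credential is present on thousands of machines, a practitioner would want to confirm on a sample client which admins are hidden or sit in the system UID range, and whether sshd still accepts password logins for them. The audit script below is an added example, not part of the thread, of Casper or of Apple's tooling; the account name casper, the script name, and the `dscl -readall` record layout it parses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the "hidden local admin
# account enabled for SSH" pattern. Two checks on a sample client:
#   1. which members of the admin group are hidden or have UID < 500
#      (Apple's historical cut-off for accounts the login window hides);
#   2. whether sshd still accepts passwords, which makes that shared
#      account brute-forceable from anywhere on the network.

# hidden_admins READALL MEMBERSHIP
#   READALL    : output of `dscl . -readall /Users RecordName UniqueID IsHidden`
#                (assumed format: "Key: value" lines, records separated by "-")
#   MEMBERSHIP : output of `dscl . -read /Groups/admin GroupMembership`
#                e.g. "GroupMembership: root jeroen casper"
# Prints "<name> uid=<n> hidden=<0|1>" per hidden/system-range admin.
hidden_admins() {
    readall=$1; membership=$2
    printf '%s\n-\n' "$readall" | awk -v membership="$membership" '
    BEGIN {
        sub(/^GroupMembership: */, "", membership)
        n = split(membership, m, " ")
        for (i = 1; i <= n; i++) admin[m[i]] = 1
    }
    /^RecordName: / { name = $2 }
    /^UniqueID: /   { uid = $2 + 0 }
    /^IsHidden: /   { hidden = $2 + 0 }
    /^-$/ {
        if (name != "" && (name in admin) && (hidden == 1 || uid < 500))
            printf "%s uid=%d hidden=%d\n", name, uid, hidden
        name = ""; uid = 0; hidden = 0          # reset for the next record
    }'
}

# sshd_accepts_passwords CONFIG_TEXT
#   Returns 0 when the sshd_config text leaves password authentication on:
#   sshd honours the first uncommented PasswordAuthentication directive, and
#   a missing or commented-out directive means the default, which is yes.
sshd_accepts_passwords() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*PasswordAuthentication[ \t]+/ && !seen { value = tolower($2); seen = 1 }
    END { exit ((seen && value == "no") ? 1 : 0) }'
}

# Live run on a client: `sudo sh audit_mgmt_account.sh --live` (name assumed).
# Older releases keep the file at /etc/sshd_config, newer at /etc/ssh/sshd_config.
if [ "${1:-}" = "--live" ]; then
    hidden_admins "$(dscl . -readall /Users RecordName UniqueID IsHidden)" \
                  "$(dscl . -read /Groups/admin GroupMembership)"
    cfg=/etc/ssh/sshd_config
    [ -f /etc/sshd_config ] && cfg=/etc/sshd_config
    if sshd_accepts_passwords "$(cat "$cfg")"; then
        echo "WARNING: $cfg accepts password logins; restrict the management account to keys"
    fi
fi
```

If the first check lists the management account and the second prints the warning, the practical fix is to keep the account but give it a per-site or per-machine key pair, set `PasswordAuthentication no`, and limit SSH to the com.apple.access_ssh group so a password guessed on one laptop is not a password for all six thousand.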

#159
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
Oh, and about the NetBooting:

Apple machines do NetBoot slower, and it is because of their design. I meant to clear up why they NetBoot slower but I never got a chance to. The reason is, when you create a NetBoot install set for your client machine to NetBoot on, it basically makes a small, limited image of OS X, with some basic utilities on it, that the client pulls down at boot. These NetBoot installers are kind of large; some of them have been just under a gig in size. So the Apple client has to pull that down to the machine to run it.

Whereas on other platforms a PXE boot generally pulls down an image that is just several megabytes in size. The ZENworks NetBoot client uses a non-GUI version of Linux (I think it's Knoppix-based, not sure though), so it's really tiny. Considering DSL is a fully functional bootable Linux distro that is only 50 megs in size just goes to show you how cool some of those micro-kernel OSes are. That is why it boots so much faster on other platforms: they are designed to be very minimal and lacking on the GUI side. The OS X client loads an Apple GUI. Sure, I suppose it looks nicer, and it is easier to use, but it does hit performance. I meant to post this a while ago when I looked into it, and reading through the thread again I realized I had never explained it.

Also, some of my thoughts on the iMac as an enterprise solution have changed. Mainly because there is no Mac I can't fully break down at this point in a matter of minutes, but also because of a particular issue we ran into deploying some systems. Short version of the story goes..... We wanted low-profile Gateway Windows desktops (all-in-ones) because the building we were deploying them into has a real limited number of power drops in the walls and floors. It's an old, historically protected building. So we can't drill or run cable or anything. Since we gotta buy everything on one bid, we buy all the same machines across the board. So this historic building basically set our standard. Well, we can run cable with race tracks, and no one wants to do that. So, the Gateway low-profile machine only needed one power cord, which was one of our major concerns. Gateway said they could get us our machines in a couple of months. Unacceptable, so we ordered iMacs. I now have several hundred iMac clients at my work that do not run OS X; they run Windows. I laugh every time I walk by an office full of iMacs running Windows.

So the iMac, although not my first choice for a widely deployable desktop at the enterprise level, does have its place if you want to limit to one power cord per client machine.

#160
League Commissioner
Join Date: Mar 2003
Location: Bay Area, CA
Posts: 11,352
So, now I have got a pretty good feel for a complete 100% Mac enterprise network. Here are my thoughts:

First things first, I will get the bad out:

1) Apple print server services - they stink. Apple should just buy a third-party service already out there and integrate it into their server. I have had bad luck with it in the small test environment I have tried it in.

2) No tiered administration (however, apparently 10.5 Server changes this). I will find out how well it works when we migrate to 10.5.

3) Home directory sync. For the most part this is great, but every now and then I get a hiccup machine and have to go in and blow out the user completely and resync their home directory. Once a user fully syncs, they no longer log in via ODM; they log in via the locally synced account. It needs fixing, but with NetInfo Manager gone, it could be way better now.

4) Change and rearrange over different versions. To me it seems that Apple tries to reinvent the wheel sometimes. If something works, don't fix it. They rearrange certain things in certain versions. A quick example is, what was once managed in Workgroup Manager is now managed in Server Admin. MAKE UP YOUR MIND APPLE! It's not a huge issue, just annoying when you spend an hour trying to figure out why a feature is gone in a newer version of the software only to find out it has been moved to a different app/utility.

5) WiFi, still not perfect. We had to run WEP for some legacy devices, but now that we are running 90% Macs we will possibly be migrating to WPA, which I hear has way less compatibility issues with Macs. Overall, it's not bad but it's not perfect. It is the Mac driver and its lack of robustness. Whereas in other OSes in the driver you can set the WiFi card to only connect to A, B, G, or N radio signals, on the Mac it always prefers B or G. So, if one B/G radio is full and is getting overloaded, it will not switch over to the A radio to load balance. We fixed this by turning off all B radios; however, it is definitely a client-side issue.

I hear that the 10.4.11 update fixes some issues, and my Leopard client has none of these issues. I just don't have the time and resources to push out software updates quite yet.

OK, now for the good.

1) OD managed preferences and whitelisted applications - this really helps you lock down a machine. I mean really lock it down. I keep getting users that tell me that they are going to hack their machine. I tell them, if they figure it out, come back to me and I will give them a job, because it is not possible in my mind (or at least only possible for a very small elite few). This also helps troubleshoot issues. For example, I had to install an interactive textbook on a small group of students' laptops. We only had licenses for 40 users, so I whitelisted the app for users at that certain school. One user had come in and complained that it wasn't allowing her to run the app. Sure enough, she got access denied. Well, I know for a fact it was whitelisted for every user group at her building, because I was the one that whitelisted it in the ODM. The first thing that comes to mind is to look her up in the LDAP database. Sure enough, there were two users with the same name (but entered in differently) and she was logging in as her, which was in a different group which did not have access to the app.

2) Casper Suite (third party) - I can't begin to tell you how handy this little suite is. I can install and manage policies, login hooks, software installs, software updates, remote VNC (though ARD admin is best), image, uninstall, and all sorts of other neat stuff. Also, how Casper is designed is very neat. Each client machine has the Casper client binary installed, which has its own set of commands, which it then uses the under-the-hood Unix of OS X to execute. I can bind a machine to AD or OD, set up user accounts, create or modify existing user accounts, modify network settings, etc. How it works is also very unique. The client lives in /usr/sbin/jamf. Now, every time the machine logs in or out or boots up, or every 15 minutes (depending on the policy you set), it will connect to the JSS server and look for jobs to execute. The jobs can be set by VLAN, computer group by name, by MAC address, by network segment, etc. If the client is flagged for a job via policy, it tells the laptop to pull that policy down and execute it. So the server is not constantly pushing things out; it is really a forced pull from the client. To give you an idea of what we have: 5,500 to 6,000 Macs all managed via Casper.

3) Design of the OS. I like how it takes the Unix/Linux design of a file hierarchy, and all user data is in /Users. This is so helpful for troubleshooting and having to back up data when users forget to. Self-contained apps, so on and so forth.

4) Integration - this is both a con and a pro. On the pro side, I can map Windows, Linux, Novell shares pretty much no issue at all. On the down side, integrating them into our Novell GroupWise email/calendar system is not so easy. It has gotten better and will get better. It is possible though, so I will keep it as a plus.

Right now I am managing about 20 Xserves and 6,000+ Macs with most of them being MacBooks. I like how Casper is set up that way to help with the issues of laptops being asleep or turned off or not in the network, and when they return they can trigger a policy.