Yeah, rather than throwing up a wall to keep them out, the better energy
is spent finding out how to support them in your infrastructure.
Binding the machines to Active Directory is easy and painless. You will
need tools to replace things you do with GPOs, but Matthew gives a
really good place to start.
Bill
Matthew W. Ross wrote:
You are correct, many of these things you cannot do from Active Directory.
There may be a few tricks you can use to force some of these (login scripts,
remote ssh, etc.) but I'm sure you're more interested in something a little
more centralized.
If you want the Apple solution, check out Open Directory and Apple Remote
Desktop.
Open Directory is a component of Mac OS X Server, and it is Apple's attempt at a
directory service à la Active Directory, but for Macs. If you do go this route, I
recommend joining the Macs to both your Active Directory and the Open Directory at the
same time. Have your users log in using their AD credentials, while the Macs get their
settings from OD. This is what's known in Mac IT circles as the "Golden
Triangle".
Apple Remote Desktop is, at first glance, your basic remote desktop app. But,
it's also your software deployment suite and your software inventory. (As an
aside, I wish there was an equivalent to Apple Remote Desktop for windows PCs.
Perhaps there is, but not without a per-client cost.) Have a .pkg that needs to
be installed? Install it silently on every computer you can see online. Need it
installed on offline computers? Set up ARD to do it automatically when it sees
the Macs on the network.
These solutions are fairly inexpensive, thanks to the aggressive price drops by
Apple. You need a Mac running Lion (cost depends on whether you have this
already and could be $0), the Lion Server update from Apple ($49.99) and
optionally Apple Remote Desktop ($79.99, unlimited clients).
If you don't want to go with the Apple provided solution, there are other
methods of making this work. Check out Puppet from Puppet Labs and ADmitMac
from Thursby.
---
Now that that's said, we here have not moved to Mac OS X Lion (10.7). As of
their most recent patch, it appears they have finally resolved some of their
Active Directory integration issues. We as a district are moving away from
Macs, simply because their initial costs are difficult to bear. Supporting a
Mac's software is easy. Supporting the hardware can be a nightmare.
I hope some of this information is useful to you.
--Matt Ross
Ephrata School District
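The "Golden Triangle" Matt describes above (AD for logins, Open Directory for managed settings) is easy to set up and just as easy to leave half-done on a lab Mac. The following audit script is an added example, not code from this thread or from Apple; the domain "example.org", the OD server "od.example.org" and the sample command outputs are constructed assumptions. The parsers read command output from stdin so the checks run offline; on a real Mac you feed them `dsconfigad -show` and `dscl /Search -read / CSPSearchPath` instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Mac for the "Golden Triangle".
# A correctly configured machine is bound to the expected Active Directory
# domain AND has an /LDAPv3/<od-server> node in its directory search path,
# which is where Open Directory managed settings come from.
# "example.org" and "od.example.org" below are assumed names.
#
# On a real Mac the live checks are:
#   dsconfigad -show | ad_domain
#   dscl /Search -read / CSPSearchPath | search_nodes

# Print the domain from `dsconfigad -show` output; prints nothing if unbound.
ad_domain() {
    sed -n 's/^Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# Print each directory node from `dscl /Search -read / CSPSearchPath`,
# one per line, dropping the "CSPSearchPath:" key and leading indentation.
search_nodes() {
    sed -n 's/^[[:space:]]*\(\/.*\)$/\1/p'
}

# golden_triangle_status AD_SHOW_OUTPUT SEARCH_PATH_OUTPUT EXPECTED_DOMAIN OD_SERVER
# Returns 0 when bound to EXPECTED_DOMAIN and /LDAPv3/OD_SERVER is in the search
# path; 1 if the AD binding is wrong or missing; 2 if the OD node is missing.
golden_triangle_status() {
    ad_out=$1; search_out=$2; want_domain=$3; od_server=$4
    domain=$(printf '%s\n' "$ad_out" | ad_domain)
    if [ "$domain" != "$want_domain" ]; then
        echo "FAIL: AD binding is '${domain:-none}', expected '$want_domain'"
        return 1
    fi
    if ! printf '%s\n' "$search_out" | search_nodes | grep -q "^/LDAPv3/$od_server\$"; then
        echo "FAIL: /LDAPv3/$od_server not in search path; no OD-managed settings"
        return 2
    fi
    echo "OK: logins via AD domain $domain, settings from OD server $od_server"
    return 0
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_AD_SHOW='Active Directory Forest          = example.org
Active Directory Domain          = example.org
Computer Account                 = mac-lab01$'

SAMPLE_SEARCH='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/od.example.org'

SAMPLE_SEARCH_AD_ONLY='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains'

# Demo: the first sample passes; the second is AD-only (users can log in,
# but nothing is pushing settings to the Mac), so it fails with status 2.
for s in "$SAMPLE_SEARCH" "$SAMPLE_SEARCH_AD_ONLY"; do
    golden_triangle_status "$SAMPLE_AD_SHOW" "$s" example.org od.example.org || true
done
```

Run it from a login script or over ssh on each Mac and collect the one-line result; a machine that is AD-bound but missing the LDAPv3 node is exactly the "unmanaged but on the domain" case Dave is worried about.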
----- Original Message -----
From: David Lum [mailto:[email protected]]
To: NT System Admin Issues [mailto:[email protected]]
Sent: Mon, 17 Oct 2011 08:16:43 -0700
Subject: RE: Macs and vulnerabilities
My concern is all the above. As currently implemented, Macs on our network
are no different than users' home Windows laptops being allowed to directly
connect to our network. I can't imagine anyone here would say "go ahead and
hook your home laptop directly to my LAN and don't bother joining to the
domain".
I can't audit what's on them for software license compliance reporting
I can't apply GPOs (autoconfigure wireless, browser settings/favorites,
etc.)
I can't remotely deploy software (via GPO or SMS)
I can't enforce anti-virus
I can't patch Flash, Java, etc
Dave
-----Original Message-----
From: Matthew W. Ross [mailto:[email protected]]
Sent: Monday, October 17, 2011 8:07 AM
To: NT System Admin Issues
Subject: RE: Macs and vulnerabilities
David, from what direction are your concerns coming from?
Are you concerned how to patch the macs?
Are you concerned about antivirus?
Are you concerned about controlling what the Macs are allowed to do?
I'm just trying to understand, and perhaps help.
--Matt Ross
Ephrata School District
----- Original Message -----
From: David Lum [mailto:[email protected]]
To: NT System Admin Issues [mailto:[email protected]]
Sent: Thu, 13 Oct 2011 15:01:20 -0700
Subject: RE: Macs and vulnerabilities
Well, we're getting a Mac invasion here and there is zero apparent
concern for managing these things or worrying about vulnerabilities.
To get to AD resources they're standing up Win7 VMs but doing as much
work as possible on the native MacOS.
They can get to the Internet, file shares, printers, e-mail, etc on
native Mac but I just have alarms going off in my head "unmanaged
machines with no idea what intellectual property is on them".
Dave
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 13, 2011 2:49 PM
To: NT System Admin Issues
Subject: Re: Macs and vulnerabilities
I remember the big "Mac virus" recently was socially engineered - but
that's definitely the Mac's biggest vulnerability. Given that Mac
users generally believe they are invulnerable, it's an arguably bigger
vector than the same one on a Windows system.
Sent from my POS BlackBerry wireless device, which may wipe itself at
any moment
________________________________
From: David Lum <[email protected]>
Date: Thu, 13 Oct 2011 21:45:39 +0000
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: Macs and vulnerabilities
Does anyone have a link to an article or two that shows
vulnerabilities that have actually been exploited? Preferably not a random
blog post...
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin