How we had to learn to manage Macs on a corporate network

    Bring Your Own Device (BYOD) is already a very real headache for administrators whose corporate network holds not only a top manager's MacBook, but also their deputy's iPad (or even iPhone). This year, we surveyed more than a hundred system administrators at large companies in the United States, asking what they use to manage mobile gadgets on a corporate network populated mainly by Windows PCs. The options “nothing” and “strong expressions / alcohol / tears” won. At the same time, 45% admitted that their companies have already purchased Macs for business purposes. This means the problem has to be solved now: information worth millions of rubles can pass through the BYOD devices used by managers and key employees, and it is vital that these devices comply with corporate policies.

    In this post we want to describe how we deployed our own Mac management solution for the corporate environment, Parallels Mac Management, inside our own company: where we started and what we ran into along the way (including the purely psychological aspects of our employees' behavior). We also want to consider whether you really need Macs on a corporate network (and hear your opinion about it), what for, and who uses which tools to manage them.

    Scary reality

    Although far from every corporate IT service can say why it needs Macs in the corporate environment, their growth is a fact (see studies by Greyhound Research and independent experts). The growth in sales of our own desktop and mobile products for the corporate market (Parallels Desktop for Mac Enterprise Edition, the same Parallels Mac Management and the business version of Parallels Access) confirms this as well. So does a survey in which 95% of those who work on Windows said they will be happy to migrate to Mac OS X as soon as they can use a unified system for managing computers on various platforms.

    Let's be honest: for many companies, from the point of view of saving costs and resources, it is more profitable to choose Windows PCs. Macs are more expensive, the ecosystem of specialized applications for Mac OS X is much less developed, and managing them in large numbers is less familiar. So why does Apple continue to penetrate the corporate environment so aggressively?

    Your own device at work? And what if I find it?

    In the same survey, we were told that the Mac platform is more reliable, with fewer glitches and viruses (77% of respondents said so), is easy to maintain (65%) and helps to attract employees (also 65%). But it seems to us that the real reason is the growing popularity of the BYOD concept itself, which is driven by the following factors:

    Firstly, there is an explosive increase in the number of mobile devices, phones and tablets, and their reorientation to professional tasks. There are more and more easily portable gadgets capable of doing everything that only computers could do until recently. This applies to both smartphones and tablets. In 2013, more than 195 million tablets were sold (62% on Android, 36% on iOS). At the same time, the number of phones in use worldwide on the Android and iOS platforms exceeded 900 million (iPhone's share 15.2%, Android 78.6%). And this year, people will buy more tablets than laptops.

    Secondly, the BYOD fashion quite possibly reflects a new relationship between employers and employees. These new trends are gradually coming to us from the West, and show up in the fact that employees are less likely to consider themselves part of the organization, or are not even on the staff. For example, contractors in the United States are not considered employees: the company has the right to tell them what to do, but not how. Staff members behave the same way. With this approach, employees have fewer restrictions, and it is de facto imposed on all market participants, including employers. And since it doesn't matter how the tasks are solved, you can use whatever devices are dear to your heart. The question of their technical support is rarely discussed, since it is not directly related to the business.

    Why include a Mac in an enterprise environment?

    Perhaps it is easier to ignore the individual cases where they appear? We believe that Macs need to be managed for exactly the same purposes for which we manage Windows PCs. For example, in our company they are as follows:

    • Prevention of data loss on a laptop due to a technical malfunction or user leaving the company.
    • Inventory of software and equipment for accurate planning of updates, compliance with licensing requirements and a correct forecast of IT costs.
    • Simplification of remote administration - deployment of standard OS images, deployment or updating of software products, remote management to resolve incidents, configurations that are consistent with policies.
    • A specific goal for us: experience in the practical application of products of our own design.


    How did the implementation project start?

    Having understood why we still need to learn how to manage our own Macs (it seems to us that every IT department asks this question but, from experience, the answer in the case of Macs may be unexpected), we opened a new project. When choosing the Mac administration tool, we proceeded from the premise that the corporate environment, by definition, has a single account directory based on Microsoft Active Directory and a VPN infrastructure that gives remote users access to the corporate network, and that users are interested in having IT solve their problems. This matters because a negligent and uninterested employee may well remove the agent from the Mac, and then insist that "nothing works."

    At the end of 2012, we identified 3 potentially suitable products: Centrify User Suite Mac edition, Microsoft System Center 2012 SP1 (which was at that time at the Customer Technology Preview, CTP, stage) and version 1.0 of Parallels Mac Management (hereinafter PMM). The need to pay for a license turned us away from Centrify. The System Center license is provided to Microsoft partners free of charge through the Microsoft Partner Network program (and we are members of it). An additional number of client licenses (Client Management License, CML) for System Center had already been purchased earlier for the deployment of System Center Configuration Manager 2007 in the Russian office. These licenses are also needed for deploying PMM, because the Product Use Rights * for System Center 2012 clearly stated that a CML is required for each managed device, with no exception based on the origin of the agent. By the way, the SCCM 2012 server distribution could only be obtained by purchasing CMLs: a server license was not available in the Microsoft product range, while access to the distribution kit at the Volume Licensing Service Center was tied to the acquisition of CMLs.

    When the project started, the ability to manage Macs had only been announced for SCCM 2012 SP1. Its release was scheduled for early 2013, so the difficulties were obvious. At that time, several of the company's partners had agreed to test PMM, and when our own IT service took up deploying PMM “inside”, a new goal appeared: to get feedback faster in order to speed up product development. Developers naturally received it from "their own" in a shorter time, because this process is usually delayed by the usual chain of "sales engineer" - "product manager" - "development manager". In addition, the partners were located in the United States (which also means a difference in time and language). But there were no greenhouse conditions for our IT: it contacted PMM technical support in the general manner, and its requests for improvements went into the common queue, prioritized by the revenue they bring (and since there is no revenue in this case, the improvements would be made only if one of the paying customers required them). As a result, the IT service gained experience in describing the use case for each new function in detail, and its implementation depended on whether one of the customers wanted to receive it.

    PMM Deployment

    For the deployment, we selected all employees with Macs who were not involved in product development or testing. Geographically, they were located all over the world: in offices in Renton, Washington in the USA, Moscow, Novosibirsk, Munich, Singapore, Tokyo; remote employees in the United States, EU countries, Australia and Southeast Asia.
    It was assumed that PMM's capabilities would make the work of the system administrators of these offices easier: remote management, centralized installation of standard software packages and updates, centralized application of security policies (based on Mac OS X profiles), installation of standard OS images, equipment inventory.

    We especially highlight the task of remote administration of Parallels Desktop for Mac (a desktop virtualization product that is familiar to Mac users, we wrote about it here) and the distribution of standard virtual machines for it. Remote administration includes setting optimal VM settings, activation and installing updates. Standard virtual machines (Windows 8 with Office 2013) were chosen for reasons of document compatibility, because users are accustomed to the Office for Windows interface, which differs significantly from the Office for Mac interface, and because many applications still simply do not have versions for Mac OS X.

    To solve the entire set of tasks, it was decided to install the Primary server SCCM in Renton and one Distribution Point each in offices with a significant number of users - Renton, Munich, Singapore, Moscow and Novosibirsk. Remote users connect via VPN to the nearest data center (Renton, Munich, Moscow or Singapore), from where their traffic is routed through the MPLS corporate network to the Distribution Point to which the user is assigned.
    Our extension integrates into the System Center Configuration Manager interface

    The server side of PMM was installed on the Primary server. Client installation was done manually, partly by the users themselves, partly by system administrators. Users were sent an email with a hyperlink to the agent distribution; the system administrator had to intervene only when the installation did not finish successfully. Starting from version PMM 1.7, installation, including updating the agent version on a command from SCCM, completed successfully in automatic mode in approximately 90% of cases. In most cases where installation failed on a computer that did not previously have the agent, the reason was that the user did not follow the installation procedure (you can start the installation without connecting to the VPN, but successful completion requires access to the domain controller, which is reachable only through the VPN). Now the current version of PMM is 3.1,

    Deployment Summary

    From a technical point of view, the deployment of PMM in Parallels can be considered successful. The agent is installed on more than 95% of the Macs selected inside the company (more than 150). It is possible to deliver software packages to managed Macs, to apply, through Mac OS X profiles, a password policy that meets the company's accepted requirements for password complexity and lifetime, and to configure virtual machine settings. Starting from version 2.0, automated installation of the OS is possible, although there is no experience of mass OS updating in this way yet, since the built-in Mac OS tools cope with the task of updating the OS. The third version also brought new features, such as a self-service portal for working with applications, support for HTTPS SCCM infrastructure and SCCM applications. Improved SCCM client support,
    The Parallels Mac Management Self-Service Portal

    One of the hardest obstacles to implementing PMM was learning SCCM. We had essentially no experience with this product, so one of the system administrators had to study it, first on their own and then at Microsoft certified courses. The courses made it possible to systematize the independently acquired knowledge and experience, and to get answers to the questions that had accumulated during independent attempts to install and use SCCM. A significant part of the problems encountered during the installation and deployment of PMM turned out, in the end, to be caused by a non-optimal SCCM configuration. CONCLUSION ONE: You can take up PMM deployment only when your organization has experience working with SCCM; if it does not have it yet, formal administrator training is required.

    The second obstacle was psychological and legal in nature. Some employees in EU countries objected to installing the agent, stating that in this way the IT department would invade their privacy. This opposition had to be overcome with the help of the general counsel, who explained that company-owned computers are not a place for personal information. Such objections may, however, have much more solid ground in the case of BYOD. Since by definition there can be no technical solution for them (an agent capable of reinstalling the OS can access any data), the solution has to be a contractual one. CONCLUSION TWO: Employees working under BYOD conditions should be asked to agree in writing to the installation of the agent as a condition of entering into an employment or contractual relationship.

    What the day ahead is preparing for us

    As a result, all difficulties have been overcome, and Parallels Mac Management is in commercial operation and has been implemented in a number of companies, the largest of which are Rackspace, Samsung and McAfee. At the same time, we have not finished our own internal project: the next stage is training our technical support staff to apply PMM in daily practice. This will require, first of all, teaching them the basics of SCCM, since all operations are performed through its interface (Macs are managed in it in the same way as computers). We also plan to introduce the Application Self Service Portal so that employees can install software that is recommended and complies with corporate policies.

    Parallels Mac Management now has the largest sales growth among Parallels solutions, over 50% per year. This suggests that the task of integrating Macs into the corporate environment has become acutely relevant, and that once a practical opportunity to solve it finally appeared, adoption was not long in coming.

    As a result, we can draw the following conclusions: firstly, in addition to “nothing”, “tears” and “strong expressions”, there are products that will help solve the problems of managing Macs (and not only our own). Secondly, you will have to resolve various conflicting aspects of the interaction between PC and Mac on the same network, including unexpected and psychological ones (not all employees will accept that the benefits of BYOD come along with responsibility for the contents of this D itself).

    And we’re really interested in what you think about it: are Macs needed in a business environment, and what usage scenarios can there be? So write your thoughts and questions in the comments, and we will try to answer everyone.

    * Product Use Rights - the main document defining the rights to Microsoft software transferred to the licensee through volume licensing programs.
    The author of the article is Vitaliy Khozyainov, Senior Project Manager at Parallels (USA)
