User profile for user: Forrest
Forrest Author
User level: Level 2
198 points

Centralized desktop management for MacOS

In our enterprise environment, we have many MacOS systems. Over the years, for the most part, we relied on individuals to manage their own systems. In recent times, we've had a number of issues including software compliance that has introduced complications, for which I'm seeking a solution--I wonder if anyone here can recommend products or approaches to this.


What our basic needs are:


  • Manage and deploy certain software packages to ensure compliance
  • Manage and deploy patches as needed
  • Report on software and library versions (ie: to determine vulnerabilities)
  • Possibly configure services for central login or other recognized needs


As a systems administrator, I'm also very sensitive to end-user privacy (including my own). I want to be sure that whatever tool we use is secure, but also doesn't allow for unnecessary invasion. We allow folks to install whatever they want, but we have some basic requirements that need to be centrally managed.


I don't think we want to "roll out our own" solution, as it creates additional layers of dependencies and complexities.



Thank you,

Forrest

Mac Pro, OS X El Capitan (10.11.2)

Posted on Feb 6, 2017 9:31 AM

Reply
6 replies
User profile for user: John Lockwood
John Lockwood
User level: Level 6
13,697 points

Feb 8, 2017 4:22 AM in response to Forrest

Apple's Profile Manager in Server.app can be used to manage various settings on Macs, however the other requirements you list are not well served by Apple's software.


There are various enterprise packages to do all you want but the two mains ones that are used are -


The already Mentioned Munki which can manage deploying applications etc. to Macs and also pushing Apple updates and updates for third-party apps, on top of Munki you can use SAL or MunkiReport to generate reports showing what versions each Mac has, so Munki plus SAL or MunkiReport will cover the first three on your list with Profile Manager perhaps being used for the fourth in your list. Munki was written by an employee of Disney Animation Studios and presumably is still being used by Disney to manage their tens of thousands of Macs, I use Munki myself.


The other leading approach and the one IBM use internally to manage 100,000+ Macs is JAMF Casper Suite now called JAMF Pro which can do all four items in your list. Casper Suite is by far the leading commercial tool for managing Macs.


Note: Apple are phasing out their Software Update Service tool in Server.app and despite what some people think the Cache Server module is not a complete replacement. You can however use the free Reposado tool to run a SUS service and it has more features as well. JAMF also provide a free equivalent to Reposado


There are other tools e.g. Puppet for managing preferences which is free and Chef which is similar to Puppet both however are very much Linux style i.e. command line driven tools which is not everyone's cup of tea. There is Simian which is a Google written package similar to and based on Munki. There are a whole host of other commercial packages like LANDesk but most of these come from a Windows background and are considered less effective for managing Macs.

Reply
User profile for user: Drew Reece
Drew Reece
User level: Level 6
10,684 points

Feb 7, 2017 12:37 PM in response to Forrest

For software look at Munki…

https://www.munki.org/munki/


You will probably want OS X server for other management tools. ARD may also be used for gathering reports if you want to do that manually.

https://www.apple.com/remotedesktop/


I don't know if there are suites that handle all of your needs, Jamf looks like one candidate but I have never got around to testing it.

https://www.jamf.com/solutions/technologies/mac-management/

Reply
User profile for user: Forrest
Forrest Author
User level: Level 2
198 points

Feb 8, 2017 3:32 PM in response to John Lockwood

Thank you, everyone, for your helpful replies.


I've looked into JAMF Pro (formerly Casper Suite), as it seems like it will solve our issues. I spoke with their sales team today. I work for big *.edu and it turns out our central IT facility has already a contract with JAMF and we can get a sub-account to operate independently. So that makes the most sense now, for testing it out.


I wouldn't want us to "roll our own" due to the amount of technical liability that may introduce.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Centralized desktop management for MacOS

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up