OS X Business Infrastructure

I have a client who is starting up a business who wishes to use nothing but Mac exclusively. This means desktops, tablets, and company phones will all be Apple devices. The starting number of users will be around 10 people, with hopes of growing to 100+ employees in 3-5 years.


Under normal circumstances, I'd just set all this up using PCs and Windows so I can use Active Directory to manage user permissions and establish group policies that are pushed to each machine. However, that doesn't appear to be an option. I've integrated Macs into an existing Windows Domain and AD in the past, and I know how quirky it can be. It wouldn't make any sense to have a single Windows Server just for a flaky AD and Domain infrastructure.


I'm out of my element on this one, but can learn and adapt fairly quickly. I've done some reading on Open Directory, and it appears to be my best bet on setting up user groups as well as storing user information. Would OD essentially create a domain that would allow users to log in to any machine throughout the office? This would facilitate employee movements (promotions, office moves, etc.) without actually having to move the workstation (I prefer to keep all machines in assigned locations as it makes the inventory process quick and smooth). This would also mean that the average user would NOT be allowed to save directly to their machines, but would save to a main file server (or a "Home Drive") instead. This server would be backed up daily and whatever recommended redundancies would be put in place in case of a server meltdown or any other technical issue.


Another thing I'd like to facilitate is the ability for employees to access their files from wherever (say they wish to do some work from home, or are working on the road). In the past, configuring it so that users may access their "Home Drive" was clunky but has gotten much easier within the Windows environment. What are my options for this in an OS X environment besides having users just save to an iCloud account? Or is that the best, most robust way of doing things? Would a separate DNS server tied to the company's TLD (like server.exampleCompany.com) that acts as a gateway be an appropriate solution for this if iCloud isn't used? Could the DNS and file/OD server be contained on the same machine, whether done via virtualization or actual static install? In case of employee termination or resignation, being able to access all of their files and retaining them for future use/review is absolutely crucial. Looking for suggestions from those experienced with a Mac-only enterprise environment.


The average user will likely be working from a 21.5" iMac, while the admins and supervisors will be running the larger 27" iMac, with perhaps a few iMac Pros for those who will actually need such computing power.


I've done my best to outline what the goal is, so I appreciate any input and feedback I can get.


Thanks!

Posted on Nov 19, 2018 1:15 AM


3 replies

Nov 19, 2018 7:12 AM in response to VaiFanatic

In no particular order...


You’re probably headed for Apple out front, and for other vendors for the networking and for the back-end services. Apple has effectively exited the server business with the most recent release of macOS Server.app.


For its traditional uses, macOS with Server.app is dead with the most current release, and an MDM management package of the same name has replaced it.


If you’re required to implement macOS throughout, then you’re headed toward the deep end of the pool, and a very expensive bespoke solution. This is if you’re going to implement and then long-term maintain and patch to current your own version of server on macOS. This is possible, but—having done this for many years on another platform—keeping your own custom server distro gets... old. And gets expensive in terms of your time and troubleshooting skills, particularly if you’re inclined to keep current and patched, as those upgrades aren’t always compatible, and you’re probably going to be cross-linking among these packages.


OD was and still remains one of the few components of the new MDM-focused Server.app product. So there’s that, if you go OD.


macOS does support file shares, without requiring Server.app. It’ll work, but Macs make expensive file servers, and faster-than-GbE NICs are only very recently an option.


A NAS box from Synology or any of the other vendors will probably solve most or all of your requirements, for storage and, among the various plug-ins available for Synology, mail, directory services, etc.


There are some macOS add-ons that make for easier AD connections. NoMAD is one.


Given my druthers, I’d likely look at Azure AD and not local AD nor local OD, as I’d really prefer to avoid maintaining and securing any AD. I’d host it.


I’d likely also look to host the mail, both to offload (most of) the hassles of the mail server, and to deal with the spam and the scams.


I’d likely also host web content, just to avoid having to keep local network traffic and local clients and servers isolated from DMZ traffic. Don’t link your internet-facing “public“ services and your internal network services, as one breach there makes for a Very Bad Day. Isolate, DMZ it, or host it.


Search targets: Dzengis TreeRig, Synology add-on packages, NoMAD (now at JAMF), Azure AD, the MacEnterprise mailing list and its archives, maybe the macadmins slack, Ubiquiti APs, ZyXEL ZYWALL USG series firewalls (embedded VPN servers, etc.) and probably a few other details.

Nov 20, 2018 10:29 AM in response to MrHoffman

My original reply didn't seem to have posted... but thank you for the wealth of information!


I've managed to convince my client that Windows machines will be better for the average employee, and the use of Azure AD will allow me to control users and user groups as much as I can given it's more of an MDM as opposed to a dedicated GPO. This will reduce the upfront equipment cost by a huge margin!


Email and website will all be hosted either through my account with Inmotion Hosting or another alternative if someone else is chosen to create the page.


What am I looking at in terms of redundancies and data backup running a Synology unit? Would I consider a second unit to act as a clone, or is there a reputable cloud service that can handle and back up automatically?
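Whichever redundancy you pick (a second Synology as a replica, a cloud copy, or both), the check that matters is that the copy actually matches the source and can be restored. The following script is an added example, not code from this thread or from Synology: it hashes every file in a source tree and a backup tree with SHA-256 and reports what is missing, extra, or changed. The "home_drive" and "nas_replica" directories and their files are constructed inside a temporary directory for the demo; in practice you would point it at the mounted share and at the mounted replica after each backup job.

```python
"""Backup consistency check (added example; directory names and files are constructed).

Walks a source tree and a backup tree, hashes each regular file with SHA-256, and
reports files missing from the backup, extra in the backup (deleted from the source
since the last sync), or whose content differs (stale copy or silent corruption).
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each regular file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # symlinks and special files are not content to compare
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_backup(source: Path, backup: Path) -> Dict[str, List[str]]:
    """Return the differences between a source tree and its backup copy."""
    src = hash_tree(source)
    bak = hash_tree(backup)
    return {
        "missing": sorted(p for p in src if p not in bak),
        "extra": sorted(p for p in bak if p not in src),
        "changed": sorted(p for p in src if p in bak and src[p] != bak[p]),
    }


def backup_is_consistent(report: Dict[str, List[str]]) -> bool:
    """True only when no file is missing, extra, or changed."""
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Build a constructed source/replica pair with three deliberate faults and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "home_drive"   # constructed stand-in for the file server share
        backup = Path(tmp) / "nas_replica"  # constructed stand-in for the second NAS / cloud copy
        for root in (source, backup):
            (root / "alice").mkdir(parents=True)
            (root / "bob").mkdir(parents=True)
        # identical on both sides
        (source / "alice" / "q3.txt").write_bytes(b"quarterly numbers")
        (backup / "alice" / "q3.txt").write_bytes(b"quarterly numbers")
        # present on both sides but different content (stale or corrupted copy)
        (source / "bob" / "contract.txt").write_bytes(b"signed")
        (backup / "bob" / "contract.txt").write_bytes(b"signe")
        # never reached the backup
        (source / "alice" / "notes.txt").write_bytes(b"todo")
        # deleted from the source after the last sync, still in the backup
        (backup / "bob" / "old.txt").write_bytes(b"stale")
        return compare_backup(source, backup)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}: {p}")
    print("consistent" if backup_is_consistent(result) else "INCONSISTENT")
```

Run it from cron on a machine that can see both mounts and alert on any non-empty category; "extra" files deserve a look too, because for your retention requirement a file that vanished from the source but survives only in the replica is exactly the kind of thing you want to know about before the replica is overwritten.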

