TOM KEMP'S CENTRIFY BLOG
Friday, February 8, 2008
Having recently blogged on how Wyeth Research migrated from Sun ONE Directory Server to using Active Directory and Centrify DirectControl as the underlying identity infrastructure for their UNIX and Linux servers (as well as naturally for their Windows infrastructure), I want to discuss in this blog post how one of our customers is integrating their large number of UNIX-based desktop systems with their Windows environment leveraging Centrify DirectControl.
As it relates to "UNIX on the desktop," we have a number of customers deploying our software for Ubuntu, SUSE and Red Hat desktops and workstations (we have not seen as of yet any specific trends in terms of particular industries or verticals doing this), and there are still customers out there running Solaris on engineering workstations (but more focused on a few vertical industries, namely pharmaceuticals and oil & gas, and some in defense). But from our customer base perspective, by far the largest deployments of "UNIX on the desktop" are on Apple's Mac OS X.
This echoes what IDC and other analyst groups are saying in terms of non-Windows desktop shipments, and Gartner is now predicting as one of the top 10 IT trends for 2008 that the Mac market share of the desktop market will double in the next few years. If the Gartner prediction is true, this means Apple's current 10+ million per year run rate of shipments would hit a run rate of 20+ million Macs per year in the next year or two, meaning Macs are bound to start making in-roads in enterprise organizations beyond their traditional strength in the publishing, entertainment and education vertical markets. This will in part be driven by IT savvy professionals and white collar workers who use the Mac for their home systems (undoubtedly hooking their iPod into it), and these "pro-sumers" will want to take the technology that makes them very productive at home into the office.
We are also seeing a growing trend of customers starting to run Windows- and OS X-based applications "side-by-side" on their underlying Macs via VMware or Parallels and are experiencing great performance, so the trend of desktop virtualization seems to be also driving further adoption of the Mac.
These inter-related trends mean that IT organizations can no longer ignore the Mac by telling Mac users "no, you can't put your Mac on the network" or "you are on your own if you do," but will have to start supporting these Macs and centrally managing and securing them. Given that Windows will continue for the foreseeable future to be the dominant desktop operating system even as Macs creep in, it behooves organizations to be able to leverage their existing Windows skill-set and Windows-based management tools to manage the Macs to get economies of scale as more and more Macs enter the enterprise.
Centrify DirectControl for Mac OS X is the ticket to address this growing requirement by enabling Active Directory-based authentication and access control for both PowerPC- and Intel-based Mac systems. DirectControl is also the first and most robust solution that enables IT managers to centrally secure and configure Mac systems through Active Directory Group Policy. Which means IT managers can streamline operations and strengthen security by establishing a single point of administration — Active Directory. And it means end-users gain single sign-on to their Macs through their Active Directory account.
So how are customers using DirectControl to manage their Macs within a Windows environment? We recently published a case study highlighting the Atlanta Journal-Constitution (AJC) that represents a great example of how one customer is using Active Directory and DirectControl to manage their Macs. As a bit of background, AJC is the only major daily newspaper serving metropolitan Atlanta and has the 16th largest newspaper distribution in the United States. AJC also operates the number-one local Web site in the Atlanta metropolitan area.
AJC clearly represents one of the vertical markets (publishing) that Apple has traditionally been strong in. AJC has approximately 1000 Macs and over 1000 Windows systems (the mix is approximately 40% Macs and 60% Windows from a desktop perspective), and they also have a nice sized UNIX and Linux server population that is deployed alongside Windows servers. In other words, a typical heterogeneous environment that Centrify sees every day.
Here was their thought process in considering Active Directory and DirectControl:
"The AJC chose to shift its Active Directory to a new domain in order to streamline integration with its parent company. This broad centralization of directory services in Active Directory added impetus to an ongoing review of the company's overall directory organization. At the time, the AJC's Macs were using Apple's Open Directory, while PCs were using Microsoft Active Directory. This increased overhead in several ways. It required two separate infrastructures in separate servers and backups to support separate directory services, and it increased administrative tasks by requiring parallel teams to manage and coordinate the separate approaches.
The transition to the new domain introduced other challenges. First, preserving parallel directories was not an option, nor was getting rid of the Macs. Second, when integrating the Macs into Active Directory, AJC managers wanted to synchronize home directories for the company's mobile users."
Apple of course provides a plug-in for Active Directory, but it has limitations and lacks functionality that DirectControl offers (e.g. Group Policy for Mac). Here is why AJC selected DirectControl:
"They looked at Apple's Active Directory client and Centrify DirectControl for Mac OS X to consolidate the Macs into Active Directory. Centrify DirectControl was appealing for several reasons. It enabled the complete integration of the Mac into Active Directory, and they could use the same administrative utilities to manage Macs as they did the Windows systems. DirectControl did not require any changes to the Active Directory schema, which reassured Active Directory administrators. And DirectControl's support for Group Policy enabled the AJC to use the familiar Windows utilities to assert the same level of configuration and strong password policy control over the Macs that they had over the PCs."
The install experience went well:
"The installation process went smoothly. Each Mac joined the Active Directory domain, and the users were immediately able to use their Active Directory credentials to access services. Using Group Policy, the Client Server team enforces a default configuration for Mac users, preventing them from installing unauthorized software or changing their network configuration."
And they like the support Centrify provides:
"The excellent support that we got from Centrify and the close collaboration between Apple and Centrify were key to the success of the project," Register noted.
Also, DirectControl's Group Policy for the Mac adds real value to managing their environment:
"By using Group Policy, the AJC is able to enforce simultaneous and uniform policies across all managed systems. The company is currently running policies for synchronizing documents, screen saver time-out password activation and strong log-on password standard requirements. Using the Group Policy capabilities, nearly every user's Desktop, Documents, Library and any files in the root of the home folder are synchronized with a local server at log-on, log-out, and at 45-minute intervals in the background."
In summary, Macs are here and not going away. And I think we will see more and more virtualized desktops where customers run VMware or Parallels and are running both Mac and Windows-based apps. So it makes sense to have a common authentication and policy management infrastructure in place for both environments that can leverage the investment that customers have made in managing their Windows infrastructure.
DirectControl is the solution to make that happen - we run laps around any solution for the Mac with over 175 Group Policies, rock solid Active Directory integration, support for portable home directories, integrated printing support, etc. In closing here is what AJC thinks:
"We've realized an array of efficiency gains: a simpler infrastructure and administration, streamlined training and reduced help desk calls. We now have better control of our Mac desktops without limiting the users' ability to do what they need to do. Centrify DirectControl helped simplify a directory migration challenge, and it continues to deliver benefits in efficiency and security."