Will OS X Lion roar in the enterprise?
Since its release on July 20, Apple’s newest version of OS X, known as Lion, has been bought, downloaded and installed by more than 1 million users. As an operating system, it represents a new paradigm: Apple’s desktop platform is becoming more iOS-like. To date, most of the focus has been on new features like gestures, Mission Control, the new download-based install process, and user interface tweaks that are the biggest since the OS X public beta was introduced in 2000.
But what about Lion in the workplace? Certainly, it should appeal to small firms. But a growing number of companies have a large-scale installed base of Macs.
Here’s a look at how Lion will affect the existing processes at those organizations and what companies considering a big Mac investment should keep in mind.
The first question any new technology poses in larger environments is how to roll it out effectively and efficiently. Most organizations have long-entrenched deployment processes for things like operating systems, applications and software updates that are network-based.
Like Windows PCs, Macs and Mac software are often deployed using mass imaging tools and/or programs that install/update OS components, individual apps and any other files that need to be changed. As with past OS X releases, Apple provides applications such as Apple Software Restore with every Lion install, as well as more specialized network tools like NetInstall and NetRestore with Lion Server, for accomplishing these goals. Third-party options such as the open-source Deploy Studio are also available to roll out Lion—and they also support Windows deployment.
The actual deployment of Lion is no different than Snow Leopard or earlier Mac OS X versions, except Lion must be purchased and downloaded using the Mac App Store. Once the Install Mac OS X app is downloaded, IT shops can use it to configure systems that can be captured in a disk image snapshot and rolled out with an image-based deployment. Or IT staffers can use the app as the source for a NetInstall image using Apple’s Lion Server to create a generic install process. Obviously, companies must purchase an appropriate number of licenses for Lion from Apple.
Note: Apple will make Lion available on a flash drive for $69 later this month, which offers another way for companies to get the OS. But that option wouldn’t scale for large-scale Mac deployments, given the cost.
Troubleshooting and redeploying
Deploying Lion may not be that much different, but what about dealing with problems? Apple has designed Lion with a lot of self-recovery capabilities, with the big one being that Lion creates a recovery partition during the installation process that a Mac can boot from if there is a serious OS failure and from which Lion can be reinstalled. This is good news for consumers, but systems administrators and techs are likely to have some trepidation about it.
There appears to be no way to prevent the installation of the recovery partition. That in itself isn’t a bad thing (and the recovery partition is needed for Apple’s FileVault 2 whole-disk encryption). But having a Mac boot disk built in could confuse casual users and might even prompt them to try their own reinstallation before calling the help desk. User education is key if this is a concern. And for remote users, having the Recovery HD partition might even be helpful if sending support staff isn’t an option.
Desktop support techs may find the recovery partition helpful, since it contains a number of basic troubleshooting options, but they should still keep their own set of troubleshooting and recovery tools. If Lion needs to be reinstalled, the better approach is likely to be to redeploy it using the same methods used initially. Redeployment (wiping and re-imaging a disk and/or reinstalling software packages) from a known good source offers uniformity with other systems for future troubleshooting and will likely be quicker than extensive troubleshooting.
Overall, as with deployment, this isn’t an area where Lion has really changed the game.
AirDrop for sharing and collaboration?
AirDrop, on the other hand, has game-changing potential, with an emphasis on the word potential. One task that systems administrators often get saddled with is helping workers share data. This can mean anything from creating and managing permissions on network shares to configuring internal or external cloud solutions to supporting email/chat services to trying to lock down flash drives—or at least prevent malware from coming in on them.
AirDrop makes it easy for users to share files wirelessly—over a TLS-encrypted, firewalled peer-to-peer connection—without any back-end support. That means more user empowerment, less IT involvement and better data security than that offered by flash drives or public cloud services like Dropbox.
The problem is that AirDrop’s overall usefulness breaks down quickly in most environments. First off, Macs are typically a minority population at most companies—and Lion may not be supported or deployed to that already small group. That makes it a novel solution usable for a handful of staff and/or departments at best.
A second limitation is that AirDrop functions on a completely ad-hoc basis with Lion-equipped AirDrop-capable Macs locating each other by proximity rather than over a corporate network. As long as two Macs are within range of each other’s Wi-Fi hardware, they can establish an AirDrop connection, regardless of what, if any, network they’re using. This makes AirDrop suitable only for short-range file-sharing—a tool that’s limited when compared to network file shares, cloud storage, and even email.
A final concern is that AirDrop is completely beyond the control of any network or systems administrator. While it may be an overall secure solution, its use could violate internal security policies or government-mandated privacy and security regulations.
As much as I’d like to call AirDrop a major advance for OS X in the enterprise, it really isn’t at this point. In small business and education, I think it has a lot of potential, but unless Apple opens it to other platforms and/or offers to scale it up (perhaps by integration with other technologies like Active Directory or Windows DFS) its real use in the enterprise is likely to be limited.
Is Versions a good thing?
Versions and its companion Auto Save are great features in Lion. Although not enterprise-oriented, they certainly speak to the age-old help desk calls of “XYZ crashed while I was working on this document and I lost everything…” and “I deleted a bunch of content in XYZ and I need to get it back if I can.” That Versions is a big advantage to Lion is without question. But does it create any particular storage concerns for businesses?
Apple built Versions using much the same approach as its Time Machine backup app. All versions of a file exist within that file, meaning you need not fear multiple iterations of the same file popping up on local, network or removable storage.
What about file size? As with Time Machine, an entire copy of the file isn’t stored for each separate version. The file system notes the specific data in the file that has changed each time Auto Save is triggered (which appears to be with almost any change to a document’s contents as well as when it’s opened or closed). As a result, the final file may be slightly larger if notable amounts of content have been trimmed between one version and the finished product since the trimmed data will still be included. Most times, the difference won’t be significant.
In this case, Versions has the potential to be a real aid for end users—as long as support personnel are familiar with the feature and can walk users through it—making it a plus for the enterprise. The only real downside may be that users will assume this feature is supported by every application. It’s not. Third-party apps will have to be updated to take advantage of the feature.
An important issue for Macs in most enterprises is how well they integrate with Microsoft’s Active Directory (AD) service and Exchange environment. Apple has been building some level of AD support into OS X for more than a decade; Lion continues that tradition. In fact, Lion expands support somewhat when it comes to multi-domain forests—including full support for users with identical account names in different domains within the same forest—and with improved site and subnet support when choosing which domain controllers and global catalogs to rely on.
Exchange support has improved, particularly in that multiple Exchange accounts are now supported by Apple’s default Mail, Address Book and iCal applications. Also supported are several server-side actions, most notably the ability to configure out-of-office auto-responses, though there are still some limitations when it comes to features like personal folders.
As with past releases, it’s worth noting that while Apple has done a very solid job with Active Directory support, there are also third-party tools available, including those from Thursby, Centrify, and BeyondTrust (formerly LikeWise) that offer further AD integration, including client management (more about this in a minute) and DFS browsing.
Smart card support is now deprecated
Apple has always been big on supporting functions needed by government agencies such as the U.S. Department of Defense in OS X. The use of smart cards as a two-factor form of authentication is particularly big in these sectors, and OS X has supported the technology for more than a decade.
Lion still allows this technology to be used, but deprecates its support. It seems clear that enterprises requiring smart cards will need to rely on third-party companies like Thursby and Centrify (both of which offer support in their AD-related products).
Third-party accounts now standard
One of the areas where Apple has practically picked up an iOS screen and plopped it wholesale into Lion is the Mail, Contacts & Calendars pane in System Preferences. This makes it easy for users to configure third-party accounts available from a range of providers including Apple (MobileMe/iCloud), Google, Yahoo and AOL, as well as Exchange, IMAP/POP, CalDAV, CardDAV, and LDAP accounts.
As users configure each account, they can add support for the email, contacts, calendar and chat features offered by each provider. Lion automatically configures the accounts in the appropriate client applications.
While it doesn’t introduce capabilities that weren’t already available in earlier versions of OS X, it does offer one-stop shopping for the services—some of which organizations might prefer users avoid for security reasons. If that is a concern, the best option is to disallow access to this preference pane using client management, or to disallow access to the associated applications.
Apple ratchets up security
Apple has always had some under-the-hood security features in OS X. Technologies such as file quarantine and code signing in Leopard and Snow Leopard allowed the operating system to warn users about apps downloaded from the Internet and verify that the apps hadn’t been modified in the background. Apple has beefed up security in Lion with built-in malware detection, true application sandboxing and address space layout randomization.
Beyond those advances, Lion introduces FileVault 2, an extension to the existing file encryption capabilities of earlier releases. Past OS X versions allowed users to encrypt the contents of their home folders using FileVault, which stored user home directories as encrypted disk images.
FileVault 2 adds whole-disk encryption for boot and non-boot volumes, and has a lot of potential for securing mobile Macs. It relies on standard AES 128- or 256-bit encryption. Alone, that isn’t particularly impressive, but when tied with Apple’s new Profile Manager or Apple’s forthcoming iCloud service, it becomes possible to remotely wipe the encryption key from a lost or stolen Mac with a single push notification. That effectively prevents someone from decrypting data stored on the device. It’s particularly useful given the bring-your-own-device policies companies are increasingly adopting.
Client management has always been a component of OS X. Apple’s existing Managed Preferences architecture (often abbreviated as MCX) allows administrators to use OS X Server, Active Directory with Apple-specific schema extensions, or third-party tools to restrict access to virtually any application, command or system component. It’s also been used to pre-configure any portion of the OS X user interface or settings for any application that follows Apple’s development guidelines.
While Apple continues to support all the existing OS X client management options in Lion, the company has introduced a new feature in Lion Server known as Profile Manager. Profile Manager is an extension of the iPhone Configuration Utility and iOS configuration profiles from past OS X releases and is a complete iOS-specific mobile device management tool. (It comes at a fraction of the cost of broader options on the market.)
Apple basically expanded Profile Manager beyond its iOS roots to serve as a client management tool in Lion Server. Using it, with or without other Lion Server features or a service like Active Directory, admins can define a powerful set of configuration options for Lion as well as a slate of user restrictions.
End users can enroll their Macs using a Web interface or administrators can define enrollment as part of the deployment process. Administrators can update managed settings at any time and have those changes propagate to clients via a push notification, regardless of whether the device is online when the change is made.
Client management isn’t new (for either Macs or IT), but the ability to enact it without requiring a central directory system is a novel concept. The ease and simplicity certainly have an appeal for small and medium-sized organizations, but it also offers some new options for larger enterprises — particularly in that permissions on a central directory aren’t needed to implement it or to make changes. This can simplify the setup of management policies, reduce the cost of managing Macs to $79 — the cost of Lion plus Lion Server — and even move some of the management burden off IT and onto individual departments or managers. The self-enrollment option allows employee-owned hardware to be managed without binding the devices to a directory or even requiring IT to configure them.
As the role of IT continues to evolve and support for employee-owned devices becomes more prevalent, Lion Server’s Profile Manager looks like a worthy investment.
The Mac App Store and software licensing
One of the big complaints about Apple’s iPhone and iPad in business is that the devices are tied to a user’s iTunes account for activation as well as for purchasing and installing apps. With Apple moving to an App Store model with Lion, there’s bound to be hesitation about how this will play out in business.
So far, it’s too early to tell how the Mac App Store will affect larger organizations. As it stands now, the App Store is one option for purchasing software, but it is decidedly consumer-focused. Given that Lion supports the same set of deployment options as earlier OS X versions, this doesn’t seem like an immediate concern. Organizations can continue to volume and site license most software directly with manufacturers or vendors, side-stepping the App Store completely. Microsoft’s Office for Mac isn’t even available via the App Store.
The exception, of course, is Lion itself and other Apple software titles: iLife, iWork, Aperture, Final Cut Pro X, Motion, Compressor and Apple Remote Desktop. In these cases, businesses can make volume purchases from Apple and receive redemption codes for the Mac App Store. Those apps can be deployed using conventional techniques or installed on individual Macs via the App Store using those redemption codes.
Apple has also recently begun to allow volume licensing of iOS apps for businesses using a similar model; redemption codes are distributed to employees. I wouldn’t be surprised to see Apple extend that model to third-party software in the near future.
For now, outside of Apple software or applications from small developers whose only presence is in the Mac App Store, IT will have a choice of using the App Store or sticking with conventional ways of installing software on users’ hardware.
Screen sharing and virtualization
Since the introduction of Leopard in 2007, OS X has supported screen sharing. Lion now allows simultaneous user sessions, both local and remote. In theory, this could allow the equivalent of a Mac terminal server, although Apple has forbidden that in its end user license agreement. The multiple user session capability could be used for remote support in which a help desk agent could log into a Mac using an admin account while a user is logged in with a more limited account. In practice, however, organizations are better off using more robust remote access and management tools.
Lion also is the first release to support virtualizing OS X itself. This has some potential for developers and users who need to test how their apps will work on virtualized OSes. Not surprisingly, Lion can be virtualized only on Apple hardware and a given Mac can run only two virtualized instances of Lion. Right now, no Mac virtualization software supports running Lion in a VM.
New options for policy banner at login
One change in Lion is that the login screen now sports a full-screen tweed-patterned background with a login dialog. This means that some of the previous ways of customizing the login screen have changed.
Probably the biggest customization any organization makes is to display an acceptable-use policy, ideally requiring users to read and acknowledge it before they can log in. Apple has now built this ability into Lion (including the acknowledgement requirement). Simply place a text or rich-text file into the /Library/Security/ directory on the startup drive. No special tricks, hacks or client management tools are required.
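As an added example (not from the article or from Apple), here is a small POSIX shell helper that installs such a banner the way a deployment script might. The article only says the file goes in /Library/Security/; the file names PolicyBanner.txt and PolicyBanner.rtf follow Apple's documented convention for that directory and are an assumption on my part, as is the sample banner text, which is constructed for the example. The target directory is a parameter so the helper can be exercised against a scratch directory before it is run as root on a real Mac.

```shell
#!/bin/sh
# Added example: install an acceptable-use policy banner for the Lion login window.
# Assumption: Lion looks for PolicyBanner.txt or PolicyBanner.rtf in
# /Library/Security/ (the article names only the directory).
# Usage: install_policy_banner <source-file> [target-dir]
# Prints the installed path on success; returns non-zero on any failure.
install_policy_banner() {
    src="$1"
    dir="${2:-/Library/Security}"

    # Refuse missing or empty sources so a bad build never silently removes
    # the banner users are expected to acknowledge.
    [ -s "$src" ] || { echo "banner source '$src' missing or empty" >&2; return 1; }

    # Only plain text and RTF are accepted; pick the matching target name.
    case "$src" in
        *.rtf) name="PolicyBanner.rtf" ;;
        *.txt) name="PolicyBanner.txt" ;;
        *) echo "banner must be a .txt or .rtf file" >&2; return 1 ;;
    esac

    mkdir -p "$dir" || return 1
    cp "$src" "$dir/$name" || return 1

    # The login window only needs to read the file; world-readable but
    # owner-writable keeps ordinary users from editing the policy text.
    chmod 644 "$dir/$name" || return 1

    # root:wheel matches the rest of /Library. chown needs root, so it is
    # allowed to fail when the helper is exercised against a scratch directory.
    chown root:wheel "$dir/$name" 2>/dev/null || true

    echo "$dir/$name"
}

# Constructed sample banner text, written to a temporary file so the helper
# can be run without any real policy document on hand.
make_sample_banner() {
    tmp="${TMPDIR:-/tmp}/policy_banner_sample.txt"
    printf 'This system is for authorized use only.\nActivity may be monitored and recorded.\n' > "$tmp"
    echo "$tmp"
}
```

On a real deployment the call would simply be `install_policy_banner /path/to/banner.rtf` run as root; the banner appears at the next login. Keeping the install logic in a function makes it easy to drop into a post-imaging script alongside the other first-boot configuration.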
User training and guidance
Providing training and education to both end users and support staff is a critical part of any upgrade or migration. Since Lion changes many long-standing areas of the Mac user interface, this is a particular concern for organizations that will be upgrading.
Providing basic user guidelines, a transition guide or an internal Web page or email with information about Lion is a must. It will help users make the transition more easily. And, of course, it’s critical that support staff are familiar with Lion in general, as well as with how to troubleshoot any problems that arise.
Overall, is Lion good for the enterprise?
There’s no doubt that Lion offers a unique update compared to past Mac OS X releases; it almost certainly represents the future of computing in many ways. Gestures will be used more and more to navigate through the OS and individual apps. Features like Versions and FileVault 2 offer increased data protection and security. And Mac users (old and new) have an interesting new set of interface options that should allow them to work in a manner that best suits them. All of those things (along with the evolutionary bumps to enterprise features like multiple Exchange account support) are benefits to users and businesses large and small.
Despite all the changes, Lion itself doesn’t have to be a huge burden in terms of new enterprise processes. For organizations just now considering the Mac, Lion offers a broader set of initial testing and deployment options, particularly when it comes to client management. Those are good things in terms of fitting Macs into an organization — and they’re well worth consideration by companies already using Macs.
Overall, however, the OS itself may seem more evolutionary than revolutionary to IT. There are lots of useful updates and changes, but nothing that’s a show-stopper.
Lion Server, on the other hand, has undergone a massive transformation. I’ll be offering an in-depth look at it soon.
[Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues.]