Operating systems

Apple and the enterprise: A complicated relationship

When Microsoft shipped Windows 2000 and Active Directory, Apple didn’t really have a solution for identity management or for linking Macs to an enterprise network. The company was just beginning the transition from its classic Mac OS—the first version of which had shipped on the first Mac in 1984—to OS X. Although Apple did ship a public beta of OS X in second half of the year, the final release didn’t arrive until March 2001.

The classic Mac OS was not for multi-user systems. It offered limited user account creation and management for file sharing between Macs, but there was no built-in mechanism for logging into an individual Mac—it booted right to the desktop, where you had full access to the entire file system and all installed software.

Apple did make a couple of attempts to create a multi-user system, however. In the early 1990s, the company shipped At Ease, which provided some multi-user support, first on a single Mac and later for multiple Macs on a network. But At Ease never gained much traction beyond some pockets of the education market for it which it seemed to be designed.

In planning the transition to the true multi-user environment of OS X, Apple added a modicum of multi-user functions in Mac OS 9 that allowed each Mac to support multiple users with basic file permissions, individual user settings and preferences, and limited account-based restrictions. Apple also created Macintosh Manager, which redirected Mac OS 9’s multi-user functions to a server-based data store and copied certain settings and configuration files from that data store to an individual Mac. It wasn’t really an enterprise-grade solution, even when incorporated into the first few releases of OS X Server, but it was a functional pre-OS X stop-gap.

Apple tries going it alone

Apple’s first real move toward enterprise functionality, including identity management, came with OS X and OS X Server. The first release of OS X was essentially the Unix-based core of NeXTStep with an Apple-inspired GUI on top of it. NeXT gave OS X solid enterprise bones right away, including support for local and network user accounts.

NeXTStep and the first releases of OS X and OS X Server relied on a proprietary user and client management system known as NetInfo. Functionally, NetInfo served many of the same roles as Active Directory. It allowed for centralized user and computer accounts and user authentication for access to network resources; worked with the file system to support a POSIX permissions model; and it could be used to define user settings and experience in the same way group policies do in Active Directory.

Although NetInfo worked and remained in the mix of Apple’s enterprise components for several years, it had some serious limitations. The biggest one: It was proprietary and didn’t integrate with other platforms.

The other achilles heel for NetInfo in early OS X releases was that it didn’t support directory server replication. That meant that either a single server had to support the enterprise identity functionality for an entire organization or multiple servers—each with a unique directory of users, computers and configuration data—had to be deployed. Even though it was possible for Macs to search for enterprise identity data across multiple servers, the process was far from the multi-master replication capabilities of Active Directory domain controllers.

The proprietary nature of NetInfo led Apple to sell a complete end-to-end solution to enterprise IT. Today, Apple is well known for its end-to-end approach to technology; in many ways, it’s been a winning strategy because it allows Apple to maximize profits and create a controlled ecosystem. It’s also the same strategy that allowed Apple to disrupt industries so effectively and deliver some of the most polished products on the market. iTunes, with its link to the iPod and iOS, is the greatest example of what Apple can achieve using it.

Apple didn’t have a lot of luck selling that end-to-end system to enterprise IT. Part of that was because of the proprietary nature of Apple’s solutions. But the company was also still pulling back from its near collapse in the mid-to-late 1990s. At the time, its market share was abysmally low and it was a complete outlier in virtually every business market.

Panther brings a new approach to enterprise

OS X Panther (and Panther Server) was one of the most important releases of OS X from an enterprise perspective. It rectified the limitations of NetInfo by introducing a broad-based solution for enterprise identity and directory services. It also added support for Active Directory. That represented a major shift in Apple’s strategy, as the company quietly acknowledged it couldn’t succeed in business without really offering support for existing enterprise systems.

Open Directory was technically a collection of directory and identity technologies that included NetInfo support, with a connection for legacy NetInfo server as well as for storing local accounts and records as well as an LDAP-based replacement for NetInfo’s proprietary data store. In practice, Open Directory became synonymous with Apple’s LDAP implementation; as that was integrated with Kerberos, it represented a replacement for NetInfo. In addition to being based on open standards, the Open Directory architecture included support for directory server replication. Even so, it remained a master/slave replication environment that was more like Windows NT’s use of a primary server and one or more backup servers than Active Directory.

The scalability advances, which continued to improve in later OS X and OS X Server releases, were only part of the advantage Apple gained by deprecating and eventually discontinuing NetInfo. The other was a move to open standards, including LDAP and Kerberos, the technologies at the foundation of Active Directory. As a result, Apple was able to offer Active Directory integration on Macs running Panther and later releases.

Out of the box the integration was pretty limited. Apple’s Active Directory plug-in for Open Directory only mapped three attributes for user account records (username, password, and home directory), but Apple offered three ways to deepen that integration: extend the Active Directory schema to include the new records and attributes used by Open Directory, map the Apple-defined records and attributes to existing but unused Active Directory counterparts, or use what was called the magic triangle. That involved Macs that were joined to the Active Directory domain for enterprise identity and user authentication and to an Open Directory domain for Mac client management.

Apple also allowed third-party companies to produce their own Open Directory plug-ins to support additional directory types like Novell’s eDirectory or provide new capabilities when using Active Directory. Centrify, an enterprise identity management developer, was one of the first companies to offer more powerful Active Directory integration. Its Direct Control for Mac, which is still on the market, allows Active Directory admins to manage Macs using group policies stored in Active Directory without modifying the schema. Group Policy options are available for virtually every Mac client and user management option available from Apple.

Leopard changes everything

2007 was a big year for Apple. It introduced the iPhone that summer and it OS X Leopard that fall. Leopard was among the most feature-packed OS X releases to come out of Apple and boasted more than 300 features and improvements. The most notable enterprise identity change in Leopard was that Apple finally phased out NetInfo, which was until then still used for storing local user accounts on Macs.

Leopard Server, on the other hand, included key features that would eventually determine Apple’s current place in the enterprise. The first was a new option for joining Macs and Mac servers to an Active Directory domain. To streamline Mac integration with Active Directory, Apple created a new type of Open Directory mechanism known as augmented records. It essentially simplified the magic triangle approach. A user’s Active Directory data still managed his or her enterprise identity and authentication, but Leopard Server could automatically include just the Apple-specified records needed for OS X Server services or client management. Everything else was passed to Active Directory.

snow leopard server

This streamlined approach was part of a new form of OS X Server setup and administration. For small organizations or Mac-centric workgroups at a large company, Apple introduced simplified management by way of a new tool called Server Preferences. It allowed users with limited technical skills to set up and manage a server running a subset of the most commonly used business services: file and printer sharing, email and chat, websites and wikis, backup and VPN access.

This approach showed that Apple was willing to work with existing enterprise technologies. Specifically, it showed that Apple was happy to leave enterprise identity in the hands of Active Directory. And it marked one of the first instances of Apple marketing an enterprise product, in this case, Leopard Server, directly to users rather than to IT shops. That approach has been viewed as fueling the success of iOS devices—and the BYOD trend—in business.

Though it wasn’t obvious at the time, Apple was also the beginning to refocus OS X Server as a small business solution rather than an enterprise server OS.

Subscribe to the MacWeek Newsletter

Comments