Since its release on July 20, Apple’s newest version of OS X, known as Lion, has been bought, downloaded and installed by more than 1 million users. As an operating system, it represents a new paradigm: Apple’s desktop platform is becoming more iOS-like. To date, most of the focus has been on new features like gestures, Mission Control, the new download-based install process, and user interface tweaks that are the biggest since the OS X public beta was introduced in 2000.
But what about Lion in the workplace? Certainly, it should appeal to small firms. But a growing number of companies have a large-scale installed base of Macs.
Here’s a look at how Lion will affect the existing processes at those organizations and what companies considering a big Mac investment should keep in mind.
The first question any new technology poses in larger environments is how to roll it out effectively and efficiently. Most organizations have long-entrenched deployment processes for things like operating systems, applications and software updates that are network-based.
Like Windows PCs, Macs and Mac software are often deployed using mass imaging tools and/or programs that install or update OS components, individual apps and any other files that need to be changed. As with past OS X releases, Apple provides applications such as Apple Software Restore (asr) with every Lion install, as well as more specialized network tools like NetInstall and NetRestore with Lion Server, for accomplishing these goals. Third-party options such as the open-source DeployStudio are also available to roll out Lion, and they support Windows deployment too.
The actual deployment of Lion is no different than Snow Leopard or earlier Mac OS X versions, except Lion must be purchased and downloaded using the Mac App Store. Once the Install Mac OS X app is downloaded, IT shops can use it to configure systems that can be captured in a disk image snapshot and rolled out with an image-based deployment. Or IT staffers can use the app as the source for a NetInstall image using Apple’s Lion Server to create a generic install process. Obviously, companies must purchase an appropriate number of licenses for Lion from Apple.
Note: Apple will make Lion available on a flash drive for $69 later this month, which offers another way for companies to get the OS. But that option won't scale for large Mac deployments, given the cost.
Troubleshooting and redeploying
Deploying Lion may not be that much different, but what about dealing with problems? Apple has designed Lion with a lot of self-recovery capabilities, with the big one being that Lion creates a recovery partition during the installation process that a Mac can boot from if there is a serious OS failure and from which Lion can be reinstalled. This is good news for consumers, but systems administrators and techs are likely to have some trepidation about it.
There appears to be no way to prevent the installation of the recovery partition. That in itself isn't a bad thing (and the recovery partition is required by Apple's FileVault 2 whole-disk encryption). But having a bootable recovery disk built in could confuse casual users and might even prompt them to try their own reinstallation before calling the help desk. User education is key if this is a concern. For remote users, on the other hand, the Recovery HD partition may be genuinely helpful when sending support staff isn't an option.
Desktop support techs may find the recovery partition helpful, since it contains a number of basic troubleshooting options, but they should still keep their own set of troubleshooting and recovery tools. If Lion needs to be reinstalled, the better approach is likely to be to redeploy it using the same methods used initially. Redeployment (wiping and re-imaging a disk and/or reinstalling software packages) from a known good source offers uniformity with other systems for future troubleshooting and will likely be quicker than extensive troubleshooting.
Overall, as with deployment, this isn’t an area where Lion has really changed the game.
AirDrop for sharing and collaboration?
AirDrop, on the other hand, has game-changing potential, with an emphasis on the word potential. One task that systems administrators often get saddled with is helping workers share data. This can mean anything from creating and managing permissions on network shares to configuring internal or external cloud solutions to supporting email/chat services to trying to lock down flash drives—or at least prevent malware from coming in on them.
AirDrop makes it easy for users to share files wirelessly, over a TLS-encrypted, firewalled peer-to-peer connection, without any back-end support. That means more user empowerment, less IT involvement and, for the transfer itself, better data security than flash drives or public cloud services like Dropbox offer.
The problem is that AirDrop’s overall usefulness breaks down quickly in most environments. First off, Macs are typically a minority population at most companies—and Lion may not be supported or deployed to that already small group. That makes it a novel solution usable for a handful of staff and/or departments at best.
A second limitation is that AirDrop functions on a completely ad-hoc basis with Lion-equipped AirDrop-capable Macs locating each other by proximity rather than over a corporate network. As long as two Macs are within range of each other’s Wi-Fi hardware, they can establish an AirDrop connection, regardless of what, if any, network they’re using. This makes AirDrop suitable only for short-range file-sharing—a tool that’s limited when compared to network file shares, cloud storage, and even email.
A final concern is that AirDrop is completely beyond the control of any network or systems administrator. While it may be an overall secure solution, its use could violate internal security policies or government-mandated privacy and security regulations.
As much as I’d like to call AirDrop a major advance for OS X in the enterprise, it really isn’t at this point. In small business and education, I think it has a lot of potential, but unless Apple opens it to other platforms and/or offers to scale it up (perhaps by integration with other technologies like Active Directory or Windows DFS) its real use in the enterprise is likely to be limited.
Is Versions a good thing?
Versions and its companion Auto Save are great features in Lion. Although not enterprise-oriented, they certainly speak to the age-old help desk calls of “XYZ crashed while I was working on this document and I lost everything…” and “I deleted a bunch of content in XYZ and I need to get it back if I can.” That Versions is a big advantage to Lion is without question. But does it create any particular storage concerns for businesses?
Apple built Versions along the same lines as its Time Machine backup app. Rather than saving a complete copy of the file each time, the system records only the data that changed since the previous version, and it keeps that history in a hidden per-volume store (the /.DocumentRevisions-V100 directory at the root of the volume holding the document), not inside the document itself. So you need not fear multiple iterations of the same file popping up on local, network or removable storage: a document stays a single file, and its history does not follow it when it is copied to another volume.
What about file size? Because only changed data is recorded each time Auto Save is triggered (which appears to be with almost any change to a document's contents, as well as when it's opened or closed), the overhead is usually small. It grows when notable amounts of content are added and then trimmed between one version and the finished product, since the trimmed data stays in the version store. That is also the caveat worth passing on to security and compliance staff: material deleted from a document remains recoverable from its older versions on that volume, so removing a sensitive paragraph and saving does not mean it is gone from the Mac.
In this case, Versions has the potential to be a real aid for end users—as long as support personnel are familiar with the feature and can walk users through it—making it a plus for the enterprise. The only real downside may be that users will assume this feature is supported by every application. It’s not. Third-party apps will have to be updated to take advantage of the feature.
An important issue for Macs in most enterprises is how well they integrate with Microsoft’s Active Directory (AD) service and Exchange environment. Apple has been building some level of AD support into OS X for more than a decade; Lion continues that tradition. In fact, Lion expands support somewhat when it comes to multi-domain forests—including full support for users with identical account names in different domains within the same forest—and with improved site and subnet support when choosing which domain controllers and global catalogs to rely on.
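To show what the forest-wide namespace and site-aware domain controller selection mean in practice, here is an added example of binding a Lion client to Active Directory with the built-in `dsconfigad` tool. It is not code from the article or from Apple; the domain, OU and join-account names are placeholders, and the option list is one reasonable hardened baseline rather than Apple's recommendation.

```shell
#!/bin/sh
# Added example (not from the article): bind a Lion Mac to Active Directory
# with dsconfigad, using hardened directory-traffic settings and the
# forest-wide namespace that lets same-named accounts in different domains
# coexist. Domain, OU and account names are placeholders.
set -eu

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"                                  # assumption
AD_OU="${AD_OU:-OU=Macs,OU=Workstations,DC=corp,DC=example,DC=com}"         # assumption
AD_JOIN_USER="${AD_JOIN_USER:-macjoin}"                                      # assumption: delegated join account

# Computer objects are NetBIOS names: 1-15 characters, letters, digits and
# hyphens, not starting with a hyphen. Reject anything else up front rather
# than debugging a truncated or duplicate computer object later.
valid_computer_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
        -*)              return 1 ;;
    esac
    return 0
}

# Post-bind options, one per line, so they can be reviewed as data.
hardening_options() {
    cat <<'EOF'
-packetsign require
-packetencrypt require
-passinterval 14
-namespace forest
-alldomains enable
-mobile disable
EOF
}
# -packetsign/-packetencrypt require: refuse unsigned or cleartext LDAP traffic
#   to the domain controllers.
# -passinterval 14: rotate the machine account password every 14 days
#   (the default, stated explicitly so a policy audit can see it).
# -namespace forest: users are identified as DOMAIN\user, so identical
#   account names in different domains of the forest do not collide.
# -alldomains enable: accept logins from any domain in the forest.
# -mobile disable: no cached mobile accounts on shared desktops; set this to
#   enable for laptops that must log in off the network.

bind_mac() {
    computer=$1
    valid_computer_name "$computer" || { echo "invalid computer name: $computer" >&2; return 1; }
    # The join password is deliberately not passed with -password; dsconfigad
    # prompts for it, keeping the credential out of the process list and
    # shell history.
    dsconfigad -add "$AD_DOMAIN" -computer "$computer" -username "$AD_JOIN_USER" -ou "$AD_OU"
    # Word splitting of the option list is intentional here.
    dsconfigad $(hardening_options | tr '\n' ' ')
    dsconfigad -show
}

# Usage: ./bind.sh MAC-FIN-0123   (run as root)
if [ "$#" -gt 0 ]; then
    bind_mac "$1"
fi
```

Note that no `-preferred` server is set: Lion's improved site and subnet awareness is what picks a nearby domain controller and global catalog, and pinning one with `-preferred` overrides that. Reach for it only when a specific DC must be used, for example in a segregated lab network.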
Exchange support has improved, particularly in that multiple Exchange accounts are now supported by Apple’s default Mail, Address Book and iCal applications. Also supported are several server-side actions, most notably the ability to configure out-of-office auto-responses, though there are still some limitations when it comes to features like personal folders.
As with past releases, it's worth noting that while Apple has done a very solid job with Active Directory support, there are also third-party tools available, including those from Thursby, Centrify, and BeyondTrust (formerly Likewise), that offer further AD integration, including client management (more about this in a minute) and DFS browsing.
Smart card support is now deprecated
Apple has always been big on supporting functions needed by government agencies such as the U.S. Department of Defense in OS X. The use of smart cards as a two-factor form of authentication is particularly big in these sectors, and OS X has supported the technology for more than a decade.
Lion still allows this technology to be used, but deprecates its support. It seems clear that enterprises requiring smart cards will need to rely on third-party companies like Thursby and Centrify (both of which offer support in their AD-related products).
Third-party accounts now standard
One of the areas where Apple has practically picked up an iOS screen and plopped it wholesale into Lion is the Mail, Contacts & Calendars pane in System Preferences. It makes it easy for users to configure accounts from a range of providers including Apple (MobileMe/iCloud), Google, Yahoo and AOL, as well as Exchange, IMAP/POP, CalDAV, CardDAV and LDAP accounts.
As users configure each account, they can add support for the email, contacts, calendar and chat features offered by each provider. Lion automatically configures the accounts in the appropriate client applications.
While it doesn't introduce capabilities that weren't already available in earlier versions of OS X, it does offer one-stop shopping for these services, some of which organizations might prefer users avoid for security reasons. If so, the best option is to disallow access to this preference pane using client management, or to disallow access to the associated applications.
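One way to disallow the pane through client management is a configuration profile carrying the same `DisabledPreferencePanes` key that MCX has long used. The script below is an added example, not code from the article or from Apple: it writes such a profile and installs it with Lion's `profiles` command. The pane's bundle identifier (com.apple.preferences.internetaccounts), the organization name and the payload identifier are assumptions and should be checked against your own build.

```shell
#!/bin/sh
# Added example (not from the article): generate a configuration profile that
# disables the Mail, Contacts & Calendars preference pane and install it with
# Lion's /usr/bin/profiles. The pane bundle ID, organization and payload
# identifier are assumptions.
set -eu

PANE_ID="${PANE_ID:-com.apple.preferences.internetaccounts}"      # assumption
ORG="${ORG:-Example Corp IT}"                                      # assumption
PROFILE_ID="${PROFILE_ID:-com.example.disable-internetaccounts}"  # assumption

# uuidgen exists on macOS; the fixed value is only a placeholder elsewhere.
new_uuid() {
    uuidgen 2>/dev/null || echo "00000000-0000-0000-0000-000000000001"
}

# Write a .mobileconfig whose single payload applies the
# com.apple.systempreferences / DisabledPreferencePanes setting system-wide.
write_profile() {
    out=$1
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.systempreferences</string>
      <key>PayloadIdentifier</key><string>${PROFILE_ID}.panes</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>DisabledPreferencePanes</key>
      <array><string>${PANE_ID}</string></array>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Disable Mail, Contacts &amp; Calendars pane</string>
  <key>PayloadIdentifier</key><string>${PROFILE_ID}</string>
  <key>PayloadOrganization</key><string>${ORG}</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Check, without needing a Mac, that a generated profile disables the given
# pane through a com.apple.systempreferences payload.
profile_disables_pane() {
    grep -q "<string>$2</string>" "$1" && grep -q 'com.apple.systempreferences' "$1"
}

# Lion ships /usr/bin/profiles; -I installs the file named by -F. Requires root.
install_profile() {
    profiles -I -F "$1"
}

# Usage: ./disable-pane.sh /tmp/disable-internetaccounts.mobileconfig
if [ "$#" -gt 0 ]; then
    write_profile "$1"
    install_profile "$1"
fi
```

Hiding the pane stops users from adding accounts through it, not from pointing Mail or iCal at a consumer service by hand; if the policy is that those services are off limits, pair this with a restriction on the applications themselves, as the text suggests.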
Apple ratchets up security
Apple has always had some under-the-hood security features in OS X. Technologies such as File Quarantine and code signing in Leopard and Snow Leopard let the operating system warn users about apps downloaded from the Internet and verify that a signed app hadn't been modified since it was signed. Apple has beefed up security in Lion with automatically updated malware definitions for the quarantine checks, application sandboxing and full address space layout randomization.
Beyond those advances, Lion introduces FileVault 2, an extension to the existing file encryption capabilities of earlier releases. Past OS X versions allowed users to encrypt the contents of their home folders using FileVault, which stored user home directories as encrypted disk images.
FileVault 2 adds whole-disk encryption for boot and non-boot volumes, and has a lot of potential for securing mobile Macs. It relies on standard AES (XTS-AES-128 with a 256-bit key). Alone, that isn't particularly impressive, but when tied with Apple's new Profile Manager or Apple's forthcoming iCloud service, it becomes possible to remotely wipe the encryption key from a lost or stolen Mac with a single push notification. That effectively prevents someone from decrypting data stored on the device. One caveat: the wipe only lands if the enrolled Mac comes back online, so against a thief who keeps it off the network the protection is still the strength of the login passphrase and the safekeeping of the recovery key. It's particularly useful given the bring-your-own-device policies companies are increasingly adopting.
Client management has always been a component of OS X. Apple’s existing Managed Preferences architecture (often abbreviated as MCX) allows administrators to use OS X Server, Active Directory with Apple-specific schema extensions, or third-party tools to restrict access to virtually any application, command or system component. It’s also been used to pre-configure any portion of the OS X user interface or settings for any application that follows Apple’s development guidelines.
While Apple continues to support all the existing OS X client management options in Lion, the company has introduced a new feature in Lion Server known as Profile Manager. Profile Manager brings the configuration profile model of iOS (previously assembled by hand with the iPhone Configuration Utility) to the Mac, and doubles as a basic mobile device management tool for iOS devices and Lion clients alike. (It comes at a fraction of the cost of broader MDM options on the market.)