Apple and the enterprise: A complicated relationship
- 21 August, 2013 10:59
When Microsoft shipped Windows 2000 and Active Directory, Apple didn't really have a solution for identity management or for linking Macs to an enterprise network. The company was just beginning the transition from its classic Mac OS -- the first version of which had shipped on the first Mac in 1984 -- to OS X. Although Apple did ship a public beta of OS X in the second half of that year, the final release didn't arrive until March 2001.
The classic Mac OS was not a multi-user system. It offered limited user account creation and management for file sharing between Macs, but there was no built-in mechanism for logging into an individual Mac -- it booted right to the desktop, where you had full access to the entire file system and all installed software.
Apple did make a couple of attempts to create a multi-user system, however. In the early 1990s, the company shipped At Ease, which provided some multi-user support, first on a single Mac and later for multiple Macs on a network. But At Ease never gained much traction beyond some pockets of the education market for which it seemed to be designed.
In planning the transition to the true multi-user environment of OS X, Apple added a modicum of multi-user functions in Mac OS 9 that allowed each Mac to support multiple users with basic file permissions, individual user settings and preferences, and limited account-based restrictions. Apple also created Macintosh Manager, which redirected Mac OS 9's multi-user functions to a server-based data store and copied certain settings and configuration files from that data store to an individual Mac. It wasn't really an enterprise-grade solution, even when incorporated into the first few releases of OS X Server, but it was a functional pre-OS X stop-gap.
Apple tries going it alone
Apple's first real move toward enterprise functionality, including identity management, came with OS X and OS X Server. The first release of OS X was essentially the Unix-based core of NeXTStep with an Apple-inspired GUI on top of it. NeXT gave OS X solid enterprise bones right away, including support for local and network user accounts.
NeXTStep and the first releases of OS X and OS X Server relied on a proprietary user and client management system known as NetInfo. Functionally, NetInfo served many of the same roles as Active Directory. It allowed for centralized user and computer accounts and user authentication for access to network resources; worked with the file system to support a POSIX permissions model; and it could be used to define user settings and experience in the same way group policies do in Active Directory.
Although NetInfo worked and remained in the mix of Apple's enterprise components for several years, it had some serious limitations. The biggest one: It was proprietary and didn't integrate with other platforms.
The other Achilles' heel for NetInfo in early OS X releases was that it didn't support directory server replication. That meant that either a single server had to support the enterprise identity functionality for an entire organization, or multiple servers -- each with a unique directory of users, computers and configuration data -- had to be deployed. Even though it was possible for Macs to search for enterprise identity data across multiple servers, the process was far from the multi-master replication capabilities of Active Directory domain controllers.
The proprietary nature of NetInfo led Apple to sell a complete end-to-end solution to enterprise IT. Today, Apple is well known for its end-to-end approach to technology; in many ways, it's been a winning strategy because it allows Apple to maximize profits and create a controlled ecosystem. It's also the same strategy that allowed Apple to disrupt industries so effectively and deliver some of the most polished products on the market. iTunes, with its link to the iPod and iOS, is the greatest example of what Apple can achieve using it.
Apple didn't have a lot of luck selling that end-to-end system to enterprise IT. Part of that was because of the proprietary nature of Apple's solutions. But the company was also still pulling back from its near collapse in the mid-to-late 1990s. At the time, its market share was abysmally low and it was a complete outlier in virtually every business market.
Panther brings a new approach to enterprise
OS X Panther (and Panther Server) was one of the most important releases of OS X from an enterprise perspective. It rectified the limitations of NetInfo by introducing a broad-based solution for enterprise identity and directory services. It also added support for Active Directory. That represented a major shift in Apple's strategy, as the company quietly acknowledged it couldn't succeed in business without really offering support for existing enterprise systems.
Open Directory was technically a collection of directory and identity technologies. It still included NetInfo support -- both a connector for legacy NetInfo servers and the local store for accounts and records -- alongside an LDAP-based replacement for NetInfo's proprietary data store. In practice, Open Directory became synonymous with Apple's LDAP implementation; integrated with Kerberos, it was the replacement for NetInfo. In addition to being based on open standards, the Open Directory architecture included support for directory server replication. Even so, it remained a master/slave replication environment that was more like Windows NT's use of a primary server and one or more backup servers than Active Directory.
The scalability advances, which continued to improve in later OS X and OS X Server releases, were only part of the advantage Apple gained by deprecating and eventually discontinuing NetInfo. The other was a move to open standards, including LDAP and Kerberos, the technologies at the foundation of Active Directory. As a result, Apple was able to offer Active Directory integration on Macs running Panther and later releases.
Out of the box, the integration was pretty limited. Apple's Active Directory plug-in for Open Directory only mapped three attributes for user account records (username, password, and home directory), but Apple offered three ways to deepen that integration: extend the Active Directory schema to include the new records and attributes used by Open Directory, map the Apple-defined records and attributes to existing but unused Active Directory counterparts, or use what was called the magic triangle. That involved Macs that were joined to the Active Directory domain for enterprise identity and user authentication and to an Open Directory domain for Mac client management.
Apple also allowed third-party companies to produce their own Open Directory plug-ins to support additional directory types like Novell's eDirectory or to provide new capabilities when using Active Directory. Centrify, an enterprise identity management developer, was one of the first companies to offer more powerful Active Directory integration. Its DirectControl for Mac, which is still on the market, allows Active Directory admins to manage Macs using group policies stored in Active Directory without modifying the schema. Group Policy options are available for virtually every Mac client and user management option available from Apple.
Leopard changes everything
2007 was a big year for Apple. It introduced the iPhone that summer and OS X Leopard that fall. Leopard was among the most feature-packed OS X releases to come out of Apple and boasted more than 300 features and improvements. The most notable enterprise identity change in Leopard was that Apple finally phased out NetInfo, which until then was still used for storing local user accounts on Macs.
Leopard Server, on the other hand, included key features that would eventually determine Apple's current place in the enterprise. The first was a new option for joining Macs and Mac servers to an Active Directory domain. To streamline Mac integration with Active Directory, Apple created a new type of Open Directory mechanism known as augmented records. It essentially simplified the magic triangle approach. A user's Active Directory data still managed his or her enterprise identity and authentication, but Leopard Server could automatically include just the Apple-specified records needed for OS X Server services or client management. Everything else was passed to Active Directory.
This streamlined approach was part of a new form of OS X Server setup and administration. For small organizations or Mac-centric workgroups at a large company, Apple introduced simplified management by way of a new tool called Server Preferences. It allowed users with limited technical skills to set up and manage a server running a subset of the most commonly used business services: file and printer sharing, email and chat, websites and wikis, backup and VPN access.
This approach showed that Apple was willing to work with existing enterprise technologies. Specifically, it showed that Apple was happy to leave enterprise identity in the hands of Active Directory. And it marked one of the first instances of Apple marketing an enterprise product, in this case, Leopard Server, directly to users rather than to IT shops. That approach has been viewed as fueling the success of iOS devices -- and the BYOD trend -- in business.
Though it wasn't obvious at the time, Apple was also beginning to refocus OS X Server as a small business solution rather than an enterprise server OS.
The iPhone before it was enterprise-ready
While Leopard Server was quietly changing Apple's approach to the enterprise, the original iPhone -- clearly not an enterprise product -- was released. A year later, in 2008, Apple began to give the iPhone some enterprise chops. In addition to launching the iPhone 3G and the App Store, which would revolutionize smartphone software development across the board, Apple included two important capabilities in what was then called iPhone OS 2. The first was support for Exchange ActiveSync. This allowed access to key Exchange features, including push notifications; the enforcement of a handful of security policies through Exchange; and the ability to remotely wipe lost or stolen iPhones.
The second change was configuration profiles. These XML files, which could be created from scratch or by using the iPhone Configuration Utility, were the first method Apple offered for IT departments to pre-configure user iPhones, provision them with security certificates, and impose a range of restrictions on what a user could do with a managed iPhone. The process of deploying configuration profiles was cumbersome because they either needed to be installed by hand, emailed to users, or hosted on a company's intranet -- not an ideal solution to iPhone management. Seen through the lens of a BlackBerry-dominated enterprise, the Apple process looked crude and resource intensive. But it was a beginning, and one that foreshadowed the iPhone as an enterprise device.
iOS 4, mobile management and third-party solutions
Three months after releasing the iPad in 2010, Apple shipped iOS 4 -- it was the most significant iOS upgrade yet from an enterprise perspective. iOS 4 answered many of the enterprise IT complaints about the iPhone and iPad. In addition to the basic Exchange policy support introduced two years earlier, Apple unveiled broad security and device management capabilities.
The security advantages alone were a big deal and included APIs that allowed developers to easily create encrypted data stores on a device. That made it possible for enterprise apps (and even some consumer apps) to store content in a secure manner. Even if the device itself wasn't passcode protected, the data within an app could be secured if the device was lost or stolen.
The bigger news, however, was Apple's mobile device management (MDM) framework. Although based on the existing configuration profiles, Apple's MDM system made it possible to apply policies directly over the air and query devices for a range of information, including what configuration profiles and apps were installed. The release also offered several new management and feature restriction capabilities. While Apple hadn't replicated the classic BlackBerry system with its 500+ management options, it did cover the most important areas, making it possible for enterprise IT to comfortably support iOS devices.
An even more important aspect of iOS 4's MDM model was that Apple opened it up to third-party vendors instead of creating a single, proprietary Apple management console. In fact, it wasn't until a year later, when it released Lion Server, that Apple shipped its own MDM solution. That's significant because it was the first time Apple adopted a truly hands-off approach to enterprise IT. The result was an explosion of mobile management vendors offering the ability to manage iOS devices in enterprise environments. While each company provided essentially the same core management capabilities, they differentiated based on a variety of factors, including support for other mobile platforms, IT-focused integration features and additional capabilities based on an agent that could be installed on a device.
Apple pulls out of the data center
A few months after unveiling a device management model that put other enterprise vendors at the heart of Apple's iOS business strategy, the company did something that sent shockwaves through its business and education markets: it canceled its last piece of enterprise hardware, the rack-mounted Xserve server. When a Mac IT professional emailed then-Apple CEO Steve Jobs to complain, he responded with one of his brief and blunt emails saying that no one was buying the Xserve (at least, not in quantities large enough for Apple to continue advancing the line).
The move was further evidence that Apple had decided not to compete with long-time enterprise vendors. Instead, it focused on making its products the best enterprise citizens possible -- through built-in functionality or through support for third-party vendors. It was a shrewd strategy and it allowed Apple to focus on business users directly rather than IT departments that had rarely paid attention to, or even noticed, Apple's enterprise solutions. Unfortunately, it also pulled the rug out from under some long-time customers that had fully invested in Apple's end-to-end enterprise approach.
Although Apple pulled out of the data center, it didn't stop developing its server platform. The company marketed the Mac Pro tower and the Mac mini as server options, including a specially configured Mac mini designed as a server. The focus, however, had shifted to the small business market and away from the enterprise. This was painfully clear when Apple released Lion and Lion Server during the summer of 2011.
After installing the low-cost Lion Server, which had become an add-on to Lion itself rather than an independent product, long-time Mac sysadmins were in for another shock. Server Admin, the advanced server administration tool in OS X Server, was effectively gutted; the new Server app that replaced Server Preferences was clearly intended to be the primary management interface of OS X Server.
Mountain Lion Server streamlined management further by removing Server Admin completely and building any functionality left in the Lion Server version of Server Admin into a more robust version of the Server app. Mountain Lion Server still supports Open Directory as an enterprise identity server -- it is a required service option when hosting some services like Profile Manager. The overall message, however, is clear: OS X Server is no longer destined for the enterprise data center.
Apple's light-handed approach to enterprise integration
With Lion and Mountain Lion, Apple began to bring iOS technologies and features to the Mac. There are a number of very visible examples of this cross pollination: full screen apps, integration with Apple's push notification service and Notification Center, multi-touch gestures, the Mac App Store, deep integration with Twitter and Facebook, and Game Center. A far less visible change was support for iOS-style configuration profiles, which Apple introduced in Lion alongside Profile Manager, a basic mobile device management service included with Lion and Mountain Lion Server.
Although Lion supported configuration profiles, their capabilities weren't as robust as in iOS and they didn't offer much in the way of enterprise identity or user account management. What they did offer was the ability to manage a range of settings and restrictions for individual Macs. They could be used to streamline the setup of multiple Macs using the new Profile Manager service, a third-party product, or by simply installing them manually. That last process is simple: opening the profile on a target Mac installs it and adds a System Preferences icon for managing it.
In Mountain Lion, the capabilities of configuration profiles expanded significantly. They gained the ability to manage virtually every facet of OS X or installed applications. The new abilities matched all of the options available through Open Directory and support for enterprise identities and user accounts, but in a much more lightweight fashion.
The complete move to configuration profiles, which consist of XML data, gave systems administrators the option for managing the OS X user experience without needing any complex relationship to an enterprise directory service. In effect, it separated Mac management from identity management and authentication. Just configure a basic connection to Active Directory using Apple's AD plug-in to support authentication of Active Directory users and then deploy configuration profiles as a separate step and you're done.
Apple extended the Profile Manager service in Mountain Lion Server to support this new management model. The result was an easy-to-use GUI for creating configuration profiles and using them to manage enrolled Macs.
Apple made one more significant change in its shift to configuration profiles as a Mac management solution: it added the MDM framework introduced in iOS 4. That made it possible for every mobile management vendor that supports iOS management to also support Macs in the same way. As a result, IT pros can now manage Macs using the same tools they use for mobile devices, and they can manage a user's enterprise identity with standard Active Directory tools.
Over the past 15 years, Apple has worked, and at times struggled, to figure out the best way to integrate its products into enterprise environments. Perhaps the biggest stumbling block has been how to approach a user's enterprise identity -- how to authenticate users and deliver single sign-on; offer enterprise-grade Mac and iOS management solutions; and deliver a system that avoids placing a burden on enterprise IT. The current model is a good one, but there are improvements needed for both iOS and OS X. Soon, I'll offer a look at how Apple is further integrating enterprise identity support in both iOS 7 and OS X Mavericks and why it will appeal to enterprise and Apple IT professionals.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to CITEworld.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter (@ryanfaas).