
4 things to consider when allowing Macs into your business

Macs are starting to make serious headway into corporate networks but they're bringing new challenges with them. We look at 4 things you'll need to deal with if you're considering allowing Macs in your business.

Macs are starting to make serious headway into corporate networks, but they’re bringing some challenges with them.

You want to get the best from your users by allowing them the tools and devices they prefer to do the job, but you need to weigh up the costs to the business in doing that.

We take a look at four things you’ll need to deal with if you’re considering bringing Macs into your corporate network:

1. Manageability

One of the biggest issues with allowing Macs into your corporate environment is that your sysadmins don’t have the same visibility with them as they do with Windows systems.

Macs just don’t have the culture and software that have built up around Windows, which has decades of massive corporate deployments under its belt, and as a consequence it’s more difficult to centrally manage Macs.

For example, rolling out a patch to every one of your users’ machines just isn’t as easy with a fleet of corporate Macs as it would be with Windows machines.

The culture part is important too – the fact is that there are many, many more Windows admins than there are Mac admins, so there’s more choice when it comes to recruitment.

The skill sets and tools needed to manage Macs are less well established, and a lot of companies that are just getting to grips with corporate Mac deployments will need sysadmins who can handle both. In reality that probably means they’ll have Windows admins who have picked some Mac stuff up along the way.

Your Macs need to be just as secure as your Windows machines and that means you need to deliver the same standard of support. Even if your employees use Macs on a BYOD (Bring Your Own Device) basis, you still need to know enough to stop them being a risk to your corporate assets.

A single serious outbreak or breach on your corporate network can cost huge amounts of time and money so if you are serious about deploying Macs then it’s worth spending time to find the best software, and training staff up to the standards you need.

2. A false sense of security

Some users have a false sense of security when it comes to Macs so, just in case it needs repeating one more time, tell your users that Macs get viruses too.

And, of course, Macs and the software that runs on them are just as likely as any other piece of software to harbour vulnerabilities like FREAK and Shellshock.

Remind your users that Macs are not protected by an invisible force field, and that in addition to getting their own viruses they can be an infection vector for Windows computers – carrying viruses into your corporate network for your Windows machines to catch.

A false sense of security isn’t just misguided; it’s dangerous because it stands in the way of users doing the things that IT can’t do for them such as choosing good passwords and being suspicious about links in emails.

Everyone inside your company that uses a computer has a role to play in keeping that company safe, and nobody’s computer is inherently safe no matter if it’s running Linux, Windows or OS X.

The only way to shift that false sense of security is by meeting it head on with user education. Changing people’s perceptions can be difficult and it can take a long time so be prepared to say the same things over and over again…

3. Theft

Apple hardware is expensive and desirable which can make it a more tempting target for thieves.

Once a laptop (any laptop) is in the hands of a criminal it doesn’t matter how good the password is unless the machine is using full disk encryption.

If the hard drive is encrypted, then the data on it is nothing more than the computer equivalent of shredded cabbage. You may have lost a laptop but you haven’t lost control of the data on it, and that can be many times more valuable.

Without full disk encryption, a thief can simply mount the disk from a stolen computer on a Linux machine and bypass the password completely.

Centrally managed encryption is built into Windows but while all Macs come with FileVault full disk encryption, you’ll need to find third party software that can manage it across your network.

4. The cloud

When configuring a user’s new Mac, one of the first things you’ll probably ask them to do is to enter their Apple ID and password.

If that user already has an iCloud account, that could easily lead to corporate data ending up on iCloud, protected by a password that was created without a thought for your corporate password policy.

If users set their Mac to automatically back up to the cloud, they may not even be aware that they’re storing important company data there and, as we saw with the celebrity photo hacks in 2014, iCloud is no more protected by a magical force field than any other Apple product.

Keep reminding your users about the importance of strong, unique passwords and ask them to use two-step verification on their iCloud account if they have one.

The bottom line

Macs are inside the corporate network and they’re not leaving any time soon. The skills and tools needed to manage them are out there and improving but they’re not as readily available as they are for Windows, yet.

Sophos can help, by the way – at Naked Security we normally avoid product endorsements in our news articles but it would be plain odd if we didn’t mention that we can help you manage full disk encryption and anti-virus across your Macs.

7 deadly IT sins

‘Mac Malice’ is one of Sophos’s 7 Deadly IT sins. You can read more about that and the 6 other sins here.



NOT TRUE: “For example, rolling out a patch to every one of your users’ machines just isn’t as easy with a fleet of corporate Macs as it would be with Windows machines.”

Centrally managing Macs is just as easy as it is with Windows, if you are using the Apple tools to do it. It is NOT included, but with an Apple OS X Server platform, yes, you can do it.

Points 2 and 3 are valid, but the overtone in all points is a bit overwhelming PC/Windows zealot and anti-mac. A Mac is like any other system, with the right support and acceptance, it can be a safe, productive and manageable tool in the corporate environment.

Reply

Point 2 is not valid. Macs haven’t had a “virus” since last century. I would expect a better understanding of technical nomenclature from Sophos.
And I would also posit that managing and deploying patches on Macs is easier on OS X using ARD and Server’s Caching Service, options that would cost thousands on even the smallest Windows installation, that are priced in the tens-of-dollars on OS X.

Reply

The word “virus”, like it or not, has undergone a shift in meaning to the point that it is widely used, and generally understood, to mean “malware”, not just “malware capable of transitive self-replication.”

I don’t think the use of the word that way is confusing at all. (And, if the truth be told, I think you knew perfectly well what we meant, just as you know what we mean when we say, “Sophos Anti-Virus for Mac.” Or, indeed, Sophos Anti-Virus for any platform, where true viruses are a tiny minority these days :-)

On the issue of deploying patches and other updates to Macs…I am inclined to agree with you.

Reply

I assume from your claims that you’ve never actually done it then?

Tell me, what hardware was that server instance running on? Something rack-mounted that hasn’t been updated since 2009 and is likely to lose support soon? A Mac Mini? Did you have much trouble swapping out the hard disk and/or enabling RAID?

Of course, any other supplier we could just buy a license and install the server software on our existing virtualisation farm, but no… OSX requires Apple hardware, despite the fact that Apple don’t make hardware suitable for enterprise use.

So we can chuck all the native Mac tools off the table straight away (unless we really want to manage everything from a laptop on some guy’s desk).

The alternative? Non-Mac tools which seem to sit on a spectrum between “incomplete/broken” through to “so bloated there’s a noticeable performance penalty”.

The whole situation is a farce.

Reply

It’s hard to write a reply without it sounding like nothing but Mac-bashing. I suspect part of this is due to my lack of knowledge about Macs but the reality for us is that we are around 5% Macs and they cause me a lot of headaches. We put a lot of energy into central management tools to reduce support costs, but few of the tools work on a Mac.

Reply

There are enterprise management tools out there for Mac ranging from ARD (Apple Remote Desktop) to Casper used in conjunction with Apple’s server/workgroup manager.

Our users authenticate to the AD and pick up their share access etc from Apple workgroup manager.

Casper allows us to ‘lock down’ our Macs to the same degree as our Windows workstations. Not only can we block specific applications but also identified processes.

We use the same enterprise antivirus on both Mac and Windows workstations.

Reply

This article completely overlooks the massive boost in productivity and creativity that is possible with a Mac, for many organisations this fact might far outweigh the slightly less mature management issue. Windows was at one time hopeless when organisations wanted better management of them but that changed and it will change for Macs too and probably with better results as the market drives the need. Most good innovations punch above their weight but lack maturity in all the traditional areas. If we all followed the attitude expressed in this article, there would have been no Windows as there would have been no PCs and we would still be using mainframes – because they are more manageable in a corporate environment right?

Reply

“Massive boost in productivity?” I don’t think so. They’re just computers; they can’t do the work for you, and they can’t do it faster than Windows machines. You can put the same hardware a Mac has in a regular desktop case for at least $500 less. I own an iMac 27″ and I love it. However, OS X is meant for eye-candy; the operating system is beautiful, but that doesn’t mean it has super production-boosting powers that Windows doesn’t have. I gladly bought my Mac because I love how OSX looks, but for a business on a budget, investing into Macs probably isn’t the best idea.

Reply

This article is complete FUD. If you don’t know sod all about Macs and how it is managed, please don’t write lousy articles about it propagating rubbish and falsities.

Reply

If you can’t be bothered to construct grammatically correct sentences, please don’t post impolite comments that are devoid of any evidence or explanation.

Reply

I think the article is great except for the endorsement of employees storing data in iCloud. Macs just like Facebook always tie back to the person and therefore isn’t owned or controlled by the corporation. And that’s a huge problem. I love Macs (particularly since they started running on FreeBSD) but there’s still a huge brick wall stopping it from becoming a viable corporate solution. Doesn’t mean Admins shouldn’t let them in their networks but you almost need to have the user sign a non-disclosure waiver…

Reply

A few comments above mentioned the requirement for an osx server for management. Where can you get an enterprise class osx server that is supported by Apple these days? I would argue that even when they produced the Xserve it was not fit for enterprise.

Reply

You don’t need a computer classed as “Apple server hardware.” OS X Server, for all the hardware-sounding name, is actually a $20 App Store download that you install on top of OS X on any Mac for access to a bunch of management tools and other stuff. In Apple’s own words:

Designed for OS X and iOS devices, OS X Server makes it easy to share files, schedule meetings, synchronize contacts, develop software, host your own website, publish wikis, configure Mac, iPhone, and iPad devices, remotely access your network, and more.

If you do want dedicated hardware for the purpose for a network of Macs…check the Mac Mini. I don’t want to sound like a fanbuoy, but it *is* a thing of beauty.

Reply

However you could not class a Mac Mini or other Apple desktop device running the server upgrade as server hardware fit for a corporate datacentre. We have had probably a dozen XServes and RAID units over the years and found them to be very temperamental. Sneeze near one and it would break.
A big step Apple could make to help infiltrate into the corporates would be to sort out their CIFS/SMB implementation. It is still very flakey if not using third party tools to connect to a Windows file server.

Reply

Yeah, that’s the problem. Mac Mini – how are you RAIDing that? Or swapping out the hard disk when it fails. I assume it has a redundant power supply and can be managed via a UPS? Thought not.

If I need to swap a disk on any of our Windows or Linux servers, I walk over, press the release and pull the drive out. To do the same with a Mac Mini, I need custom tools and an afternoon reading an iFixit guide.

It’s just not fit for purpose.

Reply

Apple’s Profile Manager will let you do basic management of your organisation’s Macs, but if you want to do it properly, you want Casper Suite. Companies like IBM and Apple themselves use Casper internally to manage their Macs (source: guest speakers from Apple and IBM at the 2015 JAMF Roadshow) so if it’s good enough for them it’s good enough for you.

We have Sophos Endpoint Security for our Macs so we’re covered on the antivirus side, and as a bonus it also detects PC viruses so that Macs don’t become “carriers”.

Reply
