I'm posting because I'm at a bit of a crossroads when it comes to a Mac network I'm looking after.
It's a small primary school consisting of around 35 iMacs (all running OS X Lion) and a Mac server (Lion Server) that is running Open Directory along with a pair of Windows machines on a workgroup (yuck). We do have an old Windows server to use but it's pretty archaic and locked on 2003 at the moment so I'm not sure it's even worth bothering.
As it stands, all of the Macs have been set up by another company and I'm aiming to kick them into shape by automating and regulating certain things as I would in a Windows network (perhaps my first mistake).
Currently users log on and all of their data is saved locally (yuck), everyone's bottom dock is different, they can place files on the desktop, etc. - All things I would have full control over from a central location if I was administrating from a Windows network (And all things I'd quickly change!).
So I've begun making some changes in Workgroup Manager, and tried to change users to mount a network home drive (although I've seen a couple of 'This home drive is not in the normal place' error messages); removed certain items from the dock; rolled out proxy settings to all machines. I also had a play with Profile Manager but this seems like it's basically for iOS devices. However, at the end of it all I'm still left with a yearning for a more in-depth kind of Group Policy system and I want to get your opinion on what's the best route to go down before I configure something or purchase something that's not worthwhile.
I've taken a look at the Casper suite and I heard that can basically act as a replacement for Group Policy (or an equivalent) but it's too expensive.
Next I considered ARD. ARD looks very handy for remote tasks as I'm not based at the site and even then, it's easier to do things remotely than do things a hundred times over per machine.
I also considered StarDeploy as a means to deploy software (Again, as I would use in a GP environment) but the set up has to be done per-machine and in this time, it seems like I might as well re-image the lot and get more issues out of the way with.
I then read that a lot of Mac administrators achieve what I want by using DeployStudio to just reimage the machines for any major changes - and it looks like I'll have to do this anyway - but this doesn't really help for small changes like automatically mapping a new printer or changing a wallpaper.
My final conclusion was that I have to make the most of OS X's speedy imaging and the underlying Unix commands (I know how powerful and terrifying bash is), so I'm left thinking that I should create my standard image with all software, updates, etc. and add a login script hook that then pulls off networked login scripts to help me achieve any minor tweaks that can be done on login but also reimage the machines with DeployStudio if I need to administer a large upgrade or install big pieces of software?
Any input is greatly appreciated!
Do you currently run AD in your environment? If so I would suggest Centrify DirectControl and its price point isn't too bad. It will plug into your current AD and give you a full Group Policy offering for the Macs. I administer about 75 Macs with the Centrify solution and when the students log in they all have the exact same dock no matter which lab or campus they are at. I also created a new AD group for who I wanted to have Admin rights on the Macs because I didn't want all my PC techs to have admin rights on the Macs also.
ARD is the way to go for remotely administering all your Macs. Via Centrify, you can manage who has remote access to the Macs via ARD also. I set up a Mac Mini server as a task server to deploy all my 3rd party software and 3rd party updates. You can also set up your Mac Mini server as an update server and point the Macs to it to control updates and also cut down on bandwidth usage ("Using OS X Server's Software Update service with multiple Mac OS X client versions"). You can also manage printer setup and removal via the ARD UNIX commands. I use ARD for just about everything and I can't remember the last time I physically went to one of the Macs except on a hardware failure.
Apple Software Update Server - OS updating (the munki client on the machine handles the actual updating of the machines as well as updating software like MS Office)
Workgroup Manager (moving to Apple's Profile Manager in the summer as WGM is thought to be going away) - Manages user accounts and MCX settings (MCX, if you don't know, is Mac's version of Group Policy however I find it a bit more flexible... it basically manages any .plist file either per user or per computer.)
Google - Generally with enough Google-foo you can find anything!
Mac administration is very hard work, mostly because not many people are as sadistic as we are, but it's very satisfying work!
Munki is up and running - well, I've tested it, I'm yet to start using it fully - but this looks like a great way to manage installing software.
I've installed DeployStudio and so far this piece of software has blown my mind with its usefulness. I've created a standard image to roll out and I can deploy this to one machine, rename the machine, bind it to OD and enroll it into a profile in around 10 minutes.
I've tried to stay away from Workgroup Manager as a lot of people have said that it's going the way of the dodo and Profile Manager is the next step (Not too sure I like it yet though).
I wasn't sure on the best way to implement login scripts as there doesn't seem to be a 'standard' way of going about it, so I've added a .plist that runs on login in my image and this then looks to a networked .sh script that I can alter at will.
Additionally, I've changed users so they all use a network home drive (It baffles me why they were set up in any other manner before). I was looking into creating a 'standard profile'/user as I read that you can script the replacement of profiles (eg. A user's program settings, dock layout, etc.) but I'm yet to fully test this to see its viability.
My only issue is, once I lock certain things down, do they stay that way? I've noticed that Workgroup Manager grays out options once it sets them (but I've moved away from using this) and Profile Manager doesn't really sit right with me yet, but I guess I'll have to get my head around using it.
And of course, Google has been my best friend so far!
I definitely feel like I'm making some real progress at last.
A great way to push out login hooks is with Munki.
As for pushing out options and making them stick, Apple's solution is WGM or Profile Manager unless you go the way of a Casper or FileWave (which, to be honest, just use profiles to push that stuff out anyways.)
Another good resource is the macenterprise.org mailing list and the PSU Mac admins conference which is coming up soon. They post their sessions on YouTube for all to enjoy.