We have a small number of iMacs (25) and we currently use Workgroup Manager to manage them with a bit of stuff done during the Imaging process via DeployStudio. I'm very interested to see how other people do it as we didn't receive much training when the original solution was implemented and we've been picking stuff up, however we've got lots of quirks and bits not working as we'd like.
I'm about to have a look at using SCCM to manage them, does anybody use this? If so, how do you find it - was it worth paying for?
If you use something different, please let me know!
Some of the key things we need / do:
- Integrate with AD so that users can login using their Windows AD Account
- Mount their Windows "home drive" based on user
- Mount shared drives based on user
- Restrict access to certain features esp. parts of System Preferences
- Deliver proxy settings
We have had particular issues with keychain access (asks for login keychain password, which we don't know!)
If happy to, it may be a great help if I would be able to come and see your system in action - client side and server side. I'm based in Derby, so Midlands area would be ideal!
How are you creating client images? If they are of the golden master variety (i.e. booted image with software preinstalled) then your user template has been poisoned and contains the login keychain from your booted image. If you were to use a tool like instaDMG or AutoDMG or Apple's own System Image Utility they create non-booted images that don't contain poisoned user templates.
If you are primarily a Windows shop then SCCM would be a good choice, but if your Mac PC to Windows PC ratio leans toward the shiny variety then an MDM like Casper or Meraki (free!) would be a better choice.
I personally use a myriad of pay and FOSS tools. For user and group management I use the OSX Server.app. For computer level client settings I use Profile Manager. For user and group level settings I use Profile Manager, Munki, and for any remaining MCX settings I use Workgroup Manager. To deploy software I use Munki. Imaging is a mixture of an instaDMG image and Deploy Studio to image the clients. I'm on the other side of the pond so unless you want to come out to the American Midwest that's the best I can do to describe our current mac environment.
Yep we pre-install all of the software onto a clean install of OS X, take an image and then deploy via DeployStudio which also binds to OD/AD etc.
I was under the impression that login keychain was user specific? I've only logged onto the Mac as the Local Administrator account prior to the imaging process, which is an account that I do log into anyway even when the Mac is in a built state ready to use.
I'll have to have a look at the alternatives. The way we do it was ideal because of complex install procedures for certain pieces of software that we have. Some software has complex activation processes and others have to be installed in specific ways etc.
I've had a quick look at Profile Manager, however I've not heard great things about it!
New versions of Profile Manager are much, much better. The new server app for OS X Mavericks for example.
Originally Posted by _kstone
If you want to use OSD on the Macs (for the Windows side) you can't. Apple decided it was a good idea to make the GUID on each machine the same. SCCM has a fit!
Originally Posted by stevehp
If you aren't copying anything manually to the User Template or allowing Deploy Studio to do it then it's most likely the System keychain in /Library/Keychains/ that's giving you problems. I won't get into the "which one is better" argument. The internet is filled with Mac sysadmins that go back and forth with each other about it. The work up front to package software so that activation and setup procedures don't bug users seemed daunting to me, but in the end I can just plug those packages into Munki or if need be into my image workflow. It works great for me, but I won't crusade for it since sysadmins need to make their own minds up about this particular subject.
Profile Manager was a major PITA in Lion, got better in Mountain Lion and much better in Mavericks. You need to have a machine with plenty of RAM and the highest spec processor you can get. It's a major resource hog, and it's not exceptionally great to contend with in large deployments. I have right around 1200 devices enrolled into your Profile Manager instance and it crawls some days.