
Large-Scale Mac Deployment?

Posted by kdawson
from the rolling-'em-out dept.
UncleRage writes "I've been asked to research and ultimately recommend a deployment procedure for Macs across a rather large network. I'm not a stranger to OS X; however, the last time I worked on deployment NetRestore was still king of the mountain. Considering the current options, what methodologies do admins adhere to? Given the current selection of tools available, what would you recommend when planning, prototyping, and rolling out a robust, modular deployment scenario? For the record, I'm not asking for a spoon-fed solution; I'm more interested in a discussion concerning the current tools and what may (or may not) have worked for you. There are a lot of options available for modular system deployment... what are your opinions?"
This discussion has been archived. No new comments can be posted.

  • Virginia Tech (Score:2, Interesting)

    by TitusC3v5 (608284) on Monday September 21, 2009 @07:02PM (#29498349) Homepage
    I don't know anything about their deployment procedure, but here at Virginia Tech the Math Emporium [vt.edu] has over 500 macs set up for student access. The courses I've had there have been boring, but the actual setup of the place is pretty neat.
  • by Tibor the Hun (143056) on Monday September 21, 2009 @07:05PM (#29498377)

    First we build and test a good image on a machine for a couple of weeks.
    Then we either use that image, if it was correct the first time, or build a new one from it if it required touching up.
    We use Apple's free Disk Utility which comes free with all macs.

    We then get about 10 - 15 firewire drives and copy that image on them. (You have to make sure the drives are bootable, you can actually deploy that same image onto the drive itself.)
    Then we line up 10-15 machines and use again the Disk Utility to image them.
    Depending on the size of the image, just about the time you have the next 10-15 unboxed and set up (very easy to do since they're all all-in-ones), the first batch is ready.
    Works for us, but then again, our schedule is flexible and we can afford a couple of days of leisurely imaging.

    Oh, yeah, and if you do have an image you can also work with Apple, they'll preload it on for you.

  • by Brian Gordon (987471) on Monday September 21, 2009 @07:08PM (#29498399)

    I preemptively beg mods not to bury this comment. We all know that Linux is great on hackers' workstations and on servers and in computing clusters, but not so great as a desktop system for average users.

    Well large managed networks is two miles away in the distance on the scale of things Linux is awesome at. Active Directory, Exchange, Terminal Services... Windows really does have a very impressive offering in this area, while Linux stays behind the scenes and rarely faces the user.

  • Re:Macs (Score:1, Interesting)

    by Anonymous Coward on Monday September 21, 2009 @07:52PM (#29498823)

    I'm a bit lost on this post!

    I work for a two year tech school and we have about 200 Macs and replace them every 4-5 years without many failures. We have a lot more failures with our Dell systems and self built systems we used to have the IT Students build. They don't cost that much more, for the time we save with the macs with all the PC troubleshooting paying a little extra is worth it.

    Sounds like you didn't understand the Mac platform enough!

    Plus with today's Macs you can run Linux, Windows, and OS X on one machine if you choose to do so. We just purchased a bunch of iMacs for our telemarketing people because Dell couldn't match the price of what Apple gave them to us for and I expect we will have a lot less failures. They will be running Windows only, but so far things have been running fine!

  • by Frosty Piss (770223) on Monday September 21, 2009 @07:53PM (#29498833)

    We all know that Linux is great on hackers' workstations and on servers and in computing clusters, but not so great as a desktop system for average users.

    We do? Well, we're not really talking about Linux here, we're talking about Apple, which is a whole different ball game. But as to your Linux comments, people repeat these anecdotes so many times, they are taken as fact even though there is really not much to back them up. Recent Ubuntu and Red Hat offerings (and to a lesser extent SuSE and Mandriva) prove this tired anecdote to be essentially no longer true. Just because the Über Geeks use Debian, *BSD, or roll their own doesn't mean that's a true representation of the current state of consumer and enterprise desktop Linux.

  • Re:Macs (Score:4, Interesting)

    by DurendalMac (736637) on Monday September 21, 2009 @08:08PM (#29498945)
    The hardware is more reliable than most OEMs unless you got burned by iMac G5s with bad caps, but that wasn't really Apple's fault. A lot of OEMs got hit by those damned caps.

    You should have just mailed in the damn Cinema Display. Service providers (at least non-Apple owned providers) can't replace anything on them but the power brick these days. Just mail it in and let the repair depot monkeys figure it out. I would never want to replace an LCD backlight (which isn't exactly a user-accessible part on ANY display) if it could ever be helped.
  • by rhavenn (97211) on Monday September 21, 2009 @08:14PM (#29498995)

    Egh, Active Directory is just LDAP with Kerberos and some proprietary crap thrown on top to make it hard to interoperate with other OS's. The group policy tree is just a centralized registry management system. So, no you're wrong. It isn't as plug and play, but an LDAP setup with single sign on via Kerberos and a puppet system to manage the config files (Linux does not use a registry) thrown together with a custom package repository (the SUS equivalent) and you're good to go.

    However, where Microsoft wins out is that that isn't easy to roll out. MS has the marketing and the 5 clicks that lets a "manager / phb" install MS server and call themselves admins. The bottom 2/3rds of the Microsoft install base, at the server level, mostly don't know what they're doing and really don't understand the underlying tech of what AD is. Once you start rolling out large Fortune 500 style install bases you really do need to know your stuff and most admins at this level probably could do a Linux / UNIX / OS X setup of the same scale with a little work and reading. However, the end users / managers don't want this since they've been rather well indoctrinated by the MS marketing team.

    Personally, I like to sum this up by stating that with MS it's very easy to turn the key and go from 0-40MPH, but to make it all the way to 60MPH it gets difficult and the hood of your car is welded shut. The Linux's and BSD's of the world make you learn how the engine works first, but once you've got it figured out you still make it to 60MPH before MS does.

  • Re:Macs (Score:4, Interesting)

    by Mista2 (1093071) on Monday September 21, 2009 @08:45PM (#29499231)

    2007 Shuttle PC, dead after one year (just out of warranty)
    Custom PC tower, 5 years, finally fails to make it past post last week.
    2006 Mac Mini - still rocking on.

    Most of our corporate machines are towers or standard desktops, internals never upgraded since purchase. A fleet of 2009 minis would be fine for these, and iMacs for reception (or senior managers).

    Savings: no AV software, easier deployment of apps and policies, don't require MS Active directory or client CALs to manage them - however, not knowing month to month what hardware is going to come available from Apple would suck. Windows apps could be easily delivered using Citrix or terminal server for those that need it.
    Ever tried to manage 100 notebooks and backup personal data? How about encryption software - finally available with bitlocker if you get Vista Pro or premium - but then system folders encrypted too, a pain to manage. I like just the encrypted home folders - which can also be mounted from an OS X server - and replicated for laptops.
    Also how about common accessories like power adapters for 100 laptops and a single OS image that will work for everything?

    If you can break the MS monopoly then there are savings to be made up to a certain scale.
    However I will admit managing more than 1000 of these puppies could be challenging and I haven't seen much that would help except maybe Zenworks from Novell - but then eDirectory is not cheap, but again savings from requiring fewer people to manage everything and fewer servers required.

    For a bulk deployment I'd also look at splitting home off from the boot drive, and have a spare boot image with minimum required apps on every Mac, and script an RSync to keep it fresh from a single image.

  • by Architect_sasyr (938685) on Monday September 21, 2009 @08:50PM (#29499269)
    I have a DeployStudio installation that supports 1132 laptops, iMac's and G5's, with only one IT member (who, to be fair, outsources any really difficult questions to me). Maintaining that is easy as hell - if a user complains too much about a problem, he tells them to netboot - they can choose which building they are etc. or he will VNC for them. Either way, 1 person scales well with DeployStudio - me, I'm an Apple Certified Systems Administrator, with a strong focus on Deployment, and I will push DeployStudio every time.
  • Yes (Score:1, Interesting)

    by Anonymous Coward on Monday September 21, 2009 @09:34PM (#29499607)

    Indeed.

    There may be a couple reasons to run OS X Server, but the only one I can think of off the top of my head is if you need AFP. Apple's AFP implementation is not without problems, but there are a lot fewer of them than with any 3rd party AFP implementation I've looked at.

    Otherwise it's pretty miserable, and may God only help you if it doesn't work, which it won't in some non-trivial sense. Then it's back to the command line tools, which may or may not be the utilities and config files you expect, and may or may not do what you expect, and for which documentation may or (more likely) may not exist, so that the settings created by such may or may not be clobbered the first time you forget not to start the GUI tools.

    As far as I can tell OS X Server is an optimal solution for almost no one: it's not braindead simple, and if you're smart enough to figure out how to make it work you're probably also smart enough to realize it would be easier to accomplish the same thing with BSD and a lot less heartache. At least aside from running AFP.

  • by Z80xxc! (1111479) on Monday September 21, 2009 @09:48PM (#29499719)

    Novell solutions pwn Microsoft, sorry to say.

    Actually, no they don't. Not by a longshot. The school district I attend (with over 100 schools) uses ZenWorks, NDS, GroupWise, etc. Yes, ZenWorks is extremely powerful, and Novell has good integration. Yes, you can do a lot of cool stuff with it. Novell also happens to make incredibly slow software. Our district can't afford new computers on a standard 5-year cycle (or chooses to blow their money on computers twice as expensive as they need to be yet still with crap specs, but I digress), so many of our machines are 8-year-old Celerons and P4's with 256 or at best 512 MB of RAM. With the blank/minimal XP image on them, they run pretty decently. Not super fast, but quite usable. As soon as the Novell components get added onto the systems, boot times go up astronomically. It often takes more than 60 seconds for the login prompt to appear after the user presses Ctrl+Alt+Del, whereas it happens immediately with the standard windows login. The ZenWorks application launcher also takes a very long time to start up, and the systems are generally far slower once they've been Novell'd. Novell may have superior designs, but at least with Active Directory the computer actually works.

  • by Anonymous Coward on Monday September 21, 2009 @10:08PM (#29499853)

    What makes it weird, from the perspective of a *nix admin, is that there are all of these daemons and utilities that look oh so familiar, but they're not quite right. They give them these cute little GUI's to help you manage it, but the true flexibility of the underlying utilities is hamstrung and if you actually know what you're doing it will only serve to frustrate. Yes, you can manually edit config files, but the side effects of making changes in the GUI are sometimes unexpected, rarely if ever documented, and just downright strange. And then there was netinfo, which has been finally ditched (thank god), but the replacement is no more useful in my opinion. And you will see dangling remnants of the heart of unix that were ripped out of it, for instance the /etc/passwd file, which might lull you into a false sense of security (no pun intended), but they are only there for backwards compatibility and aren't actually used by the system itself. Getting open source software to compile can be tough to do, but at least there's macports to help you on your journey there. And bear in mind, I say this as a big fan of mac, I use nothing but for a workstation, for a laptop, etc. I am typing this right now on a Macbook, in fact. But for a server, there are much better, cleaner, leaner options out there. The fact that it really could be decent, a commercial BSD - practically the only one going right now with the potential for enterprise support - it could be really damn cool if only they'd more sharply separate it from their desktop version of their OS - that is the most frustrating part of all.

    Water, water, every where,
    And all the boards did shrink ;
    Water, water, every where,
    Nor any drop to drink.

  • by raddan (519638) * on Monday September 21, 2009 @10:16PM (#29499889)
    Sure, and by that measure Windows Server 2003 and Linux 2.4 experience is totally worthless, too.

    Apple's stuff may have gotten more pleasant to use, but come on, there haven't been any earth-shaking changes going on from a sysadmin's perspective. Besides, 10.4 Server came out in April of 2005. That's 4 years ago. I think you'll still find it widely deployed in Apple environments.
  • by udippel (562132) on Monday September 21, 2009 @11:18PM (#29500301)

    Fine.
    Not a native English speaker, and yet a regular Slashdot reader, an OT question: Why could this be considered funny?

  • by 99BottlesOfBeerInMyF (813746) on Tuesday September 22, 2009 @08:56AM (#29503337)

    Isn't this kind of the point? If You can spend 2 hours and have a domain deployment with all the features You need done by a average paid admin, why spend two weeks by a linux guru?

    I think the previous poster was quite clear it adds a lot of flexibility going forward, especially for large scale deployments. And it's not like you have to personally hire an on staff Linux guru. There are dozens of IT services companies happy to set this up for you and even manage it if you don't want to hire an admin. You don't have to pay any license fees going forward and any modifications you want done to the actual system can be done by multiple contract companies you can make bid on it, instead of just MS, if they feel like it.

    I happen to be working right now with a large organization that does have a nicely crafted LDAP setup with single sign-on, across the organization, portable preferences, calendaring, and pretty much everything you get from AD. I'm working with some commercial, some custom, and some modified commercial tools and all of them work flawlessly with the system because the system is completely under the control of the organization. In my experience that never happens with AD, unless you limit your tools to the subset of commercial offerings that already do it.

    IT on a basic level is not something that adds immense value so why spend a lot on it?

    IT can have cascading and unpredictable costs going forward, especially when you lock yourself into a single vendor and make all your solutions going forward brittle. What new devices and services do you need to offer in 5 years? What about in 10? Will you need to pay to upgrade? Will there be cost effective devices and service that can't work with AD? Suppose this time next year Google Wave has proven itself to be vastly superior to traditional e-mail and messaging and individuals have begun adopting it left and right bypassing your e-mail and some of those users are people with more clout than IT has. It would be immensely useful to implement Wave servers in your organization for interaction with others and security reasons. Will it work with your AD smoothly or will you be forced to use a Web client for single sign on? Can you integrate the calendaring with Google Wave for online meetings? Are you going to be waiting for MS to think about implementing interoperability or do you have the ability to take bids from a dozen different firms to make it happen?

    Apply the above scenario to every device and technology to come out and think about how flexible your solutions are.

  • Re:Macs (Score:3, Interesting)

    by vux984 (928602) on Tuesday September 22, 2009 @11:42AM (#29505677)

    By your own admission it *WAS* a hidden cost to Macs. Now that you *CAN* find them 3rd party, you're whining about the past.

    It's still a hidden cost, it's just less now.

    Plus the whole selling argument Apple makes for getting a Mac is to avoid stupid technical hassles. This is a stupid technical hassle that wastes tons of time -- that's a cost too. I can't count how often Mac users have to go scurrying about because they forgot the adapter in their car or office or at home. Nor can I count how often I've huddled around some dimwit's 13" or 15" screen to watch a presentation in a conference room with a projector sitting right next to it.

  • Re:Macs (Score:3, Interesting)

    by vux984 (928602) on Thursday September 24, 2009 @11:44PM (#29536823)

    So you're convinced that hanging on to connectors created 10 or more years ago on laptops is a good engineering design call?

    They are a good design call until more people than not don't NEED it.

    Here's some light reading on the topic for ya.

    I have nothing against displayport. I have nothing against the progress it represents. You seem to think I somehow dislike displayport or progress in general. That couldn't be further from the truth. All 3 monitors on my desk are hooked up via DVI. And my newest one supports both displayport and hdmi as well, so it should be forward compatible with my next video card too.

    But it ALSO has a VGA port, which has proven useful on many occasions. And it's good to have that legacy option, because despite the fact that it's 'obsolete' it's still MASSIVELY IN USE. And that's on a stationary device that never goes anywhere, where having an adapter or two isn't actually inconvenient, nor apt to be left behind or misplaced. Virtually all monitors and projectors you encounter right now take VGA and will have a VGA cable hanging off them ready to plug into your laptop... so yes that is the most sensible port to put on the laptop.

    If they want to add displayport too, that's awesome.

    Oh yeah, that article ends with three or four advertisements for places that sell cables... cheaper than Apple's.

    Glad to see you are coming around to my original argument then. That Apple grossly overcharges for them.
