Large-Scale Mac Deployment? 460
UncleRage writes "I've been asked to research and ultimately recommend a deployment procedure for Macs across a rather large network. I'm not a stranger to OS X; however, the last time I worked on deployment NetRestore was still king of the mountain. Considering the current options, what methodologies do admins adhere to? Given the current selection of tools available, what would you recommend when planning, prototyping, and rolling out a robust, modular deployment scenario? For the record, I'm not asking for a spoon-fed solution; I'm more interested in a discussion concerning the current tools and what may (or may not) have worked for you. There are a lot of options available for modular system deployment... what are your opinions?"
make sure you have lots of lube (Score:4, Funny)
that is a whole lot of gay to be rolling out
Re: (Score:3, Interesting)
Fine.
Not a native English speaker, and yet a regular Slashdot reader, an OT question: Why could this be considered funny?
Re: (Score:2)
Large scale Apple managed LAN? (Score:5, Insightful)
Re:Large scale Apple managed LAN? (Score:5, Insightful)
radmind ftw
Re:Large scale Apple managed LAN? (Score:4, Informative)
Mod parent up. Radmind [umich.edu] is the only way to deploy a managed Mac OS environment.
Re: (Score:3, Informative)
I was referring to the functionality you see in RDP, where any client edition of the OS can connect to any box running Terminal Services (XP Pro and all Server Eds.) without licensing more crap.
I may have misstated the licensing terms, but I firmly believe they're bullshit enough that such doesn't matter.
Re:Large scale Apple managed LAN? (Score:5, Interesting)
I preemptively beg mods not to bury this comment. We all know that Linux is great on hackers' workstations and on servers and in computing clusters, but not so great as a desktop system for average users.
Well large managed networks is two miles away in the distance on the scale of things Linux is awesome at. Active Directory, Exchange, Terminal Services... Windows really does have a very impressive offering in this area, while Linux stays behind the scenes and rarely faces the user.
Re:Large scale Apple managed LAN? (Score:5, Insightful)
Active Directory
You can't be serious on this one. LDAP + Kerberos can easily take on that role plus some.
Exchange
Email is easy enough to offer but shared address books and calendaring may give Exchange the edge. No harm in deploying Exchange on the back-end and using Evolution or Thunderbird or web based Exchange on the front-end.
Terminal Services
This is the most outrageous of your claims. Linux, Solaris, *BSD all come up trumps in this. You've got X11, NX, VNC, and the most advanced thin client solution at the moment, Sun Ray [sun.com].
Re: (Score:3, Informative)
Darwin Calendar Server. Open Source, free, runs on Linux. I thought I read in the mailing list that address book sharing is coming, though I can't be positive on that. Still, makes a great calendar server and it works with Thunderbird, though Thunderbird is not an awesome calendar client. Some howtos for installation: http://dcswiki.org/ [dcswiki.org]
Re:Large scale Apple managed LAN? (Score:4, Insightful)
please... X11, NX, VNC and Sun Ray all suck ass compared to RDP. i use them all on a daily basis, and RDP is far and away the best of them all. authentication, remote devices (USB, printing), sound, mapped drives, etc. etc. none of these other solutions even touch on any of those features. not to mention, the performance of RDP smokes all of those others completely out of the water.
Re:Large scale Apple managed LAN? (Score:5, Informative)
With puppet [reductivelabs.com] of course.
Re: (Score:3, Insightful)
You don't, you use the many available tools to do what you want to all the machines via scripts. This is the same thing you do when you realize that group policy only exists for a couple things and everything else you are on your own.
Re: (Score:3, Informative)
You don't, you use the many available tools to do what you want to all the machines via scripts. This is the same thing you do when you realize that group policy only exists for a couple things and everything else you are on your own.
I admin both 'doze and 'nix, and although what you say about AD is true, you're not completely correct. AD is so handy to create GPOs with batch files to apply to machines automagically when they are thrown in an OU. Sure, you can always add computer names/IPs to a config file for automated scripts in cfengine, but AD is easy for subordinates to deal with.
Re: (Score:3, Interesting)
We all know that Linux is great on hackers' workstations and on servers and in computing clusters, but not so great as a desktop system for average users.
We do? Well, we're not really talking about Linux here, we're talking about Apple, which is a whole different ball game. But as to your Linux comments, people repeat these anecdotes so many times, they are taken as fact even though there is really not much to back them up. Recent Ubuntu and Red Hat offerings (and to a lessor extent SuSE and Mandriva) prove this tired anecdote to be essentially no longer true. Just because the Über Geeks use Debian, *BSD, or roll their own doesn't mean that's a true rep
Re: (Score:3, Informative)
I would argue this.
Linux may be less prefered for a stand alone desktop mainly because of the windows apps that consumers like to clutter their computers up with. Linux excels in large deployment, standardized desktops.
Simply put, linux workstations are easy to setup against LDAP with NFS home directories. You can tighten the desktops up to limit apps. Use Terminal Server and RDP for necessary windows apps. You can run specific applications on centralized servers and access them via remote X sessions on
Re:Large scale Apple managed LAN? (Score:4, Insightful)
LDAP, thunderbird w/ lightning plugin (or openexchange, citadel or similar), XDMCP.. Updates? Your own local ubuntu/debian mirror w/ custom packages, etc. Lots of equivalents.
....and still no replacement for active directory.
This is really the only practical reason why windows is still on top.
Re: (Score:3, Interesting)
Egh, Active Directory is just LDAP with Kerberos and some proprietary crap thrown on top to make in hard to interoperate with other OS's. The group policy tree is just a centralized registry management system. So, no you're wrong. It isn't as plug and play, but a LDAP setup with single sign on via kerberos and a puppet system to manage the config files (Linux does not use a registry) thrown together with a custom package repository (the SUS equivalent) and you're good to go.
However, where Microsoft wins out
Re: (Score:3, Insightful)
P.S. I love hacking just as the next guy and linux on enteprise is my pet peevee.
Re: (Score:3, Interesting)
Isn't this kind of the point? If You can spend 2 hours and have a domain deployment with all the features You need done by a average paid admin, why spend two weeks by a linux guru?
I think the previous poster was quite clear it adds a lot of flexibility going forward, especially for large scale deployments. And it's not like you have to personally hire an on staff Linux guru. There are dozens of IT services companies happy to set this up for you and even manage it if you don't want to hire an admin. You don't have to pay any license fees going forward and any modifications you want done to the actual system can be done by multiple contract companies you can make bid on it, instead of
Re: (Score:3, Funny)
Re:Large scale Apple managed LAN? (Score:4, Insightful)
"Egh, Active Directory is just LDAP with Kerberos and some proprietary crap thrown on top to make in hard to interoperate with other OS's."
Yep, and Linux is just a couple of C files, written by underpaid engineers in their spare time.
ActiveDirectory is much more than 'just LDAP with Kerberos'. It has nice management tools and integrates with almost all Microsoft applications. And most important: it actually works just fine. And you can easily interoperate with AD because using simple LDAP.
I've tried to make a replacement for AD in Linux network. Even after spending a week I was not completely successful. For example, I still have no idea how to make offline logins using cached credentials. Or how to integrate Kerberos authentication and IPSec.
Re: (Score:3, Insightful)
However, where Microsoft wins out is that that isn't easy to roll out.
That's got to be a strong contender for "laughably inaccurate understatement of the year", right there.
The Linux's and BSD's of the world make you learn how the engine works first, but once you've got it figured out you still make it to 60MPH before MS does.
Bollocks. Even an entry level, nothing-but-the-MCSE Windows admin could setup an simple AD environment in a day or so. On the other hand, a highly qualified Linux admin is going
Re:Large scale Apple managed LAN? (Score:4, Informative)
Not even that. OpenLDAP supports user-defined schemas. Active Directory doesn't. You have to go out and buy something if you don't like the stock set. Kerberos and one or more LDAP servers come standard with all the major Linux distros.
100% wrong, AD does allow schema customizations, using a simple command-line tool. Many applications do exactly this, not just Microsoft software. Developers steer clear of it, because a forest-wide schema change terrifies most PHBs, but it's actually rather trivial if you need it. Microsoft does request that if you sell boxed software that makes schema extensions, then you should register your schema IDs with them to prevent conflicts, but that's not enforced or anything.
Oh look.. it's even documented for you:
LDIF Scripts
http://msdn.microsoft.com/en-us/library/ms677268%28VS.85%29.aspx [microsoft.com]
What I especially like about AD is that once you've extended your schema (say by adding a few attributes to the User class), you can then write a management console add-in that adds an extra tab to the User property dialog box. Nifty.
Re:Large scale Apple managed LAN? (Score:4, Insightful)
No, there are many historical reasons Microsoft has its leadership position. It has, in fact, been convicted for many of them.
Active Directory is useful: its management interfaces are very useful for modest size environments. Scaling it down to small shops that can't spare dedicated, expensively licensed servers or scaling it up to large environments that require subtler control and redundancy, however, is extremely painful. Its underlying technologies are all more manageable with a more intelligent database behind it and a superior auto-configuration setup. These components are:
DNS
DHCP
Kerberos (authentication)
LDAP (user account and machine resource management)
That's basically it. And given its lack of sanity checking of its own configurations, the difficulty of scripting its operations, and its mishandling of the addition or re-configuration of new resources, I don't recommend it for large environments.
Re:Large scale Apple managed LAN? (Score:5, Informative)
Novell solutions pwn Microsoft, sorry to say.
Re: (Score:2)
Wrong! Novell Zenworks is on Linux too - so why can't you have a heterogeneous large scale Linux and Windows rollout? There is Zenworks for Mac but none of our customers (though there is quite a few Macs) use it. If you are going to roll out Novell stuff you may as well do Novell Groupwise while you are at it. Novell solutions pwn Microsoft, sorry to say.
This is the only real solution anyone has listed. The only downside is that both your microsoft and mac fanboy users will complain about having to use it.
Re: (Score:3, Interesting)
Novell solutions pwn Microsoft, sorry to say.
Actually, no they don't. Not by a longshot. The school district I attend (with over 100 schools) uses ZenWorks, NDS, GroupWise, etc. Yes, ZenWorks is extremely powerful, and Novell has good integration. Yes, you can do a lot of cool stuff with it. Novell also happens to make incredibly slow software. Our district can't afford new computers on a standard 5-year cycle (or chooses to blow their money on computers twice as expensive as they need to be yet still with crap specs, but I digress), so many of our ma
Re:Large scale Apple managed LAN? (Score:5, Funny)
Agreed. It's the only OS for seriously large botnets.
Re:Large scale Apple managed LAN? (Score:5, Informative)
There are many huge Mac deployments: universities, school districts with 1-to-1 laptop programs where every student gets a laptop, Google (thousands of Macs), the Fountainbleau hotel in Miami, and more. Apple gear isn't always used to manage everything: most of these sites are probably using Active Directory or some UNIX-based LDAP service for account management. But there are plenty of large Mac deployments out there.
Re: (Score:3, Insightful)
This is so far of the mark it can only come from a windows centric operation. What happens when the business' interest lies in a non microsoft solution? How does MS AD handle that?
If it's so simple to deploy then why are so many large companies so hesitant to upgrade?
I hear this a lot but have not seen it work with a mixed environment yet. Windows does not play well with others. If you care to lock yourself down to windows fine with me. I manage over 15 companies and the only common software they have is i
Re: (Score:3, Insightful)
Is there even such a thing in this world?
Yes. Next question?
Seriously, it's obvious from the story that there is, indeed, "such a thing in this world." Windows users love to accuse Mac and Linux users of fanaticism, but honestly, there's nothing more fanatical than a Windows drone who can say something like "[Windows] really is the only OS built for very large enterprises" and believe it.
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
Re:Large scale Apple managed LAN? (Score:5, Funny)
Among my experiences (mostly historic): ... get coffee as much of the btree is traversed
-Some shims/extensions installed to compensate for hardware issues were unconditionally loaded, even on hardware that didn't need/couldn't boot with them. That made reusing disk images on slightly different hardware revisions... fun.
-Wake on LAN should do... stuff. Consistently.
-I've autodiscovered a shared printer which I'll share with everybody. I've autodiscovered a shared printer which I'll share with everybody. I've autodiscovered a shared printer which I'll share with everybody...
-What's that? The mounted ASIP resource disappeared for a few seconds and now everyone's trying to reconnect? At once? And their workstations are beachballed until the share comes back, even though they have no open resources on it?
-Restoring resource forks from backup always works!
-What do you mean by "the QuickTime update broke the AppleScript methods for a completely unrelated subsystem"?
-I've autodiscovered the same printer share which I'll share with everybody...
-ls -lr on a folder with a few hundred files in subfolders
-I've connected to this resource before, so I'll make a new alias for it with a subtilely different name
-What do you mean you've deleted stuff to the network trash and now it's locked?
-I've autodiscovered the same printer share which I'll share with everybody...
Re: (Score:2)
DeployStudio or LanREV (Score:5, Informative)
I have had great success out of both DeployStudio (http://deploystudio.com/) and LanREV (http://www.lanrev.com) in K-12 schools with 200+ machines.
Re: (Score:3, Informative)
Re:DeployStudio or LanREV (Score:4, Interesting)
Re: (Score:2)
I second LanREV, and they will have a Linux agent component in the next 6 months and a Linux server after that. Make sure all your desktop machines have the same administrative password (or groups of them do). Also make sure the firewall is turned off for SSH from your LanREV server. Then it'll scan subnets, SSH in and remotely install the agent. Then you have a lot of capabilities.
I do agree with the GP, this is really Microsoft's strength, AD+Kerberos+System Center/Forefront or whatever they call it n
Planning (Score:2, Funny)
Man, I'd update your resume because they won't need you anymore. Or, insist that some MS products are still around because of ... of...email ...no...um...well, that's your problem.
Suggested reading: (Score:5, Informative)
Check out the following:
http://www.macenterprise.org/
http://www.deploystudio.com/Home.html
http://rsug.itd.umich.edu/software/radmind/
is there alternative to ASR? (Score:2)
Now that NetRestore is going the way of the dodo, is there anything out there better that Apple Software Restore, it is pain in butt because another boot disk is needed, NetBoot sets without NetRestore more work
Have you looked at the features.. (Score:4, Informative)
.. of OS X server [apple.com]? It doesn't require client access licenses like Windows server versions do, and many of the services seem tailored to providing the best administration possible for an OS X network. I don't have any personal experience, but that's the first place I'd look if I had to admin an entirely OS X network.
Re: (Score:2, Informative)
Re: (Score:3, Informative)
Re:Have you looked at the features.. (Score:5, Insightful)
Sorry but no.
Based on your anecdotal example...bla bla bla. Buy you readily say you're buying sub-par equipment. So i'm not sure how you can compare "good" equipment. If i bought a $300 clearance PC and compared it to a $800 enterprise-class PC i'm sure i'd see more failures in the cheapy one.
Moving on...to the smaller end of 'large' business - 2500 users and ~4000 computers in my enterprise. Similarly configured Macs cost us about twice what a PC does. Apple doesn't give on hardware unless you're buying them by the truck load and even then it's not nearly as much as other large suppliers.
Go negotiate pricing with 7-figure yearly spending and Dell, HP, etc. will give a LOT more than Apple. Yes, Macs are pretty but we're talking about enterprise. Pretty takes a back seat.
Re: (Score:3, Insightful)
Similarly configured Macs cost us about twice what a PC does.
The last actual study I read on this, Macs cost about 20% more than the average PC on the market. That put them right in line with Sony and several other reputable computer manufacturers. Apple systems also rated best in the industry for hardware failure rates both DOA and within the first 2 years and had the best rating for support solutions to both hardware and software problems. That pretty much justifies placing them in the premium hardware category don't you think?
When you say Macs sot more than PC's y
Re: (Score:3, Insightful)
Does price matter in enterprise, where the hard cost of the machine is maybe 10% of it's 3-4 year cost in IT labor, software, upgrades, and downtime?
Fact is, and NOONE argues this, the PC simply costs 2-3 times the amount of time investment anually, plus requires additional software and agent licenses not required on the mac side (and no, I DO count AV for both Mac and PC, I'm refereing to image software, central management agents, and extras like PDF writers, etc that all come free with a Mac).
Even if the
Re: (Score:3, Insightful)
http://www.apple.com/server/macosx/specs.html [apple.com]
What standards is your Windows Server / gaming platform, based on?
Re:Have you looked at the features.. (Score:5, Insightful)
We have an OS X server.
It really does suck.
It's kind of like a crippled BSD server with weird management utilities and a lot of buggy modified utilities.
You might as well just use a normal Linux server, since all the same daemons are available, and much easier to manage.
Re: (Score:3, Informative)
I second that one wholeheartedly. The GUI admin, which is billed as this "any average Joe can run a network" (which is how I got stuck with it with no training) is completely inadequate if you're doing anything completely non-trivial, but thinks it know better than you and clobbers any edits you make to the config files.
Also, the DHCP and NAT fail tremendously. I told the server to serve DHCP and provide NAT services to the subnet so that my cluster would have one forward facing IP address. This worked g
Re:Have you looked at the features.. (Score:5, Insightful)
For instance, in 10.4, any change to the GUI would overwrite your
If you're a very small shop, and you want a simple drop-in fileserver, Mac OS X will probably work for you. If you want a simple Open Directory, and don't have an existing directory system, Mac OS X will probably work for you. But get any more complex than that and you might as well use something else.
Re: (Score:3, Interesting)
Apple's stuff may have gotten more pleasant to use, but come on, there haven't been any earth-shaking changes going on from a sysadmin's perspective. Besides, 10.4 Server came out in April of 2005. That's 4 years ago. I think you'll still find it widely deployed in Apple environments.
Options (Score:5, Informative)
You have two choices in general on the Mac side:
-- UNIX-y utilities, usually on the command line and a bit crufty in places, but free and nicely configurable
-- Mac-type utilities with marvelous interfaces that will probably set you back a nice chunk of change
When I was in the business, we used Carbon Copy Cloner, but g4u, Remote Desktop 3, or just plain old rsync are all pretty good bets depending on what type of imaging you're planning to do. CCC actually has one foot in both of the two camps I just described.
Of course, I even remember the crusty old days of Assimilator.
Apple Software Restore + Radmind + ARD (Score:5, Informative)
We could probably come up with something clever using a boot partition, but this works fine for us. If you want to get fine-grained, have a look at Radmind [umich.edu] but keep in mind that Adobe apps will thwart your every attempt to manage them at that level.
All of the above are Free/free. We handle patching using Apple Remote Desktop (not free, but well worth the money). You can also configure your machines to authenticate against an Active Directory (like we do); if you're willing to modify your schema, you can even manage your installation from your MMC snap-ins like you can with Windows boxen.
Re: (Score:2)
Yeah except if you want rsync to preserve resource forks, you invoke the broken and shitty part of the code.
rsync -E runs out of memory on anything approaching a large data set, and it also considers the resource forks "dirty" every time you sync, so it's slow as hell too.
Waste of energy (Score:3, Informative)
If you post on slashdot a question on the best way to deploy lots of Macs, all you'll get is trollish comments from pre-pubs.
Really. It's the car equivalent on asking how to adjust the stock Caliber SRT4 wastegates on a Honda Civic SI site.
For real answers, check out System X [vt.edu]. The hardware FAQ and history links will provide lots of useful info.
Re: (Score:2)
That's demonstrably untrue. At this point in this thread's life there are a couple of funny comments, a couple of 'don't do it' comments, and the rest are thoughtful and full of good information. There are inevitably trolls on every slashdot thread. So what? Thanks for the question!
Re: (Score:2)
5. Profit!
I see now.
Re: (Score:2)
Easy Steps (Score:3, Informative)
For initial deployment, Deploy Studio: http://www.deploystudio.com/
For authentication and settings management, use OpenDirectory.
For ongoing control and user support, use Remote Desktop (from Apple).
For a more advanced option, try Radmind to keep the Macs in sync: http://rsug.itd.umich.edu/software/radmind/
Virginia Tech (Score:2, Interesting)
JAMF Casper (Score:5, Informative)
We have a 300 Mac exclusive network (Score:5, Interesting)
First we build and test a good image on a machine for a couple of weeks.
Then we either use that image,if it was correct the first time, or build a new one from it if it required touching up.
We use Apple's free Disk Utility which comes free with all macs.
We then get about 10 - 15 firewire drives and copy that image on them. (You have to make sure the drives are bootable, you can actually deploy that same image onto the drive itself.)
Then we line up 10-15 machines and use again the Disk Utility to image them.
Depending on the size of the image, just about the time you have the next 10-15 unboxed and set up (very easy to do since they're all all-in-ones), the first batch is ready.
Works for us, but then again, our schedule is flexible and we can afford a couple of days of leisurely imaging.
Oh, yeah, and if you do have an image you can also work with Apple, they'll preload it on for you.
you still have to do the firmware updates by hand (Score:2)
you still have to do the firmware updates by hand and with apple some time they are needed for a newer os / update to work.
Deploy Studio (Score:2)
Need more info.. (Score:4, Informative)
Net Boot Based Installation and Monitoring (Score:3, Informative)
Also, if you have the bandwidth, you can centralize your OS installs as server based images that are never installed on the thin clients. If you get it to work, it makes upgrades and deployment very easy.
If you want to discuss some of the problems we faced and our solutions, please feel free to contact me.
radmind (Score:5, Informative)
I used to run a network with hundreds of apples with radmind. We installed the initial images with NetRestore (multicast for the larger influxes), and upon reboot, the computers would download their radmind certificate from LDAP and install all of the software that it needed.
It takes more up front time to set up and configure radmind, but it works wonderfully for almost anything you want to do.
Re: (Score:2, Informative)
A previous poster argued that you have to choose between unix-ey freeware and pricey, pointy-clicky commercial software, but radmind actually bridges that gap nicely. It is a free set of unix command-line utilites with several GUI applications that can bind it together on the client and server sides -- if you like that sort of thing. In my implementation, we use perl scripts to actually do most of the heavy lifting. Moreover, it's relatively to give end users more-or-less control over the rest of the syst
DeployStudio (Score:3, Informative)
OS X Server + method of your choice (Score:5, Informative)
Apple has a robust remote installation suite with OS X Server, which is darn cheap compared to most other commercial offerings.
10.6 includes a first party version of NetRestore (full system image deployment, similar to Ghost or Flash Archive on Solaris), but most people deploying across a large number of systems should roll their own images with packaged based tools like DeployStudio or InstaDMG:
http://www.deploystudio.com/ [deploystudio.com]
http://code.google.com/p/instadmg/ [google.com]
Some other good sites for finding info:
http://www.afp548.com/ [afp548.com]
http://www.macenterprise.org/ [macenterprise.org]
try serverfault (Score:3, Insightful)
Try asking this on serverfault.com. Lots of advice can be found there.
Radmind (Score:5, Informative)
It's been mentioned a couple of times, but mostly with -1 scores, so it's easy to miss: Radmind. It's a very powerful deployment tool with a totally transparent mechanism so you can tweak it to do *exactly* what you want in terms of mucking with files on the disk. I've seen people complain about it being hard to use, but I thought it was pretty straightforward -- install an app, run the change detector, tweak as desired (if at all), build an app image, deploy.
http://rsug.itd.umich.edu/software/radmind/ [umich.edu]
Why ask on /.? Plenty of info elsewhere... (Score:4, Informative)
Why on earth is this being asked on Slashdot? Head to afp548.com and macenterprise.org (particularly its mailing list). You'll find info on InstaDMG, DeployStudio, even Radmind.
Re:Why ask on /.? Plenty of info elsewhere... (Score:4, Informative)
The above are good resources, but also check out the OS X Server list [apple.com]. It is a good, geeky community of people actively building and working on OS X Server networks.
So... (Score:2, Funny)
This is a Big Mac deployment? Sounds like a job for my tummy!
Open Directory and Remote Desktop (Score:4, Informative)
Open Directory [apple.com]
By centralizing information about users and network resources, directory services provide the infrastructure required for managing users, groups, and computers on your network. Directory services can benefit organizations with as few as 10 people and are essential for enterprise networks that have thousands of users. Deploying a directory server helps reduce administrative costs, improve security, and provide users with a more productive computing experience.
Remote Desktop [apple.com]
Apple Remote Desktop is the best way to manage the Mac computers on your network. Distribute software, provide real-time online help to end users, create detailed software and hardware reports, and automate routine management tasks -- all without leaving your desk. Featuring Automator actions, Remote Spotlight search, and a new Dashboard widget*, Apple Remote Desktop 3 makes your job easier than ever.
* You'll notice Open Directory has no Dashboard widget. It's because it isn't uniquely Apple and therefore isn't polished to a blinding shine.
from experience (Score:5, Informative)
You're likely to get some laptops in addition to desktops. Get yourself a large room, a dozen or more firewire cables, power strips together. Before the machines arrive, use a macbook pro or macbook (a laptop) to develop your base image. Install all software on it that is going to be on most of the machines. Test thoroughly. Be sure all your remote access is tested. (ARD/SSH)
Use netrestore to create the base image. When the computers arrive, copy the base image to a group of laptops, with netrestore app. The number varies depending on how many computers you are going to be imaging, the size of your base image, and how much help you have. 8-12 is typical if only one person is going to be restoring.
First thing you should do with machines out of the box is label them, have labels made up in advance. Then set them all up imaging over firewire, just get an assembly line going. You CAN do netrestore over the network, but it's been my experience it's less reliable. (machines randomly fail to restore, sometimes entire groups fail at an annoying 99% etc) Firewire is usually faster anyway since your fileserver or switch is very unlikely to be able to keep up with imaging a dozen at once. FW800 imaging is an amazing thing.
Once machines are imaged, there should be a folder of scripts sitting on each machine's local admin acct, one for each group of machines. The script will prompt for computer name and run. When run it will rename the computer and delete all the apps that should not be on that particular image. This can also be done by running the script remotely over apple remote desktop. If you don't have ARD, *get it now*. It will save you incredible amounts of time. Using this removal script method adds only a few minutes of time per image but you're doing them in parallel so its negligible, and saves you the major headache of managing a half dozen different base images.
As long as you made the image on a laptop, it should have full hardware support for the camera etc. Different images are required for PPC, but fortunately that's not a headache you have to worry about. (I did, PAIN)
Boot camp adds a level of complexity, requiring you to partition the hard drives before restoring to them, and then using something like Ghost or Acronis. One person can image between 40-80 machines in 8 hrs depending on how things go. Helps to have grunts to do the minor things like unpacking and delivery to stations. Find some carts so you can move machines several at a time. Inform the cleaning staff that you're going to have a mountain of packing material to dispose of. Keep 1 box for every 20 machines in case you need to box them up to send to a repair shop down the road.
If you insist on using netrestore over the network, be sure you have multicast enabled on the switches. It doesn't like crossing subnets but can be made to work.
also with boot camp windows part will need alot of (Score:2)
also with boot camp windows part will need alot of images for differnt hardware.
you know... (Score:3, Informative)
Virtualization? (Score:2)
Bombich Software (Score:3, Informative)
I worked at a school district for some time with a significant Mac deployment. We used Mike Bombich's software [bombich.com] extensively, and especially for deployment, his NetBoot utility.
It does take a little bit of configuration on the server-side to start, but it looks like some other posters have already linked to tutorials for setting that up. MB has a utility to create a net-bootable-image that can used to image that machine with your choice of disk images (we had different images for different architectures, and different software packages), or can be automated to pick an image automatically.
His NetBoot software also has the ability to run a shell script to complete configuration settings that may need to be done on a per-machine basis (setting the computer network name for example).
For running updates, and modifying settings after the initial imaging, Apple's remote desktop is actually very useful. Although the feature set is limited, it DOES allow for the execution of shell commands from the Remote Desktop interface, which makes upgrading or changing settings on a large number of machines fairly easy.
Radmind (Score:4, Informative)
I managed a deployment of roughly 800 Macs across the campus of a large university using Radmind [radmind.org]. I've also managed the campus Linux, Solaris and OpenBSD kerberos servers, web servers and file servers with the same software. Radmind's learning curve is a little steeper at first, but it's one of the most flexible deployment options out there once you get the hang of it.
Radmind's not really a competitor with tools like NetRestore. When used correctly, NetRestore is great for total reimaging of deployed hardware: nothing beats a block-copy installation for speed. Where NetRestore falls down is when dealing with deployment entropy. After imaging, the machine is in an unknown state ("post-image"), and the only way to be sure all machines are in the same state is to blow away the entire disk and reimage, usually at a cost of gigabytes of bandwidth per machine.
This is where Radmind excels. It's basically a tripwire with software deployment and roll back, all based on the differences between what should be installed and what's actually on the disk. The core utility, fsdiff, looks at all files and directories designated as managed by the administrator and generates a list of differences. You can capture those changes as a loadset and upload them to the Radmind server for deployment to other machines, or you can undo any changes detected by fsdiff and restore the client to a known good state.
The great thing about this method of management is that there's minimal bandwidth used. If fsdiff detects no changes on the filesystem, there's no reason to download anything: your system is in a known good state. On the other hand, it makes deploying Apple's system and security updates pretty damn easy. Grab the updater from Apple's website, install, and run the Radmind tools to capture the changes. Store the changes on the server, add the new loadset to your machines' profile (command file), and let your clients pull down the changes.
The Radmind community is very helpful. Most questions to the mailing list (hosted on SF.net, Google groups mirror here [google.com]) are answered very quickly, and people are eager to share details about local setups and scripting solutions. A typical setup for a Radmind-managed Mac OS X client usually involves a few possible methods for initiating updates, most of which involve iHook [ihook.org] as the UI:
Since we relied on students to help run our labs, we also deployed a special, unprivileged local user account, whom the students could log in as. This also triggered a Radmind update. And of course you can trigger updates over ssh (which works well in combination with something like pdsh).
We combined Radmind with NetBoot for rapid, consistent deployments. Once the hardware was in place and on the network, we netbooted, used ASR to install a minimum and relatively recent system, and let Radmind bring everything up to date, including per-host license files and location specific software.
Radmind's not perfect. It manages at the file level. If you want something to manage, say, config files on a line-by-line basis, Radmind isn't going to fit the bill (yet). Generally speaking, though, Radmind manages Mac OS X with ease. Once you've got Radmind managing your Macs, you'll find you have a lot of extra time to do interesting things instead of troubleshooting problems brought on by stale deployments.
The Radmind wiki [umich.edu] is a decent place to start looking. Good luck.
Mass Mac Deployment for Dummies (Score:3, Informative)
I do this for the federal government, after coming from a university environment where I grew up with the Mac from the bad ol' days of the late 90s through Apple's phoneix-like rise from those ashes into the titan it is now. Truth be told, not much has changed.
For mass deployments, I'm about to look into Casper, but NOTHING I've seen or heard about beats netboot/netrestore -- and mind you, I live and breathe Mac. I use PCs to manage Remedy tickets, and that's it. The ability to create a master image, upload it to a server, restart a machine with the n key pressed and have it image itself was and is nothing short of magical, and it's the deployment solution I'm moving toward for the portion of the Treasury Department network I control (if I die, money will cease to be printed). Unless Casper can top that, netinstall + n is still my deployment solution of choice, and one that the folks where I used to work are still trying to replicate three years later. There's nothing faster or more foolproof.
Prototyping is just as easy. I deal with everything from banknote designers (pull out a bill. Isn't it pretty? My designers drew all that stuff on their Macs) to executive management, and though they use their machines differently, they all have the same baseline needs -- a rock solid configuration that's hardened to IT Security's exacting (if evolving) standards, and Office to handle collaboration. My base image is a hardened installation of Leopard with fully-patched Office. That's standard across all machines. This base image is what I run in regular user mode on my personal production machine so I will know firsthand exactly what the user experiences from day to day. I customize the default user environment on the standard image to suit _my_ tastes and allow the users to tweak and refine that environment as they see fit. I learned years ago that this is the best approach for standardizing a user's desktop because I know how to work around the various quirks of OS X that can become annoying after using it for an extended period of time, and they usually haven't been on Macs long enough to have figured these things out. The more experienced of my newest users typically bristle at this since to a person they always think their approach/way of configuring the Finder/desktop is THE way to have their machines work, but I usually don't hear a peep from them after a week or two of working in my environment. The biggest compliment to me is when I cease to get trouble tickets from my bitchiest users because they find that I've already anticipated and addressed their most obvious complaints in the standard image.
On top of the standard image, I install applications specific to the machine's role. The designers, for instance, get Adobe CS 4 and additional design-focused applications such as Quark and a font manager. My video people get Final Cut Studio. My engravers get the same package as the designers. My method of choice for deploying to these disparate groups lately has been to install the specialized applications on the standard image and create secondary images applicable to specific groups. Banknote design machines, for example, have their own special image and the video production machines have an image all their own. This simplifies things mightily because all I have to know when I want to deploy a new workstation (or repair a broken one) is where it's going. Oh, this is a replacement banknote machine? Put the banknote image on it. Copy the _user folder_ -- and nothing else -- from the old machine, create an account on the new machine, point it at the old user folder, and voila. Completely new hardware, and the user has no idea anything's changed. I've upgraded users from Tiger-running G5s to Leopard-running 8 core Mac Pros, and the only difference they noticed was the machine was "a lot faster." And the Apple menu's a different color. That's the power of Mac OS X.
Security, as I'm sure you well know, is not an issue on the Mac, but given the sensitivity of what my users do, I
Re:Macs (Score:4, Insightful)
Guess what? It would be you, not the Macs. I'd have fired you for wasting the time needed to tear a display apart instead of sending it to the manufacturer to be repaired.
Re:Macs (Score:4, Insightful)
Taking it apart yourself is worse than paying somebody else $400/hr to take it apart for you?
Re:Macs (Score:4, Funny)
400 dollars an hour?! What are you using? Lawyers? How does that work?
1) Monitor breaks
2) Sue Apple
3) Free monitor?
Re:Macs (Score:4, Informative)
Stupid post.
2 would never happen and would cost WAY more than 400 bucks in time alone.
Get Applecare and it's covered for 3 years. Ship it back to Apple while they fix it. That's what we do.
Re: (Score:3, Interesting)
By your own admission it *WAS* a hidden cost to Macs. Now that you *CAN* find them 3rd party, you're whining about the past.
Its still a hidden cost, its just less now.
Plus the whole selling argument Apple makes for getting a Mac is to avoid stupid technical hassles. This is a stupid technical hassle that wastes tons of time -- that's a cost too. I can't count how often Mac users have to go scurrying about because they forgot the adapter in their car or office or at home. Nor can I count how often I've huddl
Re: (Score:3, Interesting)
So you're convinced that hanging on to connectors created 10 or more years ago on laptops is a good engineering design call?
They are a good design call until more people than not don't NEED it.
Here's some light reading on the topic for ya.
I have nothing against displayport. I have nothing against the progress it represents. You seem to think I somehow dislike displayport or progress in general. That couldn't be further from the truth. All 3 monitors on my desk are hooked up via DVI. And my newest one suppor
Re: (Score:3, Funny)
....fucking Apple Cinema Display
Damn! Is there a video? I tried googling "apple cinema display fucking" and "apple cinema display porn" and nothing.
So, what was it fucking? The DVD drive? or the USB port?
Re: (Score:2)
Rule 35 on "apple cinema display"
Re: (Score:3, Funny)
Oh, the fail.
Re: (Score:2)
there are softwares that only run well on Mac, and the two macs (four and six years old) at my house don't have hardware problems. businesses don't care about your backlight replacement struggles, they can 3 year applecare protection like God or was it Steve Jobs intended
Re:Macs (Score:4, Interesting)
2007 Shuttle PC, dead after one year (just out of warantee)
Custom PC tower, 5 years, finally fails to make it past post last week.
2006 Mac Mini - still rocking on.
Most of our corporate machines are towers or standard desktops, internals never upgraded since purchase. A fleet of 2009 minis would be fine for these, and iMacs for reception (or senior managers).
Savings: no AV software, easier deployment of apps and policies, dont require MS Active directory or client CALs to manage them - however, not knowing month to month what hardware is going to come available from Apple would suck. Windows apps could be easily delivered using citrix or teminal server for those that need it.
Ever tried to manage 100 notebooks and backup personal data? Howabout encryption software - finally available with bitlocker if you get Vista Pro or premium - but then system folders encrypted too, a pain to manage. I liek just the encrypted home folders - which can also be mounted from an OS X server - and replicated for laptops.
Also how about common accessories like power adapters for 100 laptops and a single OS image that will work for everything?
If you can break the MS monopoly then there are savings to be made up to a certain scale.
However I will admit managing more than 1000 of these puppies could be challenging and I havent seen much that would help except maybe Zenworks from Novell - but then eDirectory is not cheap, but again savings from requiring fewer people to manage everything and fewer servers required.
For a bulk deployment I'd also look at splitting home off from the boot drive, and have a spare boot image with minimum required apps on every Mac, and script an RSync to keep it fresh from a single image.
Re: (Score:2)
You sound like a real pro. Do you have any actual advice?
Re: (Score:3, Insightful)
"Ever replace a backlight in a fucking Apple Cinema Display? That's 3 layers (and a thousand assorted screws and layers of tape)"
Sounds like replacing a backlight in every LCD monitor that has ever existed.
Re:Macs (Score:4, Interesting)
You should have just mailed in the damn Cinema Display. Service providers (at least non-Apple owned providers) can't replace anything on them but the power brick these days. Just mail it in and let the repair depot monkeys figure it out. I would never want to replace an LCD backlight (which isn't exactly a user-accessible part on ANY display) if it could ever be helped.