
Thu Jun 17, 2010 11:52 pm

Site Admin

Apple has a new (or updated) how-to white paper called Modifying the Active Directory Schema to Support Mac Systems, dated May 2010. Modifying the schema on the server is one of three basic ways of adding Macs to an Active Directory network. (The other two are to install a Mac OS X Server, or to use a third-party product, such as Thursby Software’s ADmitMac, Centrify’s DirectControl, or Likewise Software’s Likewise.)

Although many system admins don’t like the idea of modifying the schema, the paper provides step-by-step instructions to do so, which Apple calls "extending the AD schema to manage Mac systems."

What do you think? Is this a good idea? Post your opinion here.

_________________
John Rizzo
MacWindows.com




Mon Jun 21, 2010 6:45 am


I would like to add a slight correction regarding Thursby Software being more than simply the DAVE product from the 1990s.

Thursby offers a specific AD integration product (since 2003) that's used by NASA, the Army, colleges, Fortune 500s and high-end video and media companies.

Thursby's ADmitMac 5 software is a client-based solution that includes DAVE and allows AD integration from
Windows Group Policy Objects (GPO) *and*
Mac Workgroup Manager (WGM)

For the Army, it is the only solution that is certified to work with military grade CAC/PIV security cards, although Apple and some third parties offer some aspects of the solution, without certification and/or support and fall short of a complete, supported stack.

DAVE as a standalone product simply fixes problems in native OS X file/print integration, especially with DFS, and is pretty much required for any high-end workflows.

Centrify in particular does not include the functionality of DAVE and so users may unexpectedly incur costs not only for DAVE but also for the Centrify server component that is required along with clients for Mac OS X.

Bottom line, what's good and fine for generic UNIX/Linux/RHEL/Unbreakable/CentOS etc. (with standardized calls, clean code bases) may not apply as well in a Windows-Mac environment no matter how many YouTube videos are prepared or old reviews against ADmitMac 4 are quoted.

_________________
"We deliver transparent Mac-Windows integration, managing Macs just like PCs, with over 50,000 Mac-Windows clients"
For more information, check out http://www.thursby.com/products/comparison.html




Fri Jun 25, 2010 8:55 am


@John - Thanks for sharing the Apple document. Their goal is to show how to modify the Active Directory schema in order to leverage AD for Mac policy management, thus eliminating the need for a separate Open Directory server. However, most Windows-centric organizations won't support schema extensions of this type. And the end result is that Windows admins are using Group Policy and Mac admins are using Workgroup Manager to separately manage security policies. Most organizations are looking for a solution that doesn't touch the Active Directory schema and consolidates policy management in a single administrative interface. Our solution provides full authentication and Group Policy functionality without making changes to AD, which is especially useful in environments where a single Group Policy configuration based on Active Directory is desired.

@thursbysoftware - I appreciate the opportunity to clear up a few erroneous statements.

* Centrify is JITC certified to work with CAC/PIV cards on Mac OS X. You can see our certification letter here.
* Centrify DirectControl does not require a "server component"; agents communicate directly with Active Directory. You can read about the Centrify DirectControl architecture here.
* We support over 225 flavors of Unix, Linux and Mac, and a native agent is optimized for each specific platform.

I'm glad you enjoy the YouTube videos. More coming soon. ;)

_________________
Frank Elley, Centrify
Learn more about us on Centrify's YouTube Channel. Or request a free evaluation of Centrify DirectControl for Mac OS X.




Mon Jun 28, 2010 1:13 pm


Hi Frank –

This isn’t really the place to debate some of this, but clarification to both John’s readers and our two companies is great. I thank John for the open forum where this can happen.

Simon’s main point in his “thursbysoftware” response was to clarify John’s reference to DAVE instead of the proper product ADmitMac.

There is a major philosophical difference in how many managers want to actually manage their systems. For years Macs were rather isolated in most organizations. As they grew, Apple implemented their Workgroup Manager. As complex networks really grew, management by Microsoft’s Group Policies became more important at some locations.

Our current product allows the customer to decide which approach they take. The individual can control the Mac, a Mac-centric organization can manage it through WGM, or with our latest release we also support Microsoft’s GPO. As far as the Macintosh, companies like yours and Likewise only support the GPO niche.

Granted if the customer has a very diverse platform base that includes “225 flavors” of Unix (I didn’t even know there were that many), then a product that specifically adds GPO to the mix probably makes a lot of sense. Unfortunately, that alone doesn’t address many of the true Mac-Windows requirements.

In the real world, Mac connectivity out of the box has serious limitations in the commercial world. One of the big items is DFS. An attempt to sell a solution to this by bundling another third party solution that adds Apple’s Filing Protocol to a server box goes against the management approach of most of our customers. The thought of having to add software of any kind to their servers simply goes against the philosophy of making Mac management as transparent as possible.

On your mention of being JITC certified, that by itself doesn’t mean that a product has government authorization to actually be used on a DoD network, it is only the beginning. Although we received our JITC certification nearly three years earlier than anyone else on the Mac, it wasn’t until the Army thoroughly tested it that a Technical Authority memo was issued both approving and requiring it to be used for joining AD environments. We are also the only company, including Apple, that has formal support for the next generation CAC/PIV cards.

As I previously said, there are definitely different approaches that customers can make. I believe that all of this is accurate and truly hope that both you and John’s readers can clarify any mistakes that I may have made.

Bill Thursby
President, Thursby Software Systems




Mon Jun 28, 2010 2:01 pm

Site Admin

Thursby wrote:
Simon’s main point in his “thursbysoftware” response was to clarify John’s reference to DAVE instead of the proper product ADmitMac.


Quite correct -- that was an error on my part. (I do know the difference, but typed the wrong name.) I've corrected it now. Apologies to everyone.

_________________
John Rizzo
MacWindows.com




Sat Nov 15, 2014 6:54 am


Thank you for good communication.




Serving the cross-platform community since November 15, 1997. Copyright 2010-2013 John Rizzo. All rights reserved.