
How we had to learn to manage Macs in the corporate network

Bring Your Own Device (BYOD) is already a real headache for admins who find not only a top manager's MacBook but also his deputy's iPad (or even iPhone) on the corporate network. This year we surveyed more than a hundred system administrators of large companies in the US, asking what they use to manage mobile gadgets in a corporate network occupied mainly by PCs running Windows. The winning answers were "nothing" and "strong language / alcohol / tears." At the same time, 45% admitted that their companies had already purchased Macs for business purposes. This means the task already has to be solved: information worth millions of rubles can pass through the BYOD devices used by managers and key employees, and it is vital that these devices comply with corporate policies.

In this post we want to tell how we implemented our own solution for managing Macs in a corporate environment, Parallels Mac Management, in our own company: where we started and what we encountered in the process (including purely psychological aspects of our employees' behavior). We also want to speculate on whether Macs are really needed in a corporate network and what for, and to hear your opinion about it and about who uses what to manage them.

"Terrible" reality

Although not every company's IT department can answer the question of why it needs Macs in a corporate environment, their growth is a fact (see the studies by Greyhound Research and independent experts). The growth in sales of our own desktop and mobile products for the corporate market (Parallels Desktop for Mac Enterprise Edition, the same Parallels Mac Management and the business version of Parallels Access) also confirms this. So does the survey which says that 95% of those who work on Windows will gladly move to Mac OS X as soon as they can use a single PC management system across platforms.

Let's be honest: for many companies, in terms of saving costs and resources, it is more profitable to choose a PC running Windows. Macs are more expensive, the ecosystem of specialized applications for Mac OS X is much less developed, and admins are less accustomed to managing them en masse. Why does Apple continue to aggressively penetrate the corporate environment?
Got your own device at work? And what if I find one?

In the same survey, we were told that the Mac platform is more reliable, with fewer "glitches" and viruses (77% of respondents said so), is easy to maintain (65%) and helps attract employees (also 65%). But it seems to us that the reason still lies in the growing popularity of the BYOD concept itself, which is caused by the following factors:

First, there is the explosive growth in the number of mobile devices - phones and tablets - and their reorientation towards professional tasks. There are more and more wearable gadgets that can do everything that only computers could do until recently. This applies to both smartphones and tablets. In 2013, more than 195 million tablets were sold (62% Android, 36% iOS). At the same time, the number of phones in use worldwide on the Android and iOS platforms exceeded 900 million (the iPhone share is 15.2%, Android is 78.6%). And this year, people will buy more tablets than portable computers.

Secondly, the fashion for BYOD quite possibly reflects new relations between employers and employees. These new trends are gradually reaching us from the West and show in the fact that employees are less likely to see themselves as part of the organization, or are not even on staff. For example, contractors in the United States are not considered employees: the company has the right to tell them what to do, but not how. Staff members behave the same way. With this approach employees have fewer restrictions, and it is de facto imposed on all market participants, including employers. And since it does not matter how the tasks are solved, you can use any device that is dear to your heart. Questions of technical support for these devices are rarely discussed, since they are not directly related to the business. In addition, BYOD shifts the cost of purchasing devices from the employer to the employee.

Why include a Mac in a corporate environment?

Perhaps it is easier to ignore the individual cases in which Macs appear? We believe they need to be managed, with exactly the same goals with which we manage PCs running Windows. For example, in our company they are as follows:



How did the implementation project begin?

Having come to understand why we still need to learn how to manage our own Macs (we think every IT department asks itself this question, but, from experience, the answer in the case of Macs may be unexpected), we opened a new project. When choosing a Mac administration tool, we proceeded from the premise that the corporate environment, by definition, has a single directory of accounts based on Microsoft Active Directory and a VPN infrastructure that gives remote users access to the corporate network, and that users are interested in having IT solve their problems. This is important, because a careless and disinterested employee can easily delete the agent on a Mac and then insist that "nothing works".

At the end of 2012, we identified 3 potentially useful products: Centrify User Suite Mac edition, Microsoft System Center 2012 SP1 (at that time at the Customer Technology Preview, CTP, stage) and version 1.0 of Parallels Mac Management (hereinafter referred to as PMM). Centrify was ruled out by the need to pay for a license. The license for System Center is provided to Microsoft partners for free under the Microsoft Partner Network (and we are members of it). An additional number of client licenses (Client Management License, CML) for System Center had already been purchased earlier for deploying System Center Configuration Manager 2007 in the Russian office. These licenses are also needed to deploy PMM, because the Product Use Rights* for System Center 2012 clearly stated that a CML is required for each managed device, regardless of the origin of the agent. By the way, the SCCM 2012 server distribution could only be obtained by purchasing CMLs: there was no server license in the Microsoft nomenclature, and access to the distribution in the Volume Licensing Service Center was tied to the acquisition of CMLs.

At the time the project started, the ability to manage Macs had only been announced for SCCM 2012 SP1. Its release was scheduled for early 2013, so the difficulties were obvious. Several partners of the company then agreed to test PMM, and when our own IT service took up deploying PMM "inside", a new goal appeared: to get feedback faster in order to speed up refinement of the product. Naturally, developers received feedback from "their own" in a shorter time, because the usual chain of "sales engineer" - "product manager" - "development manager" tends to delay it. In addition, the partners were in the United States (which also means a difference in time and language). But our IT gets no greenhouse conditions: it contacts PMM technical support through the general procedure, and its requests for changes go into the general queue, prioritized by the revenue they bring (and since there is no revenue in this case, changes are made only if one of the paying customers demands them). As a result, the IT service gained experience in describing the use case for each new function in detail, and its implementation depended on whether one of the customers wanted it.

PMM Deployment

For the deployment, we selected the Macs of all employees who did not develop or test products. Geographically, they were located around the world: in offices in Renton (Washington state, USA), Moscow, Novosibirsk, Munich, Singapore and Tokyo, plus remote employees in the USA, EU countries, Australia and countries of Southeast Asia.
It was assumed that PMM would make the work of these offices' system administrators easier through its features: remote management, centralized installation of standard software packages and updates, centralized application of security policies (based on Mac OS X profiles), installation of standard OS images, and hardware inventory.

A task worth highlighting separately is the remote administration of Parallels Desktop for Mac (the desktop virtualization product familiar to Mac users, we wrote about it here) and the distribution of standard virtual machines for it. Remote administration includes setting optimal VM settings, activation and installation of updates. Standard virtual machines (Windows 8 with Office 2013) were chosen for reasons of document compatibility and because users are used to the interface of Office for Windows, which differs significantly from the Office for Mac interface, and because many applications still have no versions for Mac OS X.

To solve the entire set of tasks, it was decided to install an SCCM Primary server in Renton and one Distribution Point in each office with a significant number of users: Renton, Munich, Singapore, Moscow and Novosibirsk. Remote users connect via VPN to the nearest data center (Renton, Munich, Moscow or Singapore), from where their traffic is forwarded through the corporate MPLS network to the Distribution Point to which the user is assigned.

Our extension integrates into the System Center Configuration Manager interface.

The server part of PMM was installed on the Primary server. Client installation was done manually, partly by the users themselves and partly by system administrators. Users were sent an e-mail with a link to the agent installer; a system administrator had to step in only when the installation did not finish successfully. Starting with PMM 1.7, installation, including updating the agent version with an SCCM command, was successfully performed in automatic mode in about 90% of cases. In most cases where installing the agent on a computer that did not have it before failed, the reason was that the user did not follow the installation order (you can start the installation without connecting to the VPN, but successful completion requires access to a domain controller, which is reachable only via VPN). The current version of PMM is now 3.1, the teething problems can be considered overcome, and further development is aimed at expanding functionality.

Deployment summary

From a technical point of view, the deployment of PMM at Parallels can be considered successful. The agent is installed on more than 95% of the Macs selected within the company (more than 150). Managed Macs can receive software packages, a password policy that meets the company's complexity and lifetime requirements (through Mac OS X profiles), and virtual machine settings. Starting from version 2.0, automated OS installation is possible, although there is no experience of mass OS updating in this way yet, since the built-in Mac OS tools cope with the task of updating the OS themselves. The third version also brought new functions such as the self-service portal for working with applications, support for HTTPS SCCM infrastructure and for SCCM applications. SCCM client support has been improved, and the FileVault 2 encryption system with private keys is also supported.

Parallels Mac Management Self-Service Portal

One of the most difficult obstacles to the implementation of PMM was learning SCCM. We had no experience with this product at all, so one of the system administrators had to study it first on his own and then at Microsoft certified courses. The courses made it possible to systematize the knowledge and experience gained independently and to get answers to the questions that had accumulated during independent attempts to install and use SCCM. A significant part of the problems that arose during the installation and deployment of PMM was ultimately due to a non-optimal SCCM configuration. CONCLUSION ONE: it makes sense to take on the deployment of PMM only when the organization has experience with SCCM, and if it does not have it yet, formal administrator training is necessary.

The second obstacle was of a psychological and legal nature. Some employees in EU countries objected to the installation of the agent, stating that this would let the IT department invade their privacy. This opposition had to be overcome with the help of the general counsel, who explained that computers belonging to the company are not a place for personal information. Such objections can, however, have much more solid ground in the case of BYOD. Since, by definition, there can be no technical solution for them (an agent capable of reinstalling the OS can access any data), the solution has to be a contractual one. CONCLUSION TWO: BYOD employees should be asked to agree in writing to the installation of the agent as a condition of entering into an employment or contractual relationship.

What tomorrow holds for us

As a result, all the difficulties have been overcome, and Parallels Mac Management is in commercial operation and has been implemented in a number of companies, the largest of which include Rackspace, Samsung and McAfee. At the same time, we have not finished our own internal project: the next stage is training our technical support staff to use PMM in daily practice. This will require, first of all, teaching them the basics of SCCM, since all operations are performed through its interface (Macs are managed in it the same way as PCs). We also plan to roll out the Application Self Service Portal, so that employees can install recommended software that complies with corporate policies by themselves.

Parallels Mac Management now has the largest sales growth of all Parallels solutions - more than 50% per year. This suggests that the task of incorporating Macs into the corporate environment has become acutely relevant, and once a practical opportunity to solve it finally appeared, adoption was not long in coming.

As a result, we can draw the following conclusions. First, in addition to "nothing," "tears," and "strong language", there are products that help solve the problems of managing Macs (and not only our own). Secondly, you will have to deal with various conflicting aspects of PCs and Macs coexisting on the same network, including unexpected and psychological ones (not all employees will accept, along with the benefits of BYOD, responsibility for the contents of that "D").

And we are really interested in what you think about it yourselves: do we need Macs in a business environment, and what usage scenarios can there be? So write your thoughts and questions in the comments, and we will try to answer each one.

* Product Use Rights is the main document that defines the rights to Microsoft software transferred to the licensee under volume licensing programs.
The author of the article is Vitaly Khozyainov, Senior Project Manager at Parallels (USA)

Source: https://habr.com/ru/post/237235/

