Mac Os X Device Manager
I am a Windows Admin, tasked by our new VP with integrating Mac OS X clients into our environment. Been spending a good deal of time the last two weeks getting to know OS X, but would like some expert help in determining viable solutions. Due to security policies and whatnot, we require certain abilities for central management of all computers.
Looking for thoughts and recommendations you may have on the following:
1) Centrally managed Anti-virus. Need clients to report back their status and alert us when virus detected on a machine. As well as verify they have current signatures for scanning.
2) Application Deployment/System configuration/compliance reporting. Need to be able to install software, inventory software and system settings and remediate out of compliance system settings (or at least notify of non-compliance).
3) OS Patching/Software updates. Need to be able to deploy patching and verify which systems are currently up to date.
I have searched through and looked at many of the responses for this type of information and most of it is at least a few years old.
Hoping for more current solutions as we will be incorporating only Mt. Lion and Mavericks (and newer OS as they become available). So having a product that responds quickly to Apple's OS releases is highly desirable.
Thanks in advance!
First: What is your existing AntiVirus solution? Many of them offer a Mac client. I recommend Sophos.
What is/are your existing Deployment/System configuration/compliance reporting product(s)?
OS Patching/Software updates. You can use OS X Server to locally host Apple updates and control what is available to clients.
Management can be done through MCX (still works in 10.8 and 10.9 but with a number of caveats), Apple Profiles, and even hand-cranked scripting should you want to go that route. Commercial offerings are JAMF Casper, Absolute Manage; free offerings are Munki, Reposado, radmind.
I've worked with Dell Kace and Macs and while you're relying on their community more than their official support, and those instructions are outdated and incomplete, I did get things working for software distribution. Someone else took care of imaging, but it works.
Imaging: DiskUtility for monolithic images (don't, just don't go that route, it's 10 years behind the times), InstaDMG & AutoDMG, deployment via Apple Netboot & Netinstall for DeployStudio.
Patching can be done via Munki, Apple Remote Desktop, updates supplied via Reposado.
Those are some current and very excellent and active products and software projects.
But tell us more please about what you -currently- have in place.
Edited Oct 31, 2013 at 22:12 UTC.
We centrally manage our Windows environment using SCCM 2012. We use System Center Endpoint Protection for AV. While I know SCCM can now manage Macs, the AV client for the Mac is not centrally managed like it is on the Windows side of SCCM. MS is also only committing to having support for new Mac OSs 6 months after release. We need a tighter schedule on that and central management of the AV is a security must have.
I got OS X Server the other day and am giving it a whirl. Looking at Apple Remote Desktop as well. Interested in what else may be out there and what experiences (good, bad, gotchas) that they have.
Yes, Puppet is also well-regarded.
As for ARD: Some are reporting problems using ARD 3.7 to connect to Windows hosts via VNC, but I never bother. For Macs I use ARD, and for Windows hosts I use Microsoft Remote Desktop, see
You can manage Macs via MCX without OS X Server if you extend your AD schema but many come up against resistance. And MCX is 'officially' deprecated as of 10.7 even though it does still work. Profiles are limited in comparison. But there is Tim Sutton's excellent mcxToProfile tool as well -
With OS X Server, a common setup is what's known as 'Golden Triangle' where your Macs are bound to AD for authentication and OS X Server for management via OpenDirectory and MCX. Which is still entirely legitimate, but longer-term, signs now point to Profiles. Not sure how much you can do to the Macs with SCCM 2012 (yet).
If you can transfer files and get SCCM to run command lines on your Macs, you can do a lot to them. The main issue isn't running installers, applying settings, etc. The real challenge is getting confirmation of actions back, reporting on them, verifying things are set, etc. That's the challenge.
We went with JAMF Casper Suite to meet our security and reporting needs. Haven't rolled it out yet, just got everything stood up. It was the product that got the reporting we needed, could do everything we needed, etc.
Gregory Collins wrote:
That is the starting point.
Joe0126 wrote:
we will be incorporating only Mt. Lion and Mavericks (and newer OS as they become available).
Apple is notorious for having creative issues with items immediately after their release. It can take quite a while before fixes are available (if ever).
Joe0126 wrote:
I am a Windows Admin.
we require certain abilities for central management of all computers.
So having a product that responds quickly to Apple's OS releases is highly desirable.
Stop thinking like a Windows Admin, OS X ecosystem is different. DavidCSG's thoughts are good (JAMF & all). Expect to develop & budget for OS X specialty bits, and/or have an OS X specialist on call (v2consulting.com/etc).
I know a lot of time has passed since this thread was active, I hope that either you've made your decision and are happily moving towards a Managed Mac environment, or that some of this info helps you out. I stumbled upon this post quite by accident, but thought I would chime in.
There is some very good info in the posts above, especially from DavidCSG. Your decision should be largely based on the existing experience you have within your support organization and the number of Mac OS workstations you need to accommodate. My company has 3300 employees and are about 75% Mac OS based globally (advertising), below are some of my thoughts, but if you are significantly larger or smaller organization, your needs may be very different.
For Managing Macs:
I've been using the JAMF Casper Suite to manage our Macs since 2007 and it's a great product, their support teams are incredibly responsive and helpful, which can be especially useful if you don't have a lot of Mac OS expertise on staff.
JAMF has a pretty extensive training/certification program as well, and also a JumpStart program to help you get started once you choose to purchase their product. The Casper Suite, and tools like it, will provide Imaging, Software Deployment, Patch Management, Inventory, Remote Control and much more. They will also allow you to largely replace the above-mentioned Open Directory Golden Triangle or extending your AD-schema by managing Apple Managed Preferences/MCX (think Windows Group Policy) or the newer Profiles without an Apple-based infrastructure.
If you are annoyed that Apple does not sell enterprise-grade servers or let you virtualize the Mac OS on non-Apple hardware, this may be huge for you. You can run JAMF, or tools like it, from Windows Server or Linux if you already have expertise in those areas. I've almost completely eliminated Mac OS Server from my environment and am working on Reposado, hosted on Linux, to get rid of the last of it (replaces Apple Software Update Server).
My largest gripe about the JAMF Casper Suite is that your administrators will need a Mac to use many of the tools and remote control functionality. I am currently in the market for a cross-platform remote control tool, I'm eyeing a server-based product like Screen Connect.
Obviously my experience is biased towards JAMF Casper Suite, but I have evaluated other tools over the years:
Apple's own Apple Remote Desktop is a fine tool, especially for a small environment. It's mostly a very full-featured Remote Control tool with the ability to do some management and data gathering.
It's inexpensive, but also won't do much automatically. Also, it only runs from a Mac.
I use this as a companion to JAMF Casper Suite.
Of the paid-tools, Absolute Software's Absolute Manage is another great tool, but I don't have direct experience with their support, feature-wise it is close to JAMF Casper Suite plus it can manage Windows PCs (JAMF is Mac-only). I've also evaluated other tools like Dell KACE, LANDesk, Altiris, and SCCM. KACE and LANDesk have 'ok' Mac OS support, but are well behind JAMF and Absolute. Altiris requires too large a team just to administer the tool, and SCCM (2007) only worked on the Mac with very limited 3rd party plugins, plus its infrastructure requirements were too high for a company our size and as geographically distributed (30 offices).
The Open Source products can do most of the same stuff, but you'll need to do a lot of self-learning, or have more Mac guys at the ready. In my environment, Advertising, deadlines are short and employees won't wait for me to fiddle and learn something. It's nice having a dedicated JAMF Support rep just an email or phone call away. With that said, there are a number of Open Source tools that are very complementary to JAMF Casper Suite, such as the aforementioned Reposado, and Deploy Studio.
Lastly on this topic, I don't know how many Macs you have, but a 6-month delay in supporting new versions is huge.
Apple is on an annual OS release schedule, and they have a very annoying habit of forced OS upgrades for new hardware purchases after a new OS release (you can often NOT downgrade a new Mac to an older OS). So unless you can delay new purchases for half the year, every year, I would avoid anything that takes 6 months to catch up.
Antivirus
My company deployed Sophos antivirus in the last two years for all of our Windows PCs and servers and we are now starting to deploy it to Macs as well. In speaking with our Sophos admin he dislikes the Sophos console, but believes the AV agent is one of the better available for an enterprise environment.
He also believes that the Mac agent runs more reliably and is less problematic than the Windows agent in regards to reporting in to the management console. I've not used the console directly, but have the Mac agent on my machine and it has caught some things coming in through email that I could have easily passed on to others. They seem to keep their agent up to date and it runs with minimal intrusion and resource consumption. Mac Users are often not familiar with AV software, so keeping it low-key will help prevent an uprising.
You should also be aware that there is a built-in mechanism in modern Macs (since Mac OS 10.6 I believe) called XProtect in which Apple can update certain definitions to detect/remove/prevent Malware. This tool checks for updates once per day. In addition to malware, it can also disable some internet plugins that have been identified with a major vulnerability, most commonly Adobe Flash Player and Java. If you get your Macs into a managed state and are diligent on security updating, you can disable certain parts of XProtect so that you can do your Flash and Java updates on your schedule instead of Apple's.
XProtect is useful for people at home that aren't paying attention, but is mostly annoying in a well-managed enterprise environment.
OS Patching / Updates:
Different management tools do this in different ways. JAMF Casper Suite can simply trigger an Apple Software Update using the built-in OS mechanism, and easily allows you to redirect your workstations from the public Apple servers to an internal replica (called an Apple Software Update Server).
You can enable/disable specific updates on internally hosted replicas giving you a bit more ability to control what people get. I am testing Reposado (linked earlier by DavidCSG) as my internal replica which has some benefits over the Apple offering, mostly in that I can have a Test Branch of updates and a Release Branch so that some machines can be subscribed to the Test Branch and validate updates before I do the entire population.
Some tools completely replace the Apple Software Update mechanism and do their own method of retrieving updates from Apple and deploying them. I don't have a particular preference for one method over the other. I'm largely disappointed in Apple's Software Update Server product, but think that Reposado may simplify my life greatly.
Active Directory Integration:
You didn't ask about this, but you should think about it.
Apple provides a way to join Macs to Active Directory, but it tends to change with each major OS release, can be buggy, and sometimes breaks altogether with an OS update. For a large, or mixed Mac OS environment, consider options available from Centrify or similar companies, they even have a free version available. Their tool is consistent across Mac OS versions, and typically supports a new Mac OS on the date of its release.
Their paid tools will allow Macs to honor Windows Group Policies, or even allow traveling Mac Laptops to connect via their Cloud service.
Good luck.
-Mike.
Thanks so much all of you for the input.
Funny enough, we've pretty much gone the way you have described Mike. It turned out our parent corp was also implementing a new Mac management system (Casper) so we were able to piggyback on their licensing. For us the main hesitation with Casper wasn't the licensing cost but the required jumpstart cost (given we anticipate about 20 Macs near-term, maybe up to forty or so in a few years that seemed like a huge cost to get started), having that split with our parent company made the decision easy.
We decided to go with Sophos for A/V also (I would rather beat on my fingers with hammers than try to resolve issues with Symantec support).
Very cost-effective for what you get, and might even move over to it for our Windows, given the number of viruses that have gotten past MS System Center Endpoint Protection of late.
We're currently going with ASUS for Apple Updates, but might give Reposado a look when I get a little more time. We had purchased Server already and figure we'll give it a whirl and see how it goes for us before trying anything else.
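
The thread's recurring requirement is verifying which update source each Mac actually uses once it has been redirected to an internal replica with test and release branches. The following is an added example, not part of any post in the thread: it classifies the `CatalogURL` value from a client's `com.apple.SoftwareUpdate` preference plist. The replica hostname, branch names, catalog path and sample fleet are assumptions constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Assumed values for this example: replace with your replica host and branch names.
INTERNAL_HOST = "su.example.internal"
BRANCHES = {"testing", "release"}
SUFFIX = ".sucatalog"

def classify_catalog(plist_bytes):
    """Classify the update source in a com.apple.SoftwareUpdate preference plist."""
    prefs = plistlib.loads(plist_bytes)
    url = prefs.get("CatalogURL")
    if not url:
        return "apple-default"          # client still pulls from Apple's public servers
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname != INTERNAL_HOST:
        return "unexpected-host"        # updates redirected somewhere unapproved
    name = parsed.path.rsplit("/", 1)[-1]
    if not name.endswith(SUFFIX):
        return "malformed"
    # Reposado names branch catalogs <base>_<branch>.sucatalog
    stem = name[:-len(SUFFIX)]
    branch = stem.rsplit("_", 1)[-1] if "_" in stem else None
    return "internal-" + branch if branch in BRANCHES else "internal-unbranched"

def fleet_report(prefs_by_host):
    """Map each hostname to its status and list the hosts needing follow-up."""
    statuses = {h: classify_catalog(p) for h, p in prefs_by_host.items()}
    flagged = sorted(h for h, s in statuses.items()
                     if s in ("apple-default", "unexpected-host", "malformed"))
    return statuses, flagged

def sample_plist(catalog_url=None):
    """Build a constructed preference plist for the demo below."""
    prefs = {"CatalogURL": catalog_url} if catalog_url else {}
    return plistlib.dumps(prefs)

BASE = ("http://su.example.internal/content/catalogs/others/"
        "index-10.9-mountainlion-lion-snowleopard-leopard.merged-1")
SAMPLE_FLEET = {  # constructed inventory data, not from the thread
    "mac-01": sample_plist(BASE + "_release.sucatalog"),
    "mac-02": sample_plist(BASE + "_testing.sucatalog"),
    "mac-03": sample_plist(),
    "mac-04": sample_plist("http://updates.example.net/index.sucatalog"),
}

if __name__ == "__main__":
    statuses, flagged = fleet_report(SAMPLE_FLEET)
    for host in sorted(statuses):
        print(host, statuses[host])
    print("follow up:", ", ".join(flagged))
```

On a managed Mac the plist would be collected from `/Library/Preferences/com.apple.SoftwareUpdate.plist` by whatever inventory tool is in use; the collection step is outside this example.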