Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Sunday, 11 March 2018 22:46

Enterprise Mac - the case for OS X in your Windows Active Directory environment


Conventional wisdom said Macintosh devices have no place on a Windows enterprise network. Yet this thinking stymies innovation and, according to IBM, may even be costing your company money.

Apple’s fortunes have risen - and risen and risen. The iPod, the iPhone and the iPad have turned Apple into the major force it is today, and in turn, interest in its laptop range has grown accordingly.

Younger readers may never know the company’s struggles in the 1990s and how an unlikely ally in Microsoft invested $US 150m, the speculation being that Microsoft was keen to avoid Government interference if it was perceived as holding a monopoly.

While Microsoft benefited immensely from its early ties to IBM, providing the PC-DOS operating system which every IBM competitor wished to similarly license as MS-DOS, Apple uniquely tied its operating system into its own hardware. The IBM PC clone market grew while the Apple hardware market was largely niche - education, graphic designers, musicians, and other creative types.

Microsoft released a desktop and a server edition of its flagship Windows operating system, and this has long been the staple of enterprise identity and authentication, especially in the small to medium enterprise market. Large enterprise embraced UNIX and Linux servers for back-end grunt, but it is hard to dispute that Microsoft’s Active Directory and its associated group policy ecosystem has been the way systems administrators control logins, manage devices, roll out policies, push software, share printers, restrict and permit file sharing, and so much more.

Apple released a server add-on to its OS X platform; it wasn’t a distinct operating system in its own right, but provided DHCP, DNS, and other networking and administrative controls within a single app. Apple has progressively shaved capabilities off that OS X Server product with each release, recognising that various open source products do a better job, though they correspondingly require skilled talent to configure and tie the disparate parts together.

So, we come to the modern day where many a managed services provider will deny any ability to support Apple-based products, and where the force of history and training promotes a Microsoft-based approach to setting up an Active Directory domain, establishing policies, and joining Windows-based computers to this domain and its control mechanism.

This is underpinned by Microsoft’s own certification tracks and reinforced by the collective experience of Windows administrators as they go from job to job.

However, today’s network isn’t the network of 1997, nor even of the early millennium. We live in a world where the cloud is the new normal, where applications are no longer constrained by devices or network firewalls, and where users expect access to their data on any device at any time from any location.

We speak of the ability for the cloud to drive innovation; to fail fast and cheaply, to experiment rapidly, to spin up resources that expand and contract based on usage and with per-second billing. We speak of the need to be agile. In my Wired CIO column, I’ve espoused the need for the CIO to bring transformation to the business and I have said good IT may come at a price but not a cost.

I dispute that such a thing exists today as “an IT project.” It is my passionate and deeply-held belief that internal-facing IT departments - that is, not sales and consulting - exist to optimise the rest of the business. They are there to put forward solutions, to enable the rest of the organisation by leveraging technology. If your company’s IT is hindering the business then it’s doing something wrong. I’ve met IT Managers who took capricious and perverse pleasure in restricting what people could do under the guise of “security.” In my view, these IT Managers used a stream of words to hide what was actually incompetence.

However, I digress; the point is simply we have a conflict - how can we be agile and a business enabler, but at the same time impose restrictions which probably could be solved? This is where I would seek to put my effort: solving problems that prevent staff enjoying greater freedom to work in manners of their choosing while still maintaining security, rather than being an inhibitor.

I’ve had - and no doubt you’ve had - new starters ask if they can have a MacBook Pro over the traditional company Windows laptop.

Sure, we will have anecdotal experiences of users telling you they absolutely, truly, sincerely need “an Apple”, and if you ask them about Finder, or whether they know to use Command-K (Go > Connect to Server) to connect to network shares, they will give a blank stare, proving their love of Apple hardware may not run significantly deeper than brand.

Yet, for a power user, Apple hardware is very elegant. I’ve not experienced a Windows laptop which sleeps and wakes as effectively; it is efficient with battery life, it contains a genuine UNIX terminal, has a magnificent screen and intuitive, responsive touchpad gestures, and simply exudes power and performance. In fact, for a platform so characterised by a GUI - and for the longest time a one-button mouse - you may be surprised to know just how many keyboard shortcuts it has for the savvy and in-control.

With the growth of the cloud, so too applications are becoming web-based or packaged nicely as apps available from the various stores, including Apple’s App Store. We are no longer in the days where it could be rightly claimed Windows had the lion’s share of software. Mainstays Microsoft Office and Adobe Creative Suite are cross-platform and should you have legacy applications you can very nicely run a Windows virtual machine integrating right into your OS X environment using Parallels or VMware Fusion.

Of course, the reverse is true: if we argue modern applications are operating system agnostic, then it stands to reason they will run equally well on Windows. This does not refute the need to evaluate Macintosh hardware as an option but rather further demonstrates the point a Windows-based laptop is not an essential requirement.


“It’s a UNIX system, I know this” is the famous - yet cringe-worthy - line from Jurassic Park. Ok, your Chief Marketing Officer isn't going to utter these words, but leveraging OS X’s underlying UNIX makes it also a natural choice for network engineers with familiar, natural command-line tools.

Ultimately, there are plenty of use cases for why OS X and associated Apple MacBook hardware are smart choices - performance, compatibility, functionality - that stand apart from brand.

Yet, even so, it is still prudent that such a device is supported and managed. Handing a MacBook Pro to a new starter and letting them do with it as they wish will only result in problems when they try to share files, when you wish to enforce a password complexity policy, when you need to restrict printing to black and white by default, or when you wish to push out software. Device management and authentication isn’t about restriction but about seamless enablement, while simultaneously protecting company assets and data from loss and exposure to risk.

It might be reasonably stated a modern enterprise will have a PC imaging process already established, and this works because the company is diligent on consistent hardware, using business-grade Windows-based laptops and volume licenses.

However, just as the cloud disrupts the conventional idea of on-premise servers - formerly a no-brainer - so too the rise of mobile technologies has disrupted imaging. VMware’s AirWatch and similar products allow an enterprise to enforce policy and control via MDM - Mobile Device Management - and both Windows 10 and macOS High Sierra now ship with a built-in MDM enrolment client, so the same approach covers laptops; the broader product category is marketed as EMM, or Enterprise Mobility Management.

With an EMM product like Microsoft’s Intune, Jamf, AirWatch or others, your users can receive a new laptop directly and sign in during the first startup, and the device’s configuration will be downloaded to it. You still control and manage the device, but instead of cloning and imaging a configuration prior to deployment, it configures itself on first run.

There is a little more to it. Your Mac hardware needs to be purchased through Apple’s Device Enrolment Program (DEP), which ties the serial numbers to your MDM server so that the device enrols, supervised, during Setup Assistant rather than relying on the user to accept management later. You will also need to license an EMM platform. On the other hand, you no longer have to refresh images to update drivers, or pay your hardware supplier to image your devices. Perhaps your organisation takes the device out of the box and images it yourself before sending it on; those days are gone as well. Or maybe your organisation isn’t imaging at all and you set up new computers one-by-one; well, although you ignored the advice to look into imaging, you can skip that step and move straight on to EMM.

Jamf Now offers management of three devices for free, so there is no barrier to giving it a try, with simple instructions throughout.

Fetch your CFO, because there is another reason to seriously consider a MacBook Pro as your next business laptop: contrary to the perception Apple hardware has a premium price, IBM’s Fletcher Previn, VP Workplace as a Service stated “Every Mac we purchased makes and saves IBM money.”

Previn spoke about IBM’s experiment in offering staff a choice of laptop since 2015. His talk was not simply anecdotal; he crunched the numbers - and serious numbers at that, with over 90,000 employees in the multinational choosing a Mac laptop. 1,300 Mac laptops are deployed weekly and the company has 50 support staff dedicated to Mac and iOS devices.

IBM’s experiment found PC users drove twice the number of support calls as Mac users, and only 5% of Mac support tickets required an on-site visit to resolve, compared to 27% of Windows hardware support tickets. So conventional helpdesk tickets in a PC environment were both more frequent and needed more on-site time. Put another way, since the PC fleet was the status quo, the Mac rollout actually decreased support requirements rather than adding to them.

Breaking up costs, IBM found they were spending less on device management software, on support staff and service desk resources for their Mac users than their Windows users, on a per-device basis.

Ultimately, IBM calculated they spent, on average, $535 less for each Macintosh laptop than for Windows laptops, despite differences in upfront purchase prices.


This finding is remarkable and goes against the traditional, institutionalised, entrenched thinking on running corporate networks and devices. Yet none other than IBM found offering MacBook computers to staff decreased cost and increased satisfaction.

In my view, this makes the challenge in integrating Mac devices in a previously Windows-only environment well worth solving. This is a reasonably straightforward, yet transformational, action you can pioneer in your business - unless you believe your CEO won’t like the dual good news about decreased costs and increased satisfaction.

Some businesses are more extreme; Google supports Windows, OS X, Linux and its own ChromeOS, but says any employee who wants to use a device other than a Mac must now submit a business case why.

Along with IBM, TechRepublic identified the six largest publicly-disclosed Mac deployments in technology companies, including GE, Concentrix (18,000 Macs), Oath (15,000), SAP (14,000) and Capital One (12,000). Consequently, it is safe to say deploying Mac hardware in an enterprise is a solved problem.

What do you think? I’ve recently begun this journey of user choice in my own company which has already met with excitement and I look forward to seeing IBM’s experiences for myself.




David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.


