Large-Scale Mac Deployment?

UncleRage writes "I've been asked to research and ultimately recommend a deployment procedure for Macs across a rather large network. I'm not a stranger to OS X; however, the last time I worked on deployment NetRestore was still king of the mountain. Considering the current options, what methodologies do admins adhere to? Given the current selection of tools available, what would you recommend when planning, prototyping, and rolling out a robust, modular deployment scenario? For the record, I'm not asking for a spoon-fed solution; I'm more interested in a discussion concerning the current tools and what may (or may not) have worked for you. There are a lot of options available for modular system deployment... what are your opinions?"

We have a 300 Mac exclusive network

[Tibor+the+Hun]

First we build and test a good image on a machine for a couple of weeks.
Then we either use that image,if it was correct the first time, or build a new one from it if it required touching up.
We use Apple's free Disk Utility which comes free with all macs.

We then get about 10 - 15 firewire drives and copy that image on them. (You have to make sure the drives are bootable, you can actually deploy that same image onto the drive itself.)
Then we line up 10-15 machines and use again the Disk Utility to image them.
Depending on the size of the image, just about the time you have the next 10-15 unboxed and set up (very easy to do since they're all all-in-ones), the first batch is ready.
Works for us, but then again, our schedule is flexible and we can afford a couple of days of leisurely imaging.

Oh, yeah, and if you do have an image you can also work with Apple, they'll preload it on for you.

Re:Large scale Apple managed LAN?

[Brian+Gordon]

I preemptively beg mods not to bury this comment. We all know that Linux is great on hackers' workstations and on servers and in computing clusters, but not so great as a desktop system for average users.

Well large managed networks is two miles away in the distance on the scale of things Linux is awesome at. Active Directory, Exchange, Terminal Services... Windows really does have a very impressive offering in this area, while Linux stays behind the scenes and rarely faces the user.

Re:Macs

[DurendalMac]

The hardware is more reliable than most OEMs unless you got burned by iMac G5s with bad caps, but that wasn't really Apple's fault. A lot of OEMs got hit by those damned caps.

You should have just mailed in the damn Cinema Display. Service providers (at least non-Apple owned providers) can't replace anything on them but the power brick these days. Just mail it in and let the repair depot monkeys figure it out. I would never want to replace an LCD backlight (which isn't exactly a user-accessible part on ANY display) if it could ever be helped.

Re:Large scale Apple managed LAN?

[rhavenn]

Egh, Active Directory is just LDAP with Kerberos and some proprietary crap thrown on top to make in hard to interoperate with other OS's. The group policy tree is just a centralized registry management system. So, no you're wrong. It isn't as plug and play, but a LDAP setup with single sign on via kerberos and a puppet system to manage the config files (Linux does not use a registry) thrown together with a custom package repository (the SUS equivalent) and you're good to go.

However, where Microsoft wins out is that that isn't easy to roll out. MS has the marketing and the 5 clicks that lets a "manager / phb" install MS server and call themselves admins. The bottom 2/3rds of the Microsoft install base, at the server level, mostly don't know what they're doing and really don't understand the underlying tech of what AD is. Once you start rolling out large Fortune 500 style install bases you really do need to know your stuff and most admins at this level probably could do a Linux / UNIX / OS X setup of the same scale with a little work and reading. However, the end users / managers don't want this since they've been rather well indoctrinated by the MS marketing team.

Personally, I like to sum this up by stating that with MS it's very easy to turn the key and go from 0-40MPH, but to make it all the way to 60MPH it gets difficult and the hood of your car is welded shut. The Linux's and BSD's of the world make you learn how the engine works first, but once you've got it figured out you still make it to 60MPH before MS does.

Re:Macs

[Mista2]

2007 Shuttle PC, dead after one year (just out of warantee)
Custom PC tower, 5 years, finally fails to make it past post last week.
2006 Mac Mini - still rocking on.

Most of our corporate machines are towers or standard desktops, internals never upgraded since purchase. A fleet of 2009 minis would be fine for these, and iMacs for reception (or senior managers).

Savings: no AV software, easier deployment of apps and policies, dont require MS Active directory or client CALs to manage them - however, not knowing month to month what hardware is going to come available from Apple would suck. Windows apps could be easily delivered using citrix or teminal server for those that need it.
Ever tried to manage 100 notebooks and backup personal data? Howabout encryption software - finally available with bitlocker if you get Vista Pro or premium - but then system folders encrypted too, a pain to manage. I liek just the encrypted home folders - which can also be mounted from an OS X server - and replicated for laptops.
Also how about common accessories like power adapters for 100 laptops and a single OS image that will work for everything?

If you can break the MS monopoly then there are savings to be made up to a certain scale.
However I will admit managing more than 1000 of these puppies could be challenging and I havent seen much that would help except maybe Zenworks from Novell - but then eDirectory is not cheap, but again savings from requiring fewer people to manage everything and fewer servers required.

For a bulk deployment I'd also look at splitting home off from the boot drive, and have a spare boot image with minimum required apps on every Mac, and script an RSync to keep it fresh from a single image.

Re:DeployStudio or LanREV

[Architect_sasyr]

I have a DeployStudio installation that supports 1132 laptops, iMac's and G5's, with only one IT member (who, to be fair, outsources any really difficult questions to me). Maintaining that is easy as hell - if a user complains too much about a problem, he tells them to netboot - they can choose which building they are etc. or he will VNC for them. Either way, 1 person scales well with DeployStudio - me, I'm an Apple Certified Systems Administrator, with a strong focus on Deployment, and I will push DeployStudio every time.