Slashdot Mirror


Large-Scale Mac Deployment?

UncleRage writes "I've been asked to research and ultimately recommend a deployment procedure for Macs across a rather large network. I'm not a stranger to OS X; however, the last time I worked on deployment NetRestore was still king of the mountain. Considering the current options, what methodologies do admins adhere to? Given the current selection of tools available, what would you recommend when planning, prototyping, and rolling out a robust, modular deployment scenario? For the record, I'm not asking for a spoon-fed solution; I'm more interested in a discussion concerning the current tools and what may (or may not) have worked for you. There are a lot of options available for modular system deployment... what are your opinions?"

29 of 460 comments

  1. make sure you have lots of lube by Anonymous Coward · · Score: 4, Funny

    that is a whole lot of gay to be rolling out

  2. Large scale Apple managed LAN? by Anonymous Coward · · Score: 5, Insightful

    Is there even such a thing in this world? Folks like to disparage Windows, but it really is the only OS built for very large enterprises. Linux solutions don't really compare to Windows solutions - there, I said it...

    1. Re:Large scale Apple managed LAN? by norkakn · · Score: 5, Insightful

      radmind ftw

    2. Re:Large scale Apple managed LAN? by Brian+Gordon · · Score: 5, Interesting

      I preemptively beg mods not to bury this comment. We all know that Linux is great on hackers' workstations and on servers and in computing clusters, but not so great as a desktop system for average users.

      Well, large managed networks are two miles away in the distance on the scale of things Linux is awesome at. Active Directory, Exchange, Terminal Services... Windows really does have a very impressive offering in this area, while Linux stays behind the scenes and rarely faces the user.

    3. Re:Large scale Apple managed LAN? by thatkid_2002 · · Score: 5, Informative

      Wrong! Novell Zenworks is on Linux too - so why can't you have a heterogeneous large scale Linux and Windows rollout? There is Zenworks for Mac but none of our customers (though there are quite a few Macs) use it. If you are going to roll out Novell stuff you may as well do Novell Groupwise while you are at it.

      Novell solutions pwn Microsoft, sorry to say.

    4. Re:Large scale Apple managed LAN? by DoofusOfDeath · · Score: 5, Funny

      Is there even such a thing in this world? Folks like to disparage Windows, but it really is the only OS built for very large enterprises.

      Agreed. It's the only OS for seriously large botnets.

    5. Re:Large scale Apple managed LAN? by Logic+Bomb · · Score: 4, Informative

      There are many huge Mac deployments: universities, school districts with 1-to-1 laptop programs where every student gets a laptop, Google (thousands of Macs), the Fontainebleau hotel in Miami, and more. Apple gear isn't always used to manage everything: most of these sites are probably using Active Directory or some UNIX-based LDAP service for account management. But there are plenty of large Mac deployments out there.

    6. Re:Large scale Apple managed LAN? by amirulbahr · · Score: 4, Insightful

      Active Directory

      You can't be serious on this one. LDAP + Kerberos can easily take on that role plus some.

      Exchange

      Email is easy enough to offer but shared address books and calendaring may give Exchange the edge. No harm in deploying Exchange on the back-end and using Evolution or Thunderbird or web based Exchange on the front-end.

      Terminal Services

      This is the most outrageous of your claims. Linux, Solaris, *BSD all come up trumps in this. You've got X11, NX, VNC, and the most advanced thin client solution at the moment, Sun Ray.

    7. Re:Large scale Apple managed LAN? by firstnevyn · · Score: 5, Informative

      With puppet of course.

    8. Re:Large scale Apple managed LAN? by Magic5Ball · · Score: 5, Funny

      Among my experiences (mostly historic):
      -Some shims/extensions installed to compensate for hardware issues were unconditionally loaded, even on hardware that didn't need/couldn't boot with them. That made reusing disk images on slightly different hardware revisions... fun.
      -Wake on LAN should do... stuff. Consistently.
      -I've autodiscovered a shared printer which I'll share with everybody. I've autodiscovered a shared printer which I'll share with everybody. I've autodiscovered a shared printer which I'll share with everybody...
      -What's that? The mounted ASIP resource disappeared for a few seconds and now everyone's trying to reconnect? At once? And their workstations are beachballed until the share comes back, even though they have no open resources on it?
      -Restoring resource forks from backup always works!
      -What do you mean by "the QuickTime update broke the AppleScript methods for a completely unrelated subsystem"?
      -I've autodiscovered the same printer share which I'll share with everybody...
      -ls -lr on a folder with a few hundred files in subfolders ... get coffee as much of the btree is traversed
      -I've connected to this resource before, so I'll make a new alias for it with a subtly different name
      -What do you mean you've deleted stuff to the network trash and now it's locked?
      -I've autodiscovered the same printer share which I'll share with everybody...

      --
      There are 1.1... kinds of people.
    9. Re:Large scale Apple managed LAN? by Anonymous Coward · · Score: 4, Informative

      Mod parent up. Radmind is the only way to deploy a managed Mac OS environment.

    10. Re:Large scale Apple managed LAN? by ilmdba · · Score: 4, Insightful

      please... X11, NX, VNC and Sun Ray all suck ass compared to RDP. I use them all on a daily basis, and RDP is far and away the best of them all. authentication, remote devices (USB, printing), sound, mapped drives, etc. etc. none of these other solutions even touch on any of those features. not to mention, the performance of RDP smokes all of those others completely out of the water.

  3. DeployStudio or LanREV by Anonymous Coward · · Score: 5, Informative

    I have had great success out of both DeployStudio (http://deploystudio.com/) and LanREV (http://www.lanrev.com) in K-12 schools with 200+ machines.

  4. Suggested reading: by Anonymous Coward · · Score: 5, Informative

    Check out the following:

    http://www.macenterprise.org/
    http://www.deploystudio.com/Home.html
    http://rsug.itd.umich.edu/software/radmind/

  5. Re:Macs by Anonymous Coward · · Score: 4, Insightful

    Guess what? It would be you, not the Macs. I'd have fired you for wasting the time needed to tear a display apart instead of sending it to the manufacturer to be repaired.

  6. Options by schmidt349 · · Score: 4, Informative

    You have two choices in general on the Mac side:

    -- UNIX-y utilities, usually on the command line and a bit crufty in places, but free and nicely configurable
    -- Mac-type utilities with marvelous interfaces that will probably set you back a nice chunk of change

    When I was in the business, we used Carbon Copy Cloner, but g4u, Remote Desktop 3, or just plain old rsync are all pretty good bets depending on what type of imaging you're planning to do. CCC actually has one foot in both of the two camps I just described.

    Of course, I even remember the crusty old days of Assimilator.

  7. JAMF Casper by cwgmpls · · Score: 4, Informative

    Check out the Mac management software from JAMF software. It pretty much covers it all, from package management to image deployment to remote desktop to inventory. Used in many mac-based school districts and Universities.

  8. We have a 300 Mac exclusive network by Tibor+the+Hun · · Score: 4, Interesting

    First we build and test a good image on a machine for a couple of weeks.
    Then we either use that image, if it was correct the first time, or build a new one from it if it required touching up.
    We use Apple's free Disk Utility which comes free with all Macs.

    We then get about 10 - 15 firewire drives and copy that image on them. (You have to make sure the drives are bootable, you can actually deploy that same image onto the drive itself.)
    Then we line up 10-15 machines and use again the Disk Utility to image them.
    Depending on the size of the image, just about the time you have the next 10-15 unboxed and set up (very easy to do since they're all all-in-ones), the first batch is ready.
    Works for us, but then again, our schedule is flexible and we can afford a couple of days of leisurely imaging.

    Oh, yeah, and if you do have an image you can also work with Apple, they'll preload it on for you.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  9. Need more info.. by engele · · Score: 4, Informative

    Here is an excellent resource (at least last time I checked, and it has been a while; they used to be called macosxlabs.org): http://www.macenterprise.org/

    As far as tools, the built-in tools are very good. A third party tool that can be very useful for bootable drive images is Carbon Copy Cloner.

    When you say large, do you mean hundreds or thousands, or less? It will definitely change things for you. I think that you will be surprised by both the ease of the transition, and the things that should be easy that are not.

    Really I don't know how we can help you unless you have specific areas where you are interested in learning solutions (and I don't say that to be a jerk, I'll try to answer questions where I can). How many servers? Directory Server? File Sharing? Exchange Server/POP/IMAP? Calendaring? Centralized home directories? Budget per user? Of course there are cool things that cost money and are not really needed, and hard things that are cheap but work well once set up, etc.

    I would help more, but I don't know where to start... take a look at the link above, and ask questions as you get a better idea of the scope.

  10. Re:Macs by countertrolling · · Score: 4, Funny

    400 dollars an hour?! What are you using? Lawyers? How does that work?

    1) Monitor breaks
    2) Sue Apple
    3) Free monitor?

    --
    For justice, we must go to Don Corleone
  11. radmind by norkakn · · Score: 4, Informative

    I used to run a network with hundreds of apples with radmind. We installed the initial images with NetRestore (multicast for the larger influxes), and upon reboot, the computers would download their radmind certificate from LDAP and install all of the software that it needed.

    It takes more up front time to set up and configure radmind, but it works wonderfully for almost anything you want to do.

  12. OS X Server + method of your choice by bbk · · Score: 4, Informative

    Apple has a robust remote installation suite with OS X Server, which is darn cheap compared to most other commercial offerings.

    10.6 includes a first party version of NetRestore (full system image deployment, similar to Ghost or Flash Archive on Solaris), but most people deploying across a large number of systems should roll their own images with package-based tools like DeployStudio or InstaDMG:

    http://www.deploystudio.com/
    http://code.google.com/p/instadmg/

    Some other good sites for finding info:
      http://www.afp548.com/
      http://www.macenterprise.org/

  13. Radmind by profplump · · Score: 4, Informative

    It's been mentioned a couple of times, but mostly with -1 scores, so it's easy to miss: Radmind. It's a very powerful deployment tool with a totally transparent mechanism so you can tweak it to do *exactly* what you want in terms of mucking with files on the disk. I've seen people complain about it being hard to use, but I thought it was pretty straightforward -- install an app, run the change detector, tweak as desired (if at all), build an app image, deploy.

    http://rsug.itd.umich.edu/software/radmind/

  14. Apple Software Restore + Radmind + ARD by raddan · · Score: 4, Informative

    Apple Software Restore, which comes "in the box". We set up a base machine, populate the /System/Library/User Templates/English.lproj/ and then make a disk image to our fileserver using ASR. Then, boot new machines in Target Disk Mode and deploy the image using your workstation.

    We could probably come up with something clever using a boot partition, but this works fine for us. If you want to get fine-grained, have a look at Radmind but keep in mind that Adobe apps will thwart your every attempt to manage them at that level.

    All of the above are Free/free. We handle patching using Apple Remote Desktop (not free, but well worth the money). You can also configure your machines to authenticate against an Active Directory (like we do); if you're willing to modify your schema, you can even manage your installation from your MMC snap-ins like you can with Windows boxen.

  15. from experience by v1 · · Score: 4, Informative

    You're likely to get some laptops in addition to desktops. Get yourself a large room, a dozen or more firewire cables, and power strips together. Before the machines arrive, use a macbook pro or macbook (a laptop) to develop your base image. Install all software on it that is going to be on most of the machines. Test thoroughly. Be sure all your remote access is tested. (ARD/SSH)

    Use netrestore to create the base image. When the computers arrive, copy the base image to a group of laptops, with netrestore app. The number varies depending on how many computers you are going to be imaging, the size of your base image, and how much help you have. 8-12 is typical if only one person is going to be restoring.

    First thing you should do with machines out of the box is label them, have labels made up in advance. Then set them all up imaging over firewire, just get an assembly line going. You CAN do netrestore over the network, but it's been my experience it's less reliable. (machines randomly fail to restore, sometimes entire groups fail at an annoying 99% etc) Firewire is usually faster anyway since your fileserver or switch is very unlikely to be able to keep up with imaging a dozen at once. FW800 imaging is an amazing thing.

    Once machines are imaged, there should be a folder of scripts sitting on each machine's local admin acct, one for each group of machines. The script will prompt for computer name and run. When run it will rename the computer and delete all the apps that should not be on that particular image. This can also be done by running the script remotely over apple remote desktop. If you don't have ARD, *get it now*. It will save you incredible amounts of time. Using this removal script method adds only a few minutes of time per image but you're doing them in parallel so it's negligible, and saves you the major headache of managing a half dozen different base images.

    As long as you made the image on a laptop, it should have full hardware support for the camera etc. Different images are required for PPC, but fortunately that's not a headache you have to worry about. (I did, PAIN)

    Boot camp adds a level of complexity, requiring you to partition the hard drives before restoring to them, and then using something like Ghost or Acronis. One person can image between 40-80 machines in 8 hrs depending on how things go. Helps to have grunts to do the minor things like unpacking and delivery to stations. Find some carts so you can move machines several at a time. Inform the cleaning staff that you're going to have a mountain of packing material to dispose of. Keep 1 box for every 20 machines in case you need to box them up to send to a repair shop down the road.

    If you insist on using netrestore over the network, be sure you have multicast enabled on the switches. It doesn't like crossing subnets but can be made to work.

    --
    I work for the Department of Redundancy Department.
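The post-image "trim to group" step v1 describes above (prompt for a name, rename the machine, delete the apps that don't belong to that group), as an added example written for this page; it is not v1's own script. It assumes applications live as .app bundles in one directory, that each machine group has a keep-list of bundle names, and that the rename goes through scutil (the ComputerName / HostName / LocalHostName keys are real scutil keys, but they are only set when scutil exists on the box, so the pruning and name-sanitising logic can be exercised anywhere). The group manifests and bundle names in demo() are constructed.

```python
"""Post-image trim script (added example; not the poster's own code).

Assumptions: applications are .app bundles in one directory, each machine
group has a keep-list of bundle names, and renaming uses scutil(8). The
scutil keys used are real, but scutil is only invoked where it exists.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Constructed keep-lists for the demo; a real site would keep one per group
# in the scripts folder the post describes.
GROUP_MANIFESTS = {
    "lab":    {"Safari.app", "iWork.app", "MATLAB.app"},
    "office": {"Safari.app", "iWork.app", "Microsoft Office.app"},
}

_LOCAL_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def local_hostname(computer_name: str) -> str:
    """LocalHostName (Bonjour) allows only letters, digits and hyphens and is
    at most 63 chars; derive it from the friendly ComputerName and refuse junk
    up front rather than letting scutil fail halfway through the rename."""
    name = re.sub(r"[^A-Za-z0-9-]+", "-", computer_name).strip("-")[:63]
    if not _LOCAL_OK.match(name):
        raise ValueError(f"cannot derive a LocalHostName from {computer_name!r}")
    return name


def scutil_commands(computer_name: str, domain: str = "") -> list:
    """The three scutil invocations that fully rename a Mac."""
    local = local_hostname(computer_name)
    fqdn = f"{local}.{domain}" if domain else local
    return [
        ["scutil", "--set", "ComputerName", computer_name],
        ["scutil", "--set", "HostName", fqdn],
        ["scutil", "--set", "LocalHostName", local],
    ]


def rename_computer(computer_name: str, domain: str = "") -> bool:
    """Run the rename; returns False (and touches nothing) where scutil is absent."""
    if shutil.which("scutil") is None:
        return False
    for cmd in scutil_commands(computer_name, domain):
        subprocess.run(cmd, check=True)
    return True


def prune_apps(apps_dir: Path, group: str, dry_run: bool = False) -> list:
    """Delete every .app bundle not on the group's keep-list; return what went.
    An unknown group raises KeyError, so a typo never strips a machine bare."""
    keep = GROUP_MANIFESTS[group]
    removed = []
    for bundle in sorted(apps_dir.glob("*.app")):
        if bundle.name not in keep:
            removed.append(bundle.name)
            if not dry_run:
                shutil.rmtree(bundle)
    return removed


def demo() -> tuple:
    """Constructed scenario: a base image carrying every group's apps, trimmed for 'lab'."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        apps = Path(d) / "Applications"
        for name in ("Safari.app", "iWork.app", "MATLAB.app",
                     "Microsoft Office.app", "Unapproved.app"):
            (apps / name / "Contents").mkdir(parents=True)
        removed = prune_apps(apps, "lab")
        left = sorted(p.name for p in apps.glob("*.app"))
    return removed, left


if __name__ == "__main__":
    print(scutil_commands("Lab 3 iMac #07", "example.edu"))
    print(demo())
```

Two things worth keeping from this even if the rest is rewritten: the rename validates the name before the first scutil call, so a bad prompt answer cannot leave ComputerName set and LocalHostName untouched, and prune_apps takes a dry_run flag so the keep-list for a new group can be checked against a real image before anything is deleted.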
  16. Re:Have you looked at the features.. by GigsVT · · Score: 5, Insightful

    We have an OS X server.

    It really does suck.

    It's kind of like a crippled BSD server with weird management utilities and a lot of buggy modified utilities.

    You might as well just use a normal Linux server, since all the same daemons are available, and much easier to manage.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  17. Re:Have you looked at the features.. by raddan · · Score: 5, Insightful

    The only problem with Mac OS X Server (and this is speaking from 10.3-10.4 experience; maybe 10.6 server is better) is that if Apple's grand vision for your network doesn't fit your own vision, then Mac OS X Server is next to useless. The problem is that Apple has preconfigured a number of built-in services, and changing them causes major headaches.

    For instance, in 10.4, any change to the GUI would overwrite your /etc/smb.conf. What's worse is that Apple often runs old versions of this software. If, say, you want to go out and run the latest Samba, nothing is stopping you, but expect parts of Apple's system to break. Sure, I admit, lots of people go this route and have many workarounds for Apple's stuff, but for us, we figured: if we're going to do all this work to circumvent Apple's packaged stuff, why not just run Linux? So that's what we run on our backend now. We even run Netatalk, which has to be the simplest daemon I've ever configured-- it basically worked with PAM+winbind right out of the box, and so we're able to authenticate our AFP clients against AD, too.

    If you're a very small shop, and you want a simple drop-in fileserver, Mac OS X will probably work for you. If you want a simple Open Directory, and don't have an existing directory system, Mac OS X will probably work for you. But get any more complex than that and you might as well use something else.

  18. Radmind by fitterhappier · · Score: 4, Informative

    I managed a deployment of roughly 800 Macs across the campus of a large university using Radmind. I've also managed the campus Linux, Solaris and OpenBSD kerberos servers, web servers and file servers with the same software. Radmind's learning curve is a little steeper at first, but it's one of the most flexible deployment options out there once you get the hang of it.

    Radmind's not really a competitor with tools like NetRestore. When used correctly, NetRestore is great for total reimaging of deployed hardware: nothing beats a block-copy installation for speed. Where NetRestore falls down is when dealing with deployment entropy. After imaging, the machine is in an unknown state ("post-image"), and the only way to be sure all machines are in the same state is to blow away the entire disk and reimage, usually at a cost of gigabytes of bandwidth per machine.

    This is where Radmind excels. It's basically a tripwire with software deployment and roll back, all based on the differences between what should be installed and what's actually on the disk. The core utility, fsdiff, looks at all files and directories designated as managed by the administrator and generates a list of differences. You can capture those changes as a loadset and upload them to the Radmind server for deployment to other machines, or you can undo any changes detected by fsdiff and restore the client to a known good state.

    The great thing about this method of management is that there's minimal bandwidth used. If fsdiff detects no changes on the filesystem, there's no reason to download anything: your system is in a known good state. On the other hand, it makes deploying Apple's system and security updates pretty damn easy. Grab the updater from Apple's website, install, and run the Radmind tools to capture the changes. Store the changes on the server, add the new loadset to your machines' profile (command file), and let your clients pull down the changes.

    The Radmind community is very helpful. Most questions to the mailing list (hosted on SF.net, Google groups mirror here) are answered very quickly, and people are eager to share details about local setups and scripting solutions. A typical setup for a Radmind-managed Mac OS X client usually involves a few possible methods for initiating updates, most of which involve iHook as the UI:

    1. Check for updates on Radmind server during logout, update client if found.
    2. Run a nightly tripwire regardless of updates from server.
    3. Run a Radmind update during boot if a special flag file is found on the disk.

    Since we relied on students to help run our labs, we also deployed a special, unprivileged local user account, whom the students could log in as. This also triggered a Radmind update. And of course you can trigger updates over ssh (which works well in combination with something like pdsh).

    We combined Radmind with NetBoot for rapid, consistent deployments. Once the hardware was in place and on the network, we netbooted, used ASR to install a minimum and relatively recent system, and let Radmind bring everything up to date, including per-host license files and location specific software.

    Radmind's not perfect. It manages at the file level. If you want something to manage, say, config files on a line-by-line basis, Radmind isn't going to fit the bill (yet). Generally speaking, though, Radmind manages Mac OS X with ease. Once you've got Radmind managing your Macs, you'll find you have a lot of extra time to do interesting things instead of troubleshooting problems brought on by stale deployments.

    The Radmind wiki is a decent place to start looking. Good luck.
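The capture / diff / roll-back loop fitterhappier describes, as an added example written for this page in Python against a throwaway directory; it is not radmind's own code and not anything the poster provided. It records a transcript of managed paths (kind, mode, SHA-256), reports drift the way fsdiff does, captures a loadset, and forces the tree back to the transcript the way lapply does. radmind's real transcript format, its server protocol and its handling of symlinks and special files are not reproduced, and the directory layout and the "entropy" in demo() are constructed.

```python
"""Radmind-style file-level management in miniature (added example; not
radmind's own code). Only the idea is kept: record what managed files should
look like, detect drift, and either capture it as a loadset or roll it back.
"""
import hashlib
import stat
from pathlib import Path


def _digest(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def capture(root: Path) -> dict:
    """Transcript: rel path -> (kind, mode, sha256). Symlinks/specials skipped."""
    t = {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()
        rel = p.relative_to(root).as_posix()
        if stat.S_ISDIR(st.st_mode):
            t[rel] = ("d", stat.S_IMODE(st.st_mode), None)
        elif stat.S_ISREG(st.st_mode):
            t[rel] = ("f", stat.S_IMODE(st.st_mode), _digest(p))
    return t


def capture_loadset(root: Path) -> tuple:
    """Transcript plus the file contents needed to reproduce it (the 'loadset')."""
    t = capture(root)
    store = {rel: (root / rel).read_bytes()
             for rel, (kind, _, _) in t.items() if kind == "f"}
    return t, store


def fsdiff(root: Path, transcript: dict) -> dict:
    """Tripwire: what is on disk but not in the transcript, missing, or altered."""
    now = capture(root)
    return {
        "added":   sorted(now.keys() - transcript.keys()),
        "removed": sorted(transcript.keys() - now.keys()),
        "changed": sorted(r for r in now.keys() & transcript.keys()
                          if now[r] != transcript[r]),
    }


def lapply(root: Path, transcript: dict, store: dict) -> int:
    """Force the tree back to the transcript. Returns the number of paths touched."""
    now = capture(root)
    touched = 0
    # 1. Remove anything foreign, or of the wrong type (a directory where a
    #    file belongs, or vice versa), deepest paths first so directories are
    #    already empty when rmdir() reaches them.
    strays = [r for r in now if r not in transcript or now[r][0] != transcript[r][0]]
    for rel in sorted(strays, key=lambda r: -r.count("/")):
        p = root / rel
        if p.is_dir():
            p.rmdir()
        else:
            p.unlink()
        touched += 1
    # 2. Recreate or repair what the transcript lists, parents before children.
    for rel in sorted(transcript):
        kind, mode, _ = transcript[rel]
        p = root / rel
        if kind == "d":
            if not p.is_dir():
                p.mkdir()
                touched += 1
        elif now.get(rel) != transcript[rel]:
            p.write_bytes(store[rel])
            touched += 1
        p.chmod(mode)
    return touched


def demo() -> tuple:
    """Constructed scenario: image a tree, let it drift, detect, roll back."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Applications" / "Good.app").mkdir(parents=True)
        (root / "Applications" / "Good.app" / "Info.plist").write_bytes(b"<plist/>")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        transcript, store = capture_loadset(root)  # the known-good state
        # Post-image entropy: an edited config, an unapproved app, a lost file.
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n10.0.0.5 proxy\n")
        (root / "Applications" / "Unapproved.app").mkdir()
        (root / "Applications" / "Unapproved.app" / "Info.plist").write_bytes(b"x")
        (root / "Applications" / "Good.app" / "Info.plist").unlink()
        drift = fsdiff(root, transcript)
        lapply(root, transcript, store)
        clean = fsdiff(root, transcript)
    return drift, clean


if __name__ == "__main__":
    print(demo())
```

The bandwidth point in the post falls out of the structure: fsdiff needs only the transcript, so a client in a known-good state fetches nothing, and only the entries it reports are pulled from the store. In a real deployment the transcript and loadset come from a server the client must authenticate (radmind uses TLS certificates for this, as norkakn's LDAP-distributed certificate above suggests); a client that will overwrite /etc and /Applications on instruction is only as trustworthy as that channel.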

  19. Re:Have you looked at the features.. by torkus · · Score: 4, Insightful

    Sorry but no.

    Based on your anecdotal example...bla bla bla. But you readily say you're buying sub-par equipment. So I'm not sure how you can compare "good" equipment. If I bought a $300 clearance PC and compared it to a $800 enterprise-class PC I'm sure I'd see more failures in the cheapy one.

    Moving on...to the smaller end of 'large' business - 2500 users and ~4000 computers in my enterprise. Similarly configured Macs cost us about twice what a PC does. Apple doesn't give on hardware unless you're buying them by the truck load and even then it's not nearly as much as other large suppliers.

    Go negotiate pricing with 7-figure yearly spending and Dell, HP, etc. will give a LOT more than Apple. Yes, Macs are pretty but we're talking about enterprise. Pretty takes a back seat.

    --
    You can get rich if you own a politician, but you have to be rich to buy one in the first place.