Windows still owns the mainstream business PC market, but Apple’s decent toehold on the enterprise market – $25 billion annually, according to CEO Tim Cook – will only grow.
You almost certainly already have Macs in your business, connecting to your network and downloading key business documents. You just don’t know how many of them there are, who is using them, what they’re doing with them or when they last got updated anti-virus software.
Your office PCs are likely controlled by group policy that manages everything from what applications can run to what the desktop wallpaper looks like. You’re probably doing mobile device management of smartphones and tablets to enforce password strength, encryption and remote wipe, or at least tracking what connects to your mail server.
So why do so many businesses let their Macs sit unmanaged, like a security and compliance problem waiting to happen?
“A lot of it is just an awareness issue,” says John Uppendahl from Parallels, which has developed a Mac management plugin for System Center Configuration Manager to add support for more Mac settings than SCCM supports out of the box, intended to work without needing new infrastructure, new staff or new skills.
“CIOs and IT folks are very smart people, but when it comes to Macs they are lost puppies. If I ask them how many Macs they have, the usual answer is ‘I don't know.’ When I ask ‘what kind of I don't know are we talking about?’ the answer is something like ‘maybe 1,500.’”
Part of the problem is that Macs haven’t come into business through the usual purchasing channels. “Macs started coming in from the top down, with the executives, and they can't say no to executives,” Uppendahl says. “Now Macs are coming in from creatives and through BYOD; they're slipping in from everywhere. That little tribe of Macs they aren't looking after has been growing significantly. Why aren’t they managing them? It's denial, it's procrastination. They didn’t want to go there but now Macs are getting big enough that they have to.”
Chip Pearson, co-founder of JAMF, which produces the Casper Suite Mac management software that IBM’s Mac at Work services are based on, agrees that few businesses know what their Mac exposure is. “A lot of times, senior executives in IT are told, and believe, that an organization doesn't have Macs. A lot of organizations are surprised to find out that a) they have Macs and b) they have as many as they do.”
The number of Macs at work is likely to keep increasing, and not just because IBM’s deal with Apple to help them in the business market includes some ambitious sales targets. Seventy percent of all mobility spending, including hardware and increasingly including laptops, is now outside IT and in lines of business, points out Nick McQuire of analysts CCS Insight. “If Macs are being bought by the business and IT is left without the tools and without the clout to put images on them, then it's left in this limbo until IT figures out what the best approach is.”
Those Macs aren’t just accessing email. Executives are working with confidential documents, designers are working with corporate assets and developers have access to your company databases. Remember, if you’re doing any iOS development in your business, your developers are doing it on Macs.
In a recent survey, Centrify found that 59 percent of Macs are used to access “confidential company information” and 65 percent to access “sensitive or regulated customer information.” But only 28 percent of Apple devices (which includes both Macs and iOS devices) have company management software on, and only 35 percent have encryption turned on – even though OS X includes FileVault full disk encryption, as well as remote lock and wipe features. To enable those for all your Macs you need a tool like AirWatch Mac Management, Casper Suite or Parallels Mac Management, and some know-how about the Mac platform.
There’s often no sense of urgency because many IT teams don’t expect Macs to become common. “Many admins in the Windows world are waiting for this fad to pass,” Pearson notes. “They're not seeing it as a longer term trend of Macs coming into the enterprise. They think by next year it will not be a problem. If they ignore it for long enough, they won’t have to deal with it – but if they start accepting and normalizing Macs, they’ll have more of them.”
Bill Mann of Centrify, which has a Mac version of its Identity Service, sees the same assumption. “The IT organization always thought it was going to be a couple of machines in the business coming in with the executives and that’s it, but we’ve had this rapid rise of Mac adoption in the enterprise. We're having to educate them on how to find out how many Macs you’ve got, and pointing out that you want to manage those Macs in the same ways as you manage PCs because you want to have governance done the same way.”
Unknown, unexpected and unfamiliar
The real problem is that few IT teams have expertise in managing Macs. Familiar techniques for managing PCs don’t help and the best practices for dealing with Macs in a complex enterprise infrastructure can be convoluted, and are not widely known.
With no server-grade hardware to run Mac OS Server on, some organizations are unwilling to put in parallel infrastructure for Mac management, whether that’s OS X Server, OpenLDAP integration in their Active Directory environment for distributing certificates, or other changes to their Active Directory. The Parallels Mac Management tool plugs into Microsoft System Center Configuration Manager and can be used without OS X Server for many (though not yet all) tasks, but some admins are concerned about third-party plugins that may not be updated on the same schedule as System Center.
“There is a lot of momentum in IT departments for supporting Windows. They have the tools, the history and the expertise,” Pearson points out. “A lot of the tools used to manage Windows have advertised that they can support the Mac as well, but the functionality of the Windows product is often not what it does on the Mac. When the IT team tests the tool and it's inadequate, the message is that ‘the tools don't do what we need, so we shouldn't do it.’”
Sometimes Pearson says he finds hostility towards the Macintosh, with a few people “hanging on to the PC-Mac divide as if it was a holy war,” but often it’s a more subtle problem. “Because these IT practitioners are strong in their abilities, when they have to deal with something they’re not strong in, it can make them uncomfortable. It’s almost a psychological thing.” Plus, IT departments have been busy dealing with mobile devices and the rise of BYOD. “With the proliferation of mobile platforms to deal with, many people have got used to putting Apple lower on the priority list.”
The combination of underestimating Mac numbers and the very visible problem of smartphones and tablets reinforced that, Bill Mann says. “The thing that hit them like a brick wall was everyone using iOS and Android, and they’ve been on a rapid pace to bring in endpoint management for mobile with MDM. Because of that, they didn't feel they needed to address the Mac issue; their thinking was PCs are still going to be here and we'll have mobile too.”
Even IT teams that are ready to manage their Macs have a steep learning curve because of the differences between Windows and OS X. If you try to track all the executable binaries on a Mac the way you would on a PC, for example, you’re going to be tracking most of the executable code that makes up the operating system, which is going to slow your management server down significantly. “You have to rewrite your definition of what you need to be finding on a Mac,” says Pearson, “because that's different from a Windows machine.”
Getting past the reasons for reluctance needs a firm direction from the CIO or CTO, he suggests. “They need to be saying we have these devices and we’re going to deal with them responsibly, and it’s a question of how we’re going to do it, not a question of if we’re going to do it.”
Macs aren’t entirely like PCs when it comes to management options, but they’re not covered by most company mobile policies either. Given those aren’t universal, perhaps it’s not surprising Macs are routinely unmanaged. “Only 30-50 percent of larger businesses have a formal policy around mobility,” says Nick McQuire.
He also puts the blame on the still small number of Macs in businesses, combined with the next stage of the transition in how devices are managed: from familiar PC management systems for desktops and notebooks, and the increasingly common MDM for phones and tablets, to more comprehensive enterprise mobile management (EMM) systems.
“The installed base of Macs is growing and becoming critical, but they're still not widespread in enterprise, and managing them is a crossover strategy. Is it EMM? Do you have that and can you light that up [for Macs] or do you use Config Manager or some other management tool? There’s a lag in the technology; the management EMM vendors have only started supporting Mac management with any gusto in the last 12 months, so the only options that IT had a year ago were system management. It's straddling between the old world and the new, and things are in limbo because the base is often quite small. As we start the whole migration of PC management into EMS, we may start to see more clarity and consistency from enterprise on how they deal with this.”
Increasingly, enterprises want to have devices, including Macs, connect to Active Directory so they can enforce basic device security and distinguish known devices. But they also want to push applications to devices and remove them again, and to have single sign-on to applications and services, with contextual security based on the user account, the state of the device and factors like location. That makes this as much about identity and authentication as about device management – which is the promise of EMM.
Between having to manage Macs differently and the shift to holistic device management, managing your Macs might also change the way you manage PCs, suggests Bill Mann, moving away from unnecessary restrictions that slow systems down (and may well have driven some users to Macs in the first place). “In the modern enterprise, they're realizing they can't have that old, heavy-handed approach to managing these endpoints – be they PCs, Macs or mobiles – because they are personal devices as well.”
Despite the popular view that Macs are more secure, they are far from invulnerable, points out John Uppendahl: “It's a myth because any unmanaged device is vulnerable. They’re unmanaged devices, when any unmanaged device on the network is an attack vector.” The increasing number of Macs in business has made them far more of a target, and when GFI Software tallied up the exploitable vulnerabilities on different software platforms earlier this year, they put OS X and iOS at the top of the list.
Managing Macs isn’t optional, says Uppendahl. “If I’m in IT, my job is on the line if I don't lock down the network. How can you justify not managing Macs when the employees' kids are playing on the work computer at night downloading games? They get it infected, they reconnect - and it takes down the network. If your answer is ‘I wasn't managing those devices’, you're fired. This is cheap insurance for job security, and for network security.”