There is. The Mac Workgroup Manager is a powerful tool to centrally manage users and computers across your organization. It lets you specify standard configuration information that applies to particular computers or users. It is also easily extendable by ISVs to support application-specific settings. Moreover, Apple has done a great job of keeping it up-to-date with OS releases.
Unfortunately, unless you’re running Mac OS X Server, it’s unlikely that you’re using it to manage the Macs in your company. Without OS X Server, it’s possible that you might not have even heard of Workgroup Manager.
Mac Workgroup Manager requires a central place to store its settings. It can store settings in Mac OS X Server or in any LDAP server. At many companies, the main LDAP server is Microsoft’s Active Directory (AD) server. Organizations that run Windows computers in significant numbers likely use AD to authenticate Windows users. Unfortunately, storing data in that LDAP server is not trivial. The prescribed way of storing Workgroup Manager data in AD requires schema changes to the directory.
Many organizations are reluctant to make schema changes for any reason and unlikely to want to make them for reasons particular to the Mac. At many companies, Active Directory is administered by Windows folk who may know little about Macs and who may be disinclined to make changes to AD to adapt it for the Mac. Schema changes are virtually impossible to undo. Once made, reversing them is difficult.
Convincing an organization to deploy Mac OS X servers solely to support Mac Workgroup Manager may also be difficult if your company uses Macs only as desktop or laptop computers.
Integrating Workgroup Manager and Active Directory
Apple and other vendors supply software to integrate Macs with AD. The Apple Active Directory Plug-In allows Macs to authenticate users with AD. Other vendors supply similar functionality as well as providing “group policy” features that provide functionality similar to that of Mac Workgroup Manager. Likewise Software, however, provides authentication functionality and the ability to integrate Workgroup Manager with AD group policy. Let’s see how this works.
First, the Likewise Enterprise product integrates user authentication with Active Directory in a fashion similar to that of the Mac Active Directory Plug-In. Users can log into their Macs using the same username and password that they use on Windows computers. Second, Likewise provides a mechanism that allows Workgroup Manager settings to be stored in AD Group Policy Objects (GPOs).
Group policy is the Microsoft mechanism for centralized configuration of user and computer settings. Group policy objects are stored in Active Directory and polled by Microsoft Windows computers that detect and apply policy changes as necessary. In AD, GPOs are associated with organizational units (OUs) and GPO settings are applied to the computers and users that are contained in those units.
In Figure 1, an OU called Marketing has been defined. Two computers have been added, or joined, to the OU and two users have been created in the OU. Any GPOs associated with the Marketing OU will be applied to the two computers and the two users in the OU.
Likewise Enterprise contains a utility to join Macs (and other non-Windows computers) to Active Directory. Once a computer is joined to AD, it can participate in AD-based user authentication and in group policy processing. In Figure 1, this utility has been used to join Mary Smith’s Mac to the Marketing OU.
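To make the OU scoping rule described above concrete, here is an added example (not from the original article and not Likewise code) that works out from a computer's distinguished name which GPO links are in scope for it, which is the first thing to check when auditing what policy a joined Mac should receive. It goes slightly beyond the text by also collecting links inherited from parent containers. The domain, GUIDs, computer name and function names are constructed for illustration; it reads the gPLink attribute in which AD records GPO links and ignores blocked inheritance and security filtering.

```python
import re

# Constructed sample data: container DN -> its gPLink attribute value.
# The domain, GUIDs and computer name are made up for this example.
DOMAIN = "DC=example,DC=com"
POLICIES = "CN=Policies,CN=System," + DOMAIN
GPLINKS = {
    DOMAIN: "[LDAP://CN={11111111-1111-1111-1111-111111111111}," + POLICIES + ";2]",
    "OU=Marketing," + DOMAIN: (
        "[LDAP://CN={22222222-2222-2222-2222-222222222222}," + POLICIES + ";0]"
        "[LDAP://CN={33333333-3333-3333-3333-333333333333}," + POLICIES + ";1]"
    ),
}

# One link looks like [LDAP://CN={GUID},CN=Policies,CN=System,DC=...;<options>]
LINK_RE = re.compile(r"\[LDAP://CN=(\{[0-9A-F-]+\}),[^;\]]*;(\d+)\]", re.I)


def parse_gplink(value):
    """Return (guid, enabled, enforced) for each link in a gPLink value."""
    links = []
    for guid, options in LINK_RE.findall(value):
        flags = int(options)  # bit 0 = link disabled, bit 1 = link enforced
        links.append((guid.upper(), not (flags & 1), bool(flags & 2)))
    return links


def parent_containers(dn):
    """Yield each container above dn, nearest first (splits on unescaped commas)."""
    parts = re.split(r"(?<!\\),", dn)
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def gpos_in_scope(object_dn, gplinks=GPLINKS):
    """List (guid, linked_at, enforced) for every enabled link above object_dn."""
    scope = []
    for container in parent_containers(object_dn):
        for guid, enabled, enforced in parse_gplink(gplinks.get(container, "")):
            if enabled:
                scope.append((guid, container, enforced))
    return scope


if __name__ == "__main__":
    for entry in gpos_in_scope("CN=MARYS-MAC,OU=Marketing," + DOMAIN):
        print(entry)
```

The disabled link on the Marketing OU is skipped, and the result lists the containers nearest the computer first; it does not model the order in which a client applies the policies.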