TECH TRENDS—Enterprise IT

Macs go to work

Capitol MacWhen you think of the Apple Macintosh, you might think of a smooth-running, elegantly designed, though comparatively expensive, laptop or desktop computer that is used largely in homes. But can Macs also play a part in the workplace?

The answer seems to be, increasingly, yes. For instance, the Orange County, Calif., Sheriff’s Department recently purchased 175 iMacs and MacBook laptops, which will work within the department's Microsoft Windows environment. "They are used in regular office space for all types of assignments," said Assistant Sheriff James McDonald.  "We also use them in the training room and we use some for video editing and podcasting."

Orange County is not alone. A recent study conducted by analyst firm Information Technology Intelligence Corp. (ITIC) seems to suggest Apple is creeping into the enterprise. A survey of 700 organizations — about 9 percent of which were government agencies — found that 23 percent reported that they have a significant number of Macs in their organizations. Significant, in this study, means more than 50 percent of the desktop computers.

"There is a distinct, discernible trend" of more Apple hardware use in the enterprise, said Laura DiDio, a principal at ITIC.

The rise of Macs seems to be the result of several factors. One, of course, is the quality of Apple — its products are renowned for their relative ease-of-use and secure settings. But perhaps more pertinent is that Apple's recent shift from using IBM PowerPC to Intel microprocessors lets users run Microsoft Windows programs, either through a dual-boot or virtualization arrangement.

Other factors include the Apple iPhone and iPod. Consumers have flocked to these devices, and a few were so impressed with them that they bought Macs.

"You had a situation where the consumers who loved Apple came into the office and asked the IT manager to use a Mac for work," DiDio said.

Daily use
Many government offices that have Macs are using them for specialized functions.

For instance, one of the largest clinics of the Veterans Affairs Department, the VA Palo Alto Health Care System, uses about 80 Macs for CT scans.

The clinic's doctors found that 3-D images provide far more information than 2-D ones, though 3-D images require more processing power. At first, the clinic set up its 3-D imaging software, OsiriX, on a set of Windows 2000 servers. This caused delays, however. So, instead, the unit equipped each doctor with a Mac powerful enough to run OsiriX, said Dr. Roy Soetikno, chief of the clinic's Gastrointestinal Section and Endoscopy Unit.

"Now we can have hundreds of people doing imaging on their desktops," Soetikno said.

The Army Research Laboratory in Aberdeen, Md., uses Macs to run modeling and simulation projects to help create safer vehicles for soldiers. The Army Aberdeen Test Center uses a fleet of Mac Pros for high-definition video editing. Forensics labs also seem to like Macs. Both the New York State Police and the Miami-Dade County Forensic Labs use them for computer forensic analysis. San Antonio just completed a proof-of-concept evaluation of whether it could use Macs for city operations.

The Mobile County, Ala., District Attorney's Office runs only Apple hardware. It has about 100 employees, all of whom use Apple MacBooks or MacBook Pro computers, said Lisa Lemler, the office's technology administrator.

The office’s IT staff has only three people, so the use of Apple computers helps streamline a lot of the low-level configuration duties that often besiege Microsoft Windows or Unix administrators. The Macs are "ready to go out of the box," Lemler said. Instead of Active Directory and Microsoft Exchange Server, the department uses Apple Open Directory and Apple Mail Server. "Information is granted based on the account on the laptop, so someone can't come in from the outside and jump on the network," Lemler said.

The district attorney's office uses iCal server for calendaring, and the tech team uses Apple Remote Desktop for updates and troubleshooting. The computers run Microsoft Office for Macs as the productivity suite.

File formats used to be a bigger problem than they are now, said District Attorney John Tyson. Microsoft Office documents now work reliably on PCs and Macs, and a lot more people use Web-based formats that all computers can understand.

"With people going more and more Web-based, it is a nonissue," Tyson said.

Enterprise support
Systems administrators suffer the enthusiasms of their users, trying to make some shiny new gadget or software work safely within the network. For this reason, they might mistrust Macs. But they should not fear the Apple. Contrary to popular belief, Macs have enterprise support tools and can coexist in a Windows world.

"Is there enough enterprise-management software [for Macs]? No, there is never enough," said ITIC’s DiDio. “Are there some? Yes.”

The first product any administrator should consider is Apple Mac OS X Server, which can act as a console for managing all the Macs on your network. It has a number of features that can streamline routine management tasks.

After installing the Macs, administrators will need some tools to keep them humming. Apple Remote Desktop can be a Swiss army knife for administrators. It can inventory all the Macs on a network and report on memory size and component use. It can download software to a large number of machines and be used to take control of a client's machine for remote diagnostics and repair. Administrators also can use the software to execute routine scripts that automatically perform actions across all the machines on a network.

Another essential tool is Apple's Workgroup Manager. Think of it as Active Directory for an Apple network. It allows administrators to set permissions for everyone on the network by specifying which users and groups of users can access which folders and programs. "Say you had a bank of machines that you wanted to prevent people from burning CDs on," said Eric Zelenka, senior worldwide product manager at Apple. “You can [specify] that these machines won't burn CDs and DVDs.”

The underlying technology for setting permissions for Macs is Open Directory, which is available on OS X Server. Open Directory uses Kerberos network authentication protocols and Lightweight Directory Access Protocol. Because both are open standards, administrators can also use third-party tools to set permissions for Macs.

A Mac in a Windows world
Administrators who have been around for a while might remember past headaches caused by integrating Macs into a Microsoft Windows environment. However, before they reach for the aspirin, they should take a look at what Apple and others have done to establish a peaceful coexistence with the software offerings from Redmond, Wash.

For example, OS X clients have the option of using Active Directory as the authenticating agent. So when a user logs in, the Microsoft Exchange server grants the necessary permissions.

"You point your client or your server at Active Directory, and your [operating system] will call Active Directory whenever its needs to view a user group lookup or any sort of authentication," Zelenka said. "Your Mac will adhere to whatever the security policies were that was set by Active Directory."

File sharing also has gotten easier in recent years. Mac OS X and OS X Server now include the Server Message Block client and server software, which allows authorized Mac users to browse files on Microsoft Windows computers. It also allows Microsoft Windows users to do the same on Mac computers.

Even if your organization uses Microsoft Exchange for e-mail, Mac users can easily send and receive e-mail messages. Exchange supports the Internet Message Access Protocol, and Mac uses IMAP to download and send messages through Apple's Mail client, the e-mail client in Microsoft Office for Mac or any other e-mail client that supports the protocol.

For better or worse, most enterprise networks are deployed from a Microsoft Windows environment. So it would be nice for the administrator to control all the Macs in the shop from a Microsoft Windows machine. To this end, a consortium of vendors have banded together as the Enterprise Desktop Alliance to offer a coherent toolset for managing Macs from a Windows environment. Companies include Centrify (for identity management), Parallels (for virtualization), Atempo (data security) and GroupLogic (for file and print services).

Steps to go
Although plenty of software is available for Apple enterprise support, questions remain about Apple's ability to support the hardware and software. A quick browse of the Apple Fed-talk mailing list finds no shortage of government employees trying to find answers to problems they've encountered as they try to get Macs to work in official environments.

Apple is "in position to support large sales of MacBooks," DiDio said. "I'm not sure they are in a position to...provide the large-scale technical support to the enterprise, should issues arise." As one IT manager told DiDio, "Look, I can't have people running to the mall when I have a problem."

Historically, Apple has been slow to support government-led standardization initiatives, such as the Common Access Card for military users. Apple now offers a guide for equipping Macs for CAC use, but not before more than a few administrators tried tackling the problem.

The Navy Marine Corps Intranet, for example, doesn't support Macs. Mac users can still access the Web-facing portions of their NMCI services. However, since 2006, logging on to NMCI services requires a digital certificate on a CAC or USB key drive. And Mac users with such certificates have found it difficult to access NMCI services, especially if their computers run the Tiger (OS X 10.4) or Leopard (OS X 10.5) operating systems. Fortunately, Dennis Hayes, chief technology officer at EDS, which manages NMCI, recently posted a set of procedures so Mac users can access NMCI's public-facing Web services, such as e-mail and calendar functions.

Hayes and other members of the EDS team worked with Apple's federal office to create a standard process for certifying NMCI users. EDS and Apple spent about two months creating, documenting and testing the procedure, Hayes said.

Apple has some catching up to do on the Federal Desktop Core Configuration, too. FDDC is a set of secure configurations for operating systems that federal agencies are mandated to use. Microsoft and the National Institute of Standards and Technology have hammered out a Windows configuration, but one is not in place for Mac OS X. The good news is that a team in the Army's chief information office is in the early stages of developing a comparable configuration model for Apple Macs.

The price of intangibles
When you buy Apple computers, you pay top dollar. DiDio said the price disparity between Macs and Windows computers has shrunk in the last few years, but a disparity still exists.

A recent scan through the General Services Administration's GSA Advantage finds that a MacBook could be acquired for as little as $1,900. This model, from reseller Portable One, has a 2.16 GHz processor, a 13.3-inch screen, 1G of working memory, a 120G hard drive, and a DVD read-and-write drive. A Windows laptop with a roughly similar set of attributes, an Acer Aspire 5315, could be acquired for $738.

Can this additional cost be justified? Some think so.

Mobile County’s Tyson said Macs establish an environment in which employees can think more creatively. "There are few people as creative as lawyers preparing their cases for trial and assembling their facts and various bits of evidence for their arguments," Tyson said. Having an operating system that supports a creative environment helps the agency tackle novel problems with greater ingenuity, the argument goes.

Apple Macs and their software have long been loved by creative types — a factor that is perhaps hard to quantify but easy to recognize by the degree of enthusiasm expressed by their users.

At the Embedded Systems Conference in Boston last fall, influential software developer Joel Spolsky talked about many of the intangibles that come with IT products.

For instance, he looked at the iPhone and the MacBook Air, both of which look totally seamless. "From an engineering perspective, you get the feeling if you accidentally swallowed [an iPhone] it'd go right down," he said. It wasn’t an engineering necessity to remove all the protrusions that break the lines of other laptops and phones, but the psychological effect does translate into greater sales and greater perceived satisfaction among users.

Can such psychological effects lead to real performance improvement?

"In order to marshal the resources necessary to [take on our] fights, we have to reach well beyond the limitations of our agency," Tyson said. "You can immediately see the advantages of having a robust and clever technology that allows successful communication across the board."

Reader Comments

Thu, Apr 23, 2009 CIO Bethesda, MD

This is a nicely balanced article that should help in further demystifying Macs in the enterprise. Unfortunately, you missed the #1 reason to introduce Macs in the workplace: security. I know, some of your sponsors may not like to be reminded again of the constant security threat Windows represents. Talking about cost, the time my staff spends guarding against and fixing Windows virus, worms, and other critters easily triples the TCO of Windows systems. Yes, Apple is behind on FDCC. Why wouldn't they be? FDCC was created specifically and exclusively to mitigate the impact of vulnerabilities in the Windows OS! All my Mac users have access to a local admin account on their machine and they haven't gotten me in trouble yet.

Sun, Mar 8, 2009 tom termini washington dc

For more than 20 years I've helped build IT solutions in the federal space, with Macs. Three companies, tens of millions in contracts, and most of the time, I just haven't mentioned that the solution has been built with or runs on Apple technology. All my customers know is, it works.

Wed, Mar 4, 2009 Trails

I've been doing INFOSEC / IA for the government for about 10 years. After a lot research and years of frustration, I bought an Intel-based 17inch MacBook Pro with 2GB. It wasn't cheap, but from the time I booted it the first time to now more than 2.5yrs later, I haven't any issues that I didn't cause myself! (loaded OpenOffice vs. NeoOffice... oops?) I've recruited a few people that I know, including my 70 year old father in law. That alone has saved me hours upon hours of trying fix their windows machines. If I had it my way, we'd all be using them at work too...

Wed, Mar 4, 2009 Christopher Martin LA

This article is short-sighted and incomplete. The prices & specs for the Acer vs. MacBook are wrong. The model described by the article would go for $909 for institutional purchases, based on my sales sheet. Also, you don't factor the virus, malware and spyware factor. Routine virus maintenance is about 1 hour a week in enterprise. Even at $20 an hour that is a $1000 productivity loss (and that bars drastic maladies) whereas a Mac averages about 1 hour a month. Macs have far less maintenece issues than PCs as a rule - Macs are more cohesively built and designed, whereas every PC is built by the 30 lowest bidding contractors that week. If you lose your PC for just one hour a month for conflict issues, drivers, viruses... the Mac comes out way ahead on TCO.

Tue, Mar 3, 2009 AMSR

Also, the comparison of the Acer Aspire 5315 to the Macbook isn't really a fair comparison. The Acer is a very basic laptop with a Celeron processor (vs. the Macbooks C2D chip). The C2D based Acer laptops are very close in price to the Macbook line. That would have been a better comparison.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above