Apple and the enterprise: A complicated relationship

It's been one step forward, two steps back over the past 15 years for Apple and enterprise customers

When Microsoft shipped Windows 2000 and Active Directory, Apple didn't really have a solution for identity management or for linking Macs to an enterprise network. The company was just beginning the transition from its classic Mac OS -- the first version of which had shipped on the first Mac in 1984 -- to OS X. Although Apple did ship a public beta of OS X in second half of the year, the final release didn't arrive until March 2001.

The classic Mac OS was not for multi-user systems. It offered limited user account creation and management for file sharing between Macs, but there was no built-in mechanism for logging into an individual Mac -- it booted right to the desktop, where you had full access to the entire file system and all installed software.

Apple did make a couple of attempts to create a multi-user system, however. In the early 1990s, the company shipped At Ease, which provided some multi-user support, first on a single Mac and later for multiple Macs on a network. But At Ease never gained much traction beyond some pockets of the education market for it which it seemed to be designed.

In planning the transition to the true multi-user environment of OS X, Apple added a modicum of multi-user functions in Mac OS 9 that allowed each Mac to support multiple users with basic file permissions, individual user settings and preferences, and limited account-based restrictions. Apple also created Macintosh Manager, which redirected Mac OS 9's multi-user functions to a server-based data store and copied certain settings and configuration files from that data store to an individual Mac. It wasn't really an enterprise-grade solution, even when incorporated into the first few releases of OS X Server, but it was a functional pre-OS X stop-gap.

Apple tries going it alone

Apple's first real move toward enterprise functionality, including identity management, came with OS X and OS X Server. The first release of OS X was essentially the Unix-based core of NeXTStep with an Apple-inspired GUI on top of it. NeXT gave OS X solid enterprise bones right away, including support for local and network user accounts.

NeXTStep and the first releases of OS X and OS X Server relied on a proprietary user and client management system known as NetInfo. Functionally, NetInfo served many of the same roles as Active Directory. It allowed for centralized user and computer accounts and user authentication for access to network resources; worked with the file system to support a POSIX permissions model; and it could be used to define user settings and experience in the same way group policies do in Active Directory.

Although NetInfo worked and remained in the mix of Apple's enterprise components for several years, it had some serious limitations. The biggest one: It was proprietary and didn't integrate with other platforms.

The other achilles heel for NetInfo in early OS X releases was that it didn't support directory server replication. That meant that either a single server had to support the enterprise identity functionality for an entire organization or multiple servers -- each with a unique directory of users, computers and configuration data -- had to be deployed. Even though it was possible for Macs to search for enterprise identity data across multiple servers, the process was far from the multi-master replication capabilities of Active Directory domain controllers.

The proprietary nature of NetInfo led Apple to sell a complete end-to-end solution to enterprise IT. Today, Apple is well known for its end-to-end approach to technology; in many ways, it's been a winning strategy because it allows Apple to maximize profits and create a controlled ecosystem. It's also the same strategy that allowed Apple to disrupt industries so effectively and deliver some of the most polished products on the market. iTunes, with its link to the iPod and iOS, is the greatest example of what Apple can achieve using it.

Apple didn't have a lot of luck selling that end-to-end system to enterprise IT. Part of that was because of the proprietary nature of Apple's solutions. But the company was also still pulling back from its near collapse in the mid-to-late 1990s. At the time, its market share was abysmally low and it was a complete outlier in virtually every business market.

Panther brings a new approach to enterprise

OS X Panther (and Panther Server) was one of the most important releases of OS X from an enterprise perspective. It rectified the limitations of NetInfo by introducing a broad-based solution for enterprise identity and directory services. It also added support for Active Directory. That represented a major shift in Apple's strategy, as the company quietly acknowledged it couldn't succeed in business without really offering support for existing enterprise systems.

Open Directory was technically a collection of directory and identity technologies that included NetInfo support, with a connection for legacy NetInfo server as well as for storing local accounts and records as well as an LDAP-based replacement for NetInfo's proprietary data store. In practice, Open Directory became synonymous with Apple's LDAP implementation; as that was integrated with Kerberos, it represented a replacement for NetInfo. In addition to being based on open standards, the Open Directory architecture included support for directory server replication. Even so, it remained a master/slave replication environment that was more like Windows NT's use of a primary server and one or more backup servers than Active Directory.

The scalability advances, which continued to improve in later OS X and OS X Server releases, were only part of the advantage Apple gained by deprecating and eventually discontinuing NetInfo. The other was a move to open standards, including LDAP and Kerberos, the technologies at the foundation of Active Directory. As a result, Apple was able to offer Active Directory integration on Macs running Panther and later releases.

Out of the box the integration was pretty limited. Apple's Active Directory plug-in for Open Directory only mapped three attributes for user account records (username, password, and home directory), but Apple offered three ways to deepen that integration: extend the Active Directory schema to include the new records and attributes used by Open Directory, map the Apple-defined records and attributes to existing but unused Active Directory counterparts, or use what was called the magic triangle. That involved Macs that were joined to the Active Directory domain for enterprise identity and user authentication and to an Open Directory domain for Mac client management.

Apple also allowed third-party companies to produce their own Open Directory plug-ins to support additional directory types like Novell's eDirectory or provide new capabilities when using Active Directory. Centrify, an enterprise identity management developer, was one of the first companies to offer more powerful Active Directory integration. Its Direct Control for Mac, which is still on the market, allows Active Directory admins to manage Macs using group policies stored in Active Directory without modifying the schema. Group Policy options are available for virtually every Mac client and user management option available from Apple.

Leopard changes everything

2007 was a big year for Apple. It introduced the iPhone that summer and it OS X Leopard that fall. Leopard was among the most feature-packed OS X releases to come out of Apple and boasted more than 300 features and improvements. The most notable enterprise identity change in Leopard was that Apple finally phased out NetInfo, which was until then still used for storing local user accounts on Macs.

Leopard Server, on the other hand, included key features that would eventually determine Apple's current place in the enterprise. The first was a new option for joining Macs and Mac servers to an Active Directory domain. To streamline Mac integration with Active Directory, Apple created a new type of Open Directory mechanism known as augmented records. It essentially simplified the magic triangle approach. A user's Active Directory data still managed his or her enterprise identity and authentication, but Leopard Server could automatically include just the Apple-specified records needed for OS X Server services or client management. Everything else was passed to Active Directory.

This streamlined approach was part of a new form of OS X Server setup and administration. For small organizations or Mac-centric workgroups at a large company, Apple introduced simplified management by way of a new tool called Server Preferences. It allowed users with limited technical skills to set up and manage a server running a subset of the most commonly used business services: file and printer sharing, email and chat, websites and wikis, backup and VPN access.

This approach showed that Apple was willing to work with existing enterprise technologies. Specifically, it showed that Apple was happy to leave enterprise identity in the hands of Active Directory. And it marked one of the first instances of Apple marketing an enterprise product, in this case, Leopard Server, directly to users rather than to IT shops. That approach has been viewed as fueling the success of iOS devices -- and the BYOD trend -- in business.

Though it wasn't obvious at the time, Apple was also the beginning to refocus OS X Server as a small business solution rather than an enterprise server OS.

The iPhone before it was enterprise-ready

While Leopard Server was quietly changing Apple's approach to the enterprise, the original iPhone -- clearly not an enterprise product -- was released. A year later, in 2008, Apple began to give the iPhone some enterprise chops. In addition to launching the iPhone 3G and the App Store, which would revolutionize smartphone software development across the board, Apple included two important capabilities in what was then called iPhone OS 2. The first was support for Exchange Active Sync. This allowed access to key Exchange features, including push notifications; the enforcement of a handful of security policies through Exchange; and the ability to remotely wipe lost or stolen iPhones.

The second change was configuration profiles. These XML files, which could be created from scratch or by using the iPhone Configuration Utility, were the first method Apple offered for IT departments to pre-configure user iPhones, provision them with security certificates, and impose a range of restrictions on what a user could do with a managed iPhone. The process of deploying configuration profiles was cumbersome because they either needed to be installed by hand, emailed to users, or hosted on an company's intranet -- not an ideal solution to iPhone management. Seen through the lens of a BlackBerry-dominated enterprise, the Apple process looked crude and resource intensive. But it was a beginning and one that foreshadowed the iPhone as an enterprise device.

iOS 4, mobile management and third-party solutions

Three months after releasing the iPad in 2010, Apple shipped iOS 4 -- it was the most significant iOS upgrade yet from an enterprise perspective. iOS 4 answered many of the enterprise IT complaints about the iPhone and iPad. In addition to the basic Exchange policy support introduced two years earlier, Apple unveiled broad security and device management capabilities.

The security advantages alone were a big deal and included APIs that allowed developers to easily create encrypted data stores on a device. That made it possible for enterprise apps (and even some consumer apps) to store content in a secure manner. Even if the device itself wasn't passcode protected, the data within an app could be secured if that the device was lost or stolen.

The bigger news, however, was Apple's mobile device management (MDM) framework. Although based on the existing configuration profiles, Apple's MDM system made it possible to apply policies directly over the air and query devices for a range of information, including what configuration profiles and apps were installed. The release also offered several new management and feature restriction capabilities. While Apple hadn't replicated the classic BlackBerry system with its 500+ management options, it did cover the most important areas, making it possible for enterprise IT to comfortably support iOS devices.

An even more important aspect to iOS 4's MDM model was that Apple opened it up to third-party vendors instead of creating a single and proprietary Apple management console. In fact, it wasn't until a year later that Apple shipped its own MDM solution when it released Lion Server. That's significant because it was the first time Apple adopted a truly a hands-off approach to enterprise IT. The result was an explosion of mobile management vendors offering the ability to manage iOS devices in enterprise environments. While each company provided essentially the same core management capabilities, they differentiated based on a variety of factors, including support for other mobile platforms, IT-focused integration features and additional capabilities based on an agent that could be installed on a device.

Apple pulls out of the data center

1 2 Page
Free Course: JavaScript: The Good Parts
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies