Haatch Mac Deployment

Ever since I first introduced Macs (and plenty of other Apple devices) into our previous life at Kiddicare, I’ve always been looking to improve the deployment of these, even on a relatively small scale now within Haatch. At Haatch we’re all Apple users and our setup consists of a MacBook Air or Retina with a Thunderbolt Display each as our main daily driver. We all have the latest iPhones, iPads & some of us Watches. We’ve then got a bunch of Apple TVs and a few iMacs between offices & various homes.

As a small team we’re not interested in BYOD (all our devices are personal & work; in fact, what is the difference between personal and work for us? Nothing!) or enterprise management. We simply want to jump on any device, in any location (we travel lots) and not have to worry about a thing.

From my perspective (Apple boy) I want everything to be as seamless as possible and require the smallest percentage of my time to manage.

Our Deployment

The 4 key components of our setup (there are many more pieces of software we use) are OSX Server, Dropbox, Bushel & Google Apps.

Dropbox & Google Apps are relatively straightforward: all our files live within Dropbox and we use Google Apps for email & calendar. Currently, when we jump onto a new device we have to log in to Google Apps & Dropbox natively; however, I’m hoping to make this more seamless using Bushel when I get some spare time (more on that later).

OSX Server

OSX Server started as a desire to manage users centrally, and by manage I mean reset a password and allow anyone to log in to any device with 0 config. This quickly turned into the bane of my life; however, now that I’ve simplified our implementation, OSX Server works just as I originally planned.

We have a single Mac Mini running the latest OSX Server with some key roles enabled; Caching, File Sharing, Time Machine, VPN, DNS & Open Directory.

OSX Server – Caching

Let’s cover the quick ones first. Caching is a really nifty tool which, once turned on, requires 0 config (outside of setting storage limits). Caching means any “Apple Download” (so that means iTunes, iCloud, Software Updates & App Store) on our internal network is cached – perfect for when we all discover a really cool App: we only have to download it from the Internet once and every download from there on is local. This also makes software updates and iCloud restores blazingly quick, perfect when we’re always upgrading devices!

OSX Server – File Sharing & Time Machine

I’m going to group File Sharing & Time Machine together because, as I mentioned above, we use Dropbox for all our files. Having File Sharing enabled is a Time Machine requirement, and outside of these the only other share we have today is a wallpapers folder, meaning our Haatch desktop background is stored on the network. I’ve always used Time Machine personally; however, I fell out with it in a previous version of OSX when it started dumping local backups on my HD and taking all my space. This has clearly improved since then. I’m testing Time Machine via the server with my own devices at the moment and no doubt we’ll roll this out soon with some new network storage.

OSX Server – VPN

VPN – not much to say here. It means I can log in to the server remotely; that’s the only thing I use it for, and I’m the only user.

OSX Server – Open Directory & DNS

Now for the fun one, Open Directory (and a little DNS). OD is the real reason I deployed OSX Server here: I wanted the ability (just like in an AD environment) to manage users centrally and enable anyone to log in to any device – great for the “floating” iMacs we have in the office and those times we forgot our laptops! (Also, when someone forgets their password – no names mentioned.) This has an added upside of allowing “guests” to log in when we have events like our monthly code club.

Open Directory wasn’t the easiest to get set up; however, after some trial and error with DNS & certificates it was pretty straightforward! Now the first step I take when we get any new device is to create a Local Admin account and bind the device to our Open Directory. We then create a mobile account using the network account (stay with me here), so once you have logged in on a device, you can log in from any location without a connection to the server – password changes etc. sync the next time you connect in the office. Part of me would like to improve this; however, I’m not sure sharing Open Directory on the WWW is a great idea or even essential for a small team like ours.
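The new-device steps above (local admin, bind to Open Directory, then cache the network account as a mobile account) as one script. This is an added example, not from the original post; the server hostname `od.haatch.local`, the local admin short name and the `-P` flag meaning for createmobileaccount are assumptions, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: new-Mac setup for an Open Directory environment.
# ASSUMED: OD master hostname, local admin name, createmobileaccount -P semantics.
set -eu

OD_SERVER="${OD_SERVER:-od.haatch.local}"   # assumed Open Directory master hostname
LOCAL_ADMIN="${LOCAL_ADMIN:-localadmin}"    # assumed local admin short name
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands instead of running
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Print the command in dry-run mode, otherwise execute it with sudo.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else sudo "$@"; fi; }

# Step 1: a local admin that still works when the server is unreachable.
# "-password -" makes sysadminctl prompt, so the secret never appears on argv.
create_local_admin() {
  if [ "$DRY_RUN" != 1 ] && id "$LOCAL_ADMIN" >/dev/null 2>&1; then
    echo "local admin $LOCAL_ADMIN already exists"; return 0
  fi
  run sysadminctl -addUser "$LOCAL_ADMIN" -fullName "Local Admin" -password - -admin
}

# Step 2: bind the Mac to the OD server under a named configuration
# (anonymous bind; add -u/-p to dsconfigldap for an authenticated bind).
bind_to_od() {
  run dsconfigldap -v -a "$OD_SERVER" -n "$OD_SERVER"
}

# Check: the network account must resolve via the search path before caching it.
verify_network_user() {
  dscl /Search -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Step 3: turn the network account into a mobile account for offline login.
# -P is assumed to make createmobileaccount prompt for the user's password.
create_mobile_account() {
  if [ "$DRY_RUN" != 1 ] && ! verify_network_user "$1"; then
    echo "user $1 not found via $OD_SERVER; is the bind complete?" >&2; return 1
  fi
  run "$CMA" -n "$1" -P
}

main() {
  create_local_admin
  bind_to_od
  create_mobile_account "$1"
}

# Usage: sudo sh setup-mac.sh <network-username>   (functions can also be sourced)
if [ "$#" -ge 1 ]; then main "$1"; fi
```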

DNS is a fun one: we use DNS so our clients can connect to the server via hostname and for Open Directory to work (this took a lot of forum reading). However, I would like to roll out DNS to replace our standard DNS service, which is powered by our AirPort, as we have a few static IPs and reservations on the network. One for the to-do list, I think.

OSX Server – Improvements

One role which I initially enabled and rolled out, but have since retired, is Profile Manager. We have no real need for device management; however, the ability to asset tag, monitor software versions & push new updates I feel has some benefit even in a small environment like ours. Profile Manager caused some issues for me, and in one of the recent OSX Server upgrades there was a massive Bonjour service conflict created when using a .local domain (something we do) and Profile Manager needed a full rebuild. Instead of rebuilding I simply turned it off (with a big smile on my face) in search of a replacement…

Whilst reading about the IBM global rollout of Apple devices, which is super fun (fun if you’re into that kind of thing like me), one of the most interesting points was how they manage devices (aka Profile Manager 2.0). IBM use Casper Suite and Apple DEP, so they ship a sealed (yes, sealed) device from Apple to an employee (well over 100k employees) and when that employee logs on, all services are automatically deployed. Okay, this is way overkill for us (we’re a handful of people) but it’s super cool! Casper is a big bit of software and not something I’d ever looked at seriously; however, this week I came across Bushel, which is made by the same business but targeted at people like us! This one’s right on my spare-time to-do list. First step: auto Google Apps configuration with standard OSX clients when a user logs in.