By Cassa Niedringhaus Posted December 26, 2019
What does macOS® Catalina™ fleet management look like? For most IT organizations, it consists of user and system management.
Of course, the challenge for admins is that traditional IT fleet management tools struggle with non-Windows® platforms, including Macs. Historically, IT organizations have leveraged Microsoft®-based solutions such as Active Directory® (AD) and System Center Configuration Manager (SCCM) for managing Windows systems.
However, IT infrastructure continues to expand, incorporating Mac® and Linux® systems, cloud-based resources like AWS® and GCP, G Suite™ and Office 365™, and a multitude of web applications.
In response to this expansion, IT admins have sought cross-platform solutions that integrate natively with macOS, among others. But what’s the best way to manage mixed-OS environments, including macOS Catalina, without becoming overloaded with AD add-ons?
macOS User Management
User management is the process by which admins manage identities and control user access levels. They can, for example, change access levels for users by department or role. As a central part of security, user management is core to organizations’ directory services.
Ideally, IT management tools should enable user-management functionality such as provisioning, deprovisioning, and modification of user access. Additionally, they should allow for password complexity requirements and multi-factor authentication (MFA) to step up account security.
With the release of macOS Catalina, Apple has modified how IT admins can manage user access to their machines. macOS has a tightly integrated user management model in which a user’s local account is also connected to FileVault 2 and Keychain. This creates a number of challenges, as Apple has introduced new ways to control user account creation and management to make it more secure. Specifically, the company introduced the concept of a Secure Token, which an account must hold before it can be enabled for FileVault on a machine.
Historically, managing Secure Tokens was painful. With Catalina, Apple enabled mobile device management (MDM) tools to manage the Secure Token process remotely. The release also allowed account management via SAML — but it did not address local account creation or the original Secure Token users. Admins still face challenges in creating Mac accounts at scale and navigating the trust chain originally required for Secure Tokens (in which the original trusted user needed to create subsequent trusted users).
A comprehensive user management solution should create Mac accounts and navigate the trust chain, as well as provide tight control over user access to systems, applications, files, networks, and other IT resources.
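As an added illustration (not code from this post or from any vendor tool), the following Python script audits which local accounts on a Mac currently hold a Secure Token, using Apple's `sysadminctl -secureTokenStatus` and `fdesetup status`. The exact wording of the status line it parses is an assumption based on recent macOS releases.

```python
"""Audit Secure Token holders on a Mac (added example; not the post's or a vendor's code).
Assumes a macOS host with `dscl`, `sysadminctl` and `fdesetup` on PATH; the parsing and
reporting functions are pure so they can be exercised on constructed output anywhere."""
import re
import subprocess
from typing import Dict, List, Optional

# Assumed format: sysadminctl reports, on stderr, a line such as
#   2019-12-26 10:00:00.000 sysadminctl[412:9876] Secure token is ENABLED for user alice
STATUS_RE = re.compile(r"Secure token is (ENABLED|DISABLED) for user (\S+)")


def parse_status(output: str) -> Optional[bool]:
    """True if ENABLED, False if DISABLED, None if no status line (e.g. unknown user)."""
    match = STATUS_RE.search(output)
    return None if match is None else match.group(1) == "ENABLED"


def summarize(statuses: Dict[str, Optional[bool]]) -> Dict[str, List[str]]:
    """Group accounts by token state. 'missing' accounts cannot unlock a FileVault-encrypted
    disk at boot; an empty 'holders' list means no local account can grant a token at all."""
    report: Dict[str, List[str]] = {"holders": [], "missing": [], "unknown": []}
    for user, enabled in sorted(statuses.items()):
        key = "unknown" if enabled is None else ("holders" if enabled else "missing")
        report[key].append(user)
    return report


def local_users(min_uid: int = 500) -> List[str]:
    """Human accounts from the local directory node (UIDs below 500 are system accounts)."""
    out = subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                         capture_output=True, text=True, check=True).stdout
    users = []
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]) >= min_uid:
            users.append(parts[0])
    return users


def secure_token_status(user: str) -> Optional[bool]:
    proc = subprocess.run(["sysadminctl", "-secureTokenStatus", user],
                          capture_output=True, text=True)
    return parse_status(proc.stdout + proc.stderr)


if __name__ == "__main__":
    fv = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout.strip()
    report = summarize({u: secure_token_status(u) for u in local_users()})
    print(fv)
    for state, users in report.items():
        print(f"{state:8s}: {', '.join(users) or '-'}")
```

Run it as an administrator on each Mac (or push it through your management tool) before enabling FileVault, so that at least one trusted account on the machine is confirmed as a token holder.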
macOS System Management
System management is another important component to consider, as admins control such devices as iMacs, MacBooks, and macOS servers with policies to make them more secure, easier to manage, and configured properly.
Mac admins want GPO-like policies for macOS — e.g. full disk encryption (FDE) through FileVault 2, screen saver lock, patch management, password requirements, and other policies. This type of configuration management helps admins ensure their users work on clean and secure systems. They should also look for a solution that enables command execution for tasks such as system checks, compliance reports, and software installation.
Another important component of system management, for both Mac and other operating systems, is monitoring to understand what is occurring on those systems and look for red flags that might signal a bad actor. IT admins should seek a solution that allows them to review and analyze user authentication events and to access System Insights™ data via reports. They should also be able to access information about the systems themselves, such as storage space remaining, applications installed, or CPU utilization.
Ideally, this system management solution would work not only for macOS Catalina but also for Windows and Linux platforms to suit heterogeneous environments at scale.
Altogether, IT admins should seek comprehensive user and system management capabilities, ideally through a central identity provider, to streamline critical processes and increase security.
If you’d like to learn more about implementing macOS Catalina user and system management, consider browsing Quantifying the Value of Directory Services, a guide that examines management from the cloud. You can also check out our resources page for more information.