
Mac deployment in Active Directory environments

Preparation & Planning

 

Deploying new Macs or upgrading an existing suite of Macs to macOS Mojave 10.14 and the latest versions of your apps is an exciting time, and a great opportunity to evolve existing practices and workflows in a school.  A key phase of this process is developing a clear vision for the new / upgraded deployment of Macs.  What outcomes is the school trying to achieve for its staff and pupils, how can previous workflows be improved, and what opportunities do today’s technologies introduce?  Here are some things to consider when you are developing your vision.


Cloud storage vs onsite storage


The move from local to cloud storage is well underway across the IT industry, and a time of significant client upgrade when workflows are likely to change anyway is an opportunity for schools to start considering this migration.  There are many cloud storage providers out there, and the majority offer free solutions to education and cross platform desktop and mobile client support.

The eventual cost savings of the move to cloud storage are significant, and as internet bandwidth challenges diminish across the UK this type of storage solution becomes very realistic for most usage scenarios.

The transition to cloud storage can also be a gradual one.  If you have clients with very large storage requirements (e.g. large media files) an element of LAN based storage can be retained for them, and in certain usage scenarios we’ve seen cloud based storage for ‘in progress’ files and archiving, with LAN based storage in place for submitting completed projects for assessment allowing simple access to OFSTED for inspection.

Whatever your deployment model is today, the transition to cloud storage in education is inevitable so have a longer term plan for that eventual migration and ensure that decisions made now make sense in that context.


Personalised learning environment


How personalised do you want the user experience on a Mac to be and why?  You may have deployed a completely personalised experience for the user previously, but is that really necessary in a shared device environment?

The ideal scenario is a one to one Mac deployment, where, as we see with iPad, the real power of the technology and software can be used to create a personalised learning journey for students.  As with iOS devices, however, Macs have to be used differently in a shared environment, and depending on your deployment preferences it may not be sensible to aim for a completely personalised look and feel on a shared Mac for each user.

In key stage one and two where a completely personalised solution with user specific logins and home directories often isn't feasible, consider a generic or anonymous ‘logged in’ user on the Mac with the only user specific authentication required if connecting to a file storage area.


Network based home directories

 

Whilst it's still technically possible to configure network based home directories using the macOS built in Active Directory plugin, don't use them.  The storage and data access requirements of the Mac are way beyond the capability of most networks, and many applications simply will not address a user library located on a network volume.  macOS and key applications are optimised for local solid-state storage and require at least a local spinning hard drive to function as designed.

Schools using our managed service often deploy Macs to work with high end media applications (e.g. Final Cut Pro or Logic Pro X) and under no circumstances would we attempt this with network based home directories.

 

Data Security & preparing students for the future


One of the comforts of network based home directories was that they made data security and backup strategies fairly straightforward, even if at significant cost to the school for backup solutions.  This ‘institution managed’ approach to data is functional, but can leave students underprepared for the world outside of education.

Think about your data access and security plan, then compare it to the world that your students will face when they leave school, where they are likely to be solely responsible for the access and security of their data in a globally available cloud storage solution.  Put the emphasis on your users to ensure that data is backed up to the school's cloud or LAN based storage solution, give them their own way of managing or resetting passwords, and consider cloud storage solutions which are already likely to be a key part of their personal data management.

Transitioning the methods of securing and backing up students' data in school to those more in line with the methods they will face in their future professional life surely fulfils a key aim of any school: preparing students for future employment.

 

Client Upgradability

 

Since the early days of full Active Directory support, macOS has been through plenty of major version releases, all of which have improved fundamental aspects of network protocols.  Alongside these have come the many hundreds of user facing improvements that we have come to expect from a macOS release.

Consider this when you are designing your deployment.  Your plan should allow for clients to be upgraded to the next release of macOS without issue (aside from application compatibility, of course).  An example of where design held Mac deployments back from upgrades was with earlier ‘magic triangle’ deployments and the dependency of Mac clients on imaging and a Mac Server for MCX style client management.  The Mac clients and Server had to be running exactly the same version of the operating system, therefore any major upgrade to macOS often required a rebuild of the whole deployment from scratch, with all Mac clients and servers being upgraded.

A more progressive way of deploying, which we always use on our managed service, is to have no dependency on internal servers for deployment or ongoing management. Client Macs are onboarded to an MDM automatically using Apple School Manager and Device Enrolment, with management profiles, policies and apps distributed via a cloud based MDM like Jamf Pro.  In that environment the version of macOS is almost irrelevant, and you could potentially run a network with current and legacy versions of macOS side by side if necessary for application compatibility.

 

Deployment Models

 

Deploying in an efficient manner, simple management once deployed and offering a reliable platform to users are the goals of any network manager for their Macs on a school network.  To achieve that we would only recommend two deployment models, each of which presume the use of Apple School Manager and Device Enrolment (DEP) with a cloud based device management solution like Jamf Pro for simple deployment and rebuild.

 

Model 1 - Generic local user account

 


 

In ‘Model 1’ each client Mac has two local accounts set up: the generic ‘localadmin’ account replicated across all clients, and a unique local user with standard privileges named in accordance with the Mac name.

 

The Mac automatically logs in at startup as the standard user and offers an authentication prompt to access LAN or cloud based storage for the students' files if necessary.

 

Management is delivered from a cloud based MDM solution.

 

Model 2 - Active Directory user accounts with forced local home directories

 

This model has been widely used for years in Mac environments where apps like Adobe Premiere or Final Cut Pro simply will not function with a network path to live files, or with other media applications where it’s not feasible to copy files to and from network / cloud storage at the start and end of each session as would be required in Model 1, so local home directories are required where a user can store their live files securely.

These local home directories should be considered temporary by the user and not a long term storage option.  Best practice by network managers clears down the contents of these user specific local home directories at set intervals.

The client Macs don’t log in automatically with a standard user; they stop at the login window and are configured by the cloud based management solution to create a unique local home directory for each Active Directory user when they log in.  The first time a network user logs in on a particular Mac they are authenticated against Active Directory and have a fresh, blank home directory created on that Mac.

Users must log in to the same physical Mac every time to work on their files, or, using methods very similar to those in Model 1, copy their files to LAN or cloud based storage solutions to make them available via another Mac. Thanks to Kerberos, users should not have to re-authenticate for network services after logging in.

Challenges for this model are focused on backup of users' local home directories.  Even though they are not a permanent storage solution, live projects can be stored for many days or weeks on a particular Mac before completion.  If file sizes allow, users should always be encouraged to take copies of their files to the authenticated LAN or cloud based storage for safety, but if that is not possible for practical reasons we would suggest a backup of the home directory from each Mac to a network storage location.
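As an added example for Model 2 (this is not KRCS's own tooling), the script below checks that the Active Directory plugin is set to force home directories onto the startup disk, and reports local home directories that have been idle for longer than the clear-down interval. It assumes a Mac already bound to AD, the ‘localadmin’ account named above, and a 14 day interval; the live check uses the standard `dsconfigad -show` output.

```shell
#!/bin/sh
# Model 2 helper (added example). Assumes the Mac is bound to AD and the
# shared admin account is called "localadmin"; 14 days is an assumed interval.
set -eu

# Returns 0 when the AD plugin forces home directories onto the startup
# disk (what Model 2 relies on), 1 otherwise. Reads `dsconfigad -show`
# output on stdin so a saved report can be checked as well as a live Mac.
local_home_forced() {
    grep -q 'Force home to startup disk *= *Enabled'
}

# Lists home directories under $1 with nothing modified in the last $2 days,
# skipping the names in $3 (space separated). These are the local AD homes
# that are due for the periodic clear-down; it only reports, never deletes.
stale_homes() {
    base=$1; days=$2; keep=" $3 "
    for dir in "$base"/*/; do
        name=$(basename "$dir")
        case "$keep" in *" $name "*) continue ;; esac
        # Stale when no file or folder in the home changed within $days days.
        if [ -z "$(find "$dir" -mtime -"$days" -print -quit)" ]; then
            printf '%s\n' "$name"
        fi
    done
}

main() {
    # Live check; needs the AD plugin and should be run as root on the Mac.
    if dsconfigad -show 2>/dev/null | local_home_forced; then
        echo "Forced local home: enabled"
    else
        echo "Forced local home: NOT enabled; fix with: sudo dsconfigad -localhome enable"
    fi
    # Report local homes idle for more than 14 days, keeping shared accounts.
    stale_homes /Users 14 "localadmin Shared"
}

if [ "${1:-}" = "--run" ]; then main; fi
```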

  

Summary

 

Driving a well thought out plan for a significant upgrade of existing Macs or a deployment of new Macs needs an understanding of both the technology and teaching practices.  At a very early stage in the process IT management and key teaching staff should be involved in discussions to understand each other's motivation for wanting to modernise the Mac deployment. Typically we see teachers wanting to get the latest software versions into the classroom and technicians wanting to reduce the support burden, so there may be compromises required or new workflows to consider to make everyone happy.

 

Failure to consider either side of this equation normally results in one of two undesirable outcomes: doing nothing and sticking with old technology, or pushing a solution into the classroom which isn't fully supported or understood by the teachers.

 

Go with a third option, plan properly, deploy wisely and harness the real power of the Mac!



Related Links

KRCS FirstClass Managed Service for Schools

Apple in Education - FirstClass - Case Studies

 

Contact us

education@krcs.co.uk

0115 985 1797

@krcs_education
