PC Admins: How to Manage your Small but Essential Mac Environment

5 tips to trick your users into believing you’re an Apple Genius.

So you almost have it: the IT environment of your professional dreams. You're finally on Windows 10, you seamlessly transitioned to 365, and every asset is tagged and accounted for. There's just one problem: that pesky design department of five who insist on a fleet of Mac Pros or iMac Pros, or that one VP who needs the macOS version of every whitelisted app because he insists on using his personal MacBook. You have no idea how to help them.

This is a real problem for many IT departments. At 9.6% of the PC market share, Apple’s presence in your company might not be high enough to justify hiring a dedicated professional who knows the very specific ins and outs of macOS, but Mac users tend to be the kind you can’t just ignore (not that you would ever do such a thing to any of your users *cough* Karen in HR who keeps deleting Chrome *cough*). Add in Apple’s constant software updates and changes, and you have a consistent thorn in your side.

So what do you do? Get certified? Ban Apple altogether? Hang up the phone when someone asks you to reset their keychain? Use these five tips to help coax those rogue Macs back into the fold.

1. Get away from binding

macOS and Active Directory still don’t play nice.

If you take only one practical tip away from this article, it is this. Joining a Mac to your domain so that your Active Directory users can log in with their network accounts is referred to as binding (for some reason), and it has never been a seamless process. It used to be much worse, but even now the most common problems your Mac users will have in a mixed environment involve the login keychain, where macOS stores saved passwords and which is unlocked with the user's login password. When that password changes in AD (a scheduled rotation, a helpdesk reset), the local copy does not follow, and the user gets keychain prompts at every login until someone reconciles the two. Here are some alternatives:

  • NoMAD is a free, open-source program that was built specifically to address this issue. It keeps your computers unbound, but obtains a Kerberos ticket from AD for the logged-in user and keeps the local account password in sync with the AD password when a change occurs. It is constantly updated and has a large user base. There is a paid Pro option that offers more hands-on support, but the free option has all the features and thorough documentation.
  • Apple Enterprise Connect is fairly new and works similarly to NoMAD. It is a paid product, but comes with the implied Apple seal of approval and support network. You need an Apple Business account to access it.

2. Get involved in the Mac Sysadmin community

It is small but loud, and many admins on there have gone through what you’re going through.

  • The MacAdmins Slack is one of the best resources for tracking down common Mac problems that real people are dealing with right now. It has channels for every category of Mac product under the sun. The macsysadmin subreddit is also good, though it may take longer to get a response.
  • JAMFNation is the central hub for JAMF users, and includes their free-to-read discussion forums. It is an invaluable wealth of information, and even includes a database of commonly used bash scripts.
  • Bookmark the big MacAdmin blogs. My weekly reads include Der Flounder, Mod Titan, and MacMule. These guys and girls are experts, and will frequently outline their workflows for you to copy. Learn from them.

3. Use your local Apple Store, but know their limitations.

Hardware: here's cheer. Software: steer clear.

  • Always buy AppleCare. The peace of mind alone makes it worth the sticker price. Whether or not it's "fair" or "right," Apple makes it so almost any hardware problem can only be fixed by them or a certified repair technician who has access to their parts. The good news is that, with AppleCare, all of those issues are fixed for free (barring accidental or water damage, of course). The bad news is that if an Apple Store can't help you, you're SOL. Get the AppleCare.
  • Software issues are another story. If you come into the Genius Bar with a software issue they will do their best to help you, but their area of expertise extends only as far as macOS does. They are purposefully ignorant of anything to do with Mac/PC integration, and will tell you so if you present them with a mixed environment problem like binding, finding network printers, etc. Most likely, all they’ll be able to do is wipe your machine which, hopefully, you can figure out for yourself. So when it comes to software, know your other resources.

4. Use DEP and MDM.

The Device Enrollment Program and Mobile Device Management are your friends.

  • A Mobile Device Management (MDM) server deploys configuration profiles to all of your Macs directly. A profile is a bundle of pre-configured settings (Wi-Fi, passcode policy, restrictions, certificates, and so on) that gives you standardized control over the machines in your network. Apple really really really wants you to start deploying profiles (really), even if it's just with their in-house Profile Manager. This is the best way to standardize setup and deployment, and the only method Apple will support moving forward.
  • The Device Enrollment Program (DEP) lets you track all of your Mac assets if you buy them straight from Apple, and enrolls them in your MDM automatically during Setup Assistant, before the user ever reaches the desktop.
  • JAMF is the Apple MDM industry leader, and their rates, while not dirt cheap, are definitely cheaper than the cost of hiring someone full time. JAMF Now is their cheapest option and has fewer features, but it may be all you need.

Some admins do bootstrap together a bunch of free options (a combo of Profile Manager, NoMAD, AutoPkg and Munki, for example, would include a lot of the features that JAMF has). The benefit is, obviously, Free.99, but it might be more trouble than it’s worth to figure out how all the pieces work with each other.

Pro tip: Steer clear of a monolithic imaging solution like DeployStudio. Apple has gone from not actively supporting that method to actively NOT supporting it. DEP and MDM are the way of the future (and present).
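As an added example that is not part of the original post (and not NoMAD's or JAMF's code), here is a small shell audit for the states tips 1 and 4 care about: whether a Mac is still bound to AD, whether the logged-in user holds a Kerberos ticket-granting ticket (what NoMAD relies on), and whether the machine was enrolled in MDM through DEP. On a Mac it runs the real `dsconfigad -show`, `klist` and `profiles status -type enrollment` commands; the hostnames, realm and command outputs embedded below are constructed samples so the parsing can be exercised anywhere, and the exact wording of the "unbound" and "no ticket" messages is assumed from typical output rather than taken from the post.

```shell
#!/bin/bash
# Added example: audit one Mac for AD binding, Kerberos TGT and DEP/MDM
# enrollment. Real commands are used on macOS; elsewhere the constructed
# sample outputs below stand in so the parsing logic can be run offline.

# --- constructed sample outputs (domain, realm and hostnames are made up) ---
SAMPLE_DSCONFIGAD_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = design-imac-01$'
SAMPLE_DSCONFIGAD_UNBOUND='Unable to locate Active Directory configuration.'
SAMPLE_KLIST_TGT='Credentials cache: API:12345
        Principal: jdoe@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Jun 10 09:00:12 2019  Jun 10 19:00:12 2019  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM'
SAMPLE_KLIST_NONE='klist: krb5_cc_get_principal: No credentials cache file found'
SAMPLE_PROFILES_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_PROFILES_NONE='Enrolled via DEP: No
MDM enrollment: No'

# binding_status OUTPUT -> "bound:<domain>" or "unbound".
# `dsconfigad -show` prints an "Active Directory Domain = ..." line only when
# the Mac is bound; an unbound Mac prints an error instead.
binding_status() {
  domain=$(printf '%s\n' "$1" | sed -n 's/^Active Directory Domain *= *//p')
  if [ -n "$domain" ]; then echo "bound:$domain"; else echo "unbound"; fi
}

# tgt_status OUTPUT -> "tgt:<REALM>" or "no-tgt".
# A ticket-granting ticket appears in `klist` as krbtgt/REALM@REALM.
tgt_status() {
  realm=$(printf '%s\n' "$1" \
    | sed -n 's/.*krbtgt\/[^@]*@\([A-Za-z0-9.-]*\).*/\1/p' | head -n 1)
  if [ -n "$realm" ]; then echo "tgt:$realm"; else echo "no-tgt"; fi
}

# enrollment_status OUTPUT -> "dep+mdm", "mdm-only" or "unenrolled",
# parsed from `profiles status -type enrollment` (macOS 10.13.4 and later).
enrollment_status() {
  dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
  case "$dep/$mdm" in
    Yes/Yes*) echo "dep+mdm" ;;
    No/Yes*)  echo "mdm-only" ;;
    *)        echo "unenrolled" ;;
  esac
}

# audit_mac -> one summary line. Uses the real tools when present (macOS),
# otherwise the samples, so the script is runnable on any box for testing.
audit_mac() {
  if command -v dsconfigad >/dev/null 2>&1; then
    ds=$(dsconfigad -show 2>&1)
    kl=$(klist 2>&1)
    pr=$(profiles status -type enrollment 2>&1)
  else
    ds=$SAMPLE_DSCONFIGAD_BOUND
    kl=$SAMPLE_KLIST_NONE
    pr=$SAMPLE_PROFILES_NONE
  fi
  printf 'binding=%s kerberos=%s enrollment=%s\n' \
    "$(binding_status "$ds")" "$(tgt_status "$kl")" "$(enrollment_status "$pr")"
}

audit_mac
```

Push it out as a script through your MDM (or Apple Remote Desktop) and collect the summary line per machine: anything reporting `bound` is your migration list for tip 1, `no-tgt` after the NoMAD rollout means tickets are not being issued (check that the Mac can reach a domain controller before blaming NoMAD), and `mdm-only` or `unenrolled` flags Macs that did not come through DEP and will need to be enrolled by hand.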

And finally…

5. Hire a freelancer.

When in doubt, outsource.

If you do have some cash in your budget, but not enough for a full-time employee, consider hiring a freelancer for one to two days a week to come in and do some Mac-wrangling. Most users will understand when you explain to them that you can’t help them today, but an expert will be around to help them on Thursday.

This is just an opinion from my own work experience, but many Apple specialists in particular are open to this kind of job opportunity. A common career trajectory for an Apple admin is to start off by working in an Apple store, and then go into IT. Apple likes to hire quirky creative types who have their own artistic endeavors outside of work and who are more likely to be amenable to a Contractor/Freelance/Part-time relationship. A good tip when hiring: if their LinkedIn page features more than one career, they might be looking for something like this.

With these five tips in mind, you’ll be spending less time furiously googling what the hell SecureToken is, and more time basking in the Feng Shui of a well-organized asset closet.