weave's Journal: My long post to Macslash about businesses switching to macs

I recently posted a long winded opinion over at Macslash in reply to their story, "Switch" coming to a Business near you?.

Reproduced below....

I'm an IT manager, responsible for 2,000 desktops. I "switched" at home to iMac a few months ago (well, not quite switched, added one to my several at home). I love it -- a lot, but I can't see deploying them at work. Why? Well, for one thing, control. Corporate IT is all about homogonizing the work environment, remote management, consistency, standard operating environments, etc.

So, before I would consider advocating any sort of switch, I'd need a Mac to do the following. Note, they may or may not be possible, but the point is, I don't know. Apple is not reaching me if this stuff is possible.

Group Policies: Ability to classify groups of users and machines and then apply policies to them. A policy controls how the machine works. It can tighten control, change behavior or appearance of an app, dictate where files are saved, define file permissions, and even be used to deploy applications remotely.

RIS: Remote Install Service Boot a PC, hit F12 on the bios startup screen, authenitcate to the domain controller, and get a list of install images that can be used on that machine. Select one, walk away, come back an hour later, machine back up to your standard operating environment including all needed applications. No install choices or interaction needed. For those familiar with Ghost, it's not Ghost. Ghost is very limited, where you need a literal image of each install type. RIS allows variations, does all hardware detection, and stores the "image" as plain files on the server, allowing them to be edited or manipulated.

Roaming profiles: If a user logs on to any machine anywhere on the network, their desktop settings and stored files follow them from place to place. This behavior can even be modified as needed through group policies, so for example, if an employee logs into an informational kiosk at HR, it can not roam, but provide a locked-down consistent interface for that one purpose.

Remote control: One thing my support techs are in love with is XPs new remote assistance feature. It's built into the OS. A tech can request control of any user's desktop and watch them work (with the user's explicit permission and knowledge), and even take over control to help them with a problem. Again, who can do this and where can be controlled through group policies. I know there are remote desktop features on Macs, but they are extra cost options per machine. A big extra cost. We had been using VNC for remote control and remote desktop, but scrapped it when we deployed XP. Much better. Remote desktop for servers is a big plus too...

Scripting of administrative tasks: I can script just about anything in Windows through vbscript and interfacing with WMI and ADSI (computer management, directory management). I know apple has Applescript, but I have no idea how extensive and useful it is. (For the record, anyone who claims Windows environments are easier to manage than Unix environments is just plain wrong. Everytime I want to do something that seems simple, like get a listing of disk quotas, you have to jump through so many hoops in Windows by writing a damn vb program to do it instead of a simple unix command or two piped into whatever filter to get the data you need...)

Delegation of authority: Control how much a user or IT technician has control over. I can, for example, create an OU (organizational unit) for a separate part of the company and delegate control of it to their IT staff while still having oversight control of it. They can create and manage users and desktops within that OU but not outside that OU.

I can't stress how important it is for a business to be able to control their desktops. While you may consider this IT nazi behaviour, it's a necessary fact of business life. While Renezvous sounds all nice and happy, I can't have staff just installing hardware devices casually and making them available to everyone. For example, someone gets the bright idea of plugging in a wireless access point into the computer so they can use their laptop to get to the net from an adjoining conference room. How nice for them, and how nice for the intruder sitting in the parking lot with a high-gain directional wireless antennae running kismit to gain access inside my firewall.

So, with that, let's discuss what really sucks about the PC from my experience. The file system is horrible. While NTFS certainly is nice when it comes to fine tuning ACL lists, it's overall weakness is its inability to remove or replace a file that is open. What you say? Unix based file systems have this neat feature where you can have multiple hard links to a file. When you "remove" a file, it just removes a link. If the file goes down to zero links and processes still have the file open, the file remains accessible to them and the final link won't be removed until all processes accessing them go away. can't do that on NTFS. That is why on Unix you can replace system libraries and commands and not have to reboot (although you should stop/restart processes that use them if, for example, the library is a security related issue). On NTFS, Windows, if the file or DLL is in use, must throw it in a temporary area and set up a process so next time the machine reboots, the DLL is copied into place during the reboot. That's why the damn things have to be rebooted so often. Rebooting a server while people are using it is a real drag.

The GUI in windows is too darn wired into the OS meaning a problem with the GUI screws the computer. While the Mac is kind of similar, I can at least boot into single user mode if needed and fix a lot of stuff without having to resort to a re-install to fix.

Windows registry sucks, nuff said.

Most Windows applications just aren't "logo compliant." That means they don't follow the rules making all that happy stuff above possible and that demands kludges. For example, Adobe products just insist on being able to write crap to their program directory and "HKLM" registry (trust me, it's just wrong). Autodesk products are bad too. Their answer, just give your users administrative privileges on their PC. "Ah, no, how about we just use Publisher instead of Pagemaker instead?" These vendors don't package their installers as .msi files that can easily be deployed through group policies either, forcing IT staff to follow a problematic and time consuming process of "re-packing" it.

Well, I've gone on far too long. I just don't think Apple cares. They have a niche market and are happy with it. If they want to get into business, they need to provide solutions and then get to IT managers and let them know they exist. Microsoft has all kinds of migration papers detailing, for example, how one can switch from Apache to IIS. Does Apple have anything like that geared to the Windows IT professional detailing how they can integrate Macs into a PC world and how they can effectively manage them en masse?