110 comments

[ 2.5 ms ] story [ 194 ms ] thread
(comment deleted)
I know I (as someone in charge of a campus) and others I know in the same position are really considering a migration to Mac

The problem with Windows 8 and Metro is Microsoft's upending things to the point where Windows doesn't resemble its own standard anymore. Windows 8 is as much a culture shift as the Mac would be.

Beyond that just about every corporate app has gone web based at this point. Only the oldest code bases are still Windows (and it's so old that it runs perfectly fine in a virtual box). So there are no apps to keep us on Windows.

So now that the question isn't "should we change" it becomes "which platform is superior" and I think most would choose the Mac in that comparison. I know (as the article says) most users feel that way.

As crazy as it seems we might finally be at the end of the Windows era.

One of the two main cited reasons people prefer Macs was this:

> Many of today's corporate PCs are saddled with management, backup, and security agents that can bog down a PC. Employees want their PCs to boot in 10 seconds, not 10 minutes...They're drawn to uncluttered Macs...

I don't see how this shows superiority of Mac over PC; presumably if the Mac were running this software it would have these problems too.

The difference: when you use a Mac, you don't need that software.

- You don't need to run third party antivirus or antispyware software on the client, only on your mail server (to protect Windows users if you forward Windows executables). OS X has built-in malware protection.

- You don't need third party management software, you can use NetInstall/NetBoot or ARD.

- Using NetBoot also solves the backup problem on the client, even though OS X does have built-in backup and recovery solutions built-in (Time Machine, Versions).

In other words, there are no add-on services needed that would bog down the system.

I'm pretty sure Macs still need to be backed up and managed.

And probably need securing from various perspectives.

I'm also pretty sure that once MacOS starts becoming prevalent in the enterprise, they'll eventually need antivirus, back up agents, and some sort of management agent as well.

How would an IT organization manage the settings on the OS without some sort of management agent?

At what point are we going to get over the concept that Macs don't have virus issues because there's not popular enough yet? I feel like I've been hearing that chestnut for a decade now.

There are already IT management tools for Macs. I've worked at two large companies in a row (25k+ employees) where a large percentage of the company was using Macs (~30% or more) and they both had established management solutions that didn't bork the user experience on Macs. I'm typing this on a managed Macbook Air right now.

As for backups, those agents exist but they're rapidly growing less relevant as the majority of documents and work are either web-based or on servers anyway. If I somehow lost this computer, I'd be bummed to have to do some preferences setup again, but I wouldn't lose any work.

At what point are we going to get over the concept that Macs don't have virus issues because there's not popular enough yet? I feel like I've been hearing that chestnut for a decade now.

Excuse me son, but would you mind standing in line behind those Linux guys over there? They've been putting up with this longer than you have.

Why are Banks known for getting robbed more often than Bakeries? That's where the money is.

The reason you've been hearing about Mac popularity with regards to viruses is because it's true, despite the fact that you'd like to think otherwise.

The fact is that Mac market share is still only around ~15% in the US and much less than that worldwide. That is about triple the market share that they had ten years ago.

Also - Ever heard of Pwn2Own? The Mac has fallen first every year.

"Why are Banks known for getting robbed more often than Bakeries?"

Because of Hollywood movies? It isn't actually true.

Of all robberies in the US, only 2.1% targets a bank. Shops (including bakeries) are targeted far more often, 14.3% of the time. Gas stations are robbed more often than banks, and convenience stores are even 2.5 times more likely to get robbed. [1]

The number of bank robberies is on the rise, but that's not because "that's where the money is". It's because the number of bank branches has grown rapidly, banks have standardized floor plans, and banks have procedures to deal with robbers (= just give them the money). [2]

To further break down some bank robbery myths: nearly 80 percent of bank robberies are committed by one person. 70 percent of bank robbers are unarmed offenders who do not use or even threaten violence. About 60 percent of bank robbers do not bother with disguises; only 7 percent of robbers in Florida did. And finally, more than 80 percent of arrested bank robbers have no prior convictions for bank crime.

[1] http://www2.fbi.gov/ucr/05cius/offenses/violent_crime/robber...

[2] http://www.popcenter.org/problems/robbery_banks/2

It may not be true anymore, but that doesn't mean that Hollywood made everything up about that! Ever heard of Jesse James? The point is...thieves go where the money is.

Okay, so fine you don't like my analogy. Let's fix it for you then: If you found a large oasis in the middle of a desert, would you pass it by in order to find a smaller one?

"thieves go where the money is."

I'm sure robbers do risk assessment. If a bakery has half the cash a bank has but no security and a better escape route, they will much rather rob a bakery.

"If you found a large oasis in the middle of a desert, would you pass it by in order to find a smaller one?"

Alright, let's use that analogy. Which is the large oasis, Mac or Windows?

Windows has a larger installed base. However, most Windows computers have virus protection and Microsoft puts a lot of effort into improving security.

Mac OS X has a smaller installed base, but practically no one bothers with virus protection and security doesn't seem to be Apple's number one priority.

That's why I think Mac OS X is a lot more interesting to cyber criminals, it's an enormous oasis. And yet, there haven't been any attacks of scale -- if there had been, it would be front page news. Perhaps OS X is safer than you want to admit?

No, it's not safer than I'd like to admit just because you don't agree with my analogy. I am relying on empirical evidence, thank you very much.

Are you one of those people who thinks that the Mac has fallen first at Pwn2Own because it's a "nicer" computer that all the hackers want? Because that's not the case at all. It's been shown a number of times that OS X can be rooted more easily than Windows.

So, no I don't think it's "safer" because of anything technical either. Even if it were though, that wouldn't matter. Windows is safe, yet it can be hacked much like any OS.

The only remaining possibility must be true: Hackers don't pay little attention to OS X because too few targets are using them to make it worth the effort.

Windows is the larger oasis (quite obviously to the non-obstinate reader). This is because even with virus protection, you can't protect users from themselves and more users means more chances to try. If a malprogrammer can get you to run a binary, you're done. If OS X were the more popular OS and it were being run by almost every business in the world that utilize computers, then I have zero doubt that it would have the same problem as Windows in that regard.

I don't think that it will ever be a problem though for Apple since I doubt OS X could ever reach the same market penetration within the highly hacker-targeted business and enterprise market. So, people can go on believing what they want I guess.

Wow, so much to respond to...

I'll limit it to what I think is the core of your message:

Why would cyber criminals be more interested in breaking into some empty business desktop, if they can break into a personal desktop filled with personal information like credit card numbers and iTunes/Paypal/Bank logins?

Why don't you just tell me why you think the Mac is safer despite empirical evidence the says otherwise?

That'd probably be quicker than me trying to explain to you why the Mac is worthless target. (Actually a no explanation is typically needed for that since the market share numbers don't lie. I just think you're being extremely obstinate at this point, so there's no way you'll see that. You might as well attempt to prove _your_ point to me since there's obviously no way you'll accept _my_ point.)

"Why don't you just tell me why you think the Mac is safer"

I'll let Pwn2Own winner Charlie Miller answer that for me:

"I'd say that Macs are less secure [...] but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them."

http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254-6....

Thanks for proving my point. It's not _technically_ safer. It's security by obscurity.
A 58 million Mac installed base, more than 250 million iOS devices sold, and you're still arguing obscurity? That's commitment.

http://techcrunch.com/2011/10/04/250-million-ios-devices-sol...

Oh please. Compared to over a billion PCs worldwide? If you are going to build a bot-net, would you really target the Mac? Gimme a break dude.

Considering the vast difference between Windows and OS X APIs; it's quite clear why mal-programmers don't waste their time with OS X. You would have to spend MORE than half your time attacking the Mac for less than 10% of your total attack surface.

The only other argument that has been made in the face of this fact is from Gruber who said: If Macs have 10% of the market, why don't they have 10% of the viruses? That's like saying because I am Nth the size of the sun, I should have Nth the power of the sun. Reality does not work that way. Everything does not have to be proportional and in this case it's crystal clear why it is not proportional.

Would you please kindly concede this point now?

So by that logic, as long as the Mac market share isn't as high as Windows market share, the Mac platform will always be safer.
Yes. Superficial, non-technical safety via obscurity which lasts forever since OS X will never break 10% worldwide usage market share.

iOS might be another story, but smartphone and tablet usage in general is still dwarfed by Windows usage. Despite that, within the realm of smartphones there have been more iOS threats than there have been threats for Windows Phone 7. Shocker? Nope. It's based on popularity.

Interestingly enough, this year's Pwn2Own left the Android and Windows Phone 7 devices undefeated while the iPhone was one of the first to fall. - http://www.wired.com/gadgetlab/2011/03/hacking-android-windo...

Take from that what you will. Ciao.

Macs in the enterprise don't need management, backup or security software? You're fucking around, right?

Even in my personal limited deployment of macs, they're managed by joining the domain and ssh access. They're backed up with a combination of rsync and a home-rolled login hook/git solution. Given the recent malware hitting the internet for macs, our aggressive firewalling already doesn't cut it for security.

Once they're no longer flying under the radar, they're going to become saddled with aggressive business requirements or not be adopted (without AD support, they wouldn't have the limited corporate adoption they already do). As much as you might like to tell yourself macs are free-wheeling will never get that burden, they're already in my directory. Every time a problem comes up, they're going to continue to lose their purity, one GPO at a time.

edit: after re-reading your post and some of the others in the thread you seem to be saying they don't need 3rd party tools. Nether does a windows domain. Sometimes we find we want more functionality though. Apple first parties different areas for the mac, and thats good, but you're still eventually going to need to leave the garden. Frankly their 1st-party security sucks, I'm glad to see they're putting a lot of effort into building up that area of their company, but as far as I'm concerned their current offering is about as good as no security.

> "Given the recent malware hitting the internet for macs, our aggressive firewalling already doesn't cut it for security".

Three odd trojans that need to be explicitly user-installed, rarely if ever met in the wild, and blocked by the daily-updated system are a threat to your über-firewall? I'm not downplaying the recent evolution in the area, but up until now you have to admit it's a dud.

> "They're backed up with a combination of rsync and a home-rolled login hook/git solution"

You do know that Time Machine works perfectly fine on spare bundles over AFP network shares, right? Besides, I wonder if your homebrew rsync solution handles hardlinks correctly in addition to alternate file streams and HFS+ extended attributes. I also wonder what your typical recovery scenarios look like.

> "Nether does a windows domain"

Any Windows computer needs at least an antivirus to combat the daily flow of trojans, and viruses, and worms. (And yes MSE is third-aprty in the sense that it's not there right from the start, enabled by default).

Given the current state of OS X malware, I'd venture to say that the current state of security in OS X is way more than adequate, out to the box.

As for general maintenance, manageability and user assistance, my experience has been such as it is one or two orders of magnitude down from Windows.

>up until now you have to admit it's a dud

The genie is out of the bottle, so that doesn't matter anymore.

>You do know that Time Machine works perfectly fine [...]

Yes, do go on. Lecture me about my environment and my needs.

>And yes MSE is third-aprty in the sense that it's not there right from the start

Not only do you not know what first-party means, if it was bundled in by default Microsoft would be right back in antitrust court.

>As for general maintenance, manageability and user assistance, my experience has been such as it is one or two orders of magnitude down from Windows.

Thats awesome, but I'm really not interested in your pissing contest.

> The genie is out of the bottle

It has been for a long time, ever since around Mac OS 8 where the peak production of Mac malware happened. As Miller said, Mac OS X is not necessarily more secure but it's currently comfortably safer. That does not mean the area should not be watched for any evolution.

> Lecture me about my environment and my needs.

I did not wish to make it sound like a lecture, and am genuinely interested in what your environment looks like and what led you to using rsync instead of Time Machine, and how you overcame the cases I mentioned (if ever you were concerned by them in your use case).

> Thats awesome, but I'm really not interested in your pissing contest.

I'm not pissing anywhere, but you do seem pissed. If anything, your environment and needs, just like mine, are anecdotal.

In point of fact, I run no regular antivirus on my windows machine and have had no viruses ever. I verify this with a boot scan. It's not about macs vs PC's it's about user savvy and market penetration.
> - You don't need to run third party antivirus or antispyware software on the client, only on your mail server (to protect Windows users if you forward Windows executables). OS X has built-in malware protection.

I hope you realize Apple itself runs antivirus for their corporate MBPs... likely because like any monoculture, any viral malware could cause disastrous results.

I hadn't heard this. Can you describe what they do in more detail?
Pretty sure he can't

  Apple itself runs antivirus for their corporate MBPs
Not AFAIK. Certainly not within engineering.
> OS X has built-in malware protection.

That's not really true. OS X doesn't generally suffer from malware purely because there isn't much Mac malware out there. It's only difficult to get infected with malware because it's difficult to find the stuff. But it's actually pretty easy to write the stuff, if one were so inclined.

Just a nit: OS X does have very basic built-in malware protection in the form of File Quarantine.
> The voice of Windows in the enterprise discovers that Mac users are more productive

Because the standard-issue corporate Windows laptops are locked down, running Windows XP with IE6.

I find myself agreeing with their recommendation, even though I disagree with their rationale.

Agreeing to let "HEROES" use Macs in an enterprise (and dear god what a terrible term, as if us Mac users weren't smug enough) seems to be basically capitulating to entitlement.

At my last company, when Mac OS X first shipped, I wanted to try it out, so I bought an iBook (the cheapest entry to the world of Macs, in case I ended up not liking it). People in my office were horrified, and I was forbidden from attaching it to our network (lest its cooties infect our other systems).

Over the course of about 6 months, I was eventually allowed to connect it. I had a coworker who continuously ran a vulnerability scanner against it, telling me that if it ever found anything, I'd have to remove it from the network forever (the handful of unpatched Windows boxes on the network weren't a concern, apparently).

Within a year, there were four or five other Macs in my group. Within two years, every single person had one.

At my current job, after complaining for two years about how awful my P.O.S. Dell laptop was I got an email from my boss about a month ago. It said "We're getting you a new laptop. Do you want a Thinkpad T520 or a Macbook Pro?".

I thought he was messing with me at first, but no, it turns out Macs were now OK for us to use as testing laptops.

I will say that in 11 years of going on-site to clients to do security assessments, I have only once encountered a company that had a non-trivial amount of Macs on their network. Over the years, I'd run into a graphic arts department here or there that had a few Macs, but in general, they were a rounding error for the large enterprise clients I deal with.

...seems to be basically capitulating to entitlement

Entitlement to use choose your own tools? Gasp.

I think the underlying point the article's taking glancing blows at has plenty of merit, they just failed to do it bluntly enough. I think there's likely a high correlation between highly productive employees, and people who could care less about IT bureaucracy. I don't think it has anything to do with Mac users.. it's just that Windows users in this position are less affected, and through this lens.. less visible.

Entitlement that the rules put in place don't apply to you, because you are some sort of prima-donna superstar. I find that worrisome. It can bloom into pretty ugly (and moderately damaging) behavior.

I've worked for clients who have certain divisions which are the super-stars. I think the better approach is to evaluate why you have all these policies, and if they are actually doing what you think they're doing.

edit: Rereading this makes it sound like I'm calling the parent a prima-donna, which isn't what I mean (I'm referring to the people within an enterprise who decide that because they feel more productive on a Mac, they can just bring one in from home to do their work and circumvent all of the policies of IT.)

At the risk of forcing a square metaphor into a round analogy, it's really important in the Army that people follow orders. Even if a small group of them think they can be totally more productive by doing things their own way.

Enterprises aren't really set up to optimize for increased employee productivity, they're more likely to be set up to limit decreased productivity. I think this is one reason that people seem to like working at a startup, because you get to not have all that dogmatic bureaucracy.

If these HEROES in four or five years now suddenly decide that they'd be even more productive if they lugged in SGI O2 workstations from home to do their work, an enterprise has to be able to say "yeah, sorry, you can't do that."

But as to more Macs being deployed in enterprises, I'm all for it. It'd give me new things to break into.

No worries about it sounding like the prima-donna comment was aimed at me. I've certainly fallen into the category of people you've applied it to.

At this point I'm sure I'm not remotely fit for The Enterprise, though I've worked in plenty of them. It's not that I've ever thought that the rules put in place don't apply to me.. it's that I've placed a higher priority on other objectives of the company (like getting work done).

IT policy at most corporations I've worked at is completely inarguable. In my experience it's very difficult to get a reasonable accounting of cost/benefit when it comes to making almost any change in policy... in part because productivity benefits like the ones I feel I get from my choice of tools are hard to measure, and in part because I don't think I've had the experience of working anyplace where the IT department charged themselves with making other people's jobs easier/better.

I think job function matters too. Programming is a craft. Good craftspeople are ridiculously passionate about their tools. If you walk into a nice auto-mechanic shop, the racks of tools against the wall are owned and paid for by the mechanics. I imagine that's not the case at the Jiffy-Lube, but you're we're probably talking about people at a different skill level. Good craftspeople in any industry end up in a relationship that's closer to independent contractor, or even peer with the organization they work for. That's happening in our industry, and I think it makes sense to look at functions that provide friction for those people, because it will become much harder to hire them.

For what it's worth, I totally agree with you. I'm presently trying to extricate myself from a large enterprise.

I'm not necessarily a gung-ho "startup good/big company bad" kind of person, but purely from an "asymmetric effectiveness" standpoint, it's easy to see why people think large enterprises are a relic of last century. In many ways, it seems like they're designed to just continue treading water until the lake evaporates, rather than trying to swim to the other side.

Totally. I'm not on one side or the other from an idealogical standpoint.. it seems like there are some large organizations that do enough good with their size to make up for the downfalls that come along with it.. I just haven't been at one of those.

With respect to functions like IT, I'd imagine the department needs to do what other functions in a large organization do in order to remain effective and useful... decompose.

It seems like distributing things like risk management, and the security of assets among parts of the organization effectively gets the organization closer to looking like a bunch of smaller, more effective organizations who collaborate... and mitigates risk. The idea of a monolithic IT function in a giant organization providing more safety than a distributed version of the same idea seems on it's face a misplaced comfort.

Then again, I'm really not someone who knows enough about what it takes to run an IT department to be suggesting such a thing.

Even if a small group of them think they can be totally more productive by doing things their own way.

Hence the proliferation of units under the "special forces" banner. How many do they have in the US now, regular SEALs, SEAL team 6, Rangers, Green Berets, Delta Force, Marine Recon, those guys in the boats (SWIK or something), the USAF has like 10 special forces units too.

Productivity trumps protocol, every day.

As someone currently doing a "pilot" of a Mac in a highly corporate environment, I can say it's not exactly just IT. There's realms and realms of support groups that get to sign off on "authorized" network equipment, and when you bypass them it's the equivalent to a histamine reaction. I never met anyone in IT who disliked Macs completely and totally, just management.

We had one specific storage group that "only supported Windows," despite the storage pool being a Samba process on Linux and all of the core devs using Macs (they had shell account access, so never encountered this). The dev who supported the share outright refused to add the "unix extensions = no" to the smb.conf file (that fun bug). Right now I actually run a little CentOS VM to mount the share with the "nounix" option, then SCP in.

So, even once you get the platform, it can be a major struggle to have other groups support it.

Wow, with attitudes like that to deal with, it's a wonder anyone can get any real work done there... I can't imagine having to jump through all those hoops just to mount a drive.
I work at a large tech company, and we've embraced macs for the last 2 years or so.

The macs are still more expensive than the standard company issue, but they are able to offset the cost by offering 0 IT mac support. If you're wanting to go off the beaten path, fix your own issues. There are internal wiki's where the mac enthusiasts pour time into other people's issues, and a general word-of-mouth troubleshooting culture.

From the context of the conversations I've heard, I think the major hurdles are around security, support, and hardware costs. Before I'm jumped for implying less security with macs, it's still centered around the ability for the enterprise to control virus scanners, DLP, workgroup rights, generic company control, etc. Whether the operating system is more/less secure is still a religious argument - my guess is more IT staffs consider it less secure however.

Which leads to an interesting question - since the user experience has lead to a large enterprise install base, when does Apple start prioritizing business needs? Admittedly I'm not an apple user, but I haven't seen any indication that's it's even on a list. I imagine I'm incorrect.

I work in a small enterprise and Macs have slowly taken over and especially now that Macbook Air is out the mobile users are almost exclusively Macs. Some of the things we found were Virus scanners didn't really work on Macs. They predominantly scanned Word documents for virus macros so we dropped that requirement and pushed scanning onto the network. I guess workgroup rights work for us. We aren't very large so having lots of hierarchical rights doesn't make sense. One of our founders still hates OSX but found the Macbook Pro to be well designed, so he's gotten that far.

Security is a bit of a strange one. We have some clients where we can only access their network using a cardkey or thumb scanner. I still haven't figured out how to do this on a Mac. Apple used to go after the Enterprise market in the early aughts but I think Jobs just didn't care about it. Preferring the consumer and education markets instead. I don't blame them, if you look at Microsoft they were keeping a dead browser going because enterprise clients kept throwing money at them to support. To me, some enterprise software is just badly written and since the company has a lot of money tied up in using and supporting it they want their vendors to also support it. This is something, I doubt, Apple is willing to do.

Damning.

Upon seeing this, I thought pg had editorialized the "Hell freezes over" bit of the headline, but no ... that's the actual CNN headline.

I'm not sure what their 6 recommendations were for preparing for the transition, and I'm unwilling to pay $499 to find out, but I hope one of them deals with the horrible pain in the ass that is Windows File Sharing.

Macs really do not like Windows shares, whether in an AD context or a workgroup context. While some seem to work without any trouble, others have frequent issues with logging in, with browsing, with refreshing, with permissions. It's very frustrating for the users, and frustrating for those in IT support positions who are faced with annoyed users on one side and inscrutable black box magic on the other.

My experience has been that Windows doesn't really like Windows shares either. Ever tried to create a network with a few Windows 2000, Windows XP and Windows 7 computers? I couldn't get it to work. Instead, now those Windows machines simply access my WebDAV running on Mac Lion Server.
You're kidding right? Windows file sharing is trivial to set up.
Between different versions of Windows? No, it isn't.
Well, certainly between anything that owes its heritage to NT it is. I have win2000, 2003, XP, and 7 all playing very nicely together, and I cannot recall any issues with setup or maintenance. Compare that with getting a Mac to print to any printer that wasn't specifically designed with macs in mind... torture.
Which printer manufacturers don't make drivers for Macs? I don't know of any. Even really old printers from the pre-OS X era work fine, because of CUPS and Gutenprint. It's plug and play, the drivers are downloaded automagically.

http://support.apple.com/kb/ht3669#Gutenprint

The ones that I have had the most "See Note 7"* moments with have been large multifunction workgroup printers that you would find in any office - of varying manufacturers. these printers all claim to have mac drivers, and generally these claims are terrible, terrible lies.

*Note 7: This will not work.

Completely agree. One color laser MFC we recently replaced had a scanner that could only be used over the USB port for Macs but over ethernet for Windows. The workaround we found was scan to email which tended to be more reliable for Mac and Windows.

Now we have a new hotrod HP MFC that does everything and supports iOS and Android. It was also 1/3 the price.

Em, parent was talking about printing, not scanning...

I have yet to use a printer that OS X Lion can't find a driver for.

The parent was talking about the MF part of a MFC printer being nonexistant for the Mac. Hell any printer with a USB port will work on a Mac. Any $50 printer can do that. But when you spend $200+ on a network MFC most come up short on the Mac side.
I was referring to the following:

"Compare that with getting a Mac to print to any printer that wasn't specifically designed with macs in mind... torture."

Like you said, printing is not a problem in OS X. As for the other functions of a MFC, I agree: it's hit-and-miss. But that wasn't what OP was complaining about.

Printing is no picnic either, as any cursory browse through discussions.apple.com, support.apple.com, or any of the many mac-centered tech forums will attest. Here's a few examples, by no means exhaustive:

https://discussions.apple.com/thread/2776655?start=0&tst... http://ask.metafilter.com/79984/Need-help-printing-to-work-p... https://discussions.apple.com/thread/3137602?start=15&ts... https://discussions.apple.com/thread/3193803?start=0&tst...

And any search for "<<printer manufacturer>> mac not working" will produce scads of results, often taking you to discussions that are dozens of pages long with people who can't print from their macs to any number of printers. This is a real problem, not a figment.

That's proof that there's a lively online Mac community, nothing more.

Guess what? Any search for "<<printer manufacturer>> windows not working" will also produce scads of results, often taking you to discussions that are dozens of pages long with people who can't print from their Windows PCs to any number of printers. The same can be said about most GNU/Linux distributions.

The only support forums where no one complains are those of products that no one uses.

I was responding to this:

> It's plug and play, the drivers are downloaded automagically.

and this:

>Like you said, printing is not a problem in OS X.

This is obviously and clearly not true, but you seemed to need evidence which I provided. In addition, in my experience the compatibility of macs and printers is far worse than windows and printers.

I'll have some of what you're smoking, while choosing CIFS in reality every time given this choice. WebDAV is a wretched, bulky protocol, and the world has been letting it die out for at least six years now.
I've heard in the past one theory for IT departments favoring PCs (besides all of the pro-PC marketing aimed at them) might be that the Macs are very cheap to administer and thus don't require much IT support.

I thought this was an interesting response to this news, over at the AppleInsider forums:

"I work for one of the largest corporations in the world. Surprisingly, they don't do anything to block access to network services, but they don't necessarily encourage other platforms either.

I work on a team of 23 people. The company provides Dell or HP laptops running XP or Vista (Windows 7 is still being 'evaluated'). These laptops would cost a normal human about $600, but for some reason my company leases them instead. We pay about $150/month (if memory serves) over the course of a two-year lease term. You do the math...

Four years ago I paid about $700 for a Mac Mini. I run Office 2011 (and previously ran 2008 and 2004) for Exchange Server connectivity. I occasionally use Word and Excel, but generally prefer Pages and Numbers. For presentations I exclusively use Keynote (PowerPoint is a festering pile of poop). I am a systems admin who supports applications running on both Unix and Windows 2008 Server machines. For Unix I use iTerm and X11, and for Windows 2008 remote server administration I use the RDP client that comes with Office.

My computer currently has a monthly ownership cost of (700/48) about $15. One-tenth that of my laptop. In the past four years I've had exactly zero minutes of unplanned downtime, while every single one of my 22 peers have had their machines out for days at a time for reimaging due to OS corruption, most of them more than once.

The downside is that the $150/month in lease charges covers hardware service. Still, since over four years the cost of ownership is $7200 vs $700, the company could replace my Mini six times over four years and still save money, not taking into account the money saved from productivity.

Executives who don't consider using Macs are simply bad at math."

http://forums.appleinsider.com/showpost.php?p=1975818&po...

With a solid/easy backup system like Time Machine, don't even need a proper service plan:

* Buy an external HD, set up Time Machine.

* Keep an identical spare Mac.

* If you're paranoid, buy a second external HD; rotate it and the first drive for TM backup every week-ish (keep the inactive one next to your spare Mac)

* When the Mac dies; toss it, get out the spare, plug in the TM drive and restore. Totally back in business in an hour or three. Buy another spare.

So, uh, your backup strategy is "buy two computers for every employee?" INteresting, but hardly cost-effective.
Just as effective as leasing $600 machines for $150/mo
In other words, not effective at all? Yes.
Over the course of the 2-year lease, they pay $3600 for a $600 machine (according to the OP).

Let's assume his math is way off. It's a $1000 machine, and it's only $100/mo for 2 years. That is still $2400, 2.4 times the value of the hardware.

I fail to see how the proposed solution could be any LESS cost-effective.

This also is only discussing raw costs of equipment, and not employee downtime. You could likely recover an employees productivity in HOURS instead of DAYS.

Seems like a great solution overall, which is most likely why it would never be implemented.

For an enterprise you can do time machine to a lion server connected to your big storage. Then just keep a few spare machines like you would for your PCs.
You only need two computers for every employee if you expect an event where all employees will need to swap out their computers at once. On a personal level, you would need two, but on a company-wide level you don't need that absolute redundancy.
Nowhere did he claim "two computers for every employee". Like any company with centrally managed IT, it'd be wise to have hot spares of any and all hardware. That doesn't imply "buy 2x of everything!", it means to prepare for failure and minimize downtime (of any hardware) by having spares that can be quickly swapped.
Well, I certainly looks to me that that is what he was saying, and given the opportunity he did not back away from that position, he doubled down on it in his response. So, downvote away I guess. But the whole thrust of this argument seems ridiculous to me. There is nothing special about macs that enables this strategy, and it's a stupid and expensive strategy that gains no benefits over a standard backup routine.
> These laptops would cost a normal human about $600, but for some reason my company leases them instead.

For some reason the corporate world considers money spent in big blocks to be a different kind of money to that spent over an extended period of time. Unless they have a really good interest rate on their bank accounts I have no idea why, but spending more money in smaller amounts over an extended period is the holy grail.

It's always about accounting and/or externalizing risk.
If you buy a computer, it becomes a company asset and, from an accounting PoV, the money was not "spent". If you lease it (and give it back at the end of the lease) you only had expenses (and, from accounting's PoV, money spent).

Various factors may make one option preferable to the other. Taxes, executive bonuses etc.

If part of the yearly bonus is tied to investing less in infrastructure, an exec may opt for leasing hardware. OTOH, if the bonus is tied to lowering expenses, the exec may consider buying it.

I work in an almost exclusively Mac shop (an agency) and to say that they don't require much IT support is laughable. The worst part is that when they do require support, it is much more involved than with PCs.
So which is it?

IT bans Macs because they want their job to be easier and intentionally cripple users to that end.

IT bans Macs because they are so easy that less IT work would be required.

I've seen both views presented, but they seem mutually exclusive.

I don't think those are mutually exclusive.

A lot of IT shops are accustomed to crippling the computers they manage, as a way to reduce need for servicing individual machines. Macs might not fit into that existing workflow, which make them appear harder to support. Just the prospect of having to loosen their policies incites all sorts of doom scenarios. Macs may be easier to manage, but it takes a brave IT manager to actually try it.

Also, many IT managers have dozens of Microsoft certificates, but little knowledge of Mac management. Noone wants to aide in their own replacement. It would be like John Henry suggesting the use of steam powered hammers.

I've heard in the past one theory for IT departments favoring PCs ... might be that the Macs are very cheap to administer and thus don't require much IT support.

If true, that's a mighty dysfunctional IT department.

Perhaps it's the company I work for: if there was a desktop machine that was cheap and required little support, we'd be all over it.

  It's quite a turnaround for the voice of Windows in the 
  enterprise. If you're not a Forrester subscriber, you can 
  buy the report for $499 here.
Four hundred and ninety nine US dollars?
Their business model is a different one. Instead of giving it away for free, and going for a million views and thus ad revenue, they're going for a hundred purchases by Fortune 500 companies. It's the reason there are books out there that cost $4000.
No, they're going for corporate subscriptions (in which case everyone in the company gets access to everything they write), but if you really, really want to read it, you're welcome to pay a punitive fine for not subscribing.
51% allow access to web-based email? 37% allow internet access? 19% native email?

I've been in IT for 12 years, I've never seen anyone endorse blocking Macs from any of these. 49% block Macs from webmail? Difficult to imagine a situation where these would be a problem. Maybe super paranoid eavesdropping management?

I think the key phrase here is "employee owned Macs". They don't say what the equivalent results are for "employee owned Windows PCs", but I'd bet they're in the same ballpark. And when they say "owned" they really mean "administrated", meaning the PC isn't part of the corporate domain and subject to corporate Group Policy.
Ah so that falls under the umbrella of expectations of IT.

E.G. someone brought a machine from home one day and proceeded to work on it, then had a failure and lost "business critical" data. Then management chewed out IT with questions like "How could you allow someone put our data in that situation!!!", "What could you have done to prevent this!"... Hence IT Policy: no personal machines in the building.

To anyone else in IT; here's how you avoid that situation, and the resultant policies. Audit your connections, or have an inventory tool which will let you know when new MACs (the NIC addresses) are seen. Then follow up with a polite email to $PersonalDeviceUsers's Boss detailing what you can/can't offer service wise. So long as everyone understands the situation ahead of time (in writing), you'll avoid having to write such policies later.

How do you propose to identify the user associated with an unidentified new MAC? Is there some way that isn't tremendously labor-intensive?
If they are on ethernet smartswitches can do it for you (you only need to know where it terminates). If they are on the wifi then some devices will display their nmb name (for example "Joe's Awesome iPhone(FE-2A-FE-FE-FE-FF).
If they are connected to a share already... done. Just let the list of open sessions tell you what username is associated.

Alternatively dump the FDB on the switch. Really easy if you use voip phones with downstream connections to the computer. Then you can lookup which phone MAC is associated and call it.

Depends on your environment but once you find a method. Write a script and tie it to the new MAC alert. So the report would look like. "New device on switch x port 6 given IP y.y.y.y and logged into shares under z."

And this is why employees hate their IT department. Instead of helping them do their job better they dictate and put up roadblocks so IT guy has an easier job.

1. If business critical data is lost this is your fault because those backups should have been performed regularly, throughout the day. 2. Unknown devices on the network should have automatically been switched to a DMZed network. If they want it on the corporate network they'll email you and ask how to do it and probably tell you why as well. People bring in all types of devices not related to work; cellular hotspots are one example. 3. Going to the user's boss is just an asshole move. If they are causing trouble, yes by all accounts go ahead. But from an outsider it looks petulant.

>Instead of helping them do their job better they dictate and put up roadblocks so IT guy has an easier job.

Oh yes, I forgot. IT budgets are infinite and supporting all existing business computing requirements on any foreign device that show up takes zero time.

There is a world of difference between not supported and not allowed. If you don't support it then don't support but there are some places that are actively hostile to anything but windows.
>There is a world of difference between not supported and not allowed.

Allowing any foreign device, even if unsupported, is a serious cost. Not supported but still on the privileged network (or on the guest net and hooking into any privileged resources) is a HUGE security threat. Especially in areas like ours where make or break comes down to our ability to protect our trade secrets. Malware running on a non-privileged account on a personal computer is still a serious data exfiltration vector. Frankly on our network, not supported is the same as not allowed.

>If you don't support it then don't support but there are some places that are actively hostile to anything but windows.

Actively hostile to anything but windows, or actively hostile to anything they haven't prepared for, which just happens to be windows because that's what business needs demand? I've known admins who only support windows because its all they know, and admins who only support windows only because that's pragmatic for their deployment. Theres a big difference, and if its the former and it bothers you, vote with your feet and fucking quit dude.

I think we have a tone mismatch here. For instance if a user brought in a Mac the email would be something like "Hey, just saw $newdevice connected to corpLAN. Remember that all company data needs to be saved to a share in order to be properly backed up. Also here's what you'll need to connect to email etc..."

1. Backups are performed regularly on devices I have control over. If someone stores their info on a personal usb flash drive and loses it what should I do?

2. So you're advocating an automatic kill of any unknown devices and then calling me a obstacle? "If they want it to work then they will call me". Does that sound helpful?

3. It's not a complaint, just information. The boss is responsible for that employee and would expect me to know when devices change. If the manager doesn't approve of personal devices that's between you and him. Most bosses don't have a problem.

I'm trying to be helpful towards other IT people with methods I've learned to allow the users to BYOD while still managing expectations. Your response is "this is why everyone hates you! Because you won't do things the way I think you should have!"

Sorry I might have been mistaken then. I've been both user and admin of the IT department and the amount of bullshit handwaving that comes from some of them is infuriating. I honestly believe that 25% get their jobs through nepotism because there is no way that IE6 should still be a requirement for any PC.

1. I share the same view. Once it leaves the network you're on your own. I encourage our users to backup to our servers because storage is cheap and if they are going to be using it for work might as well.

2. DMZ doesn't mean killing it just means your unknown device has a connection to the internet and that is all. Some users just want to bring in an iPad and aren't looking to get 802.11x certificates, 26-character WPA passswords, etc.

3. Unless someone is being a nuissance on the network I try not to get involved and even then I fire off an email directly to shut them up.

I work for a software company so most users are really computer competent so I haven't encountered the "problem" user that most IT workers love to make fun of.

Mac Bauer. Power hour. Could'nt help the JB joke. Microsoft has bit of a Fort Knox within enterprises.
Uh, hey Forrester, the real "HEROs" are the ones that take a couple of hours on their own time to streamline a bloated Windows install rather than wasting company resources to get a Mac working in a primarily Microsoft based infrastructure.
In The Enterprise, there's often no way of streamlining your own install. Users often a) don't have the administrative access necessary to remove the bloatware, and b) wouldn't dare uninstall "critical security applications" installed by IT. Sometimes the only way to escape the protocols is to put yourself in a situation where they can no longer be applied to you.
My recommendation: Never trust a recommendation from Forrester.
Do they do actual research? I thought they were purely a PR instrument based on their past recommendations.
I wonder how much of the advantage of startups vs. BDCs is using Macs as desktop/laptops, vs. windows. Probably not as much as using Linux vs. Windows for servers, but still a big advantage.

I'd have a hard time working anywhere which required a windows desktop and blackberry. I could tolerate it as a consultant if I had a consultancy-provided iphone/android and mac, with client-provided onsite windows stuff, but that's about the limit.

I would support OSX more if I could get better support from Apple. I have two identical MBP's in my office -- and following the same steps, one joins the AD Domain, and the other one refuses to join the domain. Apple's support? Clueless, and refers me to the community support -- which doesn't have a definitive answer or any real help.
Most enterprises have a very strong culture of maintaining status quo as extensively as possible. Especially in IT departments. Even big software enterprises rely on 5-10 year old infrastructure software (such as Exchange 2003) which was released during the era of Windows domination. It doesn't help that some of the software is web based because even that is often made for Internet Explorer only.

Nevertheless Mac's are actually spreading in enterprises. Not from top but from bottom. Officially unsupported, but with a help of VM software such as VMWare Fusion there are no problems using legacy stuff.

I work for one of the biggest corporations in the world, and I can see the acceptance of Macs creeping in. There is at least active support for using Macs as terminals for Windows virtual desktops. That said, it's still a long way to go so it would be nice to see these things speeding up.

The quote "For the same reason they wouldn't wear cheap shoes and a bolo tie to meet with Lloyd's of London to insure their cargo ships and cranes" gave me a giggle. Hell is certainly freezing over, because it's now more of a case of Lloyds of London having to rely on the tax payer in jeans to keep them afloat.

I also worked for a big corp recently where IT would not issue a Mac to anyone unless they worked in a "creative area". Some of the Intranet tools were strictly IE-only too, as in changing your user agent to IE didn't help you at all.

The silly part of the Windows-only IT policy is that it's intended to simplify IT support when in fact every week IT would broadcast alerts "EMERGENCY: Everybody must stop what you are doing and run this urgent security update!!!" That was a weekly ritual. Not to mention "New version of Office! Please install it!" ... two weeks later "Office update! Please install it" ... and so on.

So glad to be back in a Mac world.

You worked at a company with a dysfunctional IT department. In non-dysfunctional IT departments, security updates application patches are installed automatically without user intervention.
I work at a large government IT organization. We were way ahead of the curve on this trend -- we did a POC deployment in late 2008.

There are real issues with Mac vs. Windows in an enterprise for many categories of user. We found that some Executives and some knowledge workers LOVED them. All Unix admins and most web-dev types loved them. Why? They weren't using line of business applications, and either didn't have many meetings, or had an admin who handled scheduling on their behalf.

We did not end up deploying Macs more widely, but the POC boxes are still in service. I love my Mac.

Real issues:

1. Apple is unpredictable with respect to patching. Known, material security issues may lay dormant for months with no patching. Apple prefers to rollout lots of fixes at once (ie. instead of a security patch, they roll up to 10.x.y) which often break things. This is a problem if you have to rely on ANY non-Apple software.

2. Apple is unpredictable with respect to product lifecycle. Want to roll out 500 iMacs? You had better pray that they don't arbitrarily cancel or (worse) change your order because they are announcing a new product. When Apple releases a new product, the old product ceases to exist.

3. Identity integration is poor. Integration with LDAP/Kerberos or AD is unreliable and undocumented. Unless you can use tools with a different model for authentication (ie. Dropbox), simple things like filesharing are unreliable. 3rd party tools help, but that creates a new problem. (See point 1)

4. This situation improved when the new MS Office, but Exchange support sucks. Even with Outlook for Mac, calendar functions suck.

5. I don't think that Apple takes security seriously. "Viruses" are becoming increasingly rare, even in the PC world. The types of threats that are out there are different in many ways. People in the Mac community have a really bizarre outlook on security.

6. Apple doesn't give a flying leap about enterprise IT. They know that Microsoft jumps through hoops to keep Bank CIOs happy, and that keeping those folks happy comes with a cost (10 year product cycles, IE6, etc). Apple's ability to tell enterprises to screw off is both an advantage and a disadvantage. If you're a proponent of large-scale adoption of Macs in an IT org, you are taking a big professional risk.

Overall, I think that it's great that people are looking at alternate platforms. But don't pretend that Apple is a silver bullet -- Apple doesn't love you back, and will make you cry.

Very well said. You outlined everything that I've noticed and discussed with our IT team (who support a large number of Macs). Needless to say, they have come to despise supporting Macs.

And, yes, Microsoft Outlook for Mac is a horrid POS.

That said, I love Macs but I'm not in IT support and I completely understand their pain.

I'd kill to have Mission Control, Spotlight and Quicksilver at work. I haven't found great Windows equivalents.
The reality isn't as bad as it sounds here. According to the same source (Forrester) 32% of personally owned PCs aren't allowed on the networks either (vs 41% for Macs).

So an only 9% difference seems pretty reasonable. It may not be what we want, but given limited company IT resources, it's almost surprising the delta is that low.

The biggest barrier to entry for the Mac in the corporate world is SAP. SAP GUI and the additional products it runs like the reporting tools (Bex) just cannot be run on Mac. The SAP GUI only works on Windows and in theory is supposed to be supported on Mac through Java and HTML equivalents, but in practice they don't work.

SAP is so ingrained into corporate IT that unless SAP themselves decide to rewrite everything (unlikely) I can't see PCs being replaced any time soon.