The nitty-gritty of policy deployment
Mac management policies, like iOS policies, are stored as XML data in configuration profiles. These profiles can be applied to Macs in one of three ways: by manually creating and distributing them to individual Macs/users, via the free Apple Configurator 2 app; by implementing an MDM/EMM solution; or through use of traditional desktop management suites.
If you choose to manually distribute configuration profiles, you'll need to use OS X Server's Profile Manager to create them, then the resulting profiles will need to be installed manually on each Mac. When opened, the profile will prompt the user to install the included policies. Using this method, there is no fully automated way to distribute configuration profiles without using additional deployment tools. If you are relying on users rather than IT staff to install them, it can be difficult to ensure that they have been installed. Because of this, manually distributing profiles may be the simplest option, but it is likely less ideal, or even viable, for larger organizations.
(Note: Profile Manager itself is an Apple-specific MDM solution that can be used to push policies out in the manner of other MDM/EMM offerings, in addition to creating configuration profiles for manual distribution.)
The Apple Configurator 2 app can be used to install profiles/policies to tethered Macs as well as iOS devices. This provides a straightforward, no-cost solution for ensure profiles/policies are installed and functioning. However, it requires each managed Mac to be connected to a Mac running Apple Configurator 2 by USB for configuration. This makes Apple Configurator 2 an excellent tool for small businesses and educational organizations, which often have a simple set of policy needs, but it's an inefficient Mac management strategy if you need to configure a large number of Macs.
Here, MDM/EMM tools can help, as Mac policies can be applied using the same MDM framework used by iOS devices. As such, most vendors that support iOS management also support Mac management. Thus, they're an enterprise-friendly option, particularly because many organizations already use such solutions to manage iOS and Android devices.
Another option that scales well for enterprise use is the traditional desktop management suite, including both Apple-specific suites, such as JAMF's Casper Suite, and multiplatform suites, such as LanDesk Management Suite and Symantec Management Platform. These suites not only apply policies, but they often offer management and deployment tools. Given the suites' popularity, many organizations often already have such tools in use, or they may find their additional features compelling enough to invest in them (more on these tools in part three of this series).
If you have concerns about the XML-based nature of Mac policies, rest assured: Admins generally don't need to directly create or edit the XML data used in Mac management policies. Most Apple and third-party tools provide intuitive UIs for setting policy options, and they handle the necessary XML creation under the hood. One exception is the Custom Settings policy for specifying settings for installed apps and additional OS X features, discussed later in this article. Configuring Custom Settings will require getting into the guts of XML.
Sign up for Computerworld eNewsletters.