Since I don’t deal with group policy management in Windows or OS X on a daily basis — and definitely never have to the extent of some of our resident IT professionals among the readership, I figured I’d open this question up to you guys. Patrekur writes:
In a corporate environment, group policies are really important. Microsoft’s group policies are very advanced, and with them, you can control almost everything in your network’s ecosystem. You can force the wallpaper your users will see on their desktops; you can decide which theme is being used; you can force users to use the old-fashioned Start menu; you can decide which items are visible in the Start menu and the Configuration Panel; you can define options for Internet Explorer; you can permit access to directories outside of a user’s own directory; you can permit access to external drives, USB keys, and connected mp3 players. Well, the list goes on and on and on. You can limit — or permit — almost everything.
I’m wondering if this is also possible with OS X. A few years ago I worked as an intern at a school. This school had just bought its first MacBooks. The principal of the school was a Mac user, so he decided the school had to switch to the Mac. The IT department was only trained for Windows and didn’t know anything of other operating systems. That’s just the way it is: IT education isn’t IT education, but IT education is just a synonym for Microsoft education. When you get your certificate, you should be able to implement IT products and solve problems with IT products, but this is only true if the company you work for uses Microsoft products. You learn absolutely nothing about other products and, when following IT education, it’s like other operating systems don’t exist.
When I started as an intern, I had already completed my IT education. The internship was the only thing left to get my certificate. So I started working as an intern at a school and this school just got its first MacBooks to implement. I took my place behind a MacBook and I thought: “WTF? How do I right-click on these things? There isn’t a right mouse button.” Followed by: “WTF? How do I even scroll on these things?” Apart from an internship of a few months, I completed my IT education and couldn’t even perform the most basic tasks on a MacBook. The other people in the IT department also never worked with Macs, so they had the same problems. We were only trained for Windows.
On the first MacBooks we implemented, we set up local user accounts that were limited with parental controls for the kids to use, but our options to modify these controls were very limited. For example, we were unable to disable the webcam. Yes, we could restrict access to Photo Booth, but the children just went to a website and the website could access the webcam, so the children were still constantly playing with the webcam. So we blocked this website and that website and another website and then started running IM apps from a USB key and using the webcam within these apps.
The only way we found to truly restrict access was to remove the read access from the driver for the webcam. I just changed the permissions on the driver using the Terminal so OS X didn’t have the right to read that file, so the driver couldn’t be loaded and finally the webcam didn’t work anymore. Well, until Apple released an update for OS X. When the update was installed, it also fixed the “problem” with the webcam driver. So every time Apple released an update, I had to run the command to disable the webcam on every MacBook!
During my time as an intern at this school, the IT department didn’t have an Apple Server and just started implementing the first Macs. I’ve heard it now uses Apple servers, the people in the department have had education for OS X and OS X Server, and Windows is almost completely gone.
I’ve heard about Apple’s Workgroup Manager. As far as I know, it should be possible to use Workgroup Manager to distribute policies, but I haven’t been able to find any information about how powerful these tools are. Are they as powerful as the group policies in Windows? Of course, my first question is: “Is it possible to disable the webcam?”
Is it possible to make groups like “students,” “teachers,” and “managers” and then restrict the use of webcams for students, restrict the use of all the apps in the Utilities folder for all three groups, force the wallpaper of the school to everyone, force what the Dock looks like, and restrict access to System Settings?
When a new teacher starts working at the school, you make an account and then he can log on at every Mac at the school and he gets the policies for teachers. People are very satisfied about this teacher, so he’s promoted to a manager function. In Workgroup Manager, can you just move his account from “teachers” to “managers” and from that moment he’s allowed to use apps like FaceTime, which others can’t use. Is this possible?
When working as an intern at the school, I fell in love with Mac and I immediately bought a MacBook myself when I finished my internship, but I’ve never worked with OS X Server and Workgroup Manager. Now that (in the opinion of many) Microsoft has completely botched Windows as a desktop operating system with Windows 8, I’ve started to wonder: “Will Apple gain market share in the corporate market?”
In my opinion, you just don’t want to put a PC with Windows 8 in a classroom or on the desk of a secretary or an account manager. How can someone be productive on an operating system like Windows 8? I think Apple could really increase its market share in these environments. These are places where people need to be productive, and in my opinion, that’s just not possible with Windows 8 — but it is possible with OS X.
As far as I know Windows has the big advantage of the very powerful group policies, but I’m not 100% sure. That’s why I’m wondering how powerful Apple’s group policies are. Can they compete with Microsoft’s? In a corporate environment and places like school, you really need good group policies to prevent your employees or students from using the webcam or playing games all day long or even destroying your systems by deleting important files or doing other things in the Terminal.
I don’t know how powerful Apple’s group policies are, but I think it’s certainly needed for companies to switch to the Mac. I think now that Microsoft has released its counterproductive Windows 8, this is the time for Apple to concentrate on the corporate market and schools. If the group policies aren’t that powerful yet, this is the time to get them on par with Microsoft’s group policies and invade the corporate market and have companies and schools switch to the Mac.
How do you feel about these assessments? Can an OS X system compare with Windows for setting up and maintaining group policies? Please leave a comment (or two) below!
Image: from Keeping Fit All the Way by Walter Camp (via Project Gutenberg)