Mac Integration in Education - Whitepaper

Index

Introduction
Active Directory Integration
The Amsys Solution
Further Information

Introduction

This case study covers the integration of Mac clients into an education Active Directory environment. Some may consider this topic “covering old ground” and of course it is not as exciting a buzzword as “iPad” or “enterprise iOS deployment”. Unfortunately, the topic of Active Directory integration is still considered a black art to many people and the end result is often unstable and unreliable installations that infuriate teachers, students and I.T. staff.

I attended a recent discussion between education consultants and a pool of school students. They were asked, “What would you like to see from the Apple technology in the school?” Assuming this was an open chequebook, we were expecting the kids to chip in with “iPads for all!” and other related statements. Instead, they simply requested that the iMacs and MacBooks be configured to work more reliably. In short, they just want a system that allows them to work, rather than being faced with constant technical issues.

Disclaimer: While the author has taken care to provide you with accurate information, please use your discretion before acting upon information based in this Whitepaper. Amsys accepts no liability and will not compensate you in any way if you happen to suffer a loss / inconvenience / damage because of/while making use of information in this whitepaper.

Amsys Ltd

Apple Authorised Service Provider

www.amsys.co.uk

Active Directory Integration

Over recent years, joining Mac OS X clients to Active Directory for login window authentication and subsequent network service authorization has grown in popularity. Organizations and education establishments traveling down this road have hit a number of hurdles, specifically around the reliability of login window authentication and where the user’s data should reside. Making the wrong choice can cause widespread stability issues, leading to a generally poor experience for the teachers and students.

So how should you design the solution to maximize stability and usability, while keeping costs under control?

We start by talking about the most appealing configuration choice (particularly from an I.T. manager’s perspective), which is to use network-based user home directories. This style has a number of tempting management benefits: it is easy to back up; users can “hot desk” from one computer to another; and duplication of data is greatly reduced (keeping storage costs to a minimum). It is easy to see why this would be a tempting prospect.

Unfortunately, in practice, this type of configuration does not work well at all. At sites where we have seen this system used, the symptoms have been (to name just a few):

• Intermittent login reliability – Some users get blocked at the first step and Mac OS X refuses to grant them access to the computer, advising that the user’s home directory cannot be located
• Poor application performance – We’re not just talking about video editing and graphic design programs. Most applications are affected by this issue, which typically leads to classes failing to start, crashing applications and lost students’ work
• Operating system instability – In addition to application performance, the Finder, responsible for the file system navigation, is greatly hindered. Simple tasks such as opening a “save as…” dialog can cause the system to freeze, resulting in more lost time

At this point, we need to make it clear that full network home folders are troublesome. It is not a matter of network bandwidth or server capacity (although these always help improve the situation). Instead, the problem lies with the workstation applications and operating system not “expecting” to work live from a network volume.

An application such as Word for Mac expects the file you are editing to be stored on the local hard drive, usually on a “Mac OS Extended” file system. When the file is edited on an SMB or AFP network volume, with completely different rules and regulations, the application starts to behave erratically.

This problem is compounded by the user’s personal Library folder also residing on a network volume. As with the document files, the Mac OS and applications need to be able to read and write to their associated preference (plist or property list) files. When these settings files are moved to a network volume, the stability of the applications and the operating system is put in jeopardy.

The solution to this problem…

So if the user’s network home residing on the server is causing the issue, the natural solution is to switch to local home folders, right? Adopting this configuration will quickly solve a number of the above issues people are faced with but unfortunately introduces a number of new problems:

• Users’ data is spread across multiple machines – Making it hard to back up and keep safe
• Limited “hot-desking” – Although the user can log in to any computer using their Active Directory credentials, the user’s data is only stored on the local machine’s hard drive, so the files they have been working on will not follow them to the new computer

Why not just mount the user’s personal drive on the desktop? Surely that way the users can simply drag their work to the file server to ensure it is protected? I have heard this before and there is a fundamental flaw in the plan. Any techie that has taken the time to sit and observe a school or college classroom must have noticed that these instructions are not successfully communicated to the students. The students (and busy teachers as well) simply want to click “save” and walk away. Instructing them to navigate to a network share leaves a bewildered look on their faces.

This issue is compounded by the fact that the user’s personal network drive is not directly available on the desktop. In a typical school environment, the mounted share would contain all students’ home directories, commonly split up by year groups or course types.


Sure, the network home is also mounted in the Dock most of the time (this feature is a little unreliable), but have you ever seen a student attempt to drag and drop a piece of work onto a Mac OS X Dock stack? It typically leads to confusion and disaster.

Another common problem is the method Mac OS X uses to make a connection to the user’s personal network drive. The Active Directory connector uses the UNC path name taken from the SMBHome attribute stored in the Active Directory user’s record to derive the network home location. Unfortunately there are a number of key issues with this technique:

• The connector can only derive the network home location from the SMBHome attribute – What if it is stored somewhere else? This will mean that you can’t provide users with access to their network drives!
• The login process is linked directly to the mounting of the network drive – Despite configuring the Mac to use a local home folder, having this option enabled still intermittently causes login failures

Hard Drive Capacity

A final point regarding local home folders: as the machines are being used, file data starts to build up on the internal hard drive. Mac OS X has no mechanism to notify the I.T. team when it is running out of space. The first warning indicator will be presented to the users (which is typically ignored); the second warning will be by way of a system crash where the boot drive has run out of space and is unable to load the operating system.

What About Login / Logout Synchronization?

We would agree that the best mix of stability and functionality involves periodically syncing data, but, and it’s a big but, it is worth looking into exactly how Mac OS X achieves this functionality.

The first thing to mention is that the user file syncing is reliant on the AD connector mounting the user’s network home, which, as we have mentioned above, is problematic at best.

Secondly, we would like to make a point that the Active Directory connector uses the built-in SyncServices to move the data around. This is the same service that provides the file synchronization service for Apple’s iDisk offering. For anyone that is unfamiliar, it does not work as well as we would want.

Third, in the event of sync failures or issues (which were very common), apart from on-screen notifications, there are no more alerts flagged up to advise there has been an issue. In an ideal world, if there was a sync error, an email should be sent to the I.T. team to investigate and resolve.

And finally, what about all of those sub-folders? Mac OS X clients have quite a different folder structure from Windows clients and so users logging into multiple systems (which most will do) will be faced with a large number of folders populating their home directories. It will also be quite unclear where they should store their files.


For example, how will a student know whether they should store their latest piece of work in “My Documents” or just “Documents”? Sure, an I.T. professional will know immediately that one is created by Windows and the other by Mac OS X, but really, how is a student supposed to know that? The end result will probably be chaos. Half the students will put their files in “Documents”, and the other half will store them in “My Documents”. So when the teacher starts the class with “Open the project file in your Documents folder…”, this could lead to some confusion.

So all in all, yes, Mac OS X can sync with the AD network home out of the box, but there are some serious limitations.

So what is the Ultimate Solution?

It is true that there is no “one size fits all” solution design for education environments but we would suggest that the following characteristics should be present:

• Network logins need to be consistent, fast and reliable.
• The user’s network home needs to be available on the desktop (not just the share that contains the home folder).
• Network home needs to be derived from any specified data stored in AD, not just the SMBHome attribute.
• Users’ files need to sync at login, during use and at logout (reliably).
• Sync failures need to be reported to the I.T. team.
• When the workstations’ hard drives start to fill up, the I.T. team need to be notified as early as possible so they can take action.
• The Mac OS X sub-folders need to be synced either to the Windows alternative folders or to a separate sub-folder.


The Amsys Solution

Taking each of the desired characteristics into account, we have developed a bespoke solution that solves the headaches detailed in this document.

Network logins need to be consistent, fast and reliable

The first step is to disable the option in AD to derive the user’s network home from the SMBHome attribute. This has known issues and often prevents the user from being able to log in. The second step involves adjusting the advanced AD connector settings to fit with the environment. Features such as preferred DC and mDNS responder timeout settings are all critical to the reliability of the network logins.

The user’s network home needs to be available on the desktop (not just the share that contains the home folder)

To achieve this we have developed a UNIX shell script that runs at login and mounts the user’s network home. The design of the script included the following features:

• Use Kerberos (if available) to authenticate access to the network share.
• In the case of SMB, mount the user’s personal drive directly (not just the top level share point).
• Critically, separate the mounting of the network drive from the login process, so if the user’s network drive is unavailable for any reason, the user can still log in to the computer and get on with their work.

Network home needs to be able to be derived from any attribute in AD, not just SMBHome

When devising the script, we started using the SMBHome attribute to locate the user’s home, but in many recent installations, we have customized this step to create the path for the network home from other AD attributes. In one of our most recent projects, the user’s network home path was dependent on the course group the user was a member of. The final server path looked something like this:

\\serveraddress\Users\CourseGroupLetter\username

This string of text was not stored in any one AD attribute and so for this solution, we configured the script to check the user’s group membership at login and build the correct path from the result. For the user, “magic” occurs when they log in and their personal network drive seamlessly mounts on the desktop.

Users’ files need to sync at login, during use and at logout (reliably)

Considering the known reliability issues with the Mac OS X default sync service, we opted for the UNIX rsync service. Combining this with a web-based (editable) exclusion list, the I.T. administrator has full control over what is synced at login and logout. After the user has authenticated at the login window and the network drive is mounted, a selective download sync is performed. By default this is kept at a minimum, concentrating mostly on user preferences and application settings.

At logout, the user’s desktop disappears as normal, then a custom splash screen appears with a progress bar while the logout sync is performed. Feedback is provided on-screen, showing how much time has elapsed and what is being synced. If a sync error occurs, the incident is logged and emailed to the I.T. team, advising them of the machine name, the time and what folders experienced the sync issue.

When the workstations’ hard drives start to fill up, the I.T. team need to be notified as early as possible so they can take action

This common issue is usually tackled by I.T. staff checking the remaining available capacity on each machine, which is a very time-consuming, laborious process. Our alternative system involves the machine checking its own hard drive capacity and reporting to the I.T. team only if it is over a pre-defined limit.

The Mac OS X sub-folders need to be synced either to the Windows alternative folders or to a separate sub-folder

The final piece of the puzzle involves cleaning up the sub-folder structure of the user’s network drive. The options we have offered to our clients are:

Option 1 – Create a sub-directory in the root of the user’s home called “AppleHome” (or something similar) and sync the Mac sub-folders and files beneath it. This leaves the Windows generated and edited files cleanly separate from the Mac files, making it easier for users to locate their work.

Option 2 – Link the individual Mac sub-folders with the associated Windows sub-folders:

Option 3 – Sync to an entirely separate network drive

As we add the ability to use any AD attribute (or combination of attributes), the option is available to provide users with entirely different Mac network drives. This enables the I.T. administrator to configure separate storage quota limits and permissions on the folders, as they are completely separated from the Windows network drives. To ensure that users can still access their data from the other drives, we install a Windows and Mac OS X link to the alternative drive, so when they are logged in to a Mac, they will still be able to gain access to their Windows network drive.
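
The login-time path building described above under “Network home needs to be able to be derived from any attribute in AD”, together with the rule that mounting must never block the login, is shown here as an added example; it is not the Amsys script. The server name, share name, “Course-<Letter>” group naming and all function names are assumptions, and the mount step assumes it runs in the user’s session where a Kerberos ticket is present.

```sh
#!/bin/sh
# Added example, not the Amsys script. SERVER, SHARE and the "Course-<Letter>"
# group naming are assumptions made for illustration.
LC_ALL=C; export LC_ALL          # keep [A-Z] ranges ASCII-only
SERVER="fileserver.example.edu"  # hypothetical file server
SHARE="Users"

# Accept only plain account names, so a directory-supplied value can never add
# path components ("..", "/", "\") or option-like text to the mount command.
valid_username() {
    case "$1" in
        ""|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print the course letter found in a space-separated list of group names.
# Fails when there is no course group or more than one, rather than guessing.
course_letter() (
    set -f                       # group names must not be glob-expanded
    letter="" count=0
    for g in $1; do
        case "$g" in
            Course-[A-Z]) letter=${g#Course-}; count=$((count + 1)) ;;
        esac
    done
    [ "$count" -eq 1 ] && printf '%s\n' "$letter"
)

# Build //server/Users/<Letter>/<username> from the login name and group list.
build_home_path() {
    valid_username "$1" || { echo "rejected username" >&2; return 1; }
    letter=$(course_letter "$2") || { echo "no unique course group" >&2; return 1; }
    printf '//%s/%s/%s/%s\n' "$SERVER" "$SHARE" "$letter" "$1"
}

# Mount in the background so a slow or absent server cannot hold up the login.
# Args: username, group list, mount point.
mount_home_async() {
    target=$(build_home_path "$1" "$2") || return 0   # skip the mount, keep the login
    mkdir -p "$3" || return 0
    # -N: never prompt for a password, so authentication relies on the user's
    # Kerberos ticket. Assumes mount_smbfs accepts a sub-path below the share.
    ( mount_smbfs -N "$target" "$3" ||
          logger -t mount-home "mount failed: $target" ) &
}

# Constructed demo: prints the derived path without mounting anything.
if [ "${1:-}" = "--demo" ]; then
    build_home_path "jsmith" "Staff Course-B Domain-Users"
fi
```

Rejecting the account outright when the group lookup is ambiguous means a mis-filed user gets no network drive instead of another course’s folder.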

Further Information

Culminating our collective experiences of Mac installations in education, as well as the combined expert knowledge of our training and consultancy team, we have produced this whitepaper to assist education establishments in designing a robust and reliable system for their teachers and students. If you or your internal teams require assistance or help with any of the topics raised in this whitepaper, please get in touch with our Pro Services Department, who will be able to advise you on best practice.

Tel: 020 8660 9999
Email: [email protected]

About Amsys: Amsys makes Apple products work better for business. Amsys is the UK’s leading Apple support, training, repair and services partner and has over 25 years’ expertise and experience in Apple technology.

Support

Amsys has delivered specialist Apple technical support to businesses for over 25 years. Amsys supports over 3500 systems from its dedicated service desk staffed by fully Apple certified technicians. With more certified Mac technicians than any company other than Apple, Amsys clients have access to an unmatched depth of resource who resolve technical issues as quickly as possible. Amsys is recognised as the technical leader in Apple technology and has developed bespoke technical products and solutions to deliver class-leading support to its business clients. Clients can choose to include the Amsys Remote Monitoring service, which provides proactive issue avoidance as well as fast notification of issues. This service allows Amsys ServiceDesk to resolve issues often before our clients are aware of them.

Maintenance and Repair

Amsys is the UK’s largest Apple Authorised Service Provider (AASP) and has repaired more than 200,000 Macs. With a large team of Amsys trained and Apple certified technicians, Amsys delivers the fastest possible repair time. Amsys offers a nationwide collection and delivery service, providing packaging for safe transport where required. Amsys maintenance programs provide service for manufacturer’s standard warranty, extended warranty (AppleCare) and out of warranty devices. Clients can also choose onsite maintenance programs particularly where compliance with data security procedures is critical.

Training

Amsys Training is Europe’s no1 Apple Authorised Training Centre (AATC) and the only company authorised to deliver Apple certified hardware training for UK and Ireland. As the Apple training experts for over 10 years, Amsys employs a large team of full time Apple Certified Trainers who have trained over 11,000 delegates from businesses, public sector, Apple service providers and resellers as well as Apple’s own staff. Amsys delivers courses at dedicated training centres in South London, Central London and Manchester and on customers’ own premises. Amsys develops and delivers instructor-led technical training as scheduled open courses, client-specific onsite courses and bespoke training for business users and individuals. As well as Authorised Apple Certification training, Amsys has developed a range of technical training courses to meet the needs of businesses that use Apple technologies.

Recruitment Division

Amsys is a specialist recruitment company born from our clients’ increasing need for Apple technology skills. With over 25 years of unrivalled industry experience, Amsys provides class-leading search and selection services to businesses. Amsys secures the best technical staff to meet temporary and permanent needs. Clients can choose from a tiered service that meets their own specific recruitment process and budget. Amsys has developed its unique recruitment service to ensure all our clients and candidates derive the best result from our engagement. Amsys achieves long term success for clients, delivering a perfect cultural and technical fit, by ensuring that any skills gap is addressed by a training course from Amsys’ Training Division.

Pro Services Division

The Amsys Consultancy team is made up of fully certified and experienced consultants. The team helps clients plan and execute Apple installation, integration and implementation projects. Amsys technical architects support clients with analysis and design of systems and the project managers ensure planning for successful execution. Successfully integrating Apple equipment into a multi-vendor environment requires very specific technical knowledge and expertise. Amsys technical consultants have spent many years developing sophisticated solutions for the technical challenges that face businesses and are well placed to assist with Apple integration projects.


App Development Division

Amsys App Development Team employ the most appropriate technology to rapidly and effectively deliver business solutions. To ensure that the expected benefits and objectives are met, the App Development Team has developed an approach and structured process that provides absolute clarity at every step of the development cycle. The App Development Team works within agile, scrum or waterfall process dependent upon our clients’ preference and/or objectives. The App Development Team encompasses project managers, developers, graphics designers, quality assurance and business analysis, and is specifically focused on creating high quality solutions that deliver rapid business benefits.

Contact Details:

Phone: 0208 660 9999
Email: [email protected]
Website: www.amsys.co.uk
Twitter: @amsysuk
