Apple MacBooks in the (Windows) Enterprise, do they mix and match?!

Just over three months ago I purchased my first Apple computer, a MacBook Air 13.3 Inch to be exact, and to go short, I love it! Sure, after working with Windows for over 14 years, I needed a few weeks to adjust, who wouldn’t. Although I now use it on a daily basis I haven’t really dug that deep into OS X, I mean, it all just works, so why would I? Lately I’ve been spending some more time on how Apple, and OS X in particular, actually works, what’s the magic behind it all? Closely related, enterprise readiness is another subject that drew my attention. During my visit at Citrix Summit in January I also attended a session named ‘Bring Your Own Mac’ a way to allow MacBook’s onto your private (Active Directory) domain, without compromising security, centralised management and.. the ability to use Windows applications!

Desktop Player for Mac

Although it’s still relatively new, it was released just over two months ago, I expected to come across a lot more reviews, thoughts and implementation than I have seen and or heard up till now. Except for some release notes and announcements back in January it has been very quiet around Desktop Player, I wonder why that is. I mean, Mac’s are popular, no doubt, but for some reason they haven’t been adopted as quickly and widely as we’ve seen happen with tablets and Smartphone’s (all brands, not just Apple) for example. At least that’s the way I feel. I guess it also has something to do with the way they’re, or can be, managed. Or maybe I’m  just rushing and their time is still to come.

The reason being?

Having said that, it did got me thinking, perhaps there aren’t as many Mac users as I thought there were, or they don’t (want to) use their privately owned Mac’s for business purposes, maybe they aren’t allowed to, perhaps Citrix Desktop Player lacks proper marketing, or it is ‘known’ but lacks certain features, are Mac’s being managed in some other way?! You tell me. Now don’t get me wrong, I didn’t expected them to suddenly take over or anything, but even if the above is only partly true you would expect to see and hear a lot more with regards to the Citrix / Mac mix, either positively or negatively, or am I missing something?

Just a few months ago

I’m mentioning this because not too long ago there was all this talk about Mac’s not being usable in modern Active Directory orientated IT architectures, mainly because of their inability to run Windows based applications. One of the other concerns was with regards to security and companies not being able to manage these Mac’s like they manage their Windows based PC’s and laptops, including secure offline access etc. Nothing new when it comes to BYOD type devices, and probably something that will always be a challenge for IT to manage. I’m not saying Desktop Player for Mac is perfect (there are drawbacks which I’ll address later on) but, once implemented, it can certainly take care of the above ‘issues’ without too much trouble.

Another FlexCast Delivery model

Before getting into any details, let’s first have a look at some of the basics. The basis for Desktop Player for Mac can be found in Citrix’s XenClient, perhaps better known as one the FlexCast Delivery models available with XenDesktop 7.x In fact, you’ll need to have a XenDesktop infrastructure up and running to make use of the XenClient functionality, including proper licenses, see below. And since they both share the same back-end infrastructure (the XenClient Synchronizer) this applies to Desktop Player for Mac as well. To break it down:

1. The XenClient infrastructure serves as the basis for Desktop Player for Mac. 2. XenClient is a FlexCast Delivery model part of XenDesktop 7.x 3. This is why a XenDesktop infrastructure needs to be in place. 4. You’ll need at least Enterprise or Platinum XenDesktop 7.x licenses. 5. XenClient is part of the same licensing model. 6. Desktop Player for Mac is based on, and uses, the XenClient infrastructure. 7. Because it’s part of the XenClient delivery model, it uses the same license model. 8. Both products leverage the XenClient Synchronizer for central management. 9. This makes Desktop Player for Mac the latest addition to the FlexCast delivery model.

A bit more on XenClient

For those of you unfamiliar with the XenClient FlexCast model, here a quote from Citrix I took from their products page “Citrix XenClient extends the benefits of client virtualization to corporate laptops and makes PCs more manageable, reliable, and secure. The solution is comprised of two technologies, XenClient and the XenClient Enterprise Synchronizer.

Citrix XenClient is a true Type-1 client hypervisor that runs on bare metal and provides high performance and security. XenClient lets users run multiple local virtual desktops simultaneously, side-by-side and in complete isolation. XenClient-powered virtual laptop users can access their various virtual desktops anywhere, anytime even while disconnected or experiencing a slow or intermittent network connection” The same principle can be applied to ‘normal’ desktop PC’s as well.

Desktop Player for Mac (continued)

and XenClient have a lot in common. The both rely on the Synchronizer (originally designed for XenClient) for central management, handling things like, VM image synchronisation, image updates, policy management, user assignment and more. Communication with the Synchronizer takes place through a locally installed agent / engine (securely over SSL), this is also where both products differ. The XenClient engine is based on a type 1 hypervisor which is  directly installed on bare metal as supported by most manufactures, not Apple though. The VM’s run directly on top and you can basically configure as many as your hardware configuration (vCPU’s, RAM etc) allows. Run multiple VM’s at the same time and switch between them, no reboots needed.

Type 2 hypervisor

Desktop Player for Mac is based on a type 2 hypervisor, meaning that it’s installed on top of the Mac OS just like any other application. VM’s (multiple at the same time if you want) are than hosted and run from within the hypervisor completely isolated from the rest of your Mac. Although there are multiple Mac based hypervisor vendors out there already, this one is designed with true enterprise management in mind.

Both products (Player and XenCient) are designed to run Windows based Virtual Machines, this is how Citrix takes on the inability to run Windows applications on Mac’s, combined with centralised management and secure offline access. Not bad right? And since it’s a type 2 hypervisor, which is basically just another application running on your Mac, you can use your MacBook just like you’re used to with the VM’s quietly running in the background. Switching between VM’s and your base MacBook is a breeze using Apple’s build-in swipe technology. Again, your only limitation, as far as the number of VM’s is concerned, will be your underlying hardware in terms RAM, available CPU cores etc.

Citrix Receiver for Mac

We already had the Citrix Receiver for Mac, enabling us to leverage XenApp and or XenDesktop to access published applications, Hosted Shared Desktops or individual, VDI based, desktops on our privately owned MacBook’s, which is, and works, great. The only drawback using this kind of technology is that you need to be online. Desktop Player for Mac offers offline access to our Windows based virtual desktops completely secure and isolated from the rest of our Mac. A big plus. Another advantage is that VM’s are hosted on a type 2  hypervisor local to our Mac, meaning that al our VM’s will have access to local computing resources optimizing performance. The same can be said for the XenClient type 1 hypervisor of course.

An overview

Here I’ll briefly go over the components and software needed to set up and manage a basic Desktop Player for Mac infrastructure. If you want some more details, there’s a free online course provided by Citrix, you’ll find it here, Your ‘My Citrix’ login is required. Let’s start with the licenses, I already mentioned that Desktop Player for Mac is part of XenClient and thus XenDesktop, I got this from the online course: When using XenClient with XenDesktop Enterprise or Platinum, the allocated licenses cannot be used on non-users of XenDesktop. If usage extends beyond active users of XenDesktop, this will consume any unused licenses or will require an additional purchase or more licenses. Perpetual user device licenses are available at 75$ per license.

No configuration details

I won’t go into any configuration details for now, besides, if you are familiar with the Citrix way of doing things, it’s all going to be pretty straightforward anyway. There are two main components that make up a Desktop Player for Mac infrastructure, the (XenClient) Synchronizer and the Desktop Player for Mac software, or agent, through which it communicates with the Synchroniser, it needs to be installed on the client device.

The Synchronizer

Although the Synchronizer is part of the XenDesktop FlexCast Delivery and license model, as mentioned earlier, it’s still a separate install and management console. I’ll use some quotes from the Desktop Player for Mac Getting Started Guide Version 1.0.1.pdf to briefly explain both components. Synchronizer builds the VMs, manages users and groups, and assigns Them to computers/users. When contacted by Desktop Player, Synchronizer sends down updated VMs, installed applications, or policies. Using Synchronizer, an Administrator can request information about the computer running a VM (disk use, hardware available, and diagnostics). Synchronizer additionally provides:

1. Single, unified management for multiple Desktop Player (Macs) and XenClient. 2. Single, unified Windows VM image that can be deployed on both Macs and PCs. 3. Common management policies and licensing across corporate endpoints.

The client side

I already described this part myself, but just to keep it in line with the above, here goes: Desktop Player is installed on individual Mac computers, and provides a virtualized platform to run each Windows VM image. An image contains a virtualized representation of an operating system plus any included applications. Desktop Player may have more than one virtual machine image running on top of a Mac computer, and is dependent on the available hardware resources (i.e., CPU,  storage, memory) to support multiple images. Desktop Player is comprised of a client endpoint, plus value-added functionalities wrapped around the endpoint, including:

1. A single installer for quick and simple installation. 2. In-guest tools for the virtual machine OS. 3. The management engine that facilitates communication with Synchronizer for VM / Engine provisioning, updates and policy management. 4. Establishes network connections for the VM via the Mac platform. 5. Communicates securely (SSL) with Synchronizer and checks for updates to VMs. 6. Downloads and prepares updates and new versions of VMs.

System requirements

To be able to install Desktop Player for Mac your machine must: be a MacBook Air or MacBook Pro, with or without a Retina display. You’ll need Mac OS X 10.9 (Mavericks) and or 10.8 (Mountain Lion), An Intel Core i5 or better, 8 GB or more RAM is desirable (more = better) 4 GB minimum. Storage requirements depend on the size of the VM image, including OS, applications and user data.

Downsides

Unfortunately there are some potential downsides as well, at least that’s the way I see them. It’s still Apple, and Apple and Windows don’t mix and match that well, at least not without introducing third party (MAC capable) software into your environment and or making any modifications to your existing (Active Directory) infrastructure. For starters, you’ll need to find some way to install Desktop Player, and without using any third party software or pimping your AD infrastructure, this will have to be done manually.

Now if you only need to manage a hand full of Mac’s, this probably isn’t to big of an issue. If it’s dozens, or hundreds even, this may turn out to be a daunting task, even with third party tools present and ready to go. Things (quickly) could turn out more complex than anticipated. Microsoft’s Windows Active Directory, by default, doesn’t supply any GPO’s (called Managed Preferences in Apple terms) to manage Mac’s or any other Apple branded platform for that matter. When it comes to mass software deployment (third party) tooling you have a few options, there are multiple vendors offering software supporting both Mac as well as Windows based PC’s, to name a few: LanDesk, Altiris, FileWave, Dell’s Kace etc.

Alternatives

There are multiple AD capable (schema extending) add-ins available specifically designed to handle these kinds of situations, like, AdmitMAC or DirectControl for Mac for example. They also add full client management capabilities which might be useful as well. Another option would be to incorporate a OS X server into your environment, they’re relatively cheap and pretty straight forward to set up, from what I’ve heard that is. Or…staying close to Windows, you could use Microsoft SCCM 2012 SP1 to manage your Mac’s and thus Desktop Player for Mac.

Now you probably won’t purchase SCCM just to manage a Dozen of Mac’s, so it’s something you’ll already need to have up and running. But, and there always is, since at this time there is no push install mechanism available for the SCCM Apple OS X client, all OS X SCCM agents will need be manually installed one at a time, unless you come up with an alternative, as discussed earlier.

So when Citrix sates “It’s easy to install and configure” I’d have to disagree, at least on the first half, although there probably referring to the Synchronizer, right?!

Yes, you have plenty of options when it comes to extending your AD or install and configure third party tooling to manage your Mac clients and remotely push / install software that way. But it’s far from ideal and probably somethting you won’t consider when you need to manage just a hand full of Mac’s, which is probably for the best.

But wait there’s more

As most Mac users will know, by default only applications downloaded from the app store and / or indentified developers are allowed. To install and run Desktop Player for Mac you’ll have to change this setting to: Allow applications downloaded from: Anywhere, as shown below. Otherwise it won’t work. Another thing you need to check is, does the logged in user have Administrative privileges, see the earlier mentioned Admin Guide on how to check / change this. This goes for the ‘Anywhere’ setting mentioned above as well by the way.

This is where the earlier mentioned client management capabilities of AdmitMAC or DirectControl could come in handy. Or you can do it manually of course. There are some other vendors as well like, Quest, Symantec and Absolute Manage to name a few, who also offer products that can manage both Mac as well as Windows clients.

Device registration

After installation completes, the machine, or the software on it, needs to register itself with the Synchronizer to start communication and download their VM’s etc. This is something that also needs to be done manually, either by the Admin that installed Desktop Player or by the user who owns the MacBook, this is something you can configure centrally on the Synchronizer. Due note that you’ll need to provide the user(s) with the Synchronizers address to complete registration.

Conclusion

Of course these are not all downsides per se, but it’s not ideal either. I guess it’s the best they can do for now. At least we have a way to securely incorporate our Mac’s into our enterprise environments, including central management capabilities and the ability to run Windows applications. And if we’re talking small numbers, a few dozen at max, I guess it’s all still manageable without to many issues, should we go beyond 25, 30 or so, wel…

If your interested in using, or trying, Desktop Player for Mac, you can go the Citrix website and download a 90 day trial version, it has a limitation of 10 MacBooks. If you already own proper, XenDesktop and or XenClient licenses you can add-in the Desktop Player license right away. Otherwise, when your trial end, you can buy perpetual user device licenses at 75$ per license. Desktop Player for Windows anyone?

Bas van Kaam ©

Reference materials used: Citrix.com, Cultofmac.com and the E-Docs website.

Bas van Kaam

Field CTO EMEA by day, author by night @ Nerdio

Father of three, EMEA Field CTO @ Nerdio, Author of the book Van de Basis tot aan Meester in de Cloud, Co-author of the book Project Byte-Sized and Yuthor of the book: Inside Citrix – The FlexCast Management Architecture, over 500 blog posts and multiple (ultimate) cheat sheets/e-books. Public speaker, sport enthusiast­­­­­­­­: above-average runner, 3 x burpee-mile finisher and a former semiprofessional snooker player. IT community participant and initiator of the AVD User group Community world wide.