Galen Gruman
Executive Editor for Global Content

Cisco shows how to manage 35,000 Macs

analysis
Sep 13, 2013
9 mins

The iPhone and iPad have given the Mac new life in business -- but how to handle them puzzles many IT admins

About six years ago, Cisco Systems’ IT department was looking for ways to block Macs from the corporate network because the company had standardized on certain Windows PCs and didn’t want “alien” devices in the mix. But a year later, Cisco began making a U-turn and allowed employees to use Macs as long as users supported themselves. Today, Cisco has fully embraced Macs and has 35,000 in use. The company lets employees choose whether to use OS X or Windows, and IT actively manages and supports Macs as an equal citizen to Windows. (Gartner says most companies will make this mental shift in 2015.)

Cisco’s story offers lessons for other companies trying to respond to user demand for Macs while maintaining the security and manageability they had put in place for Windows. I often hear questions from IT admins at conferences about how to do so. It turns out that many things have changed for the better in OS X itself, as well as in the broader context of computing. I interviewed Brett Belding, Cisco’s senior manager for IT mobility services, to see exactly what Cisco has learned that you should know, too.

When Cisco began exploring how to block Macs from its network, it also explored why users were so insistent on using Macs instead of the standard PC — and what harm allowing them would actually cause. “It turned out those people were the least expensive users for IT because they supported themselves. That led us to figure out how to say yes. We started self-support and early adopters,” said Belding. Basically, if a Mac didn’t cause problems or work for IT, it was accepted for certain users.

But this was no embrace, just a tolerance. The embrace began a year or so with iOS, then transferred to the Mac. “The iPhone catalyzed it. Apple became important with the iPhone and iPad.” Today, the attitude is “I shouldn’t care what devices users select.”

Macs have become more IT-friendly

On the technology side, several factors have made it straightforward, if not always easy, to manage Macs in a large business. The biggest change involves the adoption of policy-based management APIs in OS X Lion, which have further been enhanced in each OS X version. Apple essentially adopted the mobile device management APIs from iOS in OS X Lion, so IT could manage permissions and access as well as verify that key requirements have been met, such as encryption being enabled.

At first, the policies in OS X were a subset of what iOS offered. IT basically had to manage Macs separately from iPhones and iPads, even if from the same console, but Apple has been converging the two policy sets, with OS X Mountain Lion adding encryption management and, according to Apple, with the forthcoming OS X Mavericks achieving near-parity with the forthcoming iOS 7’s management APIs. Because Apple users quickly update to current OS versions, the bulk of Macs in place can be managed using the current APIs. In addition, MDM (mobile device management) vendors have been extending their tools to explicitly manage Macs, not just mobile devices, giving IT a common console.

Although there aren’t as many management tools for such activities as backup on OS X as there are for Windows, Belding says Cisco found a tool that did the backup job Cisco’s legal team required, even though it’s not as easy to use as the Windows backup tools in place. But meeting legal needs “was all that mattered.”

The truth is that backup matters much less than in the past because most corporate data now resides on servers and is fed to PCs, Macs, mobile devices, and so on as needed — the recent shift to mobile devices essentially made all user devices backups of the master server data, a big change from when individual PCs contained much of the master documents in a company. (Computers still have some master data, which is why Cisco continues to provide backup for them.)

Equally important to Cisco was its reliance on Web apps. Although major products like Microsoft Office have Mac versions, much specialized software is Windows-only, requiring a PC or a Windows virtualization environment to be installed on the Mac — a move that lessens the user experience that Mac users seek when choosing OS X. Fortunately for Cisco, it uses a lot of Web apps, which means it wasn’t as tied to a single platform for apps as many companies are. “Legacy apps do tend to be the big issues, and those are getting upgraded over time.”

However, Cisco still had Windows ties even in its Web apps, as many were written explicitly for Microsoft Internet Explorer 6 and its ActiveX technology for client-server app interaction. Microsoft never brought ActiveX to the Mac, and it had dropped IE for the Mac previously. That was one reason for IT’s aversion to the Mac years ago, and why later it told Mac users to run IE in a virtual desktop, forcing the use of a hybrid OS X-Windows environment. That didn’t please Mac users. “A common UI imposed over a chosen device breaks the whole reason people get what they wanted in the first place.”

But then came the iPad, which didn’t support ActiveX and couldn’t run native virtualization apps as OS X could. Cisco saw strong value in tablets, so it made the significant effort to rework its Web apps to be platform-independent, meaning dropping ties to ActiveX and IE6. As a byproduct of that iPad enablement, Cisco’s Web apps could run on Macs and many other platforms (such as Linux, which is now a supported PC choice for employees, in addition to Windows PCs and Macs).

Changes in computing have removed or reduced many admin needs

Apple deserves credit for making OS X friendlier to IT management needs, but it was clear from my conversation with Belding that external factors were even more important to Cisco’s ability to embrace the Mac.

The iPad and iPhone were the key change agents, forcing IT to first accept and then embrace heterogeneity as well as move beyond proprietary ties to Windows technology. It was iOS that got IT to accept having a second management platform in addition to its Windows tools; Apple was simply smart enough to hitch OS X to the same MDM wagon.

The same phenomenon has been playing out in the world of application providers: SaaS apps aren’t typically tied to a specific operating system, so the platform used to access them matters even less. As a result, the percentage of applications that don’t run on OS X has declined. That has removed a key technical obstacle to allowing Macs and other non-Windows platforms into Cisco as equal citizens.

A different aspect of the cloud figures into the backup equation. As noted, Cisco found that more and more data was being stored on cloud services and corporate servers because doing so let employees access it at the office, at home, or on the go with whatever devices were in hand. Cisco quickly realized that server-based data was more easily tracked, managed, and secured than data scattered across local hard drives, personal cloud services, and thumb drives. So rather than block the use of cloud storage as many companies today do, it encouraged the use of such services — provided by Cisco in an enterprise-managed version, of course.

“We want IT to be the path of least effort. You get security and experience that way. … People usually want to do the right things, so you really need to show them how.”

As for the fear of iCloud that I often hear from IT admins, Cisco monitored where users stored their business documents, and it wasn’t in iCloud. One reason is that most employees use Microsoft Word, which has Windows and OS X versions, but no iCloud-compatible version. Likewise, the tools for working with PDF documents aren’t typically iCloud-enabled, and OS X’s iCloud-enabled Preview has no iOS version. In both cases, users tend to use a Cisco-sanctioned cloud storage service that has no such dependencies or availability mismatches. iCloud is mostly used for personal information, such as photos and music. “So iCloud not really an issue.”

Another technology-related change is Apple’s decision to provide months-long developer previews for new OS X (and iOS) versions. That gives IT three to six months to test applications for compatibility, as well as get comfortable with new OS-level capabilities. Microsoft has long provided preview releases so IT customers can be prepared. Now Apple does, too. (Google, on the other hand, does not, but the uneven rollout of Android versions across device makers and carriers helps build in comparable testing time.)

Cisco’s IT group stopped thinking about computers as separate from mobile devices. “They’re all devices, and we accept them if they meet our policies,” Belding said. That mental shift helped create a unified framework for managing whatever users might have today and tomorrow. The solutions may need tailoring to specific devices, but the principles and requirements could be made consistent, as could the supporting services. That reframed the issue from one of endless stovepipes to one of a common framework for computing and information management.

And Cisco’s IT group realized that everything “moves at the speed of mobile, and we need to move with it.” Providing an app catalog for all platforms of both provided and recommended apps, offering managed cloud storage, using policy-oriented management tools to validate compliance of user devices on the fly, testing devices in beta phases, proactively communicating with users (such as saying, “We know many of you will buy the X device being released next week; please give us a week to make sure it works fine before you do”), and looking for ways to say yes quickly are all methods Cisco’s IT has used to do that.

It’s not easy, but it has let Cisco satisfy employees’ personal work styles, take advantage of more technology adoption, and make IT a positive force in the company.

This article, “Cisco shows how to manage 35,000 Macs,” was originally published at InfoWorld.com.