May 03, 2017

Techno Bits vol. 100: On Complexity


It's an epithet, it's an honorific, it's even a noun for a bunch of things that are an entire ecosystem.

The Mac Admins World is quite complex right now. There are few universal solutions, and even those are only 90% solutions. Everything works together in a chain, and there are so many links of different manufacture and quality, you'd think we were a bunch of Maesters of the Citadel running around here. Every piece of that chain holds the whole together. MDM. Management Agents. Patch Management. Monitoring. Security. There's nobody who's doing everything, but I feel like we're a lot closer to a full solution.

In the last two weeks, I finally got Technolutionary's DEP account handled and set up, and our first hardware ordered. What was the impetus? Well, the idea that we could build a set workflow for unboxing a new machine, replacing our adoption workflows as part of Imagr/DeployStudio, and still leverage Munki's software environment seemed like the best of both worlds.

In this situation, machines are part of an MDM, and can have their configuration managed through a central source (notably Simple MDM, who I am very pleased with so far, and very happy to pay for) and get hooked into a software management tool that we're using across our portfolio. 

This is a complex solution. It requires a DEP account, an active MDM, purchase through Apple, setup of a Munki Server, and then the configuration of the installer packages necessary to make this work. It took 8-12 hours to get a proof of concept working -- more if you include the time spent with Apple on DEP logistics -- and then hours more of refinement testing. I wrote a post for my blog on how it all comes together.

I really think this could be streamlined, and I'm sure that where we are now is going to substantially change in the next six months. A lot of the process that is currently frustrating is the setup of the DEP account itself. I think Apple could make that process substantially better. In addition, Apple should provide a testing serial number as part of the creation of the DEP account, so that you can test your setups without having to purchase hardware. Right now, if you're part of the ACN, you can't put machines purchased with ACN Coupons into DEP, which is doubly stupid. It means we had to pay list price for a MacBook Air just to get a serial number for testing.

The existing complexity of DEP, though, gives us choices. There's no reason we couldn't set up multiple MDMs for multiple departments within an organization, allowing central management of assets, and separate management of devices at the department levels, allowing for good competition between MDM vendors in the mid-level of the environment. Having multiple options is good, because it gives us choice, and it avoids obvious anti-trust complaints.

We are where we are because there need to be a number of breakpoints for the systems administration folks to decide how everything's going to come together. A healthy ecosystem requires multiple competing vendors acting in a given marketplace, and the number of healthy MDMs, healthy management tools, and provisioning choices is a clear sign we're in healthy territory, and no one's stacking the deck for any one vendor.

What I'm afraid of is having fewer options.

What I'm afraid of is a system where choices are made permanently and sometimes arbitrarily by a framework we can't ever control. That exists, too, in the Apple ecosystem, same as it does in the ChromeOS ecosystem, but it's hardly the largest part of the whole platform.

Don't be afraid of complexity, be afraid of opacity.

Links to Read:

A Word of Thanks

This is volume 100 of Techno Bits, something I started on a lark that has grown substantially. There are 211 of you readers out there, which is many more than I ever expected. Thanks for reading along.