Apple has traditionally focused on the education, visual design, and production
marketplaces. Its attention to the enterprise world that is largely dominated by
WINTEL has always been lackluster at best. However, over the past two years, with
the release of OS X, and especially the release of the Xserve in 2002, Apple is showing
a renewed focus on enterprise computing.
Although the initial release of OS X lacked support for networking to Windows, Apple
is making slow but steady progress towards interoperability. Starting with OS X v10.1,
it included SMB (Server Message Block), a protocol for sharing files, printers, serial
ports, and communications abstractions such as named pipes and mail slots between
computers. Better known as Samba, it is the open-source equivalent of Windows networking.
Theoretically speaking, connecting to a Windows machine required typing the Windows
server name or IP address in the Connect to Server option of the Finder pull-down
menu. The Mac would then gain access to the shared Windows resources. Practically,
however, it did not really work - not enough to make it really usable by the average
end-user, anyway. There was no real support for server name to IP address translation,
browsing the Windows space beyond the local subnet was not supported, and the whole
experience really required the level of enterprise-level system configuration knowledge
that is generally not available to the non gear-heads.
This gaping hole in Apple's internetworking capability presented an opportunity for
third party network integration vendors such as Thursby Software. Its premier product DAVE
addressed both file and print capability. While Jaguar (OS X v10.2) and Panther (OS
X v10.3) made further progress toward simplified OS X to Windows internetworking,
the gap is still not closed. Thursby's latest addition, ADmitMac, allows Macintosh
users running Mac OS X (Jaguar and Panther) to participate in Microsoft networks
by taking advantage of the directory services provided by both Active Directory and
NT Directory Services.
ADmitMac is a commercial product with a single license priced at $119.00. Multi-pack
licenses are available with a 25 pack priced at $2,299.00 ($92.00 per seat.) A special
Volume License Agreement (VLA) is also available allowing one to install the product
without having to enter separate keys for each machine. The price per seat comes
down to as low as $38.00 for a 2,000 license installation. An annual upgrade agreement
is required for volume licenses, though.
ADmitMac requires Mac OS X 10.2 or later to execute, and requires Domain Services
provided by at least one of the following:
- Microsoft Server 2003 with Active Directory
- Microsoft Windows 2000 with Active Directory or operating an NT domain
- Microsoft NT service pack 6 or later operating an NT domain
It comes in English localization (no other localizations are mentioned as available
at the time of this review). ADmitMac conforms to the following RFCs:
- 1001, 1002 - Protocol standard for a NetBIOS service on a TCP/UDP transport
- 1510 - The Kerberos Network Authentication Service (V5)
- 1777 - Lightweight Directory Access Protocol (LDAP)
- 2743 - Generic Security Service Application Program Interface Version 2
- 1964 - The Kerberos Version 5 GSS-API Mechanism
- 2222 - Simple Authentication and Security Layer
- 3244 - Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
It also claims conformance with Microsoft SMB/CIFS standards, including use of TCP
port 445, NetBIOSless communication.
ADmitMac is at version 1.1.1 at the time of the review.
The evaluation license was downloaded from the vendor's web site and the supplied
license keys were applied to unlock the product. The review was performed on a 400 MHz
Blue and White G3 (Model 82.2) with 256 MB running OS X 10.2.8 connected to the Lockheed
Martin corporate intranet (thank you Craig Wright). Installation was straightforward,
and configuration instructions are included. The installer created an ADmitMac folder
in the Library/Application Support path containing the following tools: Setup Assistant,
Training, and Uninstall.
The installer runs the Setup Assistant immediately following installation. It queries
the network by searching
for WINS servers and asks you to configure either the Active Directory or NT Domain
controller information (depending on what the enterprise is controlled by - my company
is NT Domain Services based). The only information one needed to provide was the
name of the domain (in my case ACCT04) as well as the NT Domain user name and password.
The installer also installed an ADmitMac Network Utility in the Applications/Utilities
path, and My Network Account control panel in System Preferences.
My Network Account preferences panel
The "My Network Account" preference panel allows one to change the NT Domain password
and the local Address
Book Card. One does not need to be a network guru to configure the product, although
some basic awareness of the enterprise system configuration was required. For instance,
I had to know that our enterprise is NT Domain based and my account belongs to the
ACCT04 domain (the WINS IP addresses were resolved automatically).
How It Works
ADmitMac allows Macintosh users running Mac OS X v10.2x Jaguar and up to participate
in Microsoft networks by taking advantage of the directory services provided by both
Active Directory and NT Directory Services. It allows administrators to manage their
domain users in a consistent way without regard to what kind of computer they use
(presumably it does not include Unix/Linux derivatives, though.) ADmitMac lets users
log into a Macintosh with their domain credentials and then have access to files
in their home directory.
To accomplish this, ADmitMac uses industry standard protocols to access Active Directory
servers. Kerberos is used to provide secure directory access that reduces the risk
of disclosure, spoofing and man-in-the-middle attacks. ADmitMac automatically configures
the Macintosh to use Kerberos, and obtains the necessary security keys from the domain.
ADmitMac works with older NT directory services as well. All communication with NT
domain controllers is performed using SMB/CIFS protocols.
ADmitMac will cache successful user login information for later use. This allows
notebook or mobile users to continue using their domain account to log in when their
Macintosh is not connected to the domain.
Key Features include:
- Computer labs or corporate networks where security is a major concern
- Caches user credentials for mobile user access when not connected to the network
- Administrators can manage Macs in the Microsoft Windows domain - no special training needed
- Installs on the Mac with no Active Directory schema changes required
- Preserves user's custom desktop and documents no matter which computer they log into
- Users can mount any shared folder they are allowed to access via Connect to Server.
- Allows for user login with home directories located on the Macintosh client's local hard disk
- Supports browsing for
- Provides secure access
- Automatically configures Macintosh for use with Kerberos
- Fully signed and sealed (encrypted) LDAP connections prevent disclosure of user's
personal information and prevent man-in-the-middle attacks
- Supports both DES and
- Supports Windows login
- Allows users to easily
- Expired and reset passwords are handled correctly when users log in to the Macintosh desktop
- Support for DFS - home directories can be mounted using DFS
- Print Client can access shared printers - printers may be configured by browsing
the list of printers published in a domain or manually
- Provides print client for connecting to Windows printers
- Supports NTFS file format - does not create double files
- Works with older NT directory
- Offers complete interoperability with Services for Macintosh
- Home directories may be located at a path where the user does not have access to the parent folders
ADmitMac is tailored for multi-user, multi-computer scenarios where the administrator
defines the network configuration and security.
ADmitMac works in conjunction with OS X, thereby complementing OS X's built-in
networking features. ADmitMac uses the Network Browser, as there is no separate ADmitMac
- Log in to the Domain with NT Domain credentials
- ADmitMac allows the user to type in the Domain user name and password in the OS X
login window. ADmitMac authenticates the credentials with the NT Domain controller
and the user is logged into the network. Depending on the way the user account is
set up, it will then mount the user home directory (your NT Domain H: drive) from
the domain server or log you into the local Macintosh with the home directory
administered locally. The home directory is accessible via the Finder Go->Home
pull-down. ADmitMac allows users to change their passwords if the password has
expired or the administrator forces a change. The interaction between the client
machine and the NT Domain controller is completely transparent to the user. The
outward appearance is that of a usual login. At the conclusion of the login, a
normal looking desktop appears on the display.
Once the user is logged into the Domain for the first time, a folder Domain/Users/
is created at the root level of the local drive. It contains an alias to the user's
home folder on the server. However, one needs to be aware that since you are logged
into the Domain, all your desktop machine local resources, such as the Desktop, Documents,
Movies, Music, and Pictures folders, are not accessible since they are actually owned
by a different user. Depending on how your specific application permissions are set up,
you may need to authorize the Domain account to use the local applications. It is
also interesting to note that ADmitMac will create the standard OS X directory tree
in the server Home Directory.
- Home Directory
- Upon user login, ADmitMac will automatically mount your home directory (your H:
drive). It allows one to specify that the SMB Home Directory is also to function as
the Mac's home directory, allowing one to log in from any Mac or PC on the network
and have complete access to all of your files.
This is a subtle but very important distinction between ADmitMac and OS X in this
regard. Although Apple supports "SMB Home Directories," OS X merely mounts
the Home Directory as any other network folder on the desktop at log on. The difference
between mounting your H: drive on the desktop (this is what Apple does) and treating
it as Mac's home directory is that changes in the desktop settings (views, defaults,
etc.) are saved in the home directory. The home directory has a defined folder structure
which ADmitMac will create on the first login and allow access to it from the Go
-> Home pull-down. OS X simply treats it as any other server mounted share.
- Most fundamentally, ADmitMac enables network browsing outside the local subnet.
The Apple browser only works within
a subnet and fails to browse larger networks. ADmitMac enhances OS X to allow browsing
throughout the corporate network while supporting the latest security implementations.
Browsing can be done either by launching the ADmitMac Network Utility (in the Utilities
folder) or from the Finder Go->Connect to Server (Cmd-K) pull-down menu.
After hitting Cmd-K, the left hand panel is rather rapidly filled with a list of
available servers. The performance was surprisingly good considering it ran on a
rather pokey 400 MHz G3.
ADmitMac works largely behind the scene offering a number of significant value added
services. However,
in order to take advantage of all these services, the enterprise needs to migrate
to Windows Server 2003 Active Directory. Since our corporate network is still based
on NT Domain Services, I was not able to verify some of the ADmitMac claims or to
test them in action. Nevertheless, the following features are offered:
- Distributed File System
- DFS is a method for transparently distributing the storage of files across several
servers while making it appear to
the user that they are all on the same server. This method is used to provide redundancy
of data and to allow for load balancing. ADmitMac supports this advanced feature
of Windows Server 2003 in a way that is completely transparent to the end user.
- File Storage
- ADmitMac takes full advantage of Microsoft's NTFS file system and stores both forks
of a traditional Mac file under
a single file name. This is identical to how Microsoft's Services for Mac (SFM) stores
these files and ensures compatibility between products. OS X, based on its Unix roots,
does not understand this file storage technique and creates two files on the Windows
machine for each Mac file transferred. This OS X technique is proprietary to Apple
and is not supported by any other third party.
- ADmitMac supports NTLMv2 and SMB signing. This allows ADmitMac to safely work with
Windows Server 2003 "out
of the box". Since OS X does not implement this higher level of security, the
Windows Server 2003 administrator would be required to lower the server's security
level and thus not take advantage of greater security offered by Windows Server 2003.
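A server-side check for the trade-off described in the last item, as an added example that is not part of the original review or of ADmitMac: it reads a registry export and reports when SMB signing is not required or when pre-NTLMv2 authentication is still accepted. The sample export is constructed; the value names are the standard Windows LanmanServer and Lsa settings, and treating level 5 as the target is an assumption about the site's policy.

```python
import re

# Constructed sample: fragment of a .reg export from a hypothetical domain
# controller whose settings were lowered to admit clients without NTLMv2/signing.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002
'''

SERVER_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # a new registry key section starts
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """List findings where unsigned SMB or pre-NTLMv2 authentication is allowed."""
    keys = parse_reg(text)
    findings = []
    # Signing is only enforced when the server *requires* it, not merely enables it.
    if keys.get(SERVER_KEY, {}).get("requiresecuritysignature", 0) != 1:
        findings.append("SMB signing is not required by the server")
    level = keys.get(LSA_KEY, {}).get("lmcompatibilitylevel")
    if level is None:
        findings.append("LmCompatibilityLevel not set; OS default applies")
    elif level < 5:
        # Level 4 refuses LM but accepts NTLM; lower levels accept both.
        what = "NTLM" if level == 4 else "LM and NTLM"
        findings.append(f"LmCompatibilityLevel={level}: server still accepts {what}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print("WEAK:", finding)
```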
ADmitMac is a great networking product that allows Macintosh users running Mac
OS 10.2 and later to participate in Microsoft networks seamlessly and transparently.
ADmitMac narrows the interoperability gap still present in OS X with Windows-based
enterprise systems; it is relatively easy to install and configure, and it works as
advertised. However, some of the advanced value added services offered by ADmitMac
are subtle and tend to be germane only in larger networks. These features also work
to the full extent only when paired with advanced features offered by Windows Server
2003 and Active Directory.
The most significant value added feature of ADmitMac is the ability to log in to
the Domain with your network credentials, mount a server-located Home Directory, and
browse the network. However, in normal day-to-day operations, the ability to browse
the servers in an ad-hoc fashion may not be that important to everyone. Also, since
you are logging into the network and not your local user account, access to the client
local resources and Applications may need to be modified using Thursby's provided
instructions. The bottom line is that ADmitMac delivers on providing a much better
integration between your Mac and a Windows network, and I strongly recommend it for
every Mac user that wants to coexist with their WINTEL-based brethren in harmony.
- Ease of configuration
- Ability to do network login and access user's custom desktop and documents no matter which computer they
- Access to shared printers - printers may be configured by browsing the list of printers published in a domain
- Network browser
- Good vendor support
- Cost of a single ADmitMac license is high (comparable to the cost of OS X)
- Some features do not work with NT Domain servers
- Some features may be more than the average user needs
4 1/2 out of 5 Mice