Interacting with Windows from a Mac Environment
At a Glance:
- Connecting to Active Directory with Directory Utility
- Using Entourage with Exchange
- Communicating via Messenger and OCS
- Bridging the platforms with virtualization
Organizations today are likely to include both Macs and Windows PCs in their environments, and getting them to work together has become much easier. That wasn't always the case. In 1995, I started working at a small ISP and service bureau in Raleigh, North Carolina, where most employees used Macs though a few of us ran Windows. Only just before I left in 1996 did we actually achieve any nominal amount of interoperability.
For networking, Macs relied on AppleTalk while Windows used TCP/IP as its default protocol (Apple was just beginning to dabble with TCP/IP). Further, Macs had a proprietary file-sharing mechanism (AppleShare, over the AppleTalk Filing Protocol), while Windows used the Server Message Block (SMB) protocol. The two were so incompatible that we had them isolated on separate networks, due primarily to the chattiness of AppleTalk.
Times have changed—today, not only can you bring Macs into your Windows network infrastructure, you can also integrate some of the operating system services. Don Jones's article in this issue covers networking Macs and Windows. I will focus on getting the two types of systems to actually interoperate.
Interoperability between Macs and Windows machines involves working with the software and operating system services that enable the functionality enterprises require. And it presumes a base level of hardware so that the interoperability can actually occur, with virtualization often serving as the bridge between the two platforms. The Mac's move from AppleTalk to TCP/IP was hugely important to interoperability with Windows. And as you'll see, the move to an Intel-based architecture was equally, if not more, important.
Yes, that's right: a Mac can be a member of an Active Directory domain. Look at Figure 1, and you'll see a test Active Directory domain that I have installed at my house, with my iMac as a member.
Figure 1 An Active Directory domain containing a Mac
Since OS X first shipped, ISVs have built tools that integrate Macs into Active Directory to some degree (some even let you push Group Policy out to a Mac client). OS X 10.5 ("Leopard"), which shipped in 2007, builds some of that support directly into the operating system, so you can join a Mac to an Active Directory domain with no third-party software.
Macs, in their own environment, use Apple's LDAP directory, Open Directory. Though Open Directory and Active Directory use different schemas, the fact that Macs can join a directory at all means you can begin centrally managing them. Odds are you've invested in an Active Directory infrastructure, and without much work, you can integrate Macs into your Active Directory.
To integrate a Mac into Active Directory without third-party tools, you must have an Intel- or PowerPC-based Mac running Mac OS X 10.5 or later. Once you have booted up the system and logged on, open the Applications folder and browse to the Utilities folder. There you will find a utility named, logically enough, Directory Utility; go ahead and start it up. If your Mac has an associated Open Directory relationship already, it will be visible here. Otherwise, you will see something similar to Figure 2.
Figure 2 The Mac's Directory Utility
Begin by clicking the lock in the lower-left corner and providing your administrative credentials. Then click the + sign to add a directory. In the dialog that opens, select Active Directory, and you will see the dialog in Figure 3.
Figure 3 Adding an Active Directory directory
The experience isn't much different from joining a Windows system to Active Directory, except that it's all on one page and doesn't seem to accept legacy-style credentials (domain\user). Credentials must be provided in user principal name form (user@yourdomain.tld). Once joined, you will see the directory listed in Directory Utility (see Figure 4). If you are joining just a few computers, or you prefer the GUI, Directory Utility is a fast way to do it. If you want to join several computers from a script, or you're more comfortable in Terminal (the Mac's command-line interface), you can run dsconfigad instead, as follows (type it all on one line):
dsconfigad -f -a computername -domain yourforest.yourdomain.tld -u domainaccount -p domainpassword -lu localadminaccount -lp localadminpassword
Here -f forces the join, -a names the computer account to create, -domain is the fully qualified domain name, -u and -p are the domain credentials allowed to join computers, and -lu and -lp are a local administrator's credentials. Be aware that passwords passed on the command line land in the shell history and are visible to other users in a process listing, so don't leave them in scripts you share or check in, and clear your history afterward.
Figure 4 Active Directory on the Mac
Note that if you ever intend to join a Mac to both Active Directory and Open Directory, the recommendation is to always join it to Active Directory first, then Open Directory.
Now that you have joined the system to Active Directory, what can you do? Microsoft Entourage, the only Mac e-mail client that provides native mail and calendar access to Exchange, isn't as rich at enumerating directory attributes as Microsoft Outlook is. So in addition to its management capabilities, Directory Utility lets you browse the directory attributes of users, groups, and more (see Figure 5).
Figure 5 Directory Utility lets you view attributes of users and groups
As I noted, there are several applications available that will help you manage Mac systems from Active Directory, and even from Group Policy itself—practically treating Macs as Windows systems when it comes to management. Take a look at applications such as ADmitMac or Centrify DirectControl, just to name a couple.
For years, connecting a Mac to Exchange meant that Mac users had to use POP3/SMTP or Internet Message Access Protocol (IMAP) access to Exchange, or simply use Outlook Web Access. All of these are subpar compared to the full Exchange/Outlook experience.
Both the 2004 and 2008 versions of Microsoft Office for the Mac provide Exchange support via Entourage (Mac OS X Mail can also connect to Exchange, but it lacks native calendaring). Though you don't get the richness of full Active Directory integration with the address book, you do get a much more robust push e-mail experience, along with meeting requests, contacts, and calendar, than you would using Internet-protocol access to Exchange. Entourage supports all recent versions of Microsoft Exchange.
An important note: Safari, Apple's default Web browser, only gets Outlook Web Access Light when connecting to Exchange via the Web. (At the time of writing, Internet Explorer is the only browser that supports full Outlook Web Access functionality.)
Network Access Protection
If you are using Windows Server 2008 and are deploying Network Access Protection (NAP), take note that Microsoft has licensed its NAP architecture to two vendors, UNet and Avenda, to build clients for the Mac (as well as for Linux).
OCS and Messenger
With its latest release (an update to the version that originally shipped with Microsoft Office 2008 for the Mac), Messenger for Mac 7 lets you chat with other MSN Messenger/Windows Live Messenger users. Equally important in a Windows organization, it now supports connecting to corporate deployments of Office Communications Server (OCS). The screenshot in Figure 6 shows the Corporate area of the Messenger Accounts settings, where you specify the information for connecting to OCS.
Figure 6 You can specify the information for connecting Messenger to OCS
Connecting Back to Windows
For some time, Microsoft has provided a version of the Remote Desktop client for the Macintosh. Last year, Microsoft released a great new version, Remote Desktop Connection Client 2 (updated again this year), that lets Macs connect back to Windows, even to Windows Vista or Windows Server 2008 systems. Figure 7 shows Remote Desktop for the Mac. This version supports drive, printer, and audio redirection, but lacks other device redirection. It also adds the ability to hold multiple simultaneous connections. Note that drive redirection exposes the Mac's local volumes to the remote Windows session, so enable it only for hosts you trust.
Figure 7 Connecting a Mac to Windows
Information Rights Management
As I noted in my November 2008 The Desktop Files column, Microsoft doesn't support access to documents protected with Information Rights Management (IRM) from within Microsoft Office for Mac 2004 or 2008 today (see "You cannot open documents protected with IRM on Office for Macintosh"). Both versions can open Office Open XML documents, Office 2008 natively and Office 2004 once the latest updates and the Open XML file format converter are installed. But neither can open IRM-protected documents directly, and Macs have no native way to interact with IRM-protected e-mail either.
If a Mac user needs to be able to access IRM-protected content, the most expedient way is to use one of the virtualization technologies for the Mac and to run a domain-joined instance of Windows, which allows for management and easier integration with IRM. The Windows system would be equipped with your enterprise-licensed copy of Office 2003 or Office 2007, configured to work with IRM.
The only complexity created by this solution is that you now have another Windows system to manage (in addition to the Mac). But that, of course, is one of the double-edged swords of virtualization—that Windows installations can propagate if not managed carefully. There is also the potential challenge of having to learn to work with Office on Windows, as well as on the Mac.
The only alternative to virtualization also involves a second Windows installation and is harder on the end user: a Boot Camp volume with Windows installed and configured as described above, but booted directly on the Mac rather than in a virtual machine. Let's briefly overview Boot Camp and virtualization on the Mac. Both discussions presume an Intel-based Macintosh. Legacy PowerPC-based Macs can only run Windows through software emulation products such as Microsoft Virtual PC, not true virtualization.
A Platform in Common
Several years ago, Apple moved from a PowerPC-based architecture to Intel x86, allowing commodity hardware to bring platform costs down while increasing performance. Just as important for some, Macs now had a platform in common with Windows, though Macs use the Extensible Firmware Interface (EFI) instead of a BIOS, and the GUID Partition Table (GPT) scheme instead of the Master Boot Record (MBR) scheme that Windows, 32- and 64-bit alike, requires on a BIOS-booted system disk.
The first Intel systems sold by Apple used 32-bit-only processors (Core Solo and Core Duo). All Mac systems sold today are x64-capable and have at least two cores, allowing for a very satisfactory experience with virtualization software, and even a great experience running Windows XP or Windows Vista with Aero natively via Boot Camp.
By using EFI and GPT (incidentally, both were designed largely by Intel and are used by the Intel Itanium 64-bit architecture), Apple avoided much of the legacy complexity of the BIOS architecture and allowed for much more flexible disk partitioning than MBR-based Windows. An MBR holds only four primary partition entries, describes each partition with 32-bit sector numbers (2 TiB with 512-byte sectors), and carries no integrity check. GPT was designed specifically to overcome these limitations: it uses 64-bit sector numbers, allows 128 entries by default, protects its header and partition array with CRC32 checksums, and keeps a backup copy of both at the end of the disk.
As a result of the move to an x86 architecture, a hacking community evolved around getting Windows XP to run on Intel Macs. The complexities here are significant, as 32-bit Windows supports neither EFI nor GPT. Apple created a simple utility called Boot Camp that was originally available as a beta download and is now included exclusively in Mac OS X 10.5. By providing BIOS emulation and a rather creative "overlay" partition format, commonly called a hybrid MBR, in which the disk carries matched MBR and GPT entries for the same partitions, Windows can boot from its own volume while the Mac continues on its volume. The catch is that the two tables are independent copies: a partitioning tool that edits one without updating the other leaves them out of sync, and whichever operating system trusts the stale table can then overwrite the other's data.
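The following is an added example, not code from the original article or from Apple, that shows what "matched MBR and GPT entries" means on disk. It parses the MBR and the primary GPT of a raw disk image in Python, verifies the GPT header and entry-array CRC32s, classifies the MBR as protective, hybrid (the Boot Camp layout) or legacy-only, and cross-checks every hybrid MBR entry against the GPT entry it is supposed to mirror. The disk image is constructed inside the script: the HFS+ and Microsoft basic data partition type GUIDs are the real ones, while the sector layout, partition names, unique GUIDs and disk GUID are made up for the example.

```python
"""Parse an MBR and the primary GPT of a raw disk image, verify the GPT CRC32s,
classify the MBR (protective / hybrid / legacy) and cross-check hybrid MBR entries
against the GPT entries they mirror. Added example; the sample image is constructed."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
PROTECTIVE_TYPE = 0xEE  # MBR type that marks the disk as GPT to legacy tools
# Real partition type GUIDs; everything else in the sample image is made up.
HFS_PLUS = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_mbr(sector0):
    """Return [(type, start_lba, size_in_sectors)] for the used MBR slots."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR signature")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        ptype = sector0[off + 4]
        start, size = struct.unpack_from("<II", sector0, off + 8)
        if ptype:
            entries.append((ptype, start, size))
    return entries


def parse_gpt(image):
    """Parse the primary GPT header (LBA 1) and its entry array, checking both CRCs.
    Returns [(type_guid, first_lba, last_lba, name)] for used entries."""
    hdr = bytes(image[SECTOR:2 * SECTOR])
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC is computed with its own CRC field zeroed.
    if crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != stored_crc:
        raise ValueError("GPT header CRC mismatch")
    entry_lba, count, entry_size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    raw = bytes(image[entry_lba * SECTOR:entry_lba * SECTOR + count * entry_size])
    if crc32(raw) != entries_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for i in range(count):
        e = raw[i * entry_size:(i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append((type_guid, first, last, e[56:128].decode("utf-16-le").rstrip("\0")))
    return parts


def classify_mbr(mbr_entries, gpt_parts):
    """'protective': a lone 0xEE entry. 'hybrid': 0xEE plus real entries (Boot Camp).
    'legacy': no 0xEE at all. For a hybrid, also return every non-0xEE MBR entry
    whose (start, size) has no exact twin in the GPT."""
    if not any(t == PROTECTIVE_TYPE for t, _, _ in mbr_entries):
        return "legacy", []
    if len(mbr_entries) == 1:
        return "protective", []
    gpt_ranges = {(first, last - first + 1) for _, first, last, _ in gpt_parts}
    stray = [(t, s, n) for t, s, n in mbr_entries
             if t != PROTECTIVE_TYPE and (s, n) not in gpt_ranges]
    return "hybrid", stray


def inspect(image):
    """Verdict for one image: MBR kind, stray hybrid entries and the GPT partitions."""
    parts = parse_gpt(image)
    kind, stray = classify_mbr(parse_mbr(image[:SECTOR]), parts)
    return {"mbr": kind, "stray_mbr_entries": stray,
            "gpt": [(name, first, last) for _, first, last, name in parts]}


def build_sample_image(hybrid=True, tamper=False, total=8192):
    """Constructed 4 MiB image: GPT with an HFS+ and an NTFS partition, plus either a
    protective MBR or a Boot Camp style hybrid MBR mirroring the NTFS partition.
    tamper=True shrinks the hybrid entry by one sector so the cross-check catches it."""
    image = bytearray(total * SECTOR)
    ntfs_first, ntfs_last = 4096, total - 42
    parts = [(HFS_PLUS, 40, 4095, "Macintosh HD"), (BASIC_DATA, ntfs_first, ntfs_last, "BOOTCAMP")]
    entries = bytearray(128 * 128)  # 128 slots of 128 bytes, stored at LBA 2..33
    for i, (tguid, first, last, name) in enumerate(parts):
        off = i * 128
        entries[off:off + 16] = tguid.bytes_le
        entries[off + 16:off + 32] = uuid.UUID(int=i + 1).bytes_le  # made-up unique GUID
        struct.pack_into("<QQQ", entries, off + 32, first, last, 0)
        entries[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    hdr = bytearray(92)
    hdr[:8] = GPT_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)  # revision 1.0, header size
    struct.pack_into("<QQQQ", hdr, 24, 1, total - 1, 34, total - 34)  # this/backup/usable LBAs
    hdr[56:72] = uuid.UUID(int=0xABCDEF).bytes_le  # made-up disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, crc32(entries))
    struct.pack_into("<I", hdr, 16, crc32(hdr))  # CRC field is still zero while hashing
    image[SECTOR:SECTOR + 92] = hdr
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries

    def mbr_slot(slot, ptype, start, size, active=False):
        struct.pack_into("<B3sB3sII", image, 446 + 16 * slot, 0x80 if active else 0,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, size)

    if hybrid:
        mbr_slot(0, PROTECTIVE_TYPE, 1, ntfs_first - 1)  # covers the GPT area and HFS+
        mbr_slot(1, 0x07, ntfs_first, ntfs_last - ntfs_first + 1 - int(tamper), active=True)
    else:
        mbr_slot(0, PROTECTIVE_TYPE, 1, total - 1)
    image[510:512] = b"\x55\xaa"
    return image


if __name__ == "__main__":
    for label, img in (("protective", build_sample_image(hybrid=False)),
                       ("hybrid", build_sample_image()),
                       ("tampered", build_sample_image(tamper=True))):
        print(label, inspect(img))
```

Run the file directly to see the verdict for the protective, hybrid and tampered variants. Fed the first 34 sectors of a real disk (for a standard layout, that is the MBR, the GPT header and the whole entry array), inspect() gives the same verdict; it checks only the primary GPT and does not read the backup copy at the end of the disk, which a thorough check should compare as well.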
Boot Camp is very easy to use; it repartitions the disk on the fly and helps install Windows. The only downside of Boot Camp is that in order to switch operating system environments, you must reboot the Mac into Windows, then reboot again to get back to the Mac. In short, it works—especially for technophiles like TechNet Magazine readers (but I have to say I don't like how inconvenient the actual process is).
If the user has an application that requires access to the actual hardware of the computer (such as a graphics-intensive application or a FireWire-attached peripheral), then Boot Camp may be just what is needed. But virtualization can provide much the same experience, though with some limitations. The largest problem with Boot Camp is probably the fact that in their native configurations, Windows can't access Mac HFS+ formatted volumes, and Macs can't write (though they can read) NTFS-formatted volumes.
I'd like to take a minute to describe two free utilities and one commercial product that make Boot Camp even easier to use. The free rEFIt utility lets you create more flexible boot configurations than the Boot Camp single-volume scenario allows for (only one instance of Windows can be installed via Boot Camp). Using rEFIt, I have a Macintosh that will triple boot between Mac OS X (installed first), Windows XP (installed using Boot Camp), and Windows Vista Ultimate (installed using rEFIt). Use rEFIt carefully (read the documentation); it is a very powerful tool that can harm your system if used improperly.
Also free, the NTFS-3G utility allows Mac OS X not only to read but also write to NTFS-formatted volumes. Finally, MacDrive 7 ($49.95/system) is, to my knowledge, the only way to give a Boot Camp-booted Windows volume the ability to read and write to a Mac OS X HFS+ formatted volume.
Though Connectix, the company that sold its emulation and virtualization tools to Microsoft, made a Virtual PC product for the Mac, this product was really an emulation, not a virtualization, product. Essentially, it emulated an x86 instruction set on top of PowerPC-based computers. The result was functional, but not exactly speedy enough for everyday use. Today, Microsoft's Virtual PC product will work only on legacy PowerPC-based Macs. But since Apple's much-talked-about move to the x86 architecture, at least three distinct virtualization products have been made available for the Mac. Some even offer GPU emulation, allowing more graphically intensive applications (or better yet, games) to run on the Mac—and do so with performance at or near running on physical hardware.
The predominant Mac virtualization products are VMware Fusion and Parallels Desktop for Mac. Both products allow you to boot the same Boot Camp partitions virtually as well as via Boot Camp (giving you the best of both worlds) and enable a "transparent" mode where applications running in a Windows virtual machine actually look as if they are running on the Mac directly. They also support drag and drop to and from the Mac and Windows virtual machine.
Note that virtualizing an IRM client can partly circumvent the IRM protection: IRM is enforced by the Office application and the Windows session it runs in, and the Mac host outside the virtual machine is not subject to those controls, so taking a screen capture of the Windows VM from the Mac side is trivial. But, as I noted in my November 2008 The Desktop Files column, IRM works well only until you hit "the analog hole," which is easier for a nefarious user to reach from a virtualized machine, something to be aware of.
Sure, it would be ideal if you could provide Mac (or any other platform) users the same experience as Windows users with the same ease of use. But some tools (such as IRM, SQL Server applications, or Microsoft .NET applications) cannot run natively and must be used from a Windows installation that is either running virtualized or under Boot Camp (or both). And any applications that require a high-end GPU or DirectX 10 must be run via a Windows installation running via Boot Camp. Virtualization provides a great bridge for applications that are Windows-only when you have users who need to use Macs.
With the move to an Intel x86-based architecture, numerous applications available natively, and strong virtualization/native-booting solutions available today, Mac/Windows platform interoperability is easier than it has ever been before. For the Mac users in your organization, the need to be isolated on a separate network, with no easy way to share files with Windows machines, is a thing of the past.
Wes Miller is a Senior Technical Product Manager at CoreTrace (www.CoreTrace.com) in Austin, Texas. Previously, he worked at Winternals Software and as a Program Manager at Microsoft.