The 2005 Apple Sysadmin's Wishlist
Volume Number: 21 (2005)
Issue Number: 1
Column Tag: Programming
by John Welch
What I would like to see from Apple in 2005
Welcome
With 2005 rapidly approaching (indeed, it will already be here as you read this), I think it's time to
list out the eleven things that I, as a sysadmin, would like to see from Apple. One thing that won't be on
the list: Tiger/Mac OS X 10.4. We know it's coming, and by now, any features are locked down. Besides, much of
what I want isn't tied to any OS version, so Tiger really has no bearing on this list.
11) A group calendaring system. The lack of integrated calendaring in Mac OS X Server is problematic. There
may be other products out there, from Kerio, MeetingMaker, Now, etc., but now you have a "groupware" tax on
top of what you're already paying to get what is, to many organizations, basic functionality.
By shipping an integrated groupware solution, Apple could provide the workflow hooks that make Exchange and
Domino such a value-add above and beyond email and calendaring. Heck, get Domino running on Mac OS X, and
ship a client that doesn't suck. (The Domino client, is, without a doubt the most difficult groupware client
to use. People use Domino in spite of the client, not because of it.) Outside of Outlook and Entourage, most
integrated groupware clients, on the Mac or otherwise are just nasty to deal with.
If Apple shipped a full groupware solution, with a good, easy to use, functional, scriptable, secure,
cross-platform client, they could, just like with the Xserve RAID, get their product into places that might not ever
consider it. There were a lot of people asking for this at the 2004 WWDC, and it stands to reason that the
complete set of sysadmins who want good groupware was not at the WWDC.
It's a hole in the feature set, and a market that is still, in spite of Exchange and Domino, a lot more
open than people think.
10) A better IT Pro section on the Apple web site. Apple still seems unsure as to how they should go about
supporting Enterprise IT. Right now, they mostly divvy it up between education and developers, and as a
result, most technical IT needs are left to be served by others. While Apple tends to say that this kind of
thing is a "third party opportunity", it ends up looking like Apple isn't really able to support the needs of
Enterprise IT. Apple's support for Enterprise IT has gotten better, going from actively hostile to just
on the better side of inconsistent. (Note: This is what the company as a whole projects. Almost everyone I've
talked to in the trenches at Apple, including a small number of marketing people, 'get' what IT wants. But as
a company, Apple still seems to think of IT in terms of K-12 and Higher Ed. This is probably not the case, but
as with anything, impressions are important, and Apple needs to do a better job of managing theirs.) The K-12
Educational resources page, http://www.apple.com/education/technicalresources/ billed as, "The single site for
all your Mac OS X technical questions" is not even close. There are some articles that don't really help much.
(While the article on porting VB code to RealBASIC is cool, a light perusal of the various IT-oriented Apple
mailing lists shows that this is not even close to a major concern for Enterprise IT customers.) There's an
article on a Directory Services plugin for Novell eDirectory (good), and there are ads for Tiger, and Apple
Certification, (standard for any company). As a marketing page, it's okay. As a technical resource, it's not
as good as it could be, except for the link to http://www.macenterprise.org/, which is the new identity of
macosxlabs.org. A good site, but foisting all of your IT info on volunteers is not how Enterprise IT views
vendor support. Apple's similar link for Higher Ed, http://www.apple.com/education/hed/admin/, is more of a
marketing piece than a technical resource, and doesn't really answer any questions. Oddly, there are more
links to information on financing Macs on this page than supporting them. Apple has an Enterprise IT section
on their developer site, http://developer.apple.com/enterpriseit/, but it is, not surprisingly, concerned with
corporate developers rather than sysadmins.
There is an IT Pro section on Apple's site though. It's found via one small link on the Mac OS X Server
site, and is at http://www.apple.com/itpro/. It's...a good start, but it's more of an
"IT Marketing" site as opposed to an "IT Help" site. There's no real meat here, just links to other people's
work, and lots of customer testimonials, good reviews, links to Apple products, etc. It says "IT Pro" but as
an IT Pro, there's not a lot of actual content that I could use on any given day.
If you're a sysadmin, dealing with support and integration issues, Apple's site has, outside of discussion
forums, and mailing lists, a paucity of resources.
While the IT Pro section is a start, it needs to grow. It needs to encompass every piece of hardware and
software Apple makes, because that's what a Mac OS X sysadmin has to deal with. When a new version of Final
Cut Pro comes out, there needs to be an article up that day on remote installing it. When there's a new update
to the OS, there should be a complete list of bug fixes and changes, complete with RadarWeb numbers up the
same day. IT Pros need details, technical details, because without them, we can't do our jobs well, and Apple
is not helping us out as much as they should.
9) Quality IT Documentation. This is another area where Apple is really hurting itself. Documentation is
tedious, unglamorous, thankless and absolutely critical. There's no excuse for the entire Open Directory
section of the command line docs for Mac OS X Server being six pages long, and consisting of not a lot more
than variations on "see the man page". The man page is great if you need pointers. It's not so great if you
need real examples to get you started. It's not so great if you need some tips on integrating things like dscl
into other tools.
Apple prides itself on Mac OS X Server being good for new administrators, but the documentation has, by and
large, little in the way of examples, and that can be a killer. Yes, you can eventually find the third party
sites and mailing lists and user forums that make up for this, but those should be a value-add for Apple's
information, not the only good source of technical IT information for Mac OS X (Server). I can find books on
Final Cut Pro written for Apple by Peachpit, but the sysadmin side of the house is kind of neglected here.
This may seem like a small issue to some, but when you're used to the IT-targeted documentation available
from other platforms, Apple's offerings are too lean.
8) Professional Quality Server Tools. Apple's developer tools are top-notch. They can hold their own
against almost any environment, especially when price is considered, and they're going to get better in Tiger.
Apple's Server tools? Not so good. For example, the only client management software that ships with Server by
default are some poorly documented command line tools, and Workgroup Manager, (WGM).
That's not enough. If I'm setting up a copy of Mac OS X Server, I need to have real client management
tools. Not just the MCX (Managed Client for OS X) stuff in WGM, but tools that let me get information from
clients in a meaningful way without paying the ARD, (Apple Remote Desktop) tax. There's no way to actually
view the structure of your Open Directory, (OD) setup. You can sort of view the raw data in WGM, but it's a
disjointed view.
Server Admin is a great tool, but there's no easy way to extend it. Apple still hasn't published the API
for this, and that's a mistake. One of the smartest things Microsoft ever did was the MMC concept, where you
can write and distribute custom snap-in additions to the Microsoft Management Console. You can find all kinds
of really neat snap-ins out there, and you can modify the default ones if you like. There's no way Apple can
create the One True Tool. It's not realistic to even think you can. But, by allowing others to simply and
easily extend Server Admin, sysadmins can take the basic tool and make it work for them, and then share it
with their peers, so that Mac OS X Server gets a little better with every user.
Workgroup Manager needs to be integrated into Server Admin; the justification for them being separate tools
is long gone, and has been for some time, since Panther really. Client and user management is part of server
management, period. This would help with a lot of things that are just too tedious on a Mac. For example, when
I join a machine to an Active Directory domain, there's a lot of basic setup done on the spot. I don't have to
manually enter in a ton of information at the server, manually set up DNS, etc. Apple needs to get Mac OS X
Server and Open Directory to that level of use.
7) Straighten out support definitions. Apple has a real issue with this, especially the Xserve support. The
term "Up and Running" is too vague. If you buy an Xserve to help you link MCX clients to Active Directory,
that Xserve "Up and Running", as you'll find out, won't do you any good. That's considered networking
integration, and for that, you need a different support contract.
That's part of the Mac OS X Server Software Support, which covers OS X server issues, and it costs six
thousand dollars at the low end. For that you get unlimited Help Desk and 10 Enterprise-Level support
incidents. What's the difference? Help Desk covers Hardware diagnostics, installation, and support for system
configuration, server administration, and network administration from the GUI. However, that does not include
"advanced services" (A somewhat nebulous term from Apple), or Workgroup Manager integration with third party
directories. It also doesn't include any command line help, cross-platform home directory integration,
cross-platform file and print, Application server support, or WebObjects deployment support. Not programming,
deployment. It does however include Video applications. So, six grand gets you better support for Final Cut
Pro than an Open Directory Master problem, at least according to Apple's chart.
That's a real problem for sysadmins trying to justify this contract. I have no problem with great support
for Apple's video applications, but to give you unlimited support for Final Cut Pro, yet make you spend
incidents for even basic command line support is a real problem for sysadmins. It's almost impossible to set
up an Open Directory domain without needing the command line, and Apple's paucity of good command line
documentation, or any documentation beyond "Use the GUI tools" is a guarantee that you're going to need to eat
up incidents.
Apple has to redefine basic server setup to be more than a computer lab with an iBook cart. K-12 and Higher
Ed are not the only uses for Apple hardware and software anymore, but the way this support system is
structured, you can still see that assumption. This has to become more equitable for people doing the grunt
work so that artists can use Final Cut Pro. Making a sysadmin use incidents for what is considered by most to
be "basic" setup is a bad decision, and to essentially charge $600 per incident is even worse. No one expects
quality vendor support to be cheap, but it has to provide real value.
6) Fully support AppleScript Automation. This could also be called "Fish or cut bait". AppleScript is a
great technology, on top of a great architecture, and it's been hobbled for years by indifferent support from
the top. The core AppleScript team does a fantastic job, along with the AppleScript Studio team, but they're a
very small group, and they can only deal with the core OS and Xcode.
Application support is up to the application teams, and if they don't want AppleScript, then we as users
and administrators don't get it. The big glaring example is the "Pro" apps. "Pro" seems to mean "Professional
Artist" not "Production Environment". Yes, some of the pro app components are scriptable, but Final Cut Pro
and DVD Studio Pro are not. Keynote is not automatable, although PowerPoint is. (Yes, on a non-OS level,
Microsoft supports AppleScript more consistently than Apple.) Keynote 2 has an AppleScript dictionary, but the
entire Keynote section is almost entirely read-only, so it's of little use to scripters, and Pages is not
scriptable at all. As well, XML doesn't count in this case. What I am talking about is procedural automation.
In other words the script replicates and extends the manual actions. XML is great for data collection,
aggregation, integration, and presentation, but it's not going to duplicate folder actions. That's not a knock
on XML by the way. It's just acknowledging that there are things XML is not designed to do.
This is not limited to Pro applications. Even sysadmin apps, which are used by automation fiends as a rule,
get short shrift here. Apple Remote Desktop 2.1? Not automatable. Out of all the Server tools, Server Admin
is the only one that is directly scriptable, but just barely. Yes, you can get a lot of the server tools stuff
done with shell, but without proper documentation, that's really difficult, and if done right, AppleScript
allows you to record actions, which I have yet to see happen with shell, at least in Mac OS X.
Even in the OS, support is spotty. Setting up a network config is still far easier in Mac OS 9 than Mac OS
X with AppleScript, or shell for that matter. It's painful to do in shell if you don't have ARD 2.1 clients
installed on the system. If you do, then you can use shell with
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup and it's a little
easier. That client also gives you access to systemsetup in the same directory. Very handy, albeit hidden
away.
If you want to create a printer, something you could do in Mac OS 9 with AppleScript, actually in Mac OS
8.6 through 9.2.2, you have to use lpadmin, which isn't hard, but not real straightforward. (Here's a tip...the
Printer Name you see in Mac OS X is actually the lpadmin printer description).
But there's a greater point here. Steve loves to talk about "eating our own dog food". "Apple eats its own
dog food". If AppleScript is indeed a critical technology, then show it. Mandate it in everything Apple makes,
not just the free stuff, or the geeky stuff. Adobe resisted automation for years until Cal Simone and
Photoscripter showed them how wrong they were. Now even After Effects is scriptable. So is Media 100. Even in
the creative industry, even in film, there are a lot of people doing repetitive work who would benefit from
automation. There are a lot of really cool things that you cannot predict you will do with AppleScript, yet
when you make it available, cool things happen. (Carbon Copy Cloner being a great example of what AppleScript
Studio gave the Mac community). AppleScript, like Cocoa and all the rest is an enabling technology, a "force
multiplier" if you will, and to only "kinda sorta" support it is hampering a really excellent tool.
5) A Sysadmin Version of The Developer Connection. Right now, the only program of worth to a sysadmin is
Apple's developer program, and while it's not a perfect situation, it's better than nothing. The Apple
Consultant Network (ACN) program, while great for consultants, is not really set up for IT administrators. (As
an example, the ACN referral program, where you can register for client referrals from a local Apple Store is
a little useless to someone who is an IT administrator, not a consultant.)
We need a program designed for us. Where, instead of a DVD full of APIs, we also get sample scripts for
remote LDAP configuration, and examples of problem resolution. Basically, for internal IT shops, we need a
direct line to all the documentation and experience that Apple's SE's rack up every day. (No, this wouldn't
hurt the SE's ability to earn a living. In fact, it would enhance it by turning them from yet another
consultant to a valued, and trustable resource. They'd probably, in the long run, MAKE more money for Apple
because they'd be seen as being useful outside of a contractual obligation.)
We need a program that understands that in the Enterprise IT world, there is no such thing as a homogenous
network, so we need reliable, reproducible information that lets us integrate our Mac OS X networks with
everything else. We need seed programs that are designed for our needs outside of what developers want. We
need support lines ala Developer Tech Support, (DTS), that allow us to get the same kind of support as with
DTS, but for sysadmins. Without a six thousand dollar contract.
We need for Apple to create something akin to IBM's Redbook concept, where you can tap into Apple's
internal support library. Having one or two people from Apple's internal IT organization give a session at the
WWDC once a year isn't enough.
4) An Apple World Wide Sysadmin Conference. Anyone who was at the 2004 WWDC can back me up here...there
wasn't enough room for all the sessions. The Enterprise IT track was consistently packed full. Yes, there is
overlap, but not that much. It's a disservice to IT people to have to watch tapes of an earlier session
because the Enterprise IT track couldn't get the big room. It's a disservice to developers when the same thing
happens to them.
The Sysadmin complement of the WWDC is growing rapidly every year, and there's no reason to think it will
slow down. If anything, the new features in Tiger will accelerate this trend. It's time to split the
Enterprise IT track into its own conference. Yes, it will mean a drop in the attendance of the WWDC, but
that's not a bad thing. For one, the WWDC has always been small. 5,000 attendees is an astounding number.
Secondly, it would allow for more in-depth sessions at each conference on the issues that matter the most to
the attendees. It would allow for greater offline conversations with attendees and Apple/ISV engineers. These
conversations are at least half the value of a WWDC for me, and many of my compatriots, so increasing the
number of these is a good thing.
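Finally, it would make it easier for sysadmins to go to the conference at all. It can sometimes be very
hard to convince the powers that be of the fact that yes, it's called the Worldwide Developer's Conference,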
but a good fifth to a quarter of it is all IT. If the Enterprise IT component increases, the conference is
going to get overloaded, and become gradually less useful to the attendees.
3) More partnerships with existing IT ISV's. Apple doesn't need to be the sole provider of every tool that
a sysadmin needs. In fact, it shouldn't try. But it does need to create more partnerships with various
companies in the IT space so that sysadmins have more tools to work with. For example, DB2, (or whatever it's
become) should have a Mac OS X version. While surveys and customer demand can help, Apple needs to be taking
the initiative here to work with IBM to get its enterprise DB running on Mac OS X.
There are dozens of existing SAN products, yet the only one with explicit Mac OS X support, (via XSAN) is
ADIC's StorNext. That's because XSAN is StorNext. Yes, XSAN will be a great product, but sometimes, people
already have an existing SAN implementation, and Apple needs to do what it can to make sure that the Xserve
can plug into those implementations with a minimum of fuss. There's no reason that people should be forced to
exclude Apple's enterprise products because they didn't buy the one SAN that Apple can play with. There's no
reason why integrating with Active Directory should still be as painful as it is, even with the Panther AD
plugin.
Partnerships are the name of the game in this space, and if Apple can do it with the iPod, they can do it
with the Xserve and Mac OS X Server.
2) More sysadmin-targeted feature integration. This may seem to be a part of item 8), but it deserves its
own bullet. There are a lot of really useful open source network utilities, such as Nagios, Snort, MRTG, etc.
that don't have binary installers for Mac OS X, or take a lot more configuration to work with Mac OS X, etc.
Mac OS X may be a Unix derivative, but despite POSIX dreams, Unix is not Linux is not BSD. Apple needs to,
for Mac OS X Server at the very least, start making things like MRTG, RRDTool, etc., a standard part of the
Server tools, and integrate them with Server Admin. Running a network is more than just application/ther
services, and user/computer management. A huge part of it is the management of the network as a thing unto
itself, and Apple needs to make Mac OS X Server, out of the box, be able to not just be a human network
management system, but also able to take over and monitor a network outside of Open Directory.
Note: It doesn't just have to be Open Source tools either. Apple already includes limited versions of third
party tools such as Intermapper, or LanSurveyor, etc. But they're not a part of Mac OS X. Bundling isn't
enough. Work with Neon, Dartware, etc. to create Server Admin plugins so that these tools can be run from the
same console, ala Microsoft's MMC concept.
Within this concept, create a DVD/CD installer version of Mac OS X server that can run these tools ala
Knoppix. There are cases where you need an always-clean version of various network utilities, and the
Knoppix concept is a great one. Boot from a DVD, and you have a complete network toolkit in your hand with a
great UI to boot. If nothing else, consultants would throw flowers at Steve Jobs' feet for the capabilities
this would give them. Apple really needs to expand its definition of network management. It isn't just file,
print, web, and MCX anymore.
1) Citrix capabilities in Mac OS X Server. This was one of the most consistent requests at the WWDC, and I
was only one of many people making it. A low-bandwidth GUI remote login is a major feature for any server
OS. I don't ever use Virtual PC for my Windows administration tasks, and I haven't used the keyboard on my
Windows box in a year. I just use Microsoft's RDP client, and run my network from there. I can RDP into any of
my Windows servers to administrate them from any Mac in my company, and have all my tools at my fingertips
with a lot more speed, and a lot less sacrifice of disk and CPU to the VPC gods. I would love to be able to do
the same with my Xserve, without the network overhead of ARD, or the limitations of SSH.
This would be a huge boon to anyone wanting to more centrally manage their networks. It makes application
maintenance a breeze. The only physical copy resides on the server, everyone else remotes in to use it. It's
great for remote work over slow lines. I can get better than VPC performance over a modem with a B&W G3 via
RDP, and have fewer installation headaches.
While NetBoot is a way of providing this, it's far more limited. You need fast networks for NetBoot, a LOT
of storage on the server end, and it's never going to work on anything but a Mac.
Terminal Services for Mac OS X server, especially with non-Mac clients would make Mac OS X attractive to
places that wouldn't consider it, the same way that the Xserve RAID's ability to function outside of Mac OS X
made it more attractive and gets Apple into shops they'd never be in otherwise. It would be huge for lab
administrators who can't yet afford a massive hardware upgrade.
It would end up being a profit generator for Apple, since they could make money on the licensing, (I don't
care what Apple's margins on hardware are, selling a terminal server license makes them a lot more profit,
percentage-wise, per sale), and it would be a profit generator for Mac OS X ISVs, for the same reasons. It's a
win-win for Apple all the way, and it should have been a part of Panther Server.
Conclusion
There you have it. My big wish list for Apple and Mac OS X. I don't expect to see all eleven points handled
by the end of 2005. If three go away, I'll be ecstatic. But you have to start somewhere. Next year at this
time, we'll take a look at what happened throughout the year, and what we need to add, or subtract from the
list. Hopefully, the list will be noticeably smaller.
John Welch, jwelch@provar.com, is an IT Staff Member for Kansas City Life Insurance, a Technical
Strategist for Provar, (http://www.provar.com/) and the Chief Know-It-All for TackyShirt,
(http://www.tackyshirt.com/). He has over fifteen years of experience at making Macs work with other computer
systems. John specializes in figuring out ways in which to make the Mac do what nobody thinks it can, showing
that the Mac is a superior administrative platform, and teaching others how to use it in interesting, if
sometimes frightening ways. He also does things that don't involve computertry on occasion, or at least that's
the rumor.