Posted on 10-01-2014 02:48 PM
Hey everyone, I am pretty new to Casper and the community and thought why not break the ice by asking a general question. What is the advantage of using Casper Suite over SCCM? Our company currently uses SCCM to manage our Windows users and they are stating that it can do everything Casper can do for Mac as well.
I did some research and came across http://blogs.technet.com/b/pauljones/archive/2013/06/02/managing-mac-os-x-with-system-center-2012-configuration-manager.aspx . I know there are differences; I am just wondering if someone could point out some of the major advantages to Casper over SCCM.
Posted on 10-01-2014 03:54 PM
OK, biggest drawbacks are:
It can't do OS deployment, so if you need to take a machine and put an image on it, you'll need to do this with something else, i.e. netboot/netrestore or DeployStudio or something similar.
It can't install packages in unattended mode. So basically if you have a bunch of machines sitting at the login window that you wish to deploy software to, it can't do it. When a user logs in they will get a prompt to install each item you have targeted to the machine; the user must accept and wait for the install to happen. Or the user can ignore the prompt and the software will not be installed.
It will not force install packages on deadline even though you specify it. This again goes back to not being able to install software unattended. A user is prompted to install, but can simply dismiss this and the software does not install.
Support is terrible: over 4 months from the public release of 10.8 before they added support for 10.8 by releasing a new SCCM Agent. Without this update 10.8 clients could not connect to SCCM at all.
Currently still broken with 10.9.3+ clients. There is a dylib called MACVideoController.dylib; this gets installed by the SCCM client package. On a 10.9.3+ machine this crashes the SCCM agent and prevents it from communicating with the SCCM server. You must delete this MACVideoController.dylib to fix the issue; however, this also prevents SCCM from being able to get inventory about the video controller for the machine.
Your application packages must be wrapped in a special .cmmac format, which is kind of a zip format. There is a restriction on the size of these files of 4GB, so if you're trying to package a large installer, i.e. Adobe CS, and the package is larger than 4GB - no dice, you can't wrap it in .cmmac and so you can't deploy it with SCCM.
MS official support for OS X releases is "within 180 days", so you could be waiting months for them to provide support for a new OS. Going on past history, 10.8 took 4 months. Don't hold your breath for quick updates to support Yosemite - especially considering that the 10.9.3 bug was reported to MS in May 2014.
No FV2 encryption key escrow
It cannot do remote control - you will need to enable remote management via a script and then use a Mac to connect to a remote Mac. Or set a VNC password and access the Mac via a PC using VNC.
The inventory information is very basic and I don't believe you can do custom inventory items - I would have to double check that, but from memory you can't - so in Casper it's trivial to add an extension attribute to, say, get information on a client about, for example, whether the bash shell is vulnerable. This would not be possible in this way using SCCM inventory.
It doesn't do MCX
It doesn't do config profiles
No VPP for applications on the App Store
It's not an MDM - so no APN for config profiles etc.
For iOS you need to use InTune, i.e. public cloud
For every setting you make via compliance in SCCM, you need to test for a setting first, i.e. check Gatekeeper status via a script, then write a conditional, i.e.: if the result of the Gatekeeper status script is off, then run the remediation script which enables it. Tedious to say the least. So you will need to maintain a massive amount of scripts, and your scripts will need to take into account all versions of OS X that you manage and have logic to run the correct commands for each OS version if there is a difference, as SCCM cannot target the OS correctly for 10.9+ clients; you need to target to ALL OS versions.
Enrolling the client into SCCM will require the end user to enter their AD account credentials. So if you have a freshly imaged machine or a machine out of the box, how do you enroll the machine without an account on there? You can create a package of the SCCM client package and run a postflight script that does the work, but you will need to use the expect shell, as the SCCM client binary does not support putting the username and password into a command line argument; instead it requests an interactive prompt for the user password. You will then need to install this package as a first boot install package via DeployStudio or a similar tool.
I guess it could be useful if you have like 10 Macs that are owned by say senior executives and they need some basic apps and basic config like wireless network settings and the users can be trusted to install the
If you have a decent amount of Macs and you need to go from out of the box to desired state in an automated fashion, then it's not really possible with SCCM.
There's a bunch of stuff I've missed for sure, but that's just off the top of my head.
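The check-then-remediate pattern the post above describes for Gatekeeper, written out as an added example (not code from the thread, from SCCM or from Casper). The function names and the `REMEDIATE` switch are hypothetical; `spctl --status`, `spctl --master-enable` and `sw_vers -productVersion` are the OS X commands of that era, and the `<result>` line follows the Casper extension attribute output convention.

```shell
#!/bin/sh
# Added example: detection and remediation kept as separate, testable steps.

# Map the text printed by `spctl --status` to on / off / unknown.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo on ;;
        *"assessments disabled"*) echo off ;;
        *)                        echo unknown ;;
    esac
}

# Succeeds if the OS X version ($1, e.g. 10.9.5) is 10.8 or later.
# Simplification: 10.7.5 also shipped Gatekeeper but is treated as unsupported.
supports_gatekeeper() {
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    # Reject anything that is not purely numeric (malformed version string).
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 8 ]; }
}

# Decide what to do. $1 = OS version, $2 = raw spctl output.
# Prints one of: skip / compliant / remediate / error.
plan_action() {
    supports_gatekeeper "$1" || { echo skip; return; }
    case "$(gatekeeper_state "$2")" in
        on)  echo compliant ;;
        off) echo remediate ;;
        *)   echo error ;;   # unparseable output: report it, do not guess
    esac
}

# Query the real system only when spctl exists (i.e. on a Mac).
# Remediation runs only when REMEDIATE=1 is set; it requires root.
run_check() {
    command -v spctl >/dev/null 2>&1 || { echo "<result>not a Mac</result>"; return 0; }
    os=$(sw_vers -productVersion)
    status=$(spctl --status 2>&1)
    action=$(plan_action "$os" "$status")
    if [ "$action" = remediate ] && [ "${REMEDIATE:-0}" = 1 ]; then
        spctl --master-enable && action=remediated
    fi
    echo "<result>$action</result>"
}

run_check
```

Run without `REMEDIATE=1` it only reports, which is the detection half; with it set, the same script covers the remediation half for every OS version it is targeted at.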
Posted on 10-01-2014 02:56 PM
Does SCCM escrow FileVault 2 Recovery keys now? At one point it did not when our internal SCCM team came knocking and saying they could replace Casper here. One mention of the FV2 Recovery keys (we use FV2 here) was all it took to shoot down that argument.
Other than that, I can't say I know too much about SCCM's Mac management capabilities. I believe it treats Macs as if they were iOS devices, meaning, it can deploy Config profiles, but can't manage items like MCX if you had a need for that, and also doesn't do as well with things like script running.
And then there's Casper's Self Service.app. I don't know that there's an equivalent for the Mac offered by SCCM. I know they have a Windows product that is like that. That I have seen, and it's nowhere near as user friendly as Casper Suite's Self Service.
Posted on 10-01-2014 03:09 PM
Currently we do not utilize FileVault 2 on our Macs but I am trying to push this because of stolen devices in the past with sensitive information on them. I know SCCM can do some basic stuff like inventory, package distribution, remote control, etc.
Our SCCM guys are essentially saying why pay for something else when we already have a license for SCCM that can do this.
Posted on 10-01-2014 03:33 PM
Yeah, that's the standard boilerplate argument of all IT groups that only think of money and not the actual experience and reliability of managing a platform. I'm not trying to say anything bad about your SCCM team. The ones I work with are very nice people, and yours may be as well, and they mean well I'm sure, but the problem here is that unless they have actual experience managing Macs, all they're doing is looking at a bullet point list of capabilities published by Microsoft. Once you actually put it into practice, it's a whole 'nother ball of wax.
I believe JAMF has a paper out there on their site labeled something like "Best of Breed vs Single Console" that you may want to look for. Essentially, the 'single pane' for management is the elusive holy grail of IT. It's a fallacy. It doesn't exist in the real world, at least not if you expect to be able to effectively manage your diverse array of systems. No matter what Microsoft wants to claim about their Mac support in SCCM, Macs are still pretty much an afterthought for them. As I say, I think they only started adding in support after Apple introduced MDM into the platform with 10.7 Lion.
Compare this to JAMF, who, as an organization, have dedicated their entire existence to managing Macs. I would say that probably every member of their staff, save possibly some folks in finance and HR, know Macs better than the back of their hands. And I'd even bet the finance and HR people can probably manage a large number of Macs better than your average IT goon out there just because they work for JAMF! :)
Also consider day one support. OS X 10.10 Yosemite is going to be released "any day now". Will SCCM support it on day one? Perhaps, but perhaps not. Will JAMF support it day one? You betcha. That might not seem so important, but tell that to the C level exec who buys a new Mac and expects you to be able to support it out of the box. You don't want to have to tell them support for the new OS is coming and not to use it until such time.
Anyway, hopefully the above gives you some talking points. Also, do a search here on JAMF Nation. I know there's another thread that talks about SCCM vs Casper Suite already and may have additional good information.
(Edit: Did a quick search - here's the other thread: https://jamfnation.jamfsoftware.com/discussion.html?id=6338)
I wish I knew more about how SCCM actually works on Macs, but as I say, it's never seen the light of day here on our OS X systems so I can't really speak directly to that.
Posted on 10-01-2014 04:23 PM
That's an awesome run down of issues @calumhunter! :) I'm going to bookmark your response in case I ever need to revisit this topic where I am. It's pretty hard to argue against all that!
Posted on 10-01-2014 04:54 PM
I've just finished writing a 20 odd page proof of concept about it for the org I'm working with. ;)
This is all with 2012 R2 by the way.
I'd make the entire document public but it's way too environment specific. I think if the above issues don't sway the company away from using it, then you should probably start looking for a different company to work for haha.
Oh, one more I just remembered!
When it caches a package it caches the .cmmac file into /Library/Caches, then it unpacks that into your original .pkg file, then it installs it (if the user chooses to, of course).
But it never removes the .pkg file or the .cmmac files!
Posted on 10-01-2014 05:00 PM
My biggest argument is doing anything in SCCM seems to require about 14 million clicks and endless wizards and you have to know the damn thing backwards otherwise you always find yourself in the wrong place. Casper by comparison is ridiculously easy once it's up and running and it's really obvious what's happening.
Posted on 10-01-2014 05:03 PM
What do you mean? What could be simpler than using WQL to query the database? Smart groups? Why bother!
Posted on 10-01-2014 05:05 PM
I'm doing both independently - SCCM 2012 R2 on the PC side and Casper on the Mac side and never the twain shall meet.
I'm thinking of adding the SCCM Client to those Macs that we installed BC/Parallels on, just to see how often it's used.
Posted on 10-01-2014 05:14 PM
Oh, if you enroll a Mac into SCCM, and then wipe the machine, re-image it and enroll it again, it creates a duplicate computer record in SCCM. This duplicate record does not get marked as obsolete either, it just hangs around chillin'. Would be nice if SCCM actually worked out via the MAC address or serial number that "hey, hold on a minute, this is the same machine, maybe I should overwrite the existing record or mark it as obsolete and create a new one."
Posted on 10-02-2014 07:16 AM
That was indeed an amazing response and exactly what I was looking for, @calumhunter, thank you! I am also going to be writing up a document that shows the benefits of Casper Suite for our growing population of Mac users.
Posted on 10-02-2014 08:57 AM
Bottom line is, a generic tool that offers limited support for a platform is far less useful/productive than a platform-specific tool that has a history of 12 years of development behind it.
Posted on 10-02-2014 11:14 AM
One common response I've seen from higher-ups at two large ad agencies now is that they want all patching/security logs in one place. That's short-sighted, to me, to insist on a less-functional product, but I understand the desire.
Make sure that you have a good understanding of what kinds of patching logs are required to satisfy any applicable regulatory or contractual obligations (SOX, HIPAA, MSAs, whatever) and then show what kinds of output Casper can create for those tasks (ie upgrading the OS, installing security updates, etc).
Posted on 10-02-2014 12:34 PM
@calumhunter, great post. Have tweeted it & emailed to my boss. :)
Posted on 10-02-2014 04:02 PM
@calumhunter - nailed it.
Posted on 10-02-2014 04:15 PM
Thanks guys, I'm glad it was helpful!
Posted on 10-02-2014 04:51 PM
I knew I was right to run them both exclusively.
@calumhunter - nailed it for me too.
Posted on 10-03-2014 09:16 AM
@calumhunter have you done any testing with the Microsoft System Center Endpoint Protection (SCEP) client? We are considering switching to SCEP from McAfee EPM in hopes that it will eliminate our frequent 10.9.x lockup issues caused by On-Access Scanning, but our SCCM expert hasn't had a chance to install it for us to perform testing.
Posted on 10-03-2014 09:22 AM
@dwandro92 - you may want to read through this thread:
https://jamfnation.jamfsoftware.com/discussion.html?id=12006
Short story is, there's a HotFix now (HF983119) from McAfee to address the OAS lock up issue. We went through that hell and finally got McAfee to work on a fix. You may want to talk to your McAfee rep about getting that patch from them. To my knowledge they have not rolled it into their full product. It's a HF that needs to be set up within EPO and pushed to clients for the moment.
OTOH... it's not a bad idea to look at another AV product. We're not thrilled with McAfee here either as you can imagine. So maybe check out SCEP first?
Posted on 10-03-2014 09:28 PM
@dwandro92
Yeah, I've used SCEP a little bit, it's basically a rebranded version of ESET. It doesn't integrate with SCCM at all like on Windows, so you don't get any reports from it or the ability to make any policy settings to it.
It seems to work OK on the machines that I have it installed on, i.e. no lockups or noticeable performance hits - but every environment is different.
I've heard good things about Sophos though, if you're looking around for other AV products.
Posted on 10-16-2014 06:53 AM
I'm not opposed to using SCCM for single pane reporting, as that is likely what management is ultimately interested in. With that in mind, why not go with JAMF's SCCM plug-in so that reporting can be done through SCCM while the management remains on the better system?
It doesn't have to be either-or most times. And offering up that solution might help bridge the divide between groups which can be seen as traditionally competing.
Posted on 10-16-2014 08:33 AM
(slightly OT) +1 for Sophos AV on 10.9+. I even started installing their free home version on my personal gear. I'd run screaming from McAfee.
Posted on 12-02-2014 04:38 PM
Just an update to an old thread but I have had a further look at SCEP 2012 with a bit more detail and have found that it does in fact cause a fair performance hit on the machine.
Here are my notes:
SCEP 2012 version: 4.5.18.0
Mac OS X versions: 10.9.5 and 10.10.1
Real time protection: Enabled (default)
Notes:
First noticed the performance degradation when copying large files around the file system and pulling down large files from remote servers.
Further investigation revealed that during these large file copy actions, or creation/modification of large files (i.e. Photoshop/iMovie/Final Cut), the scep daemon process would use a large % of the CPU, reducing the performance of the machine.
Here is an example where I am copying about 5Gb of files to a disk image.
The scep_daemon is pegged at around 40% CPU usage for the duration of the file copy as shown in this image:
Investigating the disk IO speeds, a monumental slow down was also observed.
Again copying a collection of about 5Gb of files to a disk image the following average disk IO speeds were noted as per this image:
Disabling real time protection and performing the same 5Gb copy resulted in the scep_daemon occupying only about 1% CPU usage
Disk IO performance was hugely increased with average speeds as shown in this image:
These speeds are what I would expect to see as the machine is configured with a SSD.
Posted on 04-14-2015 03:31 AM
Thanks for this! Used to create a document for management who are getting hassled ..
Posted on 07-30-2015 08:44 AM
Hi @calumhunter would you be willing to share the PoC document you created? I know you mentioned it being too environment specific, but we're engaging with a government agency on managing Macs with SCCM and would like to provide as much insight on the limitations. Let me know and thanks...
Posted on 07-30-2015 04:57 PM
@Huber Might have something for you, shoot me an email. My contact details are in my profile
Posted on 07-31-2015 05:18 AM
@kevinfriel and @seansb spoke about SCCM vs Casper at the last NYC JAMF User Group. They have not had a chance to post their slide deck, but I'll send them this way. They are also on the Slack channel often.
Posted on 07-31-2015 08:15 AM
@calumhunter sounds great...no email in your profile, but I sent you an invite on LinkedIn. @mmdowjones thanks for the connect to @kevinfriel and @seansb This is a great opportunity to get JAMF deployed in a very large government agency, so looking to equip them with all relevant and necessary comparison info up front.
Posted on 05-23-2016 01:44 PM
Bringing it back up...I know this has been talked about forever in various ways, but...
So we are finally deploying the new SCCM 2016 client to our Windows systems and one of our Windows Desktop Engineers said, "Now we can work on pushing apps to the Macs in the future." Needless to say, after being on that team back in the day and as stretched as they are, I cannot imagine managing Macs with SCCM 2016. I am a firm believer in best tool for the job.
Has anyone worked with SCCM 2016 and checked it out in terms of Macintosh support? I am curious if the deficiencies are still there. What will SCCM 2016 NOT do in terms of supporting the Macs in a Casper like way?
Thoughts?
Posted on 06-21-2017 10:23 AM
Hey guys-
So sitting in the same boat now as a lot of you. I've been able to successfully shoot down using SCCM on our macs in the past, but we have new management now who is pushing it pretty hard. Most of the information here is about 2-3 years old, so I was wondering if everything is pretty much the same? Or has Microsoft made some strides in Management for Macs? I know JAMF will always be the better Mac management tool, but I need some more firepower to convince the big wigs.
Thanks!
Posted on 06-21-2017 12:50 PM
Our environment is very hybrid: 25000 iPads, 15000+ PCs/laptops with lab setups and 3000 MacBooks, and only 1.5 people to manage them. We use SCCM along with Parallels for MacBook management for MacBooks and JAMF for iPads; it has worked extremely well and the Parallels streamline integration into SCCM was straightforward. Cost differential is minimal and re-imaging of MacBooks is less than 15 minutes. Our focus was on getting the devices into the hands of the users in the least amount of time. Just some food for thought is all.
Posted on 06-22-2017 07:44 AM
@pdye I'm not sure if anything has changed with MS and how they handle Macs. When I had to defend our use of Casper, we worked with some MS engineers and what SCCM could do was eclipsed by what it couldn't do. It's not feature for feature the same as with Windows clients. And what it could do was basically accomplished by using scripts to fill the holes of what it could not do natively. I'm pretty sure I know that Mac management is not a priority for them. I'm not familiar with the Parallels addition... but that to me basically means that SCCM can't do it on its own. (My opinion, yours may vary.)
Again, the most important thing to do is to define what Mac Management means in your organization. What are your requirements?
Is FV2 key escrow important? Can SCCM handle MDM yet? On its own?
And if cost or a single pane of glass is the reasoning for Mgmt, you'll need additional tools to do the work and @bake33 proves the point with the addition of Parallels they use.
Posted on 06-22-2017 10:38 AM
From personal experience, we are a 'Microsoft Shop' and wanted a single pane of glass to manage all our devices. After reviewing a few options, we chose JAMF over Parallels Mac Management for SCCM. Our product team sat through sales pitches from all vendors and we settled with JAMF. I couldn't even imagine trying to manage those Macs on SCCM without Parallels.
SCCM is powerful, but seems archaic as it's been in development for so many years. JSS is clean, and simple to use yet extremely robust.
Posted on 06-30-2017 09:26 AM
Having been an SCCM admin for 10 years and a Casper admin for 6 years now, I can honestly say..... Let SCCM manage Windows, and JAMF manage Macs.
It becomes very clear who the Windows people are on Macs, and the Mac people who are on Windows, when writing scripts, packaging, and in general just managing. They generally follow or lean towards one or the other. (Trying not to sound too cocky.) I myself am one of the rare breed that doesn't mind learning either, a breed that is few and far between.
In contrast to the whole "letting SCCM manage Mac" question. You wouldn't ask JAMF to manage Windows. The instant response going through you now is "hell no". Why?... Because they don't specialise in that platform. They "dabble" but really have no interest.
To my fellow SCCM guys out there, lay off trying to sell SCCM to manage Macs. It's Microsoft's plaything that they "dabble" with and don't put many resources into. Yes, it can do (very lite, if that) Mac management, but it's a drop in the ocean when compared to JAMF and other products.
JAMF is the most popular tool for managing the Mac platform
SCCM is the most popular tool for managing the Windows platform
The question you should be asking is: "Do I want to seriously manage x platform properly?" If yes, the choice is made....