
Hey everyone, I am pretty new to Casper and the community and thought why not break the ice by asking a general question. What is the advantage of using Casper Suite over SCCM? Our company currently uses SCCM to manage our Windows users and they are stating that it can do everything Casper can do for Mac as well.



I did some research and came across http://blogs.technet.com/b/pauljones/archive/2013/06/02/managing-mac-os-x-with-system-center-2012-configuration-manager.aspx . I know there are differences I am just wondering if someone could point out some of the major advantages to Casper over SCCM.

Does SCCM escrow FileVault 2 Recovery keys now? At one point it did not when our internal SCCM team came knocking and saying they could replace Casper here. One mention of the FV2 Recovery keys (we use FV2 here) was all it took to shoot down that argument.



Other than that, I can't say I know too much about SCCM's Mac management capabilities. I believe it treats Macs as if they were iOS devices, meaning, it can deploy Config profiles, but can't manage items like MCX if you had a need for that, and also doesn't do as well with things like script running.
And then there's Casper's Self Service.app. I don't know that there's an equivalent for the Mac offered by SCCM. I know they have a Windows product that is like that. That I have seen, and it's nowhere near as user friendly as Casper Suite's Self Service.


Currently we do not utilize FileVault 2 on our Macs but I am trying to push this because of stolen devices in the past with sensitive information on them. I know SCCM can do some basic stuff like inventory, package distribution, remote control, etc.



Our SCCM guys are essentially saying why pay for something else when we already have a license for SCCM that can do this.


Yeah, that's the standard boilerplate argument of all IT groups that only think of money and not the actual experience and reliability of managing a platform. I'm not trying to say anything bad about your SCCM team. The ones I work with are very nice people, and yours may be as well, and they mean well I'm sure, but the problem here is that unless they have actual experience managing Macs, all they're doing is looking at a bullet point list of capabilities published by Microsoft. Once you actually put it into practice, it's a whole 'nother ball of wax.



I believe JAMF has a paper out there on their site labeled something like "Best of Breed vs Single Console" that you may want to look for. Essentially, the 'single pane' for management is the elusive holy grail of IT. It's a fallacy. It doesn't exist in the real world, at least not if you expect to be able to effectively manage your diverse array of systems. No matter what Microsoft wants to claim about their Mac support in SCCM, Macs are still pretty much an afterthought for them. As I say, I think they only started adding in support after Apple introduced MDM into the platform with 10.7 Lion.



Compare this to JAMF, who, as an organization, have dedicated their entire existence to managing Macs. I would say that probably every member of their staff, save possibly some folks in finance and HR, know Macs better than the back of their hands. And I'd even bet the finance and HR people can probably manage a large number of Macs better than your average IT goon out there just because they work for JAMF! :)



Also consider day one support. OS X 10.10 Yosemite is going to be released "any day now". Will SCCM support it on day one? Perhaps, but perhaps not. Will JAMF support it day one? You betcha. That might not seem so important, but tell that to the C level exec who buys a new Mac and expects you to be able to support it out of the box. You don't want to have to tell them support for the new OS is coming and not to use it until such time.



Anyway, hopefully the above gives you some talking points. Also, do a search here on JAMF Nation. I know there's another thread that talks about SCCM vs Casper Suite already and may have additional good information.
(Edit: Did a quick search - here's the other thread: https://jamfnation.jamfsoftware.com/discussion.html?id=6338)
I wish I knew more about how SCCM actually works on Macs, but as I say, it's never seen the light of day here on our OS X systems so I can't really speak directly to that.


Ok biggest drawbacks are:




  1. it can't do OS deployment, so if you need to take a machine and put an image on it, you'll need to do this with something else ie netboot/netrestore or deploystudio or something similar


  2. It can't install packages in unattended mode. So basically if you have a bunch of machines sitting at the login window that you wish to deploy software to it can't do it.
    When a user logs in they will get a prompt to install each item you have targeted to the machine, the user must accept and wait for the install to happen. Or the user can ignore the prompt and the software will not be installed.


  3. It will not force install packages on deadline even though you specify it.
    This again goes back to not being able to install software unattended.
    A user is prompted to install, but can simply dismiss this and the software does not install.


  4. Support is terrible, over 4 months from the public release of 10.8 before they added support for 10.8 by releasing a new SCCM Agent. Without this update 10.8 clients could not connect to SCCM at all.


  5. Currently still broken with 10.9.3+ clients. There is a dylib called MACVideoController.dylib, this gets installed by the SCCM client package. On a 10.9.3+ machine this crashes the SCCM agent and prevents it from communicating with the SCCM server. You must delete this MACVideoController.dylib to fix the issue, however this also prevents SCCM from being able to get inventory about the video controller for the machine though.


  6. Your application packages must be wrapped in a special .cmmac format which is kind of a zip format. There is a restriction on the size of these files of 4GB so if you're trying to package a large installer ie Adobe CS and the package is larger than 4GB - no dice you can't wrap it in .cmmac and so you can't deploy it with SCCM


  7. MS official support for OS X releases is "within 180 days" so you could be waiting months for them to provide support for a new OS. Going on past history 10.8 took 4 months. Don't hold your breath for quick updates to support Yosemite - especially considering that the 10.9.3 bug was reported to MS in May 2014


  8. No FV2 encryption key escrow


  9. It can not do remote control - you will need to enable remote management via a script and then use a Mac to connect to a remote Mac. Or set a VNC password and access the Mac via a PC using VNC


  10. The inventory information is very basic and I don't believe you can do custom inventory items - I would have to double check that but from memory you can't - so in Casper it's trivial to add an extension attribute to say get information on a client about for example if the bash shell is vulnerable. This would not be possible in this way using SCCM inventory


  11. It doesn't do MCX


  12. It doesn't do config profiles


  13. No VPP for applications on the App Store


  14. It's not an MDM - so no APN for config profiles etc


  15. For iOS you need to use InTune ie Public Cloud


  16. For every setting you make via compliance in SCCM, you need to test for a setting first ie check gatekeeper status via a script, then write a conditional i.e.: if result of gatekeeper status script is off then run the remediation script which enables it. Tedious to say the least. So you will need to maintain a massive amount of scripts and your scripts will need to take into account all versions of OS X that you manage and have logic to run the correct commands for each OS Version if there is a difference as SCCM can not target the OS correctly for 10.9+ clients you need to target to ALL OS versions.


  17. Enrolling the client in to SCCM will require the end user to enter their AD account credentials. So if you have a freshly imaged machine or a machine out of the box, how do you enroll the machine without an account on there? You can create a package of the SCCM client package and run a post flight script that does the work but you will need to use the expect shell as the SCCM client binary does not support putting the username and password into a command line argument instead it requests an interactive prompt for the user password. You will then need to install this package as a first boot install package via deploystudio or similar tool.




I guess it could be useful if you have like 10 Macs that are owned by say senior executives and they need some basic apps and basic config like wireless network settings and the users can be trusted to install the



If you have a decent amount of Macs and you need to go from out of the box to desired state in an automated fashion then it's not really possible with SCCM.



There's a bunch of stuff I've missed for sure but that's just off the top of my head.
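The detect-then-remediate pattern from item 16, sketched for Gatekeeper as an added example (it is not the poster's script and not shipped with SCCM or Casper). It assumes `spctl --status` reports "assessments enabled" or "assessments disabled", that `spctl --master-enable` run as root turns Gatekeeper on, and that only OS X 10.7.5 and later 10.x releases carry it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: Gatekeeper compliance check with per-OS-version logic.
# SPCTL and SW_VERS can be overridden so the logic can be exercised off-Mac.
SPCTL="${SPCTL:-/usr/sbin/spctl}"
SW_VERS="${SW_VERS:-/usr/bin/sw_vers}"

# Succeeds only on OS X 10.x releases assumed to ship Gatekeeper (10.7.5+).
gatekeeper_supported() {
    ver=$("$SW_VERS" -productVersion 2>/dev/null) || return 1
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    [ "$major" = 10 ] || return 1            # other releases: out of scope here
    [ "${minor:-0}" -ge 8 ] && return 0
    [ "${minor:-0}" -eq 7 ] && [ "${patch:-0}" -ge 5 ]
}

# Detection step. Prints: enabled | disabled | unsupported | unknown
gatekeeper_state() {
    gatekeeper_supported || { echo unsupported; return; }
    out=$("$SPCTL" --status 2>&1) || true    # non-zero exit is not an error here
    case "$out" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Remediation step, run only when detection says the setting is off, then
# re-checked. Prints: compliant | remediated | failed | not-applicable
enforce_gatekeeper() {
    case "$(gatekeeper_state)" in
        enabled)     echo compliant ;;
        unsupported) echo not-applicable ;;
        disabled)
            "$SPCTL" --master-enable >/dev/null 2>&1 || true   # needs root
            if [ "$(gatekeeper_state)" = enabled ]; then
                echo remediated
            else
                echo failed
            fi ;;
        *)           echo failed ;;
    esac
}

# Run only where the real tools exist, i.e. on a Mac.
if [ -x "$SPCTL" ] && [ -x "$SW_VERS" ]; then
    enforce_gatekeeper
fi
```
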


That's an awesome run down of issues @calumhunter! 🙂 I'm going to bookmark your response in case I ever need to revisit this topic where I am. It's pretty hard to argue against all that!


I've just finished writing a 20 odd page proof of concept about it for the org I'm working with. 😉
This is all with 2012 R2 by the way.
I'd make the entire document public but it's way too environment specific. I think if the above issues don't sway the company away from using it, then you should probably start looking for a different company to work for haha.



Oh one more i just remembered!



When it caches a package it caches the .cmmac file into /Library/Caches. then it unpacks that into your original .pkg file then it installs it (if the user chooses to of course)



But it never removes the .pkg file or the .cmmac files!


My biggest argument is doing anything in SCCM seems to require about 14 million clicks and endless wizards and you have to know the damn thing backwards otherwise you always find yourself in the wrong place.
Casper by comparison is ridiculously easy once it's up and running and it's really obvious what's happening.


what do you mean? what could be simpler than using WQL to query the database? Smart groups? why bother!


I'm doing both independently - SCCM 2012 R2 on the PC side and Casper on the MAC side and never the twain shall meet.



I'm thinking of adding the SCCM Client to those MACs that we installed BC/Parallels on, just to see how often it's used.


Oh, if you enroll a Mac into SCCM, and then wipe the machine, re-image it and enroll it again, it creates a duplicate computer record in SCCM. This duplicate record does not get marked as obsolete either, it just hangs around chillin'.
Would be nice if SCCM actually worked out via the MAC address or serial number that hey, hold on a minute, this is the same machine, maybe I should overwrite the existing record or mark it as obsolete and create a new one.


That was indeed an amazing response and exactly what I was looking for @calumhunter, thank you! I am also going to be writing up a document that shows the benefits of Casper Suite for our growing population of Mac users.


Bottom line is, a generic tool that offers limited support for a platform is far less useful/productive than a platform-specific tool that has a history of 12 years of development behind it.


One common response I've seen from higher-ups at two large ad agencies now is that they want all patching/security logs in one place. That's short-sighted, to me, to insist on a less-functional product, but I understand the desire.



Make sure that you have a good understanding of what kinds of patching logs are required to satisfy any applicable regulatory or contractual obligations (SOX, HIPAA, MSAs, whatever) and then show what kinds of output Casper can create for those tasks (ie upgrading the OS, installing security updates, etc).


@calumhunter, great post. Have tweeted it & emailed to my boss. :)


@calumhunter - nailed it.


Thanks guys, I'm glad it was helpful!


I knew I was right to run them both exclusively.



@calumhunter - nailed it for me too.


@calumhunter have you done any testing with the Microsoft System Center Endpoint Protection (SCEP) client? We are considering switching to SCEP from McAfee EPM in hopes that it will eliminate our frequent 10.9.x lockup issues caused by On-Access Scanning, but our SCCM expert hasn't had a chance to install it for us to perform testing.


@dwandro92 - you may want to read through this thread:
https://jamfnation.jamfsoftware.com/discussion.html?id=12006
Short story is, there's a HotFix now (HF983119) from McAfee to address the OAS lock up issue. We went through that hell and finally got McAfee to work on a fix. You may want to talk to your McAfee rep about getting that patch from them. To my knowledge they have not rolled it into their full product. It's a HF that needs to be set up within EPO and pushed to clients for the moment.



OTOH... it's not a bad idea to look at another AV product. We're not thrilled with McAfee here either as you can imagine. So maybe check out SCEP first?


@dwandro92
Yeah, I've used SCEP a little bit, it's basically a rebranded version of ESET. It doesn't integrate with SCCM at all like on Windows so you don't get any reports from it or the ability to make any policy settings to it.
It seems to work ok on the machines that I have it installed on ie no lockups or noticeable performance hits - but every environment is different.



I've heard good things about Sophos though if you're looking around for other AV products


I'm not opposed to using SCCM for single pane reporting, as that is likely what management is ultimately interested in. With that in mind, why not go with JAMF's SCCM plug-in so that reporting can be done through SCCM while the management remains on the better system?



It doesn't have to be either-or most times. And offering up that solution might help bridge the divide between groups which can be seen as traditionally competing.


(slightly OT) +1 for Sophos AV on 10.9+. I even started installing their free home version on my personal gear. I'd run screaming from McAfee.


Just an update to an old thread but I have had a further look at SCEP 2012 with a bit more detail and have found that it does in fact cause a fair performance hit on the machine.
Here are my notes:



SCEP 2012 Version:
4.5.18.0
Mac OS X Versions:
10.9.5 and 10.10.1
Real time protection:
Enabled (default)
Notes:
First noticed the performance degradation when copying large files around the file system and pulling down large files from remote servers.
Further investigation revealed that during these large file copy actions or creation/modification of large files ie. Photoshop/iMovie/Final Cut
The scep daemon process would use a large % of the cpu reducing the performance of the machine.



Here is an example where I am copying about 5Gb of files to a disk image.



The scep_daemon is pegged at around 40% CPU usage for the duration of the file copy as shown in this image:



external image link



Investigating the disk IO speeds, a monumental slow down was also observed.
Again copying a collection of about 5Gb of files to a disk image the following average disk IO speeds were noted as per this image:



external image link



Disabling real time protection and performing the same 5Gb copy resulted in the scep_daemon occupying only about 1% CPU usage
Disk IO performance was hugely increased with average speeds as shown in this image:



external image link



These speeds are what I would expect to see as the machine is configured with a SSD.


Thanks for this! Used to create a document for management who are getting hassled ..


Hi @calumhunter would you be willing to share the PoC document you created? I know you mentioned it being too environment specific, but we're engaging with a government agency on managing Macs with SCCM and would like to provide as much insight on the limitations. Let me know and thanks...

