Apple allows two classes of users to log into a Mac: standard user and administrator. "The latter is lot more difficult to control," says Levy. But the former is now easier to control.
"The move to the Mac App Store and online updates is a big shift," says Cobb. "You can, with admin control, still override those settings and download anything from anywhere. But if properly administered within the enterprise, you can prevent this. You can control what is deployed on each device. Which is how I think the enterprise should be able to do it, but not all employees would agree."
This particular model is similar to that used in iOS. "If you want a consumer device to make money, it cannot have a traditional [enterprise] helpdesk model," says Ojas Rege, vice president of strategy for MobileIron, a Mountain View, Calif., company that offers mobile device and mobility management software. "Instead, you have to have really strong architectural security, so apps cannot mess up the underlying OS. If [iOS] apps had admin rights, like the old Microsoft Windows, these modern operating systems could not succeed."
The enterprise is now the inheritor of all these consumer-focused benefits, he says.
"I'm sitting on my company computer, and I don't have root access," says Cobb. "And I have stipulated apps. It's hard to see how you can secure an enterprise computer without that kind of control. It's the default setting now for the consumer. Even with BYOD [bring your own device], you have more assurance that the BYOD device isn't getting apps from just anywhere."
At the same time, Apple's style focused on the end user as consumer, not as employee in effect forces IT groups to be more proactive. "There are changes in Mavericks that give control to users...and you can look at that as not good management,'" Solutions Consulting's Levy says. "But the key is that you [enterprise IT] need to implement updates -- you need to set them up and direct users to your internal software update server. If you don't manage the machine, and tell users in effect use my updates,' then they'll be using Apple's by default."
Apple doesn't offer the complex, server software infrastructures of Microsoft and other enterprise-focused independent software vendors. But it has been making it easier for Macs to fit into those infrastructures, says Corey Nachreiner, director of security strategy and research for WatchGuard, a Seattle company that offers what it calls a "next generation" firewall. He uses a Macbook Pro and an iPad.
"Their latest changes improve Macs working with Microsoft Exchange ActiveSync and Active Directory," he says. "They're trying to make the products that they know enterprises will use, and let Microsoft do the heavy lifting around things like authentication." OS X Server now has what Nachreiner calls "MDM light," to make it easier for users to register their Macs and there are more programmable interfaces that third-party security and management software vendors can use for tasks such as advanced management controls or file encryption.
Sign up for CIO Asia eNewsletters.