This is an overview of what tools there are for managing a bunch of Macintosh computers on a network. It is intended as a starting point for someone wondering what on earth to do with all those pretty-looking computers the hippie designers like so much.
You must remove admin access for users, otherwise you cannot be certain where the user data is, and if you cannot isolate the user’s data then you cannot trust that updating the system won’t delete their stuff.
You really need to have the Macs bound to a directory and have account info stored in the directory. This means you don’t need to create and maintain local accounts on each Mac. It is also makes life much simpler when you need to migrate data from one Mac to another because the account uid/gid will be persistent.
Mac OS X Server
The server version of Mac OS X includes a software update server. By hosting your own local copy of the Apple software update server you conserve network bandwidth and you get to withhold what updates are presented to the Mac clients should you want to.
You also get to use Apple’s directory service and to control policy with MCX.
You don’t necessarily need OS X Server, but it is very useful.
Reporting and management suites
From there you have a bunch of approaches. Big environments (educational) use things like Radmind and Puppet to enforce software load-sets across hundreds, thousands of Macs.
For small network sizes people use Apple Remote Desktop (ARD) and/or Casper. ARD is extremely useful whatever you decide to use because the administration software includes remote desktop stuff so the help desk monkey can take over the user’s screen, fix the problem and put the telephone back down.
Although these tools handle reporting, remote installations, running scripts, batch configuration, etc. you still need to spend a lot of time building installation packages. You need a base system image that can be quickly deployed to a Mac, and you need additional images or installation packages containing the various software that goes on top.
Deploying system software and applications
To build system restore images use InstaDMG. Much better than everything else.
What you want for deploying software is some form of un-attended network push. This means the software installation has to work with access via SSH, whether the user is logged in or not and needs to succeed when installed as root.
With luck your software vendor already uses well-behaved package format installers (i.e. Microsoft most of the time). Or the software is a self-contained app so it can be installed and updated by copying it to /Applications (maybe you go to the trouble of making a pkg for it first).
But flipping heck Adobe hates Mac administrators. The Adobe Creative Suite installers (including those on volume license media) are absolutely useless. The updaters are even worse. Adobe provides a volume deployment kit which is bafflingly obtuse and which doesn’t actually work for the admin’s most important installation scenario.
Casper and LANRev include tools for building pkg installers from the Adobe media. Adobe’s enterprise kit supposedly does the same thing. The other thing you do is build your own pkg from what gets installed. That isn’t too painful, but having to build your own update pkgs for the numerous Adobe updates is painful.
(The Apple Installer-Dev list is full of developers trying to work around bugs in PackageMaker that crop up as soon as you want to do anything other than copy files to disk. Many admins prefer Iceberg or Packages and other software for building installer packages.)
System configuration and user preferences
To some degree you configure the system as part of building the base image. Things like have the Mac automatically configure the network, bind to a domain, set power-saving mode, disable auto-login, etc. should all be part of a first-run script that happens when a new Mac is switched on.
In general you should avoid changing the default settings for everything else, either per-Mac or per-user. Saves you much hassle.
Most software these days uses plist format and reads the settings from the correct places (even recent versions of Office are good at this). Adobe of course doesn’t, but I have infinite patience. Assuming all the prefs you need to manage are in plist format, you either just run scripts to set things on an ad-hoc basis or you enforce policy with login hooks. If you use Open Directory to manage Macs you can use the Mac OS X Server tools to push settings to all users. Since 10.5 you can use each Mac’s local directory in much the same way as Open Directory to manage settings too (although you need to then handle updating each Mac yourself).
You can use login/logout hooks which run for each user. You usually find if you run a system-wide script to adjust per-user settings that at some point you mess up the permissions, no matter how careful your script is. The other approach is to use per-user launchd scripts, although they were effectively broken in 10.4 and not much better in 10.5. The launchd man pages are required reading even so.