The main reason you need to limit end users on Windows and Mac computers is the same: much longer periods of stable, predictable operation with less maintenance overhead.
Recently I see more and more companies that ignore this principle. macOS is mindlessly assumed to be more stable and better protected by default, with no extra effort needed. But if you don’t take away the end user’s rights to full system configuration, as you do on Windows computers, you can get really bad problems. The most unpleasant one is a locked computer with an unknown EFI firmware password. On modern iMac and MacBook models it is hard to reset a forgotten firmware password. This password is easy to set, but to reset it you may need to send the computer to an Apple service center, unless you want to open your MacBook and re-program the EFI chip yourself (the password prompt appears before the boot menu, blocking booting from network/internet, DVD/USB flash disk or the internal hard drive, so you cannot simply re-format or re-image the hard disk to get rid of it). Such a situation usually happens when a macOS computer changes owner (who may have been fired after a conflict, but more often it is just neglect by the previous owner, who changed the password and forgot it). Anybody who deliberately wants to spoil your life can do it easily, so your computer, far from any Apple center, becomes just an expensive brick, almost irreparable. And Time Machine provides no help.
That’s why you integrate your Mac computers with your Windows infrastructure and leave administrator access only to your company’s system administrators (for free, by the way, using built-in macOS features). What’s the benefit? Now you can create an AD user in ADUC and log in with it on your Mac, so you can access your Windows environment resources (for example file and print servers). When you change your password in macOS it also changes in AD, and vice versa. Just as with Windows PCs, new macOS computer accounts appear in AD, and Domain Admins automatically become local administrators on the Macs (although for this I recommend creating a dedicated security group in AD, MacosAdmins, rather than using Domain Admins). Without AD integration you have to create a macOS account with the Administrator role and its own password on every Mac; with it you change the password centrally, only once, instead of on each local admin account, and to delegate management of all Macs to a new user you only add that AD account to the MacosAdmins security group (instead of creating another admin user on each Mac).
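Here is how the integration described above can be done from the command line with the tools that ship with macOS, as an added example that is not from the original post: `dsconfigad` joins the Mac to AD and grants local admin rights to one AD group, `dscl` shows who is actually a local admin, and `firmwarepasswd -check` (Intel Macs) reports whether a firmware password is set, so you can record it before the owner changes. The domain corp.example.com, the OU, the join account macjoin and the allow list of local admins are assumed placeholders; MacosAdmins is the group recommended above. `ad_join_cmd` and `ad_admin_group_cmd` only build the commands, `main` runs them and needs sudo on a real Mac.

```shell
#!/bin/sh
# Added example, not part of the original post: bind a Mac to AD with the
# built-in dsconfigad tool, give local admin rights only to one AD group, and
# audit the two things the post worries about: who is a local admin and whether
# a firmware password is set. Domain, OU, group and account names are assumed.

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"                # assumed domain
AD_OU="${AD_OU:-OU=Macs,DC=corp,DC=example,DC=com}"       # assumed OU for Mac computer objects
AD_JOIN_USER="${AD_JOIN_USER:-macjoin}"                   # assumed account allowed to join computers
AD_ADMIN_GROUP="${AD_ADMIN_GROUP:-CORP\\MacosAdmins}"     # the dedicated admin group from the post
ALLOWED_LOCAL_ADMINS="${ALLOWED_LOCAL_ADMINS:-root admin itadmin}"  # assumed approved local admins

# Build the join command. dsconfigad prompts for the join password when
# -password is omitted, so it never lands in shell history or a script.
# -mobile enable caches AD accounts for offline login; -mobileconfirm disable
# skips the per-user prompt. Arguments: domain, computer name, user, OU.
ad_join_cmd() {
  printf 'dsconfigad -add %s -computer %s -username %s -ou "%s" -mobile enable -mobileconfirm disable -force' \
    "$1" "$2" "$3" "$4"
}

# Build the command that makes members of one AD group local admins.
# Only this group gets admin; every other AD user logs in as a standard user.
ad_admin_group_cmd() {
  printf 'dsconfigad -groups "%s"' "$1"
}

# Given the line printed by `dscl . -read /Groups/admin GroupMembership`
# ("GroupMembership: root admin alice ..."), print members not on the allow list.
unexpected_admins() {
  members=${1#GroupMembership: }
  allowed=" $2 "
  out=""
  for m in $members; do
    case "$allowed" in
      *" $m "*) ;;               # approved admin
      *) out="$out $m" ;;        # somebody created an extra local admin
    esac
  done
  printf '%s' "${out# }"
}

# Return 0 if the output of `firmwarepasswd -check` says a firmware password
# is set. Intel Macs print "Password Enabled: Yes" or "Password Enabled: No".
firmware_password_set() {
  case "$1" in
    *"Password Enabled: Yes"*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  host=$(scutil --get LocalHostName)   # DNS-safe name for the AD computer object
  if dsconfigad -show | grep -q 'Active Directory Domain'; then
    echo "already bound: $(dsconfigad -show | grep 'Active Directory Domain')"
  else
    sh -c "$(ad_join_cmd "$AD_DOMAIN" "$host" "$AD_JOIN_USER" "$AD_OU")"
  fi
  sh -c "$(ad_admin_group_cmd "$AD_ADMIN_GROUP")"

  extra=$(unexpected_admins "$(dscl . -read /Groups/admin GroupMembership)" "$ALLOWED_LOCAL_ADMINS")
  if [ -n "$extra" ]; then
    echo "WARNING: local admins outside the allow list: $extra"
  fi

  if firmware_password_set "$(firmwarepasswd -check 2>/dev/null)"; then
    echo "firmware password is set: make sure it is recorded in your inventory"
  else
    echo "no firmware password set: set one with firmwarepasswd -setpasswd and document it"
  fi
}

# Only run the live part on an actual Mac, with RUN_LIVE=1 and sudo.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  main
fi
```

Run it as `sudo RUN_LIVE=1 sh bind-mac.sh`; without `RUN_LIVE=1` the script only defines the functions, which is how the audit helpers can be reused from an inventory script.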
With a company-approved, official “backdoor” 🙂 through AD administrators you never lose ownership of your Macs, even temporarily. Crooks cannot use excessive end-user permissions to install trojan programs, end users cannot accidentally damage the system by installing suspicious games, and nobody can set an EFI password without permission, registration and documentation of that action. The integration above brings your macOS assets back under proper management, security control, monitoring, optimized usage and compliance with company IT policies.
Even if you don’t use Group Policy-like tools for macOS (usually not free), the free integration described above will considerably harden your mixed Windows and macOS environment and make it more manageable. Just add the built-in macOS screen sharing/VNC, remote access/SSH and other small features (if you need to install software remotely on demand for your macOS users, share an end user’s desktop for tutoring and so on, consider TeamViewer (free), Apple Remote Desktop or DameWare products).