Re: Mobile management is easy to achieve
"And if senior exec X installs a non approved bit of software and tells all his reports to do the same, which turns out to be malware, what then?"
If you don't give him an admin password, he _can't_ install a damn thing, not on a Mac. (Apple takes security semi-seriously. Well, more seriously than Microsoft, anyway...) He _has_ to come to IT to do it. You can then tell him, "No, you can't install that, it's malware." If he demands to do it anyway, make him put it in writing. I have done this. One particular senior VP swore he'd see me fired before the end of the day. Strangely enough, he was outtathere by the end of the week and I am still there.
I have also done this with Windows systems. Just don't give them an admin password and remove any privs that they don't need. Make it _impossible_ for them to do this... or, if they're willing to commit themselves to taking responsibility for the machine, in writing, give 'em admin privs and let 'em screw themselves. Make sure that the written document states that they're responsible for any problems on the network caused by their idiocy, so that all overtime required to fix the problem gets billed to _their_ cost center number. 'Round here we get time and half for regular OT, double time on weekends, and triple time on holidays. (It's good to be able to force concessions out of HR.) After we drop the OT bill on their desk, they suddenly don't need admin access anymore. Funny, that.