Re: [Fed-Talk] Mobileme - how are others managing this in your environment?
- Subject: Re: [Fed-Talk] Mobileme - how are others managing this in your environment?
- From: Taylor Armstrong <email@hidden>
- Date: Thu, 17 Jul 2008 13:03:27 -0400
One related question... poking around in the MCX controls today. Under
Parental Controls, there is the option to block certain websites. Does
anyone know if it accepts wildcards, and if so, if that in turn blocks
the host(s) listed for more than just port 80? Wondering if adding any
of the sync servers for MobileMe might work there. I don't really want
to block the website... personally, I'd rather users have the option of
the web interface as an alternative to trying to get MobileMe working on
their desktops, but just wondering if this might be an alternative.
Parental Controls doesn't seem to have any other method (at least
through MCX) to deny access.
I have tested MobileMe... Back to My Mac times out on connect, but works
enough that I see my home machine appearing in the sidebar. That's good
for a few support requests right there, as users see it, and will
contact the helpdesk to ask how to make it work. The address book does
sync successfully, which for a .gov environment raises some concerns
about PII.
A partial solution is to simply remove the .Mac/MobileMe preference pane
through MCX, but that doesn't really disable it, it just removes users'
access to log in. Likewise, I can block the MobileMe update in Software
Updates, but at what cost? Users may still get prompted to update, and
if later patches fix any security holes in the .Mac/MobileMe settings,
they wouldn't be applied.
Per my meeting this AM, I'm not sure that a DNS black hole can get
approved... too many links in that chain of command to deal with I expect.
Taylor
Joel Esler wrote:
Blackhole the domain in your environment.
J
On Jul 14, 2008, at 4:05 PM, Taylor Armstrong wrote:
Thanks Todd.
Admin - some users will have it. Not all, but I'd like to plan for
worst-case scenarios.
Don't have much control over the firewall, but I'll bring it up at
the next meeting. We don't have many Macs... technically, I am "but
a lowly helpdesk grunt" but since none of the sys admin staff have
the time to really look at this, most of the Mac admin duties fall to
me. Firewall policy is set way, way over my head.
My personal MobileMe package is supposed to arrive this week - I may
just need to do some testing on my own to see... it may already be
blocked.
I'm guessing that MobileMe uses most of the same ports/services as
.Mac, so any .Mac advice may very well apply as well.
Taylor
Todd Heberlein wrote:
No OD here, so I'm just trying to get some discussion going on the
best way to do this. MCX controls? I've not looked yet to see if
there is anything specific on the .Mac or MobileMe controls... just
trying to figure out the best angle to take.
Do your users have admin control to their machines? If so, you may
want to look at a network-centric solution (i.e., blocking certain
ports on routers/firewalls). And even if you can find a host-based
solution (i.e., using MobileMe's System Preference pane or
configuring the firewall), adding monitoring rules to your
router/firewall might be a good idea to ensure compliance. (Note:
the "Back to My Mac" tab in the MobileMe System Preference says it
doesn't work through my NAT router.)
I haven't sat down to watch the packet flows yet (I've barely used
Mobile Me), but if everything (or at least too much) runs through
port 80 or 443, you might need to use a web proxy and block based
on URL (as opposed to just address/port combos).
Since Mobile Me is so new, you might want to follow up with another
post in 2-3 weeks once more people have had a more detailed look at it.
Todd
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
W. Taylor Armstrong email@hidden
National Ocean Service IT Support 1305 East-West Highway
Silver Spring, MD 20910
Phone (301) 713-2644
http://nos.noaa.gov/
IT Support Request Email: email@hidden
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
W. Taylor Armstrong email@hidden
NOAA's National Ocean Service IT Support - AA/MB Team Lead
1305 East-West Highway Phone (301) 713-2644
Silver Spring, MD 20910 http://nos.noaa.gov
IT Support Request Email: email@hidden
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
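The thread raises two points a blocklist admin would want to verify: whether a wildcard entry covers a host on every port, not just port 80, and how to check compliance from router/proxy logs. The script below is an added example, not code from the thread or from Apple; it assumes a simple "timestamp client host port" log format and uses me.com / mac.com as illustrative stand-ins for the MobileMe and .Mac service domains (an assumption, not a verified list):

```python
from collections import defaultdict

# Assumed wildcard blocklist. me.com and mac.com stand in for the
# MobileMe/.Mac service domains (illustrative, not an authoritative list).
BLOCK_PATTERNS = ["*.me.com", "me.com", "*.mac.com", "mac.com"]

# Constructed sample log, one connection per line:
# "<timestamp> <client_ip> <dest_host> <dest_port>"
SAMPLE_LOG = """\
2008-07-17T13:01:02 10.1.2.34 idisk.me.com 443
2008-07-17T13:01:05 10.1.2.34 www.nos.noaa.gov 80
2008-07-17T13:02:11 10.1.2.57 sync.me.com 993
2008-07-17T13:02:30 10.1.2.57 notme.com 80
2008-07-17T13:03:00 10.1.2.90 homepage.mac.com 80
2008-07-17T13:03:01 10.1.2.90 me.com.evil.example 443
this line is malformed and must be skipped
"""

def host_matches(host, pattern):
    """Label-aware wildcard match: "*.me.com" matches "idisk.me.com" and
    "a.b.me.com" but not "me.com", "notme.com" or "me.com.evil.example".
    A pattern without "*." must equal the whole hostname."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".me.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_blocked(host, patterns=BLOCK_PATTERNS):
    """True if any blocklist entry covers this host, whatever the port."""
    return any(host_matches(host, p) for p in patterns)

def parse_line(line):
    """Return (client, host, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_blocked_connections(log_text, patterns=BLOCK_PATTERNS):
    """Map each client to the blocked (host, port) pairs it reached.
    Matching is on the hostname only, so non-web ports are caught too."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blocked(rec[1], patterns):
            hits[rec[0]].append((rec[1], rec[2]))
    return dict(hits)
```

Run `find_blocked_connections(SAMPLE_LOG)` on the constructed log and the 993/tcp connection to sync.me.com is reported alongside the web ones, while notme.com and me.com.evil.example are correctly left alone.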