Over the last couple of years I've been collecting some notes on what it would take to use Macs in the enterprise and figured it was time to post them.
General:
1. stop being so secretive about o/s and (non-consumer) hardware announcements. Enterprises/SMB customers DO NOT LIKE surprises.
Hardware:
1. Great laptops and desktops, but the lack of an onboard smartcard reader makes use in DOD, US GOV, and many other governments problematic and annoying. I hate having to carry around a USB reader. Those familiar with banking in the UK/Europe will know that most if not all banks now require a smartcard when accessing your account over the Internet, via a small keypad fob type of device - I believe that could be implemented in software if the Mac had an onboard reader.
2. Lack of the ability to order computers without Bluetooth, wireless Ethernet or a camera, or at least a **physical** hardware switch to turn them off. Yes, I know I can pay an Apple Reseller to do this (and I have), but I shouldn't have to!
3. Lack of full-disk encryption. FileVault only encrypts the user's home directory, keyed from nothing stronger than the login password, and it can not be made properly secure without hardware assist (i.e. a TPM). Since Apple "owns" both its o/s and hardware it should be able to do full-disk encryption better than anyone else. It also has to integrate with enterprise key recovery.
4. Lack of a deskside server. The Mac Pro lacks redundant power supplies, and its high-end graphics aren't needed in a deskside server.
5. Lack of a 4-socket CPU server with large disk storage capacity. Sometimes you just need lots of CPUs and cores to run big databases or apps (like PeopleSoft or Oracle).
6. Build a version of the iPhone without a camera and with a slide-out keyboard like the Palm Pre. Typing long messages on the iPhone is painful compared to the BB, and accuracy is lower.
7. Build an embeddable version of the iPhone/iPod touch that can be used in other devices (like handheld scanners, inventory systems, etc.).
8. Add the ability to use removable memory cards with the iPhone/iPod touch.
9. Add FireWire back to the MacBook. All devices must have FireWire. Target Disk Mode is one of the coolest reasons to use a Mac! Or work with the USB folks to add that capability to USB 3.0.
Software:
1. SmartCard support, though natively implemented in the o/s, has a very, very poor user interface: non-technical users have to directly and frequently use Keychain Access (creating an identity preference per site) to reach most US GOV/DOD CAC/PIV-protected web sites, because Safari can't be configured to always send the smartcard certificate on HTTPS connections and Safari (or the o/s - users don't care) does not support wildcards for URLs. In other words, no one cares if the o/s has native smartcard support if the UI implementation is brain dead. Users are tired of excuses; they just want it to work SEAMLESSLY every time, all the time - regardless of whether or not the IIS web site is configured correctly.
2. Lack of clean and complete integration with MS AD. MS is never going away, and Macs need to integrate seamlessly with AD. This covers three main areas:
a. Authentication and authorization, including full use of Kerberos ticketing. The third-party app from Thursby is a very good step forward, but it should be integrated natively into the operating system.
b. AD Group Policy Object (GPO) support. Enterprises need to be able to manage all their boxes via a single interface, and in the real world that is the Microsoft Management Console (MMC). Apple needs to add full GPO support to Mac OS and expose either its own MMC plugin OR, better yet, just integrate with the existing ones.
c. Support for centralized security/application logging.
3. Security. Good, but needs major improvements.
a. ASLR (Address Space Layout Randomization) is effectively broken in Leopard (only library load addresses are randomized; the stack, heap and main executable are not), though it's reported to be fixed in Snow Leopard.
b. NX (No eXecute) support should be enabled by default for EVERYTHING on Macs (including the kernel), with no way to disable it.
c. -fstack-protector / -D_FORTIFY_SOURCE must be enabled by default when using gcc, and all Apple apps should be compiled with them enabled. Stack smashing must be better contained.
d. Apple should include a sub-panel under Security that lets the user easily apply the US GOV-vetted Apple security lockdowns, perhaps using a slider approach (low, med, high, paranoid).
e. All core o/s settings (esp. security ones) should be enforceable via GPO.
f. FileVault needs to be scrapped; it's too easy to hack. One of two things needs to be implemented:
  1. software-based disk encryption for the ENTIRE o/s, but with hardware assist (TPM), or
  2. (PREFERRED) hard-disk-based encryption with support for enterprise key recovery.
g. Macs need TPM-based trusted boot, trusted applications and a trusted runtime/execution environment. This protects boot and binary integrity against malicious content; it does not by itself stop stack smashing, which is what b. and c. address.
h. Centralized logging to both Apple servers AND MS Windows servers.
i. The Apple firewall does not support port/protocol settings (it used to in Tiger). This is very, very bad, since it requires 3rd-party additions (or command-line use of ipfw, which is not very user friendly). The capability was present in Tiger, albeit it needed range and wildcard support. This is a huge deficiency.
j. Ability to log into a Mac and unlock an encrypted hard disk with a smartcard, and EASILY set this up graphically.
k. Wrap all apps with stricter SEDarwin policies, especially externally facing apps like Safari.
l. Add an Applications menu to the Apple menu (like Programs on Windows).
m. Add LOCK SCREEN to the Apple menu and CTRL-ALT-DEL to quickly lock the screen.
n. Add the ability to graphically manage plugins in Safari 4.0 like you can in Firefox.
4. Though Apple has a good installer that applications can use and a good update system for its own apps, it needs to:
a. Allow (and strongly advocate) third-party products to use the Apple updater tool for distributing patches and upgraded versions.
b. Provide a consistent graphical interface to remove apps, extensions, fonts, startup items, frameworks, etc., accessible via the software inventory interface in System Profiler (which really should be its own pref panel).
5. Address Book, Calendar, and Mail need to be integrated into a single user interface. The market has clearly spoken on this one; people want a single, cleanly integrated app. The popularity of Outlook and Entourage is largely driven by the integrated UI. Yes, some people like separate apps, but they are a very small minority.
6. Address Book, Calendar, and Mail need to support CAC/PIV authentication with OWA in Snow Leopard, or they are useless in US GOV.
7. Address Book needs to support searching (and caching) the Exchange GAL via OWA, or it's not very useful for enterprise customers (i.e. see OWA GAL Search).
8. Open up o/s testing to a larger audience. Being secretive about o/s and application testing is a surefire way to make enterprise and small/medium business customers unhappy.
9. Add a virtual directory server to Mac OS X Server so you can aggregate LDAP, AD, and other directories into a common directory for authentication and authorization.
10. Add the ability to disable all USB storage (thumb drives and hard disks) via the Security pref pane and GPO.
11. Add the ability to disable execution and installation from USB and CD-ROM media via the Security pref pane and GPO.
12. Fix the Trackpad pref pane so that all the gestures can be individually turned off. Also add the ability to turn off trackpad zooming in Safari 4.
13. Add the ability to change fan speeds. The default is too low for real laptop use; running at 3000 RPM is much more tolerable.
14. Add a sort option for directory listings to always show folders first (like Windows and Path Finder). This is much more efficient and user friendly than the current approach of mixing folders and files together.
15. Fix Java support timeliness. Waiting more than 1.5 years after Java 6.0 became available for Windows/Linux to get it on the Mac is not acceptable, and the latest Java 6.0 releases are still not available.
16. Ship Flash and Silverlight with the box.
17. Add ODF support to iWork.
18. Increase QuickTime support for more media formats (see the list from VLC, especially the xiph.org ones).
19. Add the ability to turn off the new page preview mode (Top Sites) in Safari 4.0. It's neat but can be annoying, AND it assumes you have a good internet connection.
20. Fine-grained control (i.e. parental controls for regular users) over what apps can be installed, who can install them, who can use them and when. Also need better mechanisms to push software installs down to clients - especially from Windows servers.
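An added illustration for Software item 3c, written for this page and not code from the original post or from Apple: the bug class -fstack-protector is meant to contain (an unbounded copy into a fixed stack buffer) next to the bounded copy that avoids it. gcc's stack protector places a random guard word (a "canary") between a function's local buffers and its saved return address and aborts at function exit if the guard has changed. The struct below models that layout by hand with a FIXED canary value so the result can be inspected (an assumption; the real guard is random per process), the overrun is done with memcpy into the whole struct so it stays inside the object and the program is well defined (a real strcpy() would keep writing past it), and the file name canary_demo.c is hypothetical.

```c
/*
 * Added example (not from the original post): what -fstack-protector guards
 * against, modelled with a fixed canary so the outcome is inspectable.
 * Real builds get the compiler's own check with, e.g.:
 *   gcc -O2 -fstack-protector-all -D_FORTIFY_SOURCE=2 canary_demo.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define CANARY  0x7f0a0d00u   /* stand-in for gcc's per-process random guard */

struct frame {
    char     buf[BUF_LEN];  /* the local buffer an attacker targets */
    uint32_t canary;        /* guard slot, directly past the buffer */
};

/* Unsafe pattern: copy len bytes with no regard for the buffer size.
 * Returns 1 if the canary survived, 0 if it was smashed; the latter is the
 * case where a -fstack-protector build prints "*** stack smashing detected ***"
 * and aborts instead of returning to an attacker-chosen address. */
int unsafe_copy_canary_intact(const char *src, size_t len)
{
    struct frame f;
    f.canary = CANARY;
    if (len > sizeof f)        /* modelling concession: never leave the object */
        len = sizeof f;
    memcpy(&f, src, len);      /* bytes 16..19 of src land in the canary slot */
    return f.canary == CANARY;
}

/* Hardened pattern: a bounded copy that always NUL-terminates and returns the
 * length the source needed, so the caller can detect truncation.  Same
 * contract as BSD strlcpy(), which Mac OS X libc ships; reimplemented here so
 * the example runs anywhere. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz > 0) {
        size_t c = n < dstsz - 1 ? n : dstsz - 1;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Same frame, filled with the bounded routine: the canary is never reached. */
int safe_copy_canary_intact(const char *src)
{
    struct frame f;
    f.canary = CANARY;
    bounded_copy(f.buf, sizeof f.buf, src);
    return f.canary == CANARY;
}

/* 1 if src does not fit in BUF_LEN, i.e. bounded_copy had to truncate. */
int copy_truncated(const char *src)
{
    char buf[BUF_LEN];
    return bounded_copy(buf, sizeof buf, src) >= sizeof buf;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that overruns by four bytes. */
    const char *ok  = "user@example";          /* 12 chars + NUL = 13 bytes */
    const char *bad = "AAAAAAAAAAAAAAAAAAAA";  /* 20 bytes, 4 past the buffer */

    printf("unsafe copy, short input : canary %s\n",
           unsafe_copy_canary_intact(ok, strlen(ok) + 1) ? "intact" : "SMASHED");
    printf("unsafe copy, long input  : canary %s\n",
           unsafe_copy_canary_intact(bad, strlen(bad)) ? "intact" : "SMASHED");
    printf("bounded copy, long input : canary %s, truncated=%d\n",
           safe_copy_canary_intact(bad) ? "intact" : "SMASHED",
           copy_truncated(bad));
    return 0;
}
```

The point of the pair is that the canary only detects the overrun after it has happened; -D_FORTIFY_SOURCE (at -O2) goes one step earlier by replacing calls such as strcpy and memcpy with checked variants when the destination size is known at compile time, and a bounded copy with a truncation check, as in bounded_copy above, removes the bug rather than catching it.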
Not Enterprise but cool nonetheless:
1. Write an API for game controllers (like PSP or Xbox/Wii controllers).
2. Develop a controller shell with a joystick and a keyboard with other buttons. Some games will always work better this way than with on-screen or accelerometer-based controls.
3. Add an optional snap-on LiPo battery to the game controller shell's bottom for those long trips/flights; sometimes you just need 20+ hours of real battery life. ;)