RE: [Fed-Talk] Some thoughts on Apple and the Enterprise
- Subject: RE: [Fed-Talk] Some thoughts on Apple and the Enterprise
- From: "Sanderson, David C CTR USA" <email@hidden>
- Date: Wed, 29 Apr 2009 11:32:38 -0400
- Thread-topic: [Fed-Talk] Some thoughts on Apple and the Enterprise
> I cannot imagine a computer without ethernet
I think the wish was for the ability to order computers without
"Wireless Ethernet", not without any ethernet.
>> add ability to use removable memory chips with the iphone/ipod
>> touch
>>
> Is this common in smart phones?
I imagine the request is for something like an sd slot to add additional
storage. I don't know about "common", but my Nokia certainly has it,
and I've seen it in many models.
-----Original Message-----
From: fed-talk-bounces+david.c.sanderson=email@hidden
[mailto:fed-talk-bounces+david.c.sanderson=email@hidden]
On Behalf Of Allan B. Marcus
Sent: Wednesday, April 29, 2009 11:06 AM
To: Boyd Fletcher
Cc: email@hidden
Subject: Re: [Fed-Talk] Some thoughts on Apple and the Enterprise
WOW! Great list! I happen to be meeting at Apple next week with the
enterprise folks, so I will bring this up. Please see my comments
in-line below.
--
Thanks,
Allan Marcus
Los Alamos National Lab
505-667-5666
On Mon, April 27, 2009 9:27 pm, Boyd Fletcher wrote:
> Over the last couple of years I've been collecting some notes on what
> it would take to use Macs in the enterprise and figured it was time
> to post them.
Replace "enterprise" above with "government"
>
> General:
>
>
> 1. stop being so secretive about o/s and (non-consumer) hardware
> announcements. Enterprises/SMB customers DO NOT LIKE surprises.
Agreed.
>
>
> Hardware:
>
> 1. Great laptops and desktops, but lack of onboard smartcard reader
> support makes use in DOD, US GOV, and many other governments
> problematic and annoying. I hate having to carry around a USB reader.
> Those familiar with banking in UK/Europe will know that most if not
> all banks now require smartcards to be used when accessing your
> account over the Internet by using a small keypad fob type of device -
> I believe that could be implemented in software if Mac had an onboard
> reader.
Agreed, although our Apple rep (Tim White) pointed out that Apple would
probably charge $100 to add a $10 reader.
>
> 2. Lack of ability to order computers without BlueTooth, Wireless
> Ethernet or Camera or at least a **physical** hardware switch to turn
> them off. Yes I know I can pay an Apple Reseller to do this (and I
> have) but I shouldn't have to!
I cannot imagine a computer without ethernet. I agree on the other
points.
>
> 3. Lack of full hard disk based encryption. FileVault is not secure
> and can not be made secure without hardware assist (i.e. a TPM). Since
> Apple "owns" its o/s and hardware it should be able to do hard disk
> based encryption better than anyone else. It also has to integrate
> with an Enterprise key recovery.
I don't agree that Apple should do this; I think this is best left to
third parties that are supported by Apple. I _do_ feel, however, that
all computers should have user accessible hard drives so they can be
swapped out with TCG's OPAL standard drives. This blog posting not
withstanding <http://blog.pgp.com/index.php/tag/cuda/> I think hardware
is faster than software. We are about to embark on testing to confirm or
deny that hypothesis. I will post results if I can.
>
> 4. lack of desk side server. the Mac Pro lacks redundant power, and
> its high end graphics aren't needed in a desk side server.
In general, Apple's breadth of product line is pretty deficient. A lack
of a mid range desktop system is also sorely missed. Sorry, the iMac is
cool, but we don't need to buy new glossy monitors every three years. In
fact, we don't need glossy monitors EVER.
>
> 5. lack of a 4 CPU socket server with large # disk storage capacity.
> sometimes you just need lots of CPU and Cores to run big databases or
> apps (like peoplesoft or oracle)
>
I don't know about this one. Seems like you want a PowerEdge R710 (6
hard drive system). I miss 4 hard drive bays so I can have one for boot
and three for RAID 5. Xserve is obviously not very important to Apple;
it's not even listed on the front page of the Apple Store or the
business page of the Apple store; you have to search for it! I would be
MUCH more happy if Apple let us run Mac OS X Server on a VMWare server
infrastructure.
That said, support for Mac OS X client in VMware is pretty darned
important.
> 6. build a version of the iphone without a camera and with a pull out
> keyboard like the palm pre. typing long messages on the iphone is
> painful compared to the BB and accuracy is lower.
Would be nice, but heck, we don't even have AT&T in Los Alamos!
>
> 7. build an embeddable version of the iphone/ipod touch that can be
> used in other devices (like handheld scanners/inventory system,
> etc...).
>
Interesting
> 8. add ability to use removable memory chips with the iphone/ipod
> touch
>
Is this common in smart phones?
> 9. add firewire back to the MacBook. All devices must have firewire.
> Targeted disk mode is one of the coolest reasons to use a Mac! or work
> with the USB folks to add that support to USB 3.0
>
I think FW is dead. Too bad though, it was a good technology.
>
> Software:
>
> 1. SmartCard support though natively implemented in the O/S has a very
> very poor user interface requiring non-technical users to directly and
> frequently use Keychain Access to access most US GOV/DOD CAC/PIV
> protected web sites because Safari can't be configured to always send
> the SC with HTTPS connections and Safari (or o/s - users don't care)
> does not support using wildcards for URLs. In other words, no one
> cares if the o/s has native SC support if the UI implementation is
> brain dead. Users are tired of excuses. they just want it to work
> SEAMLESSLY every time, all the time - regardless of whether or not the
> IIS web site is configured correctly.
Agreed, SC support needs to be better.
>
>
> 2. lack of clean and complete integration with MS AD. MS is never
> going away and Macs need to better integrate seamlessly with AD. this
> covers three main areas:
>
> a. Authentication and Authorizations including full use of
> Kerberos ticketing. The third party app from Thursby is a very good
> step forward but it should be integrated natively into the operating
> system.
>
> b. AD Group Policy Object (GPO) support. Enterprises need to be
> able to manage all their boxes via a single interface and in the real
> world that is Microsoft Management Console (MMC). Apple needs to add
> full GPO support to MacOS and expose either its own MMC plugin OR
> better yet just integrate with the existing ones.
I think we are talking about MCX through GPO.
>
> c. support for centralized security/application logging
Doesn't syslog already do this?
>
> 3. Security. Good but needs major improvements.
>
> a. ASLR (Address Space Layout Randomization) is effectively broken
> in Leopard though it's reported to be fixed in Snow Leopard.
> b. NX (No eXecute) support should be enabled by default for
> EVERYTHING on Macs (including the kernel) with no way to disable it.
> c. -fstack-protect/-dFORTIFY_SOURCE must be enabled by default
> when using gcc and all Apple apps should be compiled with them
> enabled. stack smashing must be better contained.
Good points
> d. Apple should include a sub-panel under security that allows the
> user to easily implement the US GOV vetted Apple Security lockdowns
> easily. Perhaps using a slider approach (low, med, high, paranoid).
Interesting idea, but we would need FDCC for Mac first. To get there, we
need Apple to support and pay for the whole SCAP process. This is one of
the main topics I will be discussing with Apple next week. This one is
very near and dear to me; I was the CIS Mac Benchmark lead for Leopard,
and I will probably do it for Snow Leopard too.
Apple also needs to work much faster to get their benchmark out. I mean
they just got the Leopard one out a few months ago and Snow Leopard is
almost out! That said, let's see how long MS takes to get out a
benchmark for Windows 7.
> e. All core o/s settings (esp security ones) should be enforceable
> via GPO
at least from the command line and or MCX.
> f. file vault needs to be scrapped. it's too easy to hack. One of two
> things needs to be implemented:
FV is useful for the non-enterprise market. Enterprise and
government should use FDE.
>
> 1. software based disk encryption for ENTIRE o/s but with
> hardware assist (TPM)
>
> 2. or, (PREFERRED) harddisk based disk encryption with support
> for enterprise key recovery.
There seems to be good third party support now. Even MS doesn't offer
FDE.
> g. Macs need TPM based trusted boot, trusted application and
> trusted runtime/execution. this will eliminate > 95% of all stack
> smashing/malicious content based attacks.
agreed
>
> h. centralized logging to both apple servers AND MS Windows
> servers.
again, syslog does this for Apple/*NIX.
> i. Apple firewall does not support port/protocol settings (it used
> to in tiger) this is very very bad since it requires 3rd additions
> (or command line app usage - not very user friendly) and the
> capability was present in Tiger - albeit it needed range and wildcard
> support. this is a huge deficiency.
I would argue that central management and central reporting is needed.
> k. ability to log into a mac and encrypt a hard disk with a
> smartcard. and EASILY set this up graphically
Good opportunity for third party.
> l. wrap all apps with stricter SE Darwin policies. Especially
> externally facing apps like Safari.
agreed
> m. add an Applications menu to the Apple button (like Programs on
> Windows)
ew. You can do this with a number of free and shareware apps.
Personally, I prefer the dock. I think this is a matter of personal
taste.
> n. Add LOCKSCREEN to the Apple button menu and CTRL-ALT-DEL to
> quickly lock the screen.
Go to keychain access and show it in the menu bar, then you have a menu
item to lock the screen. This needs a keyboard equivalent, and I wasn't
able to get one to work with the Keyboard System Pref. Anyone get a key
to work?
> o. add ability to graphically manage plugins in Safari 4.0 like
> you can in Firefox.
Agreed
>
>
> 4. Though Apple has a good installer applications can use and a good
> update system for its apps it needs to:
>
> a. allow (and strongly advocate) third party products to use the
> apple updater tool for distributing patches and upgraded versions.
> c. there is no consistent graphical interface to remove apps,
> extensions, fonts, startup items, frameworks, etc. accessible via the
> software inventory interface in System Profiler (which part should
> really be its own pref panel).
I would argue that Apple needs a package management system that allows
for third party usage, updates, dependencies, and uninstalls. I will let
Apple figure out how to implement it.
>
> 5. AddressBook, Calendar, and Mail need to be integrated into a
> single user interface. the market has clearly spoken on this one,
> people want a single cleanly integrated app. The popularity of
> Outlook and Entourage is largely driven by the integrated UI. Yes,
> some people like separate apps but they are in a very small minority.
Again, ew. My guess is that Entourage is used primarily where required by
Exchange and nowhere else. Once Snow Leopard comes out, I'll bet
Entourage usage drops dramatically. I tried to use Entourage and it was
just painful.
>
> 6. Addressbook, Calendar, and Mail need to support CAC/PIV
> authentication with OWA in Snow Leopard or they are useless in US GOV.
agreed
>
> 7. Addressbook needs to support searching (and caching) of the
> Exchange GAL via OWA or it's not very useful for enterprise customers
> (i.e. see OWA GAL Search)
>
agreed
> 8. open up the o/s testing to a larger audience. being secret about
> the o/s and application testing is a surefire way to make enterprise
> and Small/Medium business customers unhappy
>
ummm, I got on the seed list. Did you try?
>
> 9. add a virtual directory server to MacOS server so you can aggregate
> LDAP, AD, and other directories into a common directory for
> authentication and authorization.
I don't know about this one.
>
> 10. add ability to disable all USB drives (thumb and hard disk) via
> security pref and GPO
Isn't this there now with MCX? We use it.
>
> 11. add ability to disable execution and installation from USB media
> and CD-ROM media via security pref and GPO
agreed. finer grained security controls are welcome.
>
> 12. fix the trackpad pref panel so that all the gestures can be
> individually turned off. also add ability to turn off trackpad zooming
> in Safari 4
Nice, but not really an enterprise thing.
>
> 13. add ability to change fan speeds. the default is too low for real
> laptop use. running 3000 RPM is much more tolerable.
seems to work fine for me. Try smcFanControl <http://www.eidac.de>
>
> 14. add ability to set a sort option on directory listing to always
> show directories first (like windows and pathfinder). this is much
> more efficient and user friendly than the current approach of
> embedding directories and files together.
ew.
>
> 15. fix Java support timeliness. Waiting > 1.5 years after Java 6.0
> became available for Windows/Linux to get it on Mac is not acceptable.
> And the latest Java 6.0 releases are still not available.
>
agreed.
> 16. ship Flash and Silverlight with the box
Silverlight? Anyone actually use that?
>
> 17. add ODF support for iWork.
Nice, but not really an enterprise thing. Let's face it MS Office is the
enterprise tool, and OO is the viable alternative.
>
> 18. increase Quicktime support for more media formats (see list from
> VLC especially xiph.org ones)
agreed. and add ac3 passthru support. But this is for home, not
enterprise.
>
> 19. ability to turn off the new page preview mode (Top Sites) in
> Safari 4.0 is neat but can be annoying AND it assumes you have good
> internet connection.
no comment
>
> 20. fine grain control (i.e. parental control for regular users) on
> what apps can be installed, who can install them, who can use them and
> when. Also need better mechanisms to push software installs down to
> clients - especially from windows servers.
again, finer security control is appreciated.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
rmy.mil
This email sent to email@hidden