Re: [Fed-Talk] Some thoughts on Apple and the Enterprise
- Subject: Re: [Fed-Talk] Some thoughts on Apple and the Enterprise
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 30 Apr 2009 02:16:58 -0400
comments below
On Apr 29, 2009, at 11:05 AM, Allan B. Marcus wrote:
WOW! Great list! I happen to be meeting at Apple next week with the enterprise folks, so I will bring this up. Please see my comments in-line below.
--
Thanks,
Allan Marcus
Los Alamos National Lab
505-667-5666
On Mon, April 27, 2009 9:27 pm, Boyd Fletcher wrote:
Over the last couple of years I've been collecting some notes on what it would take to use Macs in the enterprise and figured it was time to post them.
Replace "enterprise" above with "government"
General:
1. stop being so secretive about o/s and (non-consumer) hardware
announcements. Enterprises/SMB customers DO NOT LIKE surprises.
Agreed.
Hardware:
1. Great laptops and desktops, but lack of onboard smartcard reader support makes use in DOD, US GOV, and many other governments problematic and annoying. I hate having to carry around a USB reader. Those familiar with banking in UK/Europe will know that most if not all banks now require smartcards to be used when accessing your account over the Internet by using a small keypad fob type of device - I believe that could be implemented in software if Mac had an onboard reader.
Agreed, although our Apple rep (Tim White) pointed out that Apple would probably charge $100 to add a $10 reader.
2. Lack of ability to order computers without BlueTooth, Wireless Ethernet or Camera or at least a **physical** hardware switch to turn them off. Yes I know I can pay an Apple Reseller to do this (and I have) but I shouldn't have to!
I cannot imagine a computer without ethernet. I agree on the other points.
wireless anything is bad in secure places
3. Lack of full hard disk based encryption. FileVault is not secure and cannot be made secure without hardware assist (i.e. a TPM). Since Apple "owns" its o/s and hardware it should be able to do hard disk based encryption better than anyone else. It also has to integrate with Enterprise key recovery.
I don't agree that Apple should do this; I think this is best left to third parties that are supported by Apple. I _do_ feel, however, that all computers should have user accessible hard drives so they can be swapped out with TCG's OPAL standard drives. This blog posting notwithstanding <http://blog.pgp.com/index.php/tag/cuda/> I think hardware is faster than software. We are about to embark on testing to confirm or deny that hypothesis. I will post results if I can.
strongly disagree. all the bolt-on after market approaches have lots of technical and supportability issues. this needs to be a core o/s and h/w capability just like wireless ethernet and graphics cards.
4. lack of desk side server. the Mac Pro lacks redundant power, and its high end graphics aren't needed in a desk side server.
In general, Apple's breadth of product line is pretty deficient. A lack of a mid range desktop system is also sorely missed. Sorry, the iMac is cool, but we don't need to buy new glossy monitors every three years. In fact, we don't need glossy monitors EVER.
definitely agree. glossy is bad engineering. bad ergonomics.
5. lack of a 4 CPU socket server with large # disk storage capacity. some time you just need lots of CPU and Cores to run big databases or apps (like peoplesoft or oracle)
I don't know about this one. Seems like you want a PowerEdge R710 (6 hard drive system). I miss 4 hard drive bays so I can have one for boot and three for RAID 5.
there needs to be an xserve capable of running a real database and enterprise level performance. i.e. 64GB RAM and 16 cores.
Xserve is obviously not very important to Apple; it's not even listed on the front page of the Apple Store or the business page of the Apple store; you have to search for it! I would be MUCH more happy if Apple let us run Mac OS X Server on a VMWare server infrastructure. That said, support for Mac OS X client in VMware is pretty darned important.
6. build a version of the iphone without a camera and with a pull out keyboard like the palm pre. typing long messages on the iphone is painful compared to the BB and accuracy is lower.
Would be nice, but heck, we don't even have AT&T in Los Alamos!
7. build an embeddable version of the iphone/ipod touch that can be used in other devices (like handheld scanners/inventory system, etc...).
Interesting
8. add ability to use removable memory chips with the iphone/ipod touch
Is this common in smart phones?
yes. almost all have them except iphone
9. add firewire back to the MacBook. All devices must have firewire. Targeted disk mode is one of the coolest reasons to use a Mac! or work with the USB folks to add that support to USB 3.0
I think FW is dead. Too bad though, it was a good technology.
Software:
1. SmartCard support though natively implemented in the O/S has a very very poor user interface requiring non-technical users to directly and frequently use Keychain Access to access most US GOV/DOD CAC/PIV protected web sites because Safari can't be configured to always send the SC with HTTPS connections and Safari (or o/s - users don't care) does not support using wildcards for URLs. In other words, no one cares if the o/s has native SC support if the UI implementation is brain dead. Users are tired of excuses. They just want it to work SEAMLESSLY every time, all the time - regardless of whether or not the IIS web site is configured correctly.
Agreed, SC support needs to be better.
2. lack of clean and complete integration with MS AD. MS is never going away and Macs need to better integrate seamlessly with AD. this covers three main areas:
a. Authentication and Authorizations including full use of Kerberos ticketing. The third party app from Thursby is a very good step forward but it should be integrated natively into the operating system.
b. AD Group Policy Object (GPO) support. Enterprises need to be able to manage all their boxes via a single interface and in the real world that is Microsoft Management Console (MMC). Apple needs to add full GPO support to MacOS and expose either its own MMC plugin OR better yet just integrate with the existing ones.
I think we are talking about MCX through GPO.
nope. MCX is an Apple technology. enterprises need to be able to manage Macs using Active Directory and AD GPO. not Mac servers.
c. support for centralized security/application logging
Doesn't syslog already do this?
nope. only supports a limited subset of applications. a large number of unix/mac apps use their own log files and o/s audit doesn't use syslog. syslog is archaic technology.
Unix/Linux/MacOS X needs an enterprise class, scalable, searchable logging/auditing subsystem that works with distributed clients/servers and supports unicode and binary data AND that all the apps actually use via an O/S provided API.
3. Security. Good but needs major improvements.
a. ASLR (Address Space Layout Randomization) is effectively broken in Leopard though it's reported to be fixed in Snow Leopard.
b. NX (No eXecute) support should be enabled by default for EVERYTHING on Macs (including the kernel) with no way to disable it.
c. -fstack-protector/-D_FORTIFY_SOURCE must be enabled by default when using gcc and all Apple apps should be compiled with them enabled. stack smashing must be better contained.
Good points
d. Apple should include a sub-panel under security that allows the user to easily implement the US GOV vetted Apple Security lockdowns easily. Perhaps using a slider approach (low, med, high, paranoid).
Interesting idea, but we would need FDCC for Mac first. To get there, we need Apple to support and pay for the whole SCAP process. This is one of the main topics I will be discussing with Apple next week. This one is very near and dear to me; I was the CIS Mac Benchmark lead for Leopard, and I will probably do it for Snow Leopard too.
Apple also needs to work much faster to get their benchmark out. I mean they just got the Leopard one out a few months ago and Snow Leopard is almost out! That said, let's see how long MS takes to get out a benchmark for Windows 7.
FDCC is not required for this. good idea though.
there is no technical reason why apple could not implement its own security guidance via a preference panel
e. All core o/s settings (esp security ones) should be enforceable via GPO
at least from the command line and or MCX.
need to be integrated with MS AD infrastructure.
f. file vault needs to be scrapped. it's too easy to hack. One of two things needs to be implemented:
FV is useful for the non-enterprise market. Enterprise and government should use FDE.
1. software based disk encryption for ENTIRE o/s but with hardware assist (TPM)
2. or, (PREFERRED) harddisk based disk encryption with support for enterprise key recovery.
There seems to be good third party support now. Even MS doesn't offer FDE.
g. Macs need TPM based trusted boot, trusted application and trusted runtime/execution. this will eliminate > 95% of all stack smashing/malicious content based attacks.
agreed
h. centralized logging to both apple servers AND MS Windows servers.
again, syslog does this for Apple/*NIX.
i. Apple firewall does not support port/protocol settings (it used to in tiger). this is very very bad since it requires 3rd party additions (or command line app usage - not very user friendly) and the capability was present in Tiger - albeit it needed range and wildcard support. this is a huge deficiency.
I would argue that central management and central reporting is needed.
k. ability to log into a mac and encrypt a harddisk with a smartcard. and EASILY set this up graphically
Good opportunity for third party.
l. wrap all apps with stricter SE Darwin policies. Especially externally facing apps like Safari.
agreed
m. add an Applications menu to the Apple button (like Programs on Windows)
ew. You can do this with a number of free and shareware apps. Personally, I prefer the dock. I think this is a matter of personal taste.
n. Add LOCKSCREEN to the Apple button menu and CTRL-ALT-DEL to quickly lock the screen.
Go to keychain access and show it in the menu bar, then you have a menu item to lock the screen. This needs a keyboard equivalent, and I wasn't able to get one to work with the Keyboard System Pref. Anyone get a key to work?
o. add ability to graphically manage plugins in Safari 4.0 like you can in Firefox.
Agreed
4. Though Apple has a good installer that applications can use and a good update system for its apps, it needs to:
a. allow (and strongly advocate) third party products to use the apple updater tool for distributing patches and upgraded versions.
c. there is no consistent graphical interface to remove apps, extensions, fonts, startup items, frameworks, etc. accessible via the software inventory interface in System Profiler (which part should really be its own pref panel).
I would argue that Apple needs a package management system that allows for third party usage, updates, dependencies, and uninstalls. I will let Apple figure out how to implement.
5. AddressBook, Calendar, and Mail need to be integrated into a single user interface. the market has clearly spoken on this one, people want a single cleanly integrated app. The popularity of Outlook and Entourage is largely driven by the integrated UI. Yes, some people like separate apps but they are in a very small minority.
Again, ew. My guess is that Entourage is used primarily where required by Exchange and nowhere else. Once snow leopard comes out, I'll bet Entourage usage drops dramatically. I tried to use Entourage and it was just painful.
based on MS sales of MS Office 2008 I don't believe that is correct. Entourage is a far more capable mail client than Leopard's mail client.
6. Addressbook, Calendar, and Mail need to support CAC/PIV authentication with OWA in Snow Leopard or they are useless in US GOV.
agreed
7. Addressbook needs to support searching (and caching) of the Exchange GAL via OWA or it's not very useful for enterprise customers (i.e. see OWA GAL Search)
agreed
8. open up the o/s testing to a larger audience. being secret about the o/s and application testing is a surefire way to make enterprise and Small/Medium business customers unhappy
ummm, I got on the seed list. Did you try?
9. add a virtual directory server to MacOS server so you can aggregate LDAP, AD, and other directories into a common directory for authentication and authorization.
I don't know about this one.
10. add ability to disable all USB drives (thumb and hard disk) via security pref and GPO
Isn't this there now with MCX? We use it.
11. add ability to disable execution and installation from USB media and CD-ROM media via security pref and GPO
agreed. finer grained security controls are welcome.
12. fix the trackpad pref panel so that all the gestures can be individually turned off. also add ability to turn off trackpad zooming in Safari 4
Nice, but not really an enterprise thing.
13. add ability to change fan speeds. the default is too low for real laptop use. running 3000 RPM is much more tolerable.
seems to work fine for me. Try smcFanControl <http://www.eidac.de>
i use it but it should be part of the o/s. or the o/s should use more reasonable values.
14. add ability to set a sort option on directory listing to always show directories first (like windows and pathfinder). this is much more efficient and user friendly than the current approach of embedding directories and files together.
ew.
15. fix Java support timeliness. Waiting > 1.5 years after Java 6.0 became available for Windows/Linux to get it on Mac is not acceptable.
And the latest Java 6.0 releases are still not available.
agreed.
16. ship Flash and Silverlight with the box
Silverlight? Anyone actually use that?
yes in the corporate/enterprise world.
17. add ODF support for iWork.
Nice, but not really an enterprise thing. Let's face it MS Office is the enterprise tool, and OO is the viable alternative.
unless you work in europe ;)
18. increase Quicktime support for more media formats (see list from VLC especially xiph.org ones)
agreed. and add ac3 passthru support. But this is for home, not enterprise.
19. ability to turn off the new page preview mode (Top Sites) in Safari 4.0 is neat but can be annoying AND it assumes you have a good internet connection.
no comment
20. fine grain control (i.e. parental control for regular users) on what apps can be installed, who can install them, who can use them and when. Also need better mechanisms to push software installs down to clients - especially from windows servers.
again, finer security control is appreciated.
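Items 3a to 3c in Boyd's list ask for ASLR, NX everywhere and stack-protector/FORTIFY_SOURCE on by default. Before a site can push for that, it needs to know which of its own binaries were actually built with those mitigations. The script below is an added example written for this thread, not code from either poster or from Apple. It reads the thin Mach-O header (magic, then the flags word at byte offset 24, the same in the 32-bit and 64-bit header), tests the MH_PIE, MH_ALLOW_STACK_EXECUTION and MH_NO_HEAP_EXECUTION bits as defined in Apple's mach-o/loader.h, and uses a byte scan for the ___stack_chk_fail symbol as a heuristic for -fstack-protector (a fuller tool would walk LC_SYMTAB). The two sample images are constructed inline so the checks run offline; the function names and the "legacy"/"hardened" samples are this example's own, not anything from the page.

```python
"""
Audit a thin Mach-O image for the build-time mitigations discussed in the
thread: PIE (needed for ASLR to slide the main image), non-executable stack
and heap flags, and stack-protector instrumentation.
Added example; header layout and flag values follow <mach-o/loader.h>.
"""
import struct

# Magic numbers from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O

# Header flag bits from <mach-o/loader.h>
MH_ALLOW_STACK_EXECUTION = 0x00020000   # stack is executable (weakens NX)
MH_PIE = 0x00200000                     # position independent; ASLR can slide it
MH_NO_HEAP_EXECUTION = 0x01000000       # heap pages are non-executable

# Both header variants lay out:
# magic(4) cputype(4) cpusubtype(4) filetype(4) ncmds(4) sizeofcmds(4) flags(4)
FLAGS_OFFSET = 24
HEADER_MIN = 28

# Every function instrumented by -fstack-protector references this symbol.
STACK_CHK_SYMBOL = b"___stack_chk_fail"


def parse_header_flags(data: bytes):
    """Return (is_64bit, flags) for a thin Mach-O blob, detecting byte order
    from the magic. Raises ValueError for fat/universal files or junk input."""
    if len(data) < HEADER_MIN:
        raise ValueError("too short to hold a Mach-O header")
    for order in ("<", ">"):          # x86 images are little-endian, PPC big-endian
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            flags = struct.unpack(order + "I", data[FLAGS_OFFSET:FLAGS_OFFSET + 4])[0]
            return magic == MH_MAGIC_64, flags
    raise ValueError("not a thin Mach-O image (split universal files first)")


def audit_mitigations(data: bytes) -> dict:
    """Summarise what the header says plus a string-scan heuristic for canaries."""
    is64, flags = parse_header_flags(data)
    return {
        "pie": bool(flags & MH_PIE),
        "stack_nx": not (flags & MH_ALLOW_STACK_EXECUTION),
        "heap_nx": bool(flags & MH_NO_HEAP_EXECUTION),
        # Heuristic: a canary-protected binary imports ___stack_chk_fail.
        # Scanning bytes is what `strings | grep` does; a real tool walks LC_SYMTAB.
        "stack_protector": STACK_CHK_SYMBOL in data,
        "is_64bit": is64,
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the thread asks for that this image lacks."""
    report = audit_mitigations(data)
    wanted = ("pie", "stack_nx", "heap_nx", "stack_protector")
    return [name for name in wanted if not report[name]]


def build_sample(flags: int, bits: int = 64, order: str = "<", body: bytes = b"") -> bytes:
    """Construct a minimal Mach-O header (constructed sample data, not a real
    binary) so the checks above can be exercised offline."""
    magic = MH_MAGIC_64 if bits == 64 else MH_MAGIC
    cputype = 0x01000007 if bits == 64 else 0x00000007   # CPU_TYPE_X86_64 / CPU_TYPE_I386
    header = struct.pack(order + "7I", magic, cputype, 3, 2, 0, 0, flags)  # filetype 2 = MH_EXECUTE
    if bits == 64:
        header += struct.pack(order + "I", 0)  # reserved field exists only in mach_header_64
    return header + body


# Constructed samples: an image with nothing turned on (and an executable
# stack), and a hardened one with PIE, non-executable heap and a canary reference.
LEGACY_IMAGE = build_sample(flags=MH_ALLOW_STACK_EXECUTION, bits=32)
HARDENED_IMAGE = build_sample(flags=MH_PIE | MH_NO_HEAP_EXECUTION,
                              body=STACK_CHK_SYMBOL + b"\0")

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HARDENED_IMAGE
    for key, value in audit_mitigations(blob).items():
        print(f"{key:16s} {value}")
    print("missing:", missing_mitigations(blob))
```

Run it with a path to a thin Mach-O file to audit a real binary; with no argument it audits the constructed hardened sample. Universal (fat) binaries start with a different magic and must be split into their architecture slices first, which the parser reports rather than guessing.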
Fed-talk mailing list (email@hidden)