Re: [Fed-Talk] Some thoughts on Apple and the Enterprise
- Subject: Re: [Fed-Talk] Some thoughts on Apple and the Enterprise
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 30 Apr 2009 02:39:16 -0400
http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html
I disagree about casual users with AB and Cal. Those capabilities are
very popular with people for scheduling events, meetings, birthdays,
etc., and for keeping track of people's contact information. Outlook is
heavily used on Windows PCs in non-business environments.
If the integrated Email/AB/Cal apps were not better, then Novell, IBM,
MS and others would not be selling hundreds of millions of
copies.....
On Apr 28, 2009, at 5:49 AM, Wm. Cerniuk wrote:
Cannot argue with many issues below, but a couple do stick out.
I personally cannot stand the Entourage interface and especially the
integrated mail/calendar/address book approach. It is a very Microsoft
'Window' thing to have a one-window world, and it feels like I have both
hands tied behind my back.
I keep at least one calendar window open on my secondary monitor and
frequently use 3 to sometimes 30+ mail windows, several of them
being mail browsers. I have my mail back to 2001 in Apple Mail and
find the ability to cross reference messages critical to my personal
operation.
Yes, I am a power user on mail.
But consider the casual user... They could care less about the
calendar and rarely get into the address book. Having iCal and
Address Book progressively disclosed to the user ... as separate
apps (instead of this app-as-dashboard approach) simplifies the
casual user's experience. The apps are buttons on the dock, they are
part of the big "Application" called Mac OS X. Interleaving windows
for all applications essentially makes the Mac one big application
no matter how many 'programs' are integrated into the user experience.
And I rather like the keyboard on the iPhone... Much better than the
BB once I was weaned from that keyboard... BB takes too many clicks!
For encryption, PGP Whole Disk is da bomb. It is fast, stable and
user transparent. It is much faster than FileVault...I am not
familiar with the IT management interface any more but I am enamored
with the business functionality and that is what counts.
In general, it is IT's job to manage the product that best fulfills
the business' need. I cannot fault Apple for giving a priority to
making the machine useful and suitable for the business requirements
over the IT requirements. IT requirements always take a back seat
to business requirements.
BUT I can be frustrated with you, though, in the time it seems to
(smart card) take to (smart card) address the non-business
productivity (smart card) objectives. One particular technology
(smart card) comes to mind, in fact.
;-)
V/R,
Wm. Cerniuk
(Sent faster from my iPhone 3G)
On Apr 27, 2009, at 11:27 PM, Boyd Fletcher <email@hidden> wrote:
Over the last couple of years I've been collecting some notes on
what it would take to use Macs in the enterprise and figured it
was time to post them.
General:
1. Stop being so secretive about o/s and (non-consumer) hardware
announcements. Enterprise/SMB customers DO NOT LIKE surprises.
Hardware:
1. Great laptops and desktops, but lack of onboard smartcard reader
support makes use in DOD, US GOV, and many other governments
problematic and annoying. I hate having to carry around a USB
reader. Those familiar with banking in UK/Europe will know that
most if not all banks now require smartcards to be used when
accessing your account over the Internet by using a small keypad
fob type of device - I believe that could be implemented in
software if Mac had an onboard reader.
2. Lack of ability to order computers without Bluetooth, wireless
Ethernet or camera, or at least a **physical** hardware switch to
turn them off. Yes, I know I can pay an Apple Reseller to do this
(and I have), but I shouldn't have to!
3. Lack of full hard-disk-based encryption. FileVault is not
secure and cannot be made secure without hardware assist (i.e. a
TPM). Since Apple "owns" its o/s and hardware, it should be able to
do hard-disk-based encryption better than anyone else. It also has
to integrate with enterprise key recovery.
4. Lack of a desk-side server. The Mac Pro lacks redundant power, and
its high-end graphics aren't needed in a desk-side server.
5. Lack of a 4-CPU-socket server with large disk storage
capacity. Sometimes you just need lots of CPUs and cores to run big
databases or apps (like PeopleSoft or Oracle).
6. Build a version of the iPhone without a camera and with a pull-out
keyboard like the Palm Pre. Typing long messages on the iPhone
is painful compared to the BB, and accuracy is lower.
7. Build an embeddable version of the iPhone/iPod touch that can be
used in other devices (like handheld scanners/inventory systems,
etc.).
8. Add ability to use removable memory chips with the iPhone/iPod
touch.
9. Add FireWire back to the MacBook. All devices must have
FireWire. Target Disk Mode is one of the coolest reasons to use a
Mac! Or work with the USB folks to add that support to USB 3.0.
Software:
1. SmartCard support, though natively implemented in the O/S, has a
very, very poor user interface, requiring non-technical users to
directly and frequently use Keychain Access to access most US GOV/
DOD CAC/PIV protected web sites, because Safari can't be configured
to always send the SC with HTTPS connections and Safari (or the o/s -
users don't care) does not support using wildcards for URLs. In
other words, no one cares if the o/s has native SC support if the
UI implementation is brain dead. Users are tired of excuses. They
just want it to work SEAMLESSLY every time, all the time -
regardless of whether or not the IIS web site is configured
correctly.
2. Lack of clean and complete integration with MS AD. MS is never
going away, and Macs need to integrate seamlessly with AD.
This covers three main areas:
a. Authentication and Authorizations including full use of
Kerberos ticketing. The third party app from Thursby is a very good
step forward but it should be integrated natively into the
operating system.
b. AD Group Policy Object (GPO) support. Enterprises need to be
able to manage all their boxes via a single interface and in the
real world that is Microsoft Management Console (MMC). Apple needs
to add full GPO support to MacOS and expose either its own MMC
plugin OR better yet just integrate with the existing ones.
c. Support for centralized security/application logging.
3. Security. Good but needs major improvements.
a. ASLR (Address Space Layout Randomization) is effectively
broken in Leopard, though it's reported to be fixed in Snow Leopard.
b. NX (No eXecute) support should be enabled by default for
EVERYTHING on Macs (including the kernel) with no way to disable it.
c. -fstack-protector/-D_FORTIFY_SOURCE must be enabled by default
when using gcc, and all Apple apps should be compiled with them
enabled. Stack smashing must be better contained.
d. Apple should include a sub-panel under Security that allows
the user to easily implement the US GOV vetted Apple security
lockdowns. Perhaps using a slider approach (low, med, high,
paranoid).
e. All core o/s settings (esp. security ones) should be
enforceable via GPO.
f. FileVault needs to be scrapped. It's too easy to hack. One of
two things needs to be implemented:
1. Software-based disk encryption for the ENTIRE o/s but with
hardware assist (TPM)
2. or, (PREFERRED) hard-disk-based disk encryption with support
for enterprise key recovery.
g. Macs need TPM-based trusted boot, trusted application and
trusted runtime/execution. This would eliminate > 95% of all stack
smashing/malicious-content-based attacks.
h. Centralized logging to both Apple servers AND MS Windows
servers.
i. The Apple firewall does not support port/protocol settings (it
used to in Tiger). This is very, very bad since it requires 3rd-party
additions (or command-line app usage - not very user friendly), and
the capability was present in Tiger - albeit it needed range and
wildcard support. This is a huge deficiency.
k. Ability to log into a Mac and encrypt a hard disk with a
smartcard, and EASILY set this up graphically.
l. Wrap all apps with stricter SEDarwin policies. Especially
externally facing apps like Safari.
m. Add an Applications menu to the Apple button (like Programs on
Windows).
n. Add LOCKSCREEN to the Apple button menu and CTRL-ALT-DEL to
quickly lock the screen.
o. Add ability to graphically manage plugins in Safari 4.0 like
you can in Firefox.
4. Though Apple has a good installer that applications can use and a
good update system for its apps, it needs to:
a. Allow (and strongly advocate) third-party products to use the
Apple updater tool for distributing patches and upgraded versions.
c. There is no consistent graphical interface to remove apps,
extensions, fonts, startup items, frameworks, etc., accessible via
the software inventory interface in System Profiler (which part
should really be its own pref panel).
5. AddressBook, Calendar, and Mail need to be integrated into a
single user interface. The market has clearly spoken on this one:
people want a single, cleanly integrated app. The popularity of
Outlook and Entourage is largely driven by the integrated UI. Yes,
some people like separate apps, but they are in a very small minority.
6. Addressbook, Calendar, and Mail need to support CAC/PIV
authentication with OWA in Snow Leopard or they are useless in US
GOV.
7. Addressbook needs to support searching (and caching) of the
Exchange GAL via OWA, or it's not very useful for enterprise
customers (i.e. see OWA GAL Search).
8. Open up the o/s testing to a larger audience. Being secret about
the o/s and application testing is a surefire way to make
enterprise and Small/Medium business customers unhappy.
9. Add a virtual directory server to MacOS Server so you can
aggregate LDAP, AD, and other directories into a common directory
for authentication and authorization.
10. Add ability to disable all USB drives (thumb and hard disk) via
the Security pref and GPO.
11. Add ability to disable execution and installation from USB
media and CD-ROM media via the Security pref and GPO.
12. Fix the trackpad pref panel so that all the gestures can be
individually turned off. Also add ability to turn off trackpad
zooming in Safari 4.
13. Add ability to change fan speeds. The default is too low for
real laptop use. Running at 3000 RPM is much more tolerable.
14. Add ability to set a sort option on directory listings to always
show directories first (like Windows and PathFinder). This is much
more efficient and user friendly than the current approach of
interleaving directories and files together.
15. Fix Java support timeliness. Waiting > 1.5 years after Java 6.0
became available for Windows/Linux to get it on Mac is not
acceptable. And the latest Java 6.0 releases are still not available.
16. Ship Flash and Silverlight with the box.
17. Add ODF support for iWork.
18. Increase QuickTime support for more media formats (see the list
from VLC, especially the xiph.org ones).
19. Ability to turn off the new page preview mode (Top Sites) in
Safari 4.0. It is neat but can be annoying, AND it assumes you have a
good internet connection.
20. Fine-grained control (i.e. parental control for regular users) on
what apps can be installed, who can install them, who can use them
and when. Also need better mechanisms to push software installs
down to clients - especially from Windows servers.
Not Enterprise but cool nonetheless:
1. Write an API for game controllers (like PSP or Xbox/Wii
controllers).
2. Develop a controller shell with joystick and keyboard with
other buttons. Some games will always work better this way than
using on-screen or accelerometer-based controls.
3. Add an optional snap-on LiPo battery to the game controller
shell's bottom for those long trips/flights; sometimes you just need
20+ hours of real battery life. ;)
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden