[Fed-Talk] Fed-Talk monthly FAQ
- Subject: [Fed-Talk] Fed-Talk monthly FAQ
- From: Rex Sanders <email@hidden>
- Date: Wed, 1 Sep 2010 11:00:00 -0700
No questions edited or added this month.
Comments, corrections, additions welcome.
-- Rex Sanders, USGS
rsanders ---at--- usgs.gov
"Not only can Apple not please everyone, it's not remotely interested in doing so."
Jason Snell, MacWorld magazine, June 2010
==========
Fed-Talk mailing list
Frequently Asked Questions
Emailed monthly to fed-talk ---at--- lists.apple.com.
Last update: 19 July 2010.
Entries added or edited since last month marked with (*) in Contents.
No endorsement of any product should be implied from inclusion in this message.
Contents:
----- What is Fed-Talk?
----- How can I get on or off the Fed-Talk mailing list?
----- How can I search the Fed-Talk archives before mailing my question to the entire list?
----- How can I browse the Fed-Talk archives?
----- Why doesn't Apple support the Enterprise market?
----- How can Apple sell stuff to the Government when they don't do "Z"?
----- How can I ask Apple to support Z?
----- Which versions of Mac OS X are supported by Apple?
----- How can I get my CAC card or PIV card to work?
----- Where can I find Mac OS X security guidelines or STIGs?
----- Where can I find SCAP, or continuous security monitoring tools, for Mac OS X?
----- Where can I find iOS security guidelines or STIGs?
----- Where is Apple's iPhone security guide?
----- What is the Army Golden Master? What is its status?
----- What is the status of FIPS 140-2 cryptographic validation for Mac OS X?
----- What is the status of FIPS 140-2 cryptographic validation for iOS?
----- What is USGCB? Where is the Mac OS X USGCB? Where is the iOS USGCB?
----- How do I meet the OMB M-06-16 requirement for encryption on Mac OS X?
----- How do I meet the OMB M-06-16 requirement for encryption on iOS?
----- How can I get a Volatility Statement for Apple Products?
----- How can I buy Apple products for the Federal Government?
----- How can I buy Macs without cameras, Bluetooth, or WiFi hardware?
----- Can't you disable cameras, Bluetooth, or WiFi with software, duct tape, SuperGlue, etc.?
----- How can I make iTunes purchases without paying sales tax?
----- Can I buy Apple products for personal use with a discount?
----- Does Apple have a web site for Federal Government customers?
==========
----- What is Fed-Talk?
Fed-Talk is an unmoderated discussion list for the uses of existing Apple technologies within, and specific to, the Federal Government.
----- How can I get on or off the Fed-Talk mailing list?
See the footer in every Fed-Talk message.
See also http://lists.apple.com/mailman/listinfo/fed-talk
Do not send subscribe or unsubscribe requests to the entire list.
----- How can I search the Fed-Talk archives before mailing my question to the entire list?
In theory you can use Apple's mailing list search engine from the Fed-Talk home page:
http://lists.apple.com/mailman/listinfo/fed-talk
In practice, Google works much better:
http://www.google.com/search?q=site:lists.apple.com+Fed-Talk
----- How can I browse the Fed-Talk archives?
http://lists.apple.com/archives/Fed-talk
----- Why doesn't Apple support the Enterprise market?
Apple is primarily a Consumer company, and is not focused on Enterprise or Federal Government issues. Apple provides limited support to the Enterprise market, different from other IT vendors.
Probably what concerns you is support for your favorite Enterprise-like feature, service, or process.
----- How can Apple sell stuff to the Government when they don't do "Z"?
The Federal Government is a large, diverse market. Just because Z is required in your part, doesn't mean Z is required in every part. Just because OMB/NIST/... requires Z for the entire Government, doesn't mean Z is being enforced everywhere uniformly. Apple manages to sell plenty of Macs, iPhones, iPads, and other stuff to many parts of the Federal Government without Z. Please make clear in your messages that *your part* of the Government requires Z now.
For "Z", substitute your favorite feature, service, or process.
----- How can I ask Apple to support "Z"?
- Contact your agency's Apple sales rep, who will probably tell you to ...
- Get a free Apple Developer account at http://developer.apple.com/programs/register/ and post a detailed request on http://bugreport.apple.com. Indicate approximately how many Macs are affected. Be realistic, and report numbers only for your part of the Government. Report the bug number to your Apple sales and engineering reps. Yes, reporting a feature request through the bug tracking system is the correct method. You should get a reply from Apple. You won't always get a reply you like.
- Send email to feedback ---at--- apple.com. You are not likely to get a reply from Apple.
- Posting your request on Fed-Talk will not work. You might get sympathy from other list members.
----- Which versions of Mac OS X are supported by Apple?
Apple doesn't explicitly state Mac OS X version support policies.
In brief:
- Mac OS X v10.6 Snow Leopard is fully supported.
- Mac OS X v10.5 Leopard is supported for serious bug fixes and security fixes.
- Previous versions have very limited support.
Based on years of observation, the support pattern appears to be:
- Apple fully supports the current operating system.
- Apple releases security fixes, and some bug fixes, for the 10.N-1 operating system.
- Sometimes, Apple releases security fixes for the 10.N-2 operating system.
Certain components of Mac OS X have different, unstated, support policies. For example, Safari and iTunes updates for Mac OS X v10.4 Tiger continue to be released.
----- How can I get my CAC card or PIV card to work?
Your best source is within your part of the Federal Government. Otherwise ...
First, you need a card reader.
Macs: No Macs have slots suitable for internal card readers similar to what you can find from other vendors. External USB card readers will work with most Macs. Supported card readers can be found here:
http://smartcardservices.macosforge.org/trac/wiki/smartcardccid
iPhones and iPads: No card readers are available for iPhones or iPads at this time.
Second, you need software support.
All [Apple supported] Smart Card related questions, assistance and guidance are at the SmartCardServices project at Mac OS Forge:
http://smartcardservices.macosforge.org/
Separate Smart Card related mailing lists:
http://smartcardservices.macosforge.org/trac/wiki/MailLists
New Gemalto TOPDLGX4 144 CACs require a beta tokend available at
http://smartcardservices.macosforge.org/trac/wiki/installers#TokendReleases
Try these instructions:
https://sites.google.com/a/compsolve.net/mac-cac/
http://militarycac.com/apple.htm
Also try these Entourage instructions:
http://lists.apple.com/archives/fed-talk/2009/Jul/msg00002.html
Thursby sells software to support CAC or PIV cards for Active Directory and Exchange:
ADmitMac for CAC: http://www.thursby.com/products/afc.html
ADmitMac for PIV: http://www.thursby.com/products/piv.html
----- Where can I find Mac OS X security guidelines or STIGs?
Your best source is within your part of the Federal Government. If you can't find one ...
Apple Security Guides:
http://www.apple.com/support/security/guides/
Center for Internet Security:
http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.osx
http://www.cisecurity.org/tools2/osx/CIS_MacOSX_10.5_Benchmark_v1.0.pdf
http://www.cisecurity.org/tools2/CIS_Apple_Safari_Benchmark_v1.0.0.pdf (Safari 4)
You should not adopt these guides wholesale; they are the starting point for a STIG (Security Technical Implementation Guide) specific to your part of the Government.
----- Where can I find SCAP, or continuous security monitoring tools, for Mac OS X?
SCAP tools might be available for Mac OS X because "they are generally just Java based XML interpreters." However, there is no SCAP content for Mac OS X.
http://scap.nist.gov/
Some Federal sites have written their own Mac OS X security monitoring tools, and will make them available upon request:
Los Alamos National Laboratory - contact Allan Marcus, allan ---at--- lanl.gov
DoD High Performance Computing Modernization Program - contact David Jaccard, dave.jaccard.ctr ---at--- hpcmo.hpc.mil
----- Where can I find iOS security guidelines or STIGs?
Your best source is within your part of the Federal Government. If you can't find one ...
iPhone OS 3.1.2:
Center for Internet Security:
http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.mobile.iphone
http://www.cisecurity.org/tools2/iphone/CIS_Apple_iPhone_3.1.2_Benchmark_v1.1.0.pdf
iPhone OS 3.1 with MMS:
Try this post to Fed-Talk:
http://lists.apple.com/archives/Fed-talk/2009/Sep/msg00200.html
You should not adopt these guides wholesale; they are the starting point for a STIG (Security Technical Implementation Guide) specific to your part of the Government.
----- Where is Apple's iOS security guide?
Not available at this time.
Apple discusses many iPhone and iPad security features here:
http://images.apple.com/iphone/business/docs/iPhone_Security.pdf
http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf
http://www.apple.com/support/iphone/enterprise/
http://www.apple.com/support/ipad/enterprise/
----- What is the Army Golden Master?
AGM is a standard, secure Windows or Mac OS X image for the Army, preloaded with approved applications. AGM ships on Mac purchases from the Army's Consolidated Buy:
https://chess.army.mil/ascp/commerce/consolidatedBuy/index.jsp
----- What is USGCB? Where is the Mac OS X USGCB? Where is the iOS USGCB?
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration (FDCC) mandate.
http://usgcb.nist.gov
USGCB configurations for Windows XP and Vista have been released and widely implemented.
Mac OS X 10.5 "Leopard" USGCB development is in progress. No ETA.
No word on USGCB for Mac OS X 10.6 "Snow Leopard", or USGCB for any version of iOS.
"Neither NIST nor OMB precludes use or purchase of systems that do not have an [USGCB] in place."
More info here:
http://lists.apple.com/archives/fed-talk/2009/Nov/msg00005.html
----- What is the status of FIPS 140-2 cryptographic validation for Mac OS X?
As of 30 October 2009
http://lists.apple.com/archives/fed-talk/2009/Oct/msg00131.html
"Mac OS X's built-in Cryptographic Service Provider (CSP) Software Module is currently in process for FIPS 140-2 Level 1 Conformance Validation.
OpenSSL on Mac OS X 10.5/10.6 is not compiled using their FIPS validated crypto module
OpenSSH uses the installed OpenSSL on the platform (see above)
Apache on Mac OS X uses OpenSSL (see above)"
You can follow the progress of "Apple FIPS Cryptographic Module" here:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
Note that IUT means "Implementation Under Test".
----- What is the status of FIPS 140-2 cryptographic validation for iOS?
Apple submitted "iPhone FIPS Cryptographic Module" and "iPad FIPS Cryptographic Module" for validation in mid-2010.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
Note that IUT means "Implementation Under Test".
----- How do I meet the OMB M-06-16 requirement for encryption on Mac OS X?
You mean the one we were supposed to have fully deployed by August 7, 2006? You need encryption using FIPS 140-2 validated cryptographic modules.
http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf
Some parts of the Government have approved interim or final encryption methods for Mac OS X. Ask your security people.
Apple is in the process of getting FIPS 140-2 validation for Mac OS X security modules (see previous question). FileVault or Disk Utility encrypted disk images might meet your needs for interim encryption.
Some third party products support FIPS 140-2 validated encryption for Mac OS X.
According to http://lists.apple.com/archives/fed-talk/2009/Aug/msg00058.html
"A short list of the top three _who work very closely with Apple_ are:"
CheckPoint - PointSec PC for Mac
http://www.checkpoint.com/products/datasecurity/pc/
PGP - Whole Disk Encryption
http://www.pgp.com/products/wholediskencryption/
WinMagic - SecureDoc
http://www.winmagic.com/products/full-disk-encryption-for-mac
WinMagic SecureDoc is available on the GSA/DOD Data At Rest BPA
http://www.gsa.gov/Portal/gsa/ep/contentView.do?contentType=GSA_BASIC&contentId=23172
Other vendors may have FIPS 140-2 validated encryption products for Mac OS X, including encrypted disk drives and flash drives.
Ask potential vendors for their specific FIPS 140-2 certification number for that particular Mac OS X product. Then check the NIST list of validated modules:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Some vendors confuse using a FIPS 140-2 accepted algorithm (e.g. 3DES, AES), with having a FIPS 140-2 validated solution. Writing buggy encryption software is easy. Getting FIPS 140-2 validation is hard. Caveat emptor.
----- How do I meet the OMB M-06-16 requirement for encryption on iOS?
Apple is in the process of getting FIPS 140-2 validation for iOS devices (see earlier question). FIPS 140-2 validated encryption for iOS is not available through Apple at this time. iPhones 3G and newer, and iPads, support built-in encryption which has not been validated.
Apps can provide iOS FIPS 140-2 validated encryption for data in their app sandbox along with other features.
Products suggested by others include:
- Good for Enterprise iPhone http://www.good.com/iphone/
- Little Red Wagon Pinecone http://www.lrwtechnologies.com/pinecone.html
Do your homework! See the previous question.
Mocana announced a FIPS 140-2 validated iPhone OS *module* (Nanocrypto) which developers may use to build FIPS 140-2 validated products.
http://mocana.com/press2010-04-05.html
----- How can I get a Volatility Statement for Apple Products?
Some sites require vendor statements certifying that no non-volatile memory remains after hardware power down, except for hard drives.
Federal Government representatives can send an email message to "AppleFederal ---at--- apple.com" and request a Volatility Statement for Apple Products.
The request must include at least ONE of the following:
- Product Serial Number (e.g. W891302D7XZ)
- Product Part Number (e.g. MB449LL/A)
- Product Model Number (e.g. A1279)
----- How can I buy Apple products for the Federal Government?
Follow the purchasing rules for your part of the Government - every part is different.
Some sources that might be available to you include:
- Apple online store for Government charge card purchases
http://www.apple.com/r/store/government/smartpay.html
- Apple GSA schedule (GS-35F-0086T) and other major Federal contracts:
http://www.apple.com/r/store/government/reseller.html
- NASA SEWP:
http://sewp.nasa.gov/
- Army CHESS Consolidated Buy
https://chess.army.mil/ascp/commerce/consolidatedBuy/index.jsp
Note: "Apple is the ONLY holder of GSA schedule for Apple products. Any other listing by any other company for Apple branded products are selling them without an official letter of supply." Apple Government Channel Manager, 30 September 2009
Tip: To find Apple GSA products and pricing, search for "GS-35F-0086T" on:
https://www.gsaadvantage.gov/
----- How can I buy Macs without cameras, Bluetooth, or WiFi hardware?
Two Apple resellers are authorized to remove these devices from Macs before shipping them to you:
- Holman's http://www.holmans.com
- Intelligent Decisions http://www.intelligent.net
These modified Macs must be serviced by these resellers under Apple warranty or AppleCare. You cannot send modified Macs directly to Apple for warranty or AppleCare repair.
----- Can't you disable cameras, Bluetooth, or WiFi with software, duct tape, SuperGlue, etc.?
Yes. However, some parts of the Federal Government require removal of the offending parts.
----- How can I make iTunes purchases without paying sales tax?
Move to a state without sales tax?
Solution 1: Make the purchase with sales tax, then contact your Apple sales rep to get the tax removed after the fact. (from Apple Federal sales rep)
Solution 2: "There is a process where you can request reimbursement for the tax. You send the request to itunes_tax_refunds ---at--- apple.com. You must include a copy of your tax exemption status and a copy of your invoice. The tax refund will be provided in the form of a check. Refunds can not be made back to the card that was used to make the purchase." (unverified, from Fed-Talk posting 18 Feb 2010)
See the iTunes and App Store Terms & Conditions
http://www.apple.com/legal/itunes/us/terms.htm
http://www.apple.com/legal/itunes/appstore/us/terms.html
Note this phrase in the "Sales Tax" section:
"No customers are eligible for tax exemptions for transactions made on the Service."
----- Can I buy Apple products for personal use with a discount?
Apple offers a Federal Employee Purchase Plan that allows Federal Employees and Federal Contractors to purchase up to six system bundles a year for yourself or family and friends that you sponsor. Apple offers similar plans to many other large corporations. Yes, this is legal.
http://www.apple.com/r/store/government/epp.html
Apple's policy:
http://www.apple.com/r/store/government/fedepppolicies.html
Some Fed-Talk readers report better discounts, and no sales tax collection, purchasing through Amazon. Caveat emptor.
----- Does Apple have a web site for Federal Government customers?
http://www.apple.com/federal
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden