[Fed-Talk] Fed-Talk monthly FAQ
- Subject: [Fed-Talk] Fed-Talk monthly FAQ
- From: Rex Sanders <email@hidden>
- Date: Sun, 01 May 2011 11:00:00 -0700
1 question edited or added this month.
Comments, corrections, additions welcome.
-- Rex Sanders, USGS
rsanders ---at--- usgs.gov
"Not only can Apple not please everyone,
it's not remotely interested in doing so."
-- Jason Snell, MacWorld magazine, June 2010
==========
Fed-Talk mailing list
Frequently Asked Questions
Emailed monthly to fed-talk ---at--- lists.apple.com.
Last update: 25 April 2011.
Entries changed since last month marked with (*) in Contents.
No endorsement of any product should be implied from inclusion in this message.
Contents:
General:
----- What is Fed-Talk?
----- How can I get on or off the Fed-Talk mailing list?
----- How can I search the Fed-Talk archives before mailing my question to the entire list?
----- How can I browse the Fed-Talk archives?
----- Why doesn't Apple support the Enterprise market?
----- How can Apple sell stuff to the Government when they don't do "Z"?
----- How can I ask Apple to support Z?
----- How can I get a Volatility Statement for Apple Products?
----- How can I buy Apple products for the Federal Government?
----- Can I buy Apple products for personal use with a discount?
----- Does Apple have a web site for Federal Government customers? (*)
Mac OS X:
----- Which versions of Mac OS X are supported by Apple?
----- How can I get my CAC card or PIV card to work with Mac OS X?
----- Where can I find Mac OS X security guidelines or STIGs?
----- Where can I find SCAP, or continuous security monitoring tools, for Mac OS X?
----- What is the Army Golden Master? What is its status?
----- What is USGCB? Where is the Mac OS X USGCB?
----- What is the status of FIPS 140-2 cryptographic validation for Mac OS X?
----- How do I meet the OMB M-06-16 requirement for encryption on Mac OS X?
----- How can I buy Macs without cameras, Bluetooth, or WiFi hardware?
----- Can't you disable cameras, Bluetooth, or WiFi with software, duct tape, SuperGlue, etc.?
----- What are some IPv6 issues that affect Mac OS X?
iOS:
----- How can I get my CAC card or PIV card to work with iOS?
----- Where can I find iOS security guidelines or STIGs?
----- Where is Apple's iOS security guide?
----- What is USGCB? Where is the iOS USGCB?
----- What is the status of FIPS 140-2 cryptographic validation for iOS?
----- How do I meet the OMB M-06-16 requirement for encryption on iOS?
----- How can I make iTunes purchases without paying sales tax?
----- How can I buy iOS devices without cameras, Bluetooth, or WiFi hardware?
----- Can't you disable cameras, Bluetooth, or WiFi with software, duct tape, SuperGlue, etc.?
----- What are some IPv6 issues that affect iOS?
----- What VPN servers and settings work with iOS?
========== General
----- What is Fed-Talk?
Fed-Talk is an unmoderated discussion list to discuss the uses of existing Apple technologies within, and specific to, the Federal government.
----- How can I get on or off the Fed-Talk mailing list?
See the footer in every Fed-Talk message.
See also http://lists.apple.com/mailman/listinfo/fed-talk
Do not send subscribe or unsubscribe requests to the entire list.
----- How can I search the Fed-Talk archives before mailing my question to the entire list?
In theory you can use Apple's mailing list search engine from the Fed-Talk home page:
http://lists.apple.com/mailman/listinfo/fed-talk
In practice, Google works much better:
http://www.google.com/search?q=site:lists.apple.com+Fed-Talk
----- How can I browse the Fed-Talk archives?
http://lists.apple.com/archives/Fed-talk
----- Why doesn't Apple support the Enterprise market?
Apple is primarily a Consumer company, and is not focused on Enterprise or Federal Government issues. Apple provides limited support to the Enterprise market, different from other IT vendors.
Probably what concerns you is support for your favorite Enterprise-like feature, service, or process.
----- How can Apple sell stuff to the Government when they don't do "Z"?
The Federal Government is a large, diverse market. Just because Z is required in your part, doesn't mean Z is required in every part. Just because OMB/NIST/... requires Z for the entire Government, doesn't mean Z is being enforced everywhere uniformly. Apple manages to sell plenty of Macs, iPhones, iPads, and other stuff to many parts of the Federal Government without Z. Please make clear in your messages that *your part* of the Government requires Z now.
For "Z", substitute your favorite feature, service, or process.
----- How can I ask Apple to support "Z"?
- Contact your agency's Apple sales rep, who will probably tell you to ...
- Get a free Apple Developer account at http://developer.apple.com/programs/register/ . Post a detailed request on http://bugreport.apple.com. Indicate approximately how many Macs are affected. Be realistic, and report numbers only for your part of the Government. Report the bug number to your Apple sales and engineering reps. Yes, reporting a feature request through the bug tracking system is the correct method. You should get a reply from Apple. You won't always get a reply you like.
- Send email to feedback ---at--- apple.com. You are not likely to get a reply from Apple.
- Posting your request on Fed-Talk will not work. You might get sympathy from other list members.
----- How can I get a Volatility Statement for Apple Products?
Some sites require vendor statements certifying no non-volatile memory after hardware power down, except for hard drives.
Federal Government representatives can send an email message to "AppleFederal -- at-- apple.com" and request a Volatility Statement for Apple Products.
What is needed in the request is at least ONE of the following:
- Product Serial Number (e.g. W891302D7XZ)
- Product Part Number (e.g. MB449LL/A)
- Product Model Number (e.g. A1279)
----- How can I buy Apple products for the Federal Government?
Follow the purchasing rules for your part of the Government - every part is different.
Some sources that might be available to you include:
- Apple online store for Government charge card purchases
http://www.apple.com/r/store/government/smartpay.html
- Apple GSA schedule (GS-35F-0086T) and other major Federal contracts:
http://www.apple.com/r/store/government/reseller.html
- NASA SEWP:
http://sewp.nasa.gov/
- Army CHESS Consolidated Buy
https://chess.army.mil/ascp/commerce/consolidatedBuy/index.jsp
Note: "Apple is the ONLY holder of GSA schedule for Apple products. Any other listing by any other company for Apple branded products are selling them without an official letter of supply." Apple Government Channel Manager, 30 September 2009
Tip: To find Apple GSA products and pricing, search for "GS-35F-0086T" on:
https://www.gsaadvantage.gov/
----- Can I buy Apple products for personal use with a discount?
Apple offers a Federal Employee Purchase Plan that allows Federal Employees and Federal Contractors to purchase up to six system bundles a year for yourself or family and friends that you sponsor. Apple offers similar plans to many other large corporations. Yes, this is legal.
http://www.apple.com/r/store/government/epp.html
Apple's policy:
http://www.apple.com/r/store/government/fedepppolicies.html
Some Fed-Talk readers report better discounts, and no sales tax collection, purchasing through Amazon. Caveat emptor.
----- Does Apple have a web site for Federal Government customers?
Not any more.
Apple used to support http://www.apple.com/federal , but that's gone now.
Here are some useful links that were on that page:
Accessibility, including Section 508 VPATs
http://www.apple.com/accessibility/
Government stores, including GSA schedules
http://www.apple.com/r/store/government/
Business resources
http://www.apple.com/business/
Environment
http://www.apple.com/environment/
Energy Efficiency, including Energy Star and EPEAT
http://www.apple.com/environment/energy-efficiency/
Export information
http://www.apple.com/legal/export.html
Security
http://www.apple.com/support/security/
Common Criteria
https://ssl.apple.com/support/security/commoncriteria/
========== Mac OS X
----- Which versions of Mac OS X are supported by Apple?
Apple doesn't explicitly state Mac OS X version support policies.
In brief:
- Mac OS X v10.6 Snow Leopard is fully supported.
- Mac OS X v10.5 Leopard is supported for serious bug fixes and security fixes.
- Previous versions have very limited support.
- When Apple releases Mac OS X v10.7 Lion, expect 10.5 support to end soon after.
"... the final version of Lion will ship to customers this summer.", Apple 2/24/2011
Based on years of observation, the support pattern appears to be:
- Apple fully supports the current operating system.
- Apple releases security fixes, and some bug fixes, for the 10.N-1 operating system.
- Sometimes, Apple releases security fixes for the 10.N-2 operating system.
Certain components of Mac OS X have different, unstated, support policies. For example, Safari and iTunes updates for Mac OS X v10.4 Tiger continue to be released.
----- How can I get my CAC card or PIV card to work with Mac OS X?
Your best source is within your part of the Federal Government. Otherwise ...
First, you need a card reader.
Macs: No Macs have slots suitable for internal card readers similar to what you can find from other vendors. External USB card readers will work with most Macs. Supported card readers can be found here:
http://smartcardservices.macosforge.org/trac/wiki/smartcardccid
Second, you need software support.
All [Apple supported] Smart Card related questions, assistance and guidance are at the SmartCardServices project at Mac OS Forge
http://smartcardservices.macosforge.org/
Separate Smart Card related mailing lists:
http://smartcardservices.macosforge.org/trac/wiki/MailLists
New Gemalto TOPDLGX4 144 CACs require a beta tokend available at
http://smartcardservices.macosforge.org/trac/wiki/installers#TokendReleases
Try these instructions:
https://sites.google.com/a/compsolve.net/mac-cac/
http://militarycac.com/apple.htm
Try these Entourage instructions:
http://lists.apple.com/archives/fed-talk/2009/Jul/msg00002.html
Try this DoDTechpedia Wiki entry:
https://www.dodtechipedia.mil/dodwiki/x/DoOeAg
"Any DoD user with a CAC can quickly access the DoDTechpedia wiki. All Federal Government employees and contractors can reach the wiki for general interaction, with some additional registration actions."
Thursby sells Mac OS X software to support CAC and PIV cards for Active Directory, Exchange, DFS, and Network volume integration:
ADmitMac PKI http://www.thursby.com/products/pki.html
The Army Golden Master for Mac OS X includes Thursby software for CAC and AD support (see below).
Thursby sells Mac OS X software for simple CAC web access to secure government sites, including AKO and OWA mail, typically used by remote or home users:
PKard for Mac http://www.thursby.com/products/pkard.html
----- Where can I find Mac OS X security guidelines or STIGs?
Your best source is within your part of the Federal Government. If you can't find one ...
Apple Security Guides:
http://www.apple.com/support/security/guides/
Apple Common Criteria info:
http://www.apple.com/support/security/commoncriteria/
NSA Security Configuration Guides, which point back to the Apple documents:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac
NSA Hardening Tips for Mac OS X 10.6 Snow Leopard
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
Center for Internet Security:
http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.osx
http://www.cisecurity.org/tools2/osx/CIS_MacOSX_10.5_Benchmark_v1.0.pdf
http://www.cisecurity.org/tools2/CIS_Apple_Safari_Benchmark_v1.0.0.pdf (Safari 4)
Draft DOD-DISA-IASE STIG for Mac OS X v10.5 (Leopard)
http://iase.disa.mil/stigs/draft-stigs/index.html
You should not adopt these guides wholesale; they are the starting point for a STIG (Security Technical Implementation Guide) specific to your part of the Government.
----- Where can I find SCAP, or continuous security monitoring tools, for Mac OS X?
SCAP tools might be available for Mac OS X because "they are generally just Java based XML interpreters." However, there is no SCAP content for Mac OS X.
http://scap.nist.gov/
Some Federal sites have written their own Mac OS X security monitoring tools, and will make them available upon request:
Los Alamos National Laboratory - contact Allan Marcus, allan ---at--- lanl.gov
DoD High Performance Computing Modernization Program - contact David Jaccard, dave.jaccard.ctr ---at--- hpcmo.hpc.mil
----- What is the Army Golden Master?
AGM is a standard, secure Windows or Mac OS X image for the Army, preloaded with approved applications. AGM ships on Mac purchases from the Army's Consolidated Buy:
https://chess.army.mil/ascp/commerce/consolidatedBuy/index.jsp
----- What is USGCB? Where is the Mac OS X USGCB?
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration (FDCC) mandate.
http://usgcb.nist.gov
FDCC settings for Windows XP and Vista have been released and widely implemented. USGCB settings for Windows 7 were released 24 September 2010.
"Candidate settings for Mac OS X and Red Hat Enterprise systems should be available soon."
No announcements have been made about USGCB settings for any version of iOS.
"NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment."
----- What is the status of FIPS 140-2 cryptographic validation for Mac OS X?
As of 9 March 2011, "Apple FIPS Cryptographic Module" for Mac OS X v10.6 is "Validated".
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1514
Questions remain on which parts of Mac OS X v10.6 use FIPS validated encryption, and what settings are necessary to assure and audit that encryption.
----- How do I meet the OMB M-06-16 requirement for encryption on Mac OS X?
You mean the one we were supposed to have fully deployed by August 7, 2006? You need encryption using FIPS 140-2 validated cryptographic modules.
http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf
Some parts of the Government have approved interim or final encryption methods for Mac OS X. Ask your security people.
Mac OS X v10.6 FileVault or Disk Utility encrypted disk images might meet your needs for FIPS 140-2 validated encryption.
Some third party products support FIPS 140-2 validated encryption for Mac OS X.
According to http://lists.apple.com/archives/fed-talk/2009/Aug/msg00058.html
"A short list of the top three _who work very closely with Apple_ are:"
CheckPoint - PointSec PC for Mac
http://www.checkpoint.com/products/datasecurity/pc/
PGP - Whole Disk Encryption
http://www.pgp.com/products/wholediskencryption/
WinMagic - SecureDoc
http://www.winmagic.com/products/full-disk-encryption-for-mac
CheckPoint PointSec and WinMagic SecureDoc are available on the GSA/DOD Data At Rest SmartBUY BPA
http://www.gsa.gov/portal/content/110521
Other vendors may have FIPS 140-2 validated encryption products for Mac OS X, including encrypted disk drives and flash drives.
Ask potential vendors for their specific FIPS 140-2 certification number for that particular Mac OS X product. Then check the NIST list of validated modules:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Some vendors confuse using a FIPS 140-2 accepted algorithm (e.g. 3DES, AES), with having a FIPS 140-2 validated solution. Writing buggy encryption software is easy. Getting FIPS 140-2 validation is hard. Caveat emptor.
----- How can I buy Macs without cameras, Bluetooth, or WiFi hardware?
Two Apple resellers are authorized to remove these devices from Macs before shipping them to you:
- Holman's http://www.holmans.com
- Intelligent Decisions http://www.intelligent.net
These modified Macs must be serviced by these resellers under Apple warranty or AppleCare. You cannot send modified Macs directly to Apple for warranty or AppleCare repair.
----- Can't you disable cameras, Bluetooth, or WiFi with software, duct tape, SuperGlue, etc.?
Yes. However, some parts of the Federal Government require removal of the offending parts.
----- What are some IPv6 issues that affect Mac OS X?
The Federal Government (except DoD) has been told to roll out IPv6 on an aggressive schedule:
http://www.cio.gov/Documents/IPv6MemoFINAL.pdf
"Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc) to operationally use native IPv6 by the end of FY 2012"
"Upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014"
* Mac OS X v10.6 Snow Leopard does not handle IPv6 DNS records consistently, leading to apparent unavailability of IPv6 hosts, or several-minute timeouts. Bugreport 7612070 has been open for a while.
* Mac OS X v10.6.5 changed certain default 6to4 tunneling behaviors as described here:
http://arstechnica.com/apple/news/2010/11/apple-fixes-broken-ipv6-by-breaking-it-some-more.ars
Be sure to read the comments for alternative viewpoints.
* Mac OS X v10.5 did not support RFC 3041, Mac OS X v10.6 might not support RFC 3041. RFC 3041 is obsolete, replaced by RFC 4941 http://tools.ietf.org/html/rfc4941 , and some consider RFC 3041 harmful http://tools.ietf.org/html/draft-dupont-ipv6-rfc3041harmful-05 .
* Mac OS X does not support router-assigned addresses -- self-assigned addresses only.
* Mac OS X does not support DHCPv6.
These last two points mean:
* You must rely on Mac OS X self-assigned IPv6 addresses, rather than DHCP-assigned IPv6 addresses.
* You must use a dual-stack IPv4/IPv6 environment for automatic assignment of DNS server addresses.
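Added example (not part of the original FAQ): self-assigned IPv6 addresses formed without RFC 4941 privacy extensions normally carry a modified EUI-64 interface identifier derived from the interface's MAC address, so one machine is recognizable across every prefix it joins, including 6to4. This Python sketch audits a list of addresses for that property; the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes (2001:db8::/32, 192.0.2.0/24)
# and a documentation MAC address (00:00:5e:00:53:01, RFC 7042).
SAMPLE = [
    "fe80::200:5eff:fe00:5301",            # link-local, EUI-64 identifier
    "2001:db8:1:2:200:5eff:fe00:5301",     # routed prefix, same interface
    "2002:c000:204:1:200:5eff:fe00:5301",  # 6to4 prefix, same interface
    "2001:db8:1:2:3c5a:91ff:1e44:7d02",    # opaque identifier (e.g. RFC 4941)
]


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 identifier, or None.

    The low 64 bits are MAC[0:3] + ff:fe + MAC[3:6] with the universal/local
    bit (0x02 of the first byte) inverted. A random identifier matches the
    ff:fe marker by chance about once in 65536, so treat a hit as a lead.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr):
    """Summarize what one address reveals about the host behind it."""
    ip = ipaddress.IPv6Address(addr)
    tunnel = ip.sixtofour  # IPv4 address embedded in 2002::/16, else None
    return {
        "address": str(ip),
        "link_local": ip.is_link_local,
        "six_to_four_ipv4": str(tunnel) if tunnel else None,
        "embedded_mac": eui64_mac(addr),
    }


def hosts_by_mac(addresses):
    """Group addresses by embedded MAC: one key is one trackable interface."""
    groups = defaultdict(list)
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac is not None:
            groups[mac].append(str(ipaddress.IPv6Address(addr)))
    return dict(groups)


if __name__ == "__main__":
    for a in SAMPLE:
        print(classify(a))
    for mac, addrs in hosts_by_mac(SAMPLE).items():
        print(f"{mac} seen on {len(addrs)} addresses: {addrs}")
```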
Parts of DoD have had dual-stack IPv6 running for several years.
Apple Airport is silently managed using IPv6 local addresses, unless you turn off IPv6.
Search Apple Support for Mac OS X IPv6 documents and issues:
http://support.apple.com/kb/index?page=search&q=IPv6
========== iOS
----- How can I get my CAC card or PIV card to work with iOS?
Your best source is within your part of the Federal Government. Otherwise ...
First, you need a card reader.
No card readers are available for iPhones or iPads.
Biometric Associates claims iPhone + Good S/MIME support for their Bluetooth card reader is coming in "Q4 2010".
http://www.biometricassociates.com
----- Where can I find iOS security guidelines or STIGs?
Your best source is within your part of the Federal Government. If you can't find one ...
Draft DOD-DISA-IASE iOS STIG using Good Technology tools:
http://iase.disa.mil/stigs/draft-stigs/index.html
Note: iOS Draft STIG missing as of Feb 15, 2011.
Center for Internet Security iOS 4.1 Security Configuration Benchmark:
http://cisecurity.org/en-us/?route=downloads.show.single.iphone.120
You should not adopt these guides wholesale; they are the starting point for a STIG (Security Technical Implementation Guide) specific to your part of the Government.
----- Where is Apple's iOS security guide?
Not available at this time.
Apple discusses many iPhone and iPad security features here:
http://images.apple.com/iphone/business/docs/iPhone_Security.pdf
http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf
http://www.apple.com/support/iphone/enterprise/
http://www.apple.com/support/ipad/enterprise/
----- What is USGCB? Where is the iOS USGCB?
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration (FDCC) mandate.
http://usgcb.nist.gov
No announcements have been made about USGCB settings for any version of iOS.
"NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment."
----- What is the status of FIPS 140-2 cryptographic validation for iOS?
Apple submitted "iPhone FIPS Cryptographic Module" and "iPad FIPS Cryptographic Module" for validation in mid-2010.
As of 15 November 2010, both modules are status "IUT" - "Implementation Under Test".
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
To decipher the status categories:
http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
----- How do I meet the OMB M-06-16 requirement for encryption on iOS?
Apple is in the process of getting FIPS 140-2 validation for iOS devices (see earlier question). FIPS 140-2 validated encryption for iOS is not available through Apple at this time. iPhones 3G and newer, and iPads, support built-in encryption which has not been validated.
Apps can provide iOS FIPS 140-2 validated encryption for data in their app sandbox along with other features.
Products suggested by others include:
- Good for Enterprise iPhone http://www.good.com/iphone
- Little Red Wagon Pinecone http://www.lrwtechnologies.com/pinecone.html
Do your homework! See the previous question.
Mocana announced a FIPS 140-2 validated iPhone OS *module* (Nanocrypto) which developers may use to build FIPS 140-2 validated products.
http://mocana.com/press2010-04-05.html
----- How can I make iTunes purchases without paying sales tax?
Many Government purchasers have not been charged sales tax on iTunes purchases.
However, your first iTunes purchase might trigger a charge card account freeze, until your issuing bank confirms that it's really you.
Maybe Apple fixed the sales tax problem, but just in case ...
Solution 1: Make the purchase with sales tax, then contact your Apple sales rep to get the tax removed after the fact. (from Apple Federal sales rep)
Solution 2: "There is a process where you can request reimbursement for the tax. You send the request to itunes_tax_refunds ---at--- apple.com. You must include a copy of your tax exemption status and a copy of your invoice. The tax refund will be provided in the form of a check. Refunds can not be made back to the card that was used to make the purchase." (unverified, from Fed-Talk posting 18 Feb 2010)
See the iTunes and App Store Terms & Conditions
http://www.apple.com/legal/itunes/us/terms.html
Apple has *removed*:
"No customers are eligible for tax exemptions for transactions made on the Service."
and now has:
"Your total price will include the price of the product plus any applicable sales tax; such sales tax is based on the bill-to address and the sales tax rate in effect at the time you download the product. We will charge tax only in states where digital goods are taxable."
----- How can I buy iOS devices without cameras, Bluetooth, or WiFi hardware?
You can't.
----- Can't you disable cameras, Bluetooth, or WiFi with software, duct tape, SuperGlue, etc.?
Yes. However, some parts of the Federal Government require removal of the offending parts.
----- What are some IPv6 issues that affect iOS?
iOS 4.0 and later support dual-stack IPv4/IPv6.
Earlier iOS versions do not support IPv6.
----- What VPN servers and settings work with iOS?
iOS supports properly configured Cisco, F5, Juniper, PPTP, and L2TP/IPsec VPN servers.
http://developer.apple.com/library/ios/#featuredarticles/FA_VPN_Server_Configuration_for_iPhone_OS/Introduction/Introduction.html
Cisco has released an iOS VPN client. Search the iTunes App store for "Cisco AnyConnect" or try:
http://itunes.apple.com/us/app/cisco-anyconnect/id392790924
Juniper has released an iOS VPN client. Search the iTunes App store for "Junos Pulse" or try:
http://itunes.apple.com/us/app/junos-pulse/id381348546