Re: [U] [Fed-Talk] New Hardware Shipping with New OS and no support for old
- Subject: Re: [U] [Fed-Talk] New Hardware Shipping with New OS and no support for old
- From: Taylor Armstrong <email@hidden>
- Date: Wed, 19 Oct 2011 10:14:52 -0400
Exactly.
Until we have a CIS benchmark, or something similar that we can hand to
an auditor and state that "this is our standard", we can't deploy that OS.
Note that the CIS benchmark for 10.6 has STILL not been published, much
less one for 10.7.
Is it any wonder that it is easier for our organization to go with
Microsoft under these circumstances?
On 10/18/2011 4:29 PM, Sizemore, Norris A Mr CTR US USA TRADOC USAAC wrote:
> UNCLASSIFIED////
>
> The only problem would be that the new OS is still a violation to some
> IA departments. If the hardware will not let you downgrade to a
> supported OS version, then the organization is dead in the water until
> the new OS passes IA approval.
>
> -Norris
>
> -----Original Message-----
> From: fed-talk-bounces+norris.sizemore=email@hidden
> [mailto:fed-talk-bounces+norris.sizemore=email@hidden]
> On Behalf Of Pike, Michael (IHS/HQ)
> Sent: Tuesday, October 18, 2011 4:25 PM
> To: Kachman, Donald R. Jr (DJ) - (ESE)
> Cc: Mr. William G. Cerniuk; Fed Talk
> Subject: Re: [Fed-Talk] New Hardware Shipping with New OS and no support
> for old
>
> Technically you can support an old OS on new equipment with VMware or
> Parallels, but it is an OS within an OS, if that would be a viable
> workaround.
>
> Mike
>
> On Oct 18, 2011, at 7:38 AM, Kachman, Donald R. Jr (DJ) - (ESE) wrote:
>
> Yes, and we have an enterprise development account. The issue is less us
> understanding the new OS, but rather the solutions we own supporting it.
> It has been rare that enterprise solutions are ready day one.
>
> Stockpiling equipment seems expensive, especially if you do not want it
> sitting on the shelf collecting dust.
>
> It would make sense, especially from an enterprise standpoint, that
> Apple would understand that large enterprises cannot just switch over in
> a few months.
>
> I'm not sure I understand why Apple, as innovative as they are, can't
> come up with a creative way to support an older OS on new equipment.
>
> Best Regards,
>
> DJ Kachman
> CISSP CNSS/NSA
>
> From: Mr. William G. Cerniuk [mailto:email@hidden]
> Sent: Tuesday, October 18, 2011 8:40 AM
> To: Trouton, Rich R; Benjamin, Charles (NIH/CIT) [E]; Fed Talk; Kachman,
> Donald R. Jr (DJ) - (ESE)
> Subject: Re: [Fed-Talk] New Hardware Shipping with New OS and no support
> for old
>
> The approach to purchasing models that can run the older OS only lasts
> for about a month after a release of a new OS. In fairly short order
> after a new release of an OS, all Macs have updated ROMs to leverage the
> new capabilities of the OS. Once the ROM has been updated, you cannot
> successfully re-install legacy operating systems on the machine. It has
> been this way since 1984. (27 years)
>
> We all have the capability of obtaining the latest pre-release of Apple
> software months ahead of release and this includes iOS as well as Mac OS
> X. By the time Apple releases an operating system, there really should
> be very few surprises. This is how the Apple developer community pulls
> off the simultaneous releases of software that leverage the new
> capabilities on day-1 of a new OS from Apple:
>
> <image001.png>
>
> The thing to remember is that Apple is a hardware company and as such
> treats the operating system as firmware, integrated, tested, no unknowns
> in the platforms upon which it runs. This software has been heavily
> tested both at Apple and by people such as our group here
> (http://radar.apple.com).
>
> By contrast (and I mean 180 degrees) Microsoft sells software which may
> or may not work with the hardware you have and which may or may not
> have been tested on the hardware you have. A new OS from Microsoft has
> many external dependencies, especially with an enterprise configuration,
> as there are so many moving parts and so many drivers from so many other
> companies that it is amazing that Microsoft pulls it off.
>
> Best,
> Wm.
>
> On Oct 13, 2011, at 1:02 PM, Trouton, Rich R wrote:
>
>
> Another way to handle it is to provide your users with a list of "these
> models can still run (previous OS). If you need a Mac, please buy one of
> these" and have a (previous OS) image ready that you can apply to
> qualifying Macs as they come in.
>
> That approach gives you a way to keep supporting the old OS, gain time
> to prepare to support the new OS, and still provide your folks with new
> stuff. Does it help if your director says "I don't care, I want that new
> (only runs the new OS) Mac,"? No, but at least that confines the problem
> to a numerically smaller group of users.
>
> Thanks,
> Rich
>
>
> On Oct 13, 2011, at 11:16 AM, Benjamin, Charles (NIH/CIT) [E] wrote:
>
>
> Apple does make this incredibly hard on enterprises. It is my biggest
> peeve.
>
> We are trying to address this by going to a lifecycle model, which would
> include spares. We are already doing this with Windows PCs so we have
> some basis to model after. So we will try to predict what we need in
> advance and basically use the "older model" until the new OS is ready
> for production. I don't know how well this will work initially as we
> are still assessing things to try and predict models to buy for
> roles/functions/replacements. As luck would have it, Lion was released
> before we got started and it is very much a game changer OS versus 10.4,
> 10.5, 10.6 which is the style OS we were preparing for. Right now we have
> best effort support for Lion boxes in use while trying to preserve our
> 10.6 installs.
>
> That being said, my suspicion is life cycle will be the way to handle
> it. By having the hardware in advance and knowing approximately when the
> new OS is coming you set up your hardware buys so that you can give
> yourself 6 months to a year to prepare for the new OS. Of course this
> assumes the budget flexibility to do it and enough political clout to
> stop the "Oh new shiny model" buys. :)
>
> Chuck Benjamin
> DHHS/NIH/CIT/DCS/SSB/DSS
> CIT Desktop Security Team
> email@hidden
>
> From: Kachman, Donald R. Jr (DJ) - (ESE) [mailto:email@hidden]
> Sent: Thursday, October 13, 2011 10:49 AM
> To: 'email@hidden<mailto:'email@hidden>'
> Subject: [Fed-Talk] New Hardware Shipping with New OS and no support for
> old
>
> I'm looking for information on how other agencies handle Apple's policy
> that they ship hardware with the latest OS and do not support previous
> versions, typically within a short window after the latest OS is
> released.
>
> An example, Lion was released in August and all equipment subsequent is
> shipped with Lion. As a federal agency, we do not move to the latest
> without security, management, and user testing. In fact, some of the
> security software we use, has not been available right after.
>
> Another example is that iOS 5 is now shipped on all iOS devices. Do
> other federal agencies just wholesale take the new OS and then attempt
> to manage and secure it later?
>
> Knowing that the future happens rapidly in this environment, we are
> responsible as managers and security staff, to ensure that what is put
> out there is indeed secure and protects the data that we are entrusted
> with.
>
> Thoughts and practices from other agencies?
>
> Best Regards,
> DJ Kachman
> Director, Security and Mobile Division, Client Security, ESE Battle
> Creek, MI 49051
> (269) 317-5481
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list
> (email@hidden<mailto:email@hidden>)
> Help/Unsubscribe/Update your Subscription:
> org
>
> This email sent to
> email@hidden<mailto:email@hidden>
>
> ---
> Rich Trouton
> email@hidden<mailto:email@hidden>
>
> JFRC Help Desk
> phone: x4030
> email: email@hidden<mailto:email@hidden>
>
> The best way to get in touch with me is through email.
>
> UNCLASSIFIED////
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
W. Taylor Armstrong email@hidden
NOAA's National Ocean Service Domain Infrastructure Team
1305 East-West Highway Phone (301) 713-1156
Silver Spring, MD 20910 http://nos.noaa.gov
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~