Re: [Fed-Talk] Remediating & Patching Macs
- Subject: Re: [Fed-Talk] Remediating & Patching Macs
- From: "Marcus, Allan B" <email@hidden>
- Date: Thu, 31 Mar 2016 18:01:21 +0000
- Thread-topic: [Fed-Talk] Remediating & Patching Macs
Absolutely more secure. The only issue is the potential to break something. For example, the recent Xcode 7.3 upgrade caused some issues for some of our scientists with their configuration of the Intel compiler.
On the whole, the issues you will need to resolve as a result of a breakage associated with an update are probably far less than dealing with an incident because you didn’t update.
--
Thanks,
Allan Marcus
Los Alamos National Laboratory
505-667-5666
email@hidden
On 3/31/16, 11:29 AM, "fed-talk-bounces+allan=email@hidden on behalf of van Bronkhorst, Erik W CIV NAVAIR, 492200D" <fed-talk-bounces+allan=email@hidden on behalf of email@hidden> wrote:
>
>I am just wondering if automatically installing patches is more, or less secure
>than requiring some sort of human scrutiny.
>
>--
>Code 492200D Erik van Bronkhorst
>NAVAIRWARCENWPNDIV
>1900 N KNOX ROAD STOP 6220
>China Lake CA 93555-6106
>
>email@hidden
>email@hidden
>760 939 1421 work
>760 301 6246 cell
>________________________________
>From: fed-talk-bounces+erik.vanbronkhorst=email@hidden [fed-talk-bounces+erik.vanbronkhorst=email@hidden] on behalf of Trater, James R. [email@hidden]
>Sent: Thursday, March 31, 2016 10:24 AM
>To: Carib Mendez; email@hidden
>Subject: [Non-DoD Source] Re: [Fed-Talk] Remediating & Patching Macs
>
>If cost is a major consideration, I suggest looking at the combination of Munki + MunkiReport-PHP + AutoPKG + Reposado for doing software/patch management. These are software management tools - not full-on configuration management like Casper - but they work really well and the software itself is free.
>
>I can go into more detail if you like, but these solutions let you control the distribution of OS and application updates (through branches) and the AutoPKG recipes can automatically download the latest application updates for popular software such as Adobe Flash, MS Office, Firefox, etc. We stage all of the updates on a dedicated Mac and then rsync them to a pair of load-balanced Linux servers that our clients point to. You can secure your distribution server (which is basically just a web server) with SSL and optional certificate or basic auth.
>
>Jim
>
>
>
>From: <fed-talk-bounces+traterjr=email@hidden> on behalf of Carib Mendez <email@hidden>
>Date: Thursday, March 31, 2016 at 12:57 PM
>To: "email@hidden" <email@hidden>
>Subject: Re: [Fed-Talk] Remediating & Patching Macs
>
>David,
>
>Personally I find the Casper suite by JAMF to be the most robust solution. We use it at the National Defense University and I know that it is used elsewhere in DoD including OSD. In addition to patch management, it has the ability to apply policy (STIG settings) as well. We’ve been using it for many years and are extremely pleased with its capabilities.
>
>There are some open source tools as well, and if you were really desperate SCCM is supposed to be able to do patching of Macs as well.
>
>
>Carib
>
>On Mar 31, 2016, at 11:16 AM, "Downin, David M CIV NSWCCD West Bethesda, 893" <email@hidden> wrote:
>
>Although there is no mandate from NAVSEA or NSWC to ban macs, it seems as if they are trying to get rid of them on base.
>
>General theme is macs are dead through attrition. Can only replace a Mac if u provide a POAM & business plan that demonstrates how you plan to move your software off the Mac to a PC platform with the funding and timeline in place.
>
>They complained that we were doing updates directly through Apple and not through DISA servers. Was afterwards able to give them the link for the STIG put out by DISA/NIST section 3.2 Software Updates that states Apple Computer is a DOD approved resource for updates.
>
>They complained that we don't have an automatic process in place to push updates to the macs. And it seems that a presentation was given that showed Macs are not as secure as Linux & Windows machines.
>
>What I'm looking for is how other places remediate and patch their Macs. Is there a way to push the updates to Macs? Are there any good documented cases that show a fair comparison of how secure each platform is? I have a feeling someone saw the article that stated Macs aren't as secure because there were more CVEs issued to OS X than any other software and ran with it. Of course, that doesn't take into account the severity of each, time taken to patch, and probably a host of other data points I'm not thinking about.
>
>
>_______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Fed-talk mailing list (email@hidden<mailto:email@hidden>)
>Help/Unsubscribe/Update your Subscription:
>
>This email sent to email@hidden<mailto:email@hidden>
>
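As an added example (not part of the original thread and not code from the Munki project), the following Python audit checks a Munki client preferences plist against the advice quoted above to serve the repo over SSL with certificate or basic auth. The keys are Munki's `ManagedInstalls` preference keys; the host name, certificate paths, header value and sample plists are constructed for illustration.

```python
import plistlib


def audit_munki_prefs(plist_bytes):
    """Return a list of findings for a Munki ManagedInstalls preferences plist."""
    prefs = plistlib.loads(plist_bytes)
    findings = []

    # The repo is "basically just a web server": require TLS on the client side.
    url = str(prefs.get("SoftwareRepoURL", ""))
    https = url.lower().startswith("https://")
    if not https:
        findings.append("SoftwareRepoURL is not https")

    # Basic auth is supplied to Munki as an extra HTTP header.
    headers = prefs.get("AdditionalHttpHeaders", [])
    basic = any(str(h).lower().startswith("authorization: basic ") for h in headers)
    cert = bool(prefs.get("UseClientCertificate", False))

    if not (basic or cert):
        findings.append("no client certificate or basic auth configured")
    if basic and not https:
        findings.append("basic auth header would cross the network in cleartext")
    if cert and not https:
        findings.append("client certificate is unused without https")
    return findings


# Constructed sample preferences (not taken from any real deployment).
WEAK = plistlib.dumps({
    "SoftwareRepoURL": "http://munki.example.internal/repo",
    "AdditionalHttpHeaders": ["Authorization: Basic dXNlcjpwYXNz"],
})
HARDENED = plistlib.dumps({
    "SoftwareRepoURL": "https://munki.example.internal/repo",
    "UseClientCertificate": True,
    "ClientCertificatePath": "/Library/Managed Installs/certs/client.pem",
    "ClientKeyPath": "/Library/Managed Installs/certs/client.key",
})
OPEN = plistlib.dumps({"SoftwareRepoURL": "https://munki.example.internal/repo"})

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED), ("open", OPEN)):
        print(name, audit_munki_prefs(sample) or "ok")
```
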