Posts Tagged ‘Apple’

Securing Mac OSX

Wednesday, August 20th, 2008

I’ve not had a chance to read through this in detail yet, but I was just sent a white paper from Corsaire about the security built into OSX (10.4 and 10.5) and some hardening guidelines.  At first glance it looks like a good doc and might be worth a read.

Securing Mac OS X Leopard (10.5)

Their site also has some other white papers that are quite good.

First impressions of an iPhone newbie

Thursday, July 31st, 2008

After a few weeks waiting, O2 finally shipped an iPhone 3G to me on Tuesday, so I’ve spent a good few hours fiddling with it over the past few days.  I thought I’d post up a few thoughts, really for my own benefit in keeping some notes.

Compared to the Windows Mobile phones I’m used to, the iPhone setup, activation and registration was a real mess… With pretty much every other phone I’ve used you put in the sim, turn it on and that’s it.  I’m really not keen on this requirement to register the phone with iTunes before it can be used. 

For consumers it’s probably ok, but in an Enterprise do you really want to install iTunes on your (probably) managed desktops?  Personally I can do without iTunes and its MobileMe adverts etc for a work phone.  I’m reasonably sure I won’t be the only one either.  To be honest I don’t even bother with ActiveSync these days and just do everything over the air.  Apparently O2 have some managed services that might help here, and I’ll be looking at them as soon as possible.

The other slight problem was with O2, they managed to incorrectly activate the sims or something that led to a 24 hour delay in activation.  It was only with the inside knowledge of our service manager here that we managed to identify and fix the problem.  Hopefully this was a one off issue with the two iPhones and sims they sent over, but if I’d been an end user I would not have been happy as O2 were initially insisting everything was fine and we had registered the phones incorrectly.

Now it’s all working though, I have to say the device itself is great.  Quite a few people have told me that it’s slower and less responsive than the original, but as a new user it seems fine to me.

The apps all work well, and the browsing experience is much better than on Windows mobiles - with the possible exception of the Opera browser on the HTC Touch Diamond.

I’m also impressed with the App Store.  I found some great apps for twitter and Facebook, and I can’t wait to see what else appears over the next few months. 

Back to the work stuff… the setup of Exchange ActiveSync was nice and easy, and the interface for mail and calendars is nice to use.  It’d be good to see tasks etc added in, but I can live without those for now.

Although I’ve played with the configuration tools, I’ve not applied any profiles yet.  I’ll be doing that over the next few weeks though.

The big omission in my mind is the ability to set a window where push email is activated.  On my Windows phones I have push setup between 7am and 6pm and manual syncs during the evenings and weekends.  I find this is not only useful for separating work from home, but also saving battery life and data charges.

Speaking of battery life… Oh dear.  Now I’m not really a heavy user.  On my other phones I usually keep wifi and bluetooth off, just keeping email pushing down and doing the occasional bit of browsing.  Usually I go a day or two between charges on my S620.

When I got the iPhone 2 days ago it was charged more or less all day - in that it was plugged into my laptop while we sorted out the activation problems.  Yesterday I turned it on at about 10am and it was dead by 3.30pm.  Admittedly I was busy playing with it and trying stuff out.  So I got home and charged it up again and turned it off over night.

This morning I turned it on at 8.30ish to try out hahlo.com (a great twitter app)… looking at the usage stats it’s been on for 2 hours 33 minutes and I’m at ~40% battery.  Wifi, Bluetooth, GPS and everything else apart from 3G and push are off.  That’s really not good.  At all.

I’ve read that the battery life improves after a few charge cycles… if not, as much as I like it - and despite the little problems I really do like it - I’ll have to send it back… if it can’t last a full day between charges it’s really no use to me :(

So overall… I really really like the iPhone 3G.  The interface and user experience is much nicer than the standard Windows Mobile phones I’m used to.  I’d like to spend some more time with a Touch Diamond as a comparison, but overall it’s streets ahead.  I’d also like to lose the iTunes requirement - in an Enterprise I just don’t think that’s on.  But… the battery life so far is a killer problem.  As it stands today, mine will be dead by noon.  But I do really like it. Lots.

Mesh for Mac

Tuesday, July 29th, 2008

Looks like the Mac Live Mesh client has been released - despite the ‘Microsoft Confidential - Internal Use Only’ label at the bottom of the installation window :)

Anyways, here it is: https://www.mesh.com/Web/MacDownload.aspx
Update:  I may have spoken too soon there… although the client installed properly, once it started it asks for an update but then fails to find the files it looks for on the web.  Not sure if that’s just me though.

Emailing iPhone configurations

Tuesday, July 29th, 2008

Yesterday I was having a conversation with someone about the iPhone configuration utility and heard a comment asking why the iPhone allows settings to be emailed to the device.  What they meant was that if your device is un-configured it wouldn’t have any email accounts to receive the settings - a chicken and egg kinda thing.

The simple answer is for ongoing maintenance of the config.  Sure it’ll be easier to deploy an initial setup using other means - the web for example.  But if you already have iPhones out in the field email should be a good delivery method for applying changes.

One thing to consider there though is training your users not to install configuration profiles that are marked as un-trusted, or that they are not expecting.  After all, anyone can download the config utilities and email out profiles.

Apple Mac’s in Active Directory

Wednesday, July 16th, 2008

I just found this pretty good video on the apple site describing - at a high level - Mac integration with Active Directory. 

http://seminars.apple.com/seminarsonline/activedir/apple/

For someone from a Windows background (like me) it’s worth a look.  It’s also interesting to see the difference in style between the Apple and MS.  Given the brand personas of the two companies you’d expect the styles to be reversed, with the more friendly informal stuff coming from Cupertino rather than Redmond.  But, you can’t fault the content.

These Mac’s are ok eh?

Monday, July 14th, 2008

I got a Mac today.  Ok… it’s work’s rather than mine, but you know what I mean! :)

I’ve always been a PC kinda guy.  Not for any particular reason, I’ve just never needed to use a Mac, PCs and Windows have always done the job.  Recently however a few things have made me look more closely at Macs. Some of it is personal interest (I am a geek after all), but my immediate need is for work.

Although we’ve got a few Mac users dotted around, we don’t really support Macs in a big way.  We’re essentially a PC house, based around Windows and Active Directory.  Over the next few years though it’s pretty clear that we’ll need to adopt and support multiple platforms - at least on the client.

So… I ordered a Mac.  It’s only a plain old Macbook, but it’s all I should really need for now.  First impressions?  I really like it.

In fact, the first impression you have of Mac is bound to be great because of the beautiful packaging.  Apple really know how to make you feel good about spending your money.  Quite why the PC vendors haven’t caught onto this over the years is beyond me.

One thing that impressed me was the out-of-box-experience, that’s in the desktop deployment sense, the initial setup and config.  As one of the first things to be configured is the networking, the OOBE was able to go onto the net to get the latest up to date setup.  Or at least I assume it does as I was asked to join Mobile Me, and I’m pretty sure this Mac was built long before its release last week.

With regards to the hardware itself, it’s as pretty as a Mac should be.  Nice and shiny white.  The keyboard is fantastic - much nicer than the ones on my Lenovo or old HP laptops.  Although having said that I’m still getting used to the different layout and shortcuts (no del key?!?) but I’m sure all that will come in time.

Tomorrow I’ll start looking at how I go about integrating this new toy into our MS environment.  From what I’ve read and planned, basic integration won’t be too tricky, but I want to do it myself to be sure.  Then I’ll start looking at the basic applications.  First on my list will be Office 2008, like it or loathe it businesses run on Office, especially Exchange.  I’ll also need to take a good look at AV/Malware tools and print drivers etc.  Should be fun :)

Oh… and I’m already missing Live Writer.  What a great little app MS have there.

iPhone Web Configuration Utility

Thursday, July 10th, 2008

Apple have just released the new configuration utilities for the new iPhones.  As I covered a few weeks ago, these will allow enterprises to develop specific configuration files for iPhones within their infrastructures.  It’s a very welcome move, like many businesses I’ve certainly seen a number of business requests for iPhones and the prospect of managing another platform could have been quite daunting.

iPhone Web Configuration Utility for Mac
iPhone Web Configuration Utility for Windows
iPhone Configuration Utility 1.0 Mac OS X

Each of these tools will allow you to create XML configuration files that can be either emailed to the devices or opened from the web browser.  The Configuration Utility 1.0 however can also track and install provisioning profiles and authorized applications, and capture device information including console logs.

HTC Touch Diamond - First thoughts

Friday, July 4th, 2008

Yesterday I got a HTC Touch Diamond to play with for a few days.  I’ve been wanting to see one in the flesh for a while, partly because I need a new phone, and partly because we’re a Windows Mobile house here and with the 3G iPhone looming we’re thinking hard about future direction.

The Diamond… well it’s a sight to behold.   The phone itself is tiny, with sharp styling and is very lightweight.  One comment I heard yesterday was that it makes any phone you sit it next to look 10 years old.  I like the look of it a lot.  The rear surface (as you’ve probably seen in photos) isn’t flat, it has a slightly raised jagged pattern that makes it look like it’s been cut from stone, or well… diamond.

The small size of the device poses some interesting questions.  Previously WM Smartphones used to be the smaller option, sacrificing the touch screen for a smaller footprint.  Now however, this full WM device with all the GPS and stuff is small enough that it doesn’t matter.  I’m not sure what future the Smartphone OS has if devices are now this small.

Powering the thing up, the first thing I noticed was the quality of the screen, off hand I’m not sure what the resolution is, but I’ve seen desktop LCD monitors with worse picture quality, it’s very very good.  This allows the interface to use small, sharp fonts without them being hard to see or use.

The main ‘home screen’ interface is miles ahead of any other Windows Mobile phone I’ve used (and that’s quite a few!).  At the bottom there’s a scroll bar of buttons for the main functions (contacts, photos, music, settings etc) that is easy to use and quite intuitive once you realise it’s there.  You just move your finger across the screen until you reach what you want, for example photos, the bulk of the screen is used to show previews that you can then scroll through.  It’s all great looking and reasonably well thought out.

In fact, in terms of the user interface I’d say the worst thing was the underlying Windows OS.  Once you find a function or task that isn’t covered by the HTC installed user interface, the jolt of going back to the old Windows Mobile interface is quite shocking.  I’ve always got on quite well with WM before, but the Diamond really does highlight that MS need to start concentrating on the ‘Mobile’ part of their OS not the ‘Windows’ part.  The normal Windows-like GUI just doesn’t cut it in the mobile space anymore.

Would I buy one?  Not sure… If there wasn’t a 3G iPhone just days away then yes, without a doubt.  As it is I’ll wait and see.


iPhone in the Enterprise

Friday, June 13th, 2008

Following its announcement on Monday I think it’s fair to say that the 3G iPhone has stirred up quite a bit of interest with people.  And rightly so I believe.

In preparation for the inevitable requests from people out in our business I thought I would do a little digging into what Enterprise support Apple have built in this time round. 

With the original iPhone business users were pretty much ignored.  There was no real support for businesses, even to the point where (in the UK at least) you had to be an individual to buy one - it was available on personal contracts only, there were no business tariffs at all.

Here’s a few notes on what I found in case it’s useful:

Exchange Support
Apple have licensed Exchange ActiveSync from Microsoft so can connect directly to Exchange for push email, calendars and contacts.  Providing you already have Exchange (2003 or 2007) adding iPhone support should be trivial.  From the device perspective it shouldn’t be any different to setting up a Windows Smartphone.

In addition to messaging support, the iPhone now also supports ActiveSync security policies for:

- Remote wipe
- Password Enforcement
- Forcing password complexity
- Forcing alphanumeric passwords
- Specifying password length
- Defining inactivity times before the phone ‘locks’

These are increasingly important to business, especially with the current media attention on data loss and privacy.

Device Configuration
To help reduce the support overhead of deploying smartphones companies (us included) often make arrangements to have company specific settings applied by some form of automated process.  This is so that end users can be up and running as soon as possible when, and hopefully ensure everything is set up correctly avoiding extra support calls etc.

For the iPhone 2.0 software Apple has built in support for remote deployment of configuration using either email or a website.

You use an iPhone Configuration Utility to build up a preferred config, and then export that setup as an XML config file.  That file can then be:

- hosted on a website that users can browse to
- Emailed to the user as an attachment

In both cases the end user will need to open or run the attachment/file.  During the installation they will be prompted for any additional information needed such as passwords.

It would have been nice to have seen some support for over-the-air config like Windows Smartphones, but it’s a pretty good solution nonetheless.

Within the configuration utility you can configure:

- Exchange settings (server, domain, account etc)
- Wireless settings (network, authentication etc)
- VPN Settings (server, account, passwords, groups, proxies etc)
- Password policy (complexity, attempts, length, age, timeout etc)
- Email settings (POP, IMAP, servers, accounts etc)
- Certificates (Deploy PKCS1 and PKCS12 certs)
- Policy and Restrictions (Control 3rd party apps, iTunes, content etc)

The device also allows these settings to be signed so that you can be sure they are from your company and not a rogue source.  This might be particularly important.
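
As an added example (not from the original post or from Apple's tools), here is one way to look inside an exported profile before anyone installs it, which also bears on the advice about unexpected or un-trusted profiles arriving by email. It assumes the file is a property list using Apple's payload keys (PayloadContent, PayloadType and so on); the sample profile, the com.example.profile identifier and the wording of the notes are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Payload types worth a second look before anyone taps "Install".
# The type strings are Apple's payload identifiers; the notes are this example's own.
REVIEW_NOTES = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.vpn.managed": "adds a VPN configuration",
    "com.apple.wifi.managed": "adds a Wi-Fi network",
    "com.apple.eas.account": "adds an Exchange ActiveSync account",
}
WEAK_WIFI = {"WEP", "None"}  # EncryptionType values offering little or no protection

def container_kind(data: bytes) -> str:
    """Classify the outer encoding only; this does not verify any signature."""
    if data.startswith((b"<?xml", b"<plist")):
        return "unsigned-xml"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE, the start of a DER-encoded CMS wrapper
        return "cms-wrapped"
    return "unknown"

def triage_profile(data: bytes) -> dict:
    """Summarise what a profile would configure, without installing it."""
    report = {"container": container_kind(data), "identifier": None,
              "organization": None, "payloads": [], "findings": []}
    if report["container"] != "unsigned-xml":
        report["findings"].append("not plain XML: if CMS-wrapped, check the signer with a CMS tool")
        return report
    report["findings"].append("unsigned: the file proves nothing about who made it")
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        profile = None
    if not isinstance(profile, dict):
        report["findings"].append("not a valid property list")
        return report
    report["identifier"] = profile.get("PayloadIdentifier")
    report["organization"] = profile.get("PayloadOrganization")
    content = profile.get("PayloadContent")
    for payload in content if isinstance(content, list) else []:
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "<missing>")
        report["payloads"].append(ptype)
        if ptype in REVIEW_NOTES:
            report["findings"].append(f"{ptype}: {REVIEW_NOTES[ptype]}")
        if ptype == "com.apple.wifi.managed" and payload.get("EncryptionType") in WEAK_WIFI:
            report["findings"].append(
                f"Wi-Fi '{payload.get('SSID_STR')}' uses weak encryption: {payload['EncryptionType']}")
    return report

# Constructed sample: an unsigned profile that adds a WEP network and a root certificate.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",
    "PayloadOrganization": "Example Corp",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleGuest", "EncryptionType": "WEP"},
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Example Root CA"},
    ],
})

if __name__ == "__main__":
    for line in triage_profile(SAMPLE)["findings"]:
        print(line)
```

The first-byte check only tells a plain XML export apart from a DER-wrapped one; establishing who signed a wrapped profile still needs real CMS verification.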

Virtual Private Networks
iPhone 2.0 now has built in support for most of the common VPN protocols:

- PPTP
- L2TP/IPSec
- Cisco IPSec

and authentication methods:

- MS-CHAPv2 (standard passwords)
- RSA SecurID
- CRYPTOCard
- Certificates (PKCS1 and PKCS12)
- Shared Secret

The settings for both can be deployed using the Configuration Utility described above.

Wireless
The iPhone now supports the following wireless security protocols:

- WEP
- WPA Personal
- WPA Enterprise
- WPA2 Personal
- WPA2 Enterprise

It also supports the following 802.1x authentication protocols:

- EAP-TLS
- EAP-TTLS
- EAP-FAST
- PEAPv0 (EAP-MSCHAPv2)
- PEAPv1 (EAP-GTC)
- LEAP

All of these can be set up with a configuration profile and applied using the Configuration utility over email or the web.

IMAP Mail
For organisations not using Exchange the iPhone provides support for IMAP so should be able to access more or less any email system that allows it.  Within this is support for encryption and X.509 root certificates. 

There also appears to be some support for enterprise application distribution, but I’ve not found too much info about that yet so will probably add some more info on this later.


Overall I think Apple has done a good job here.  It’s hard to say for sure without having an iPhone to test with, but for now it looks like it supports most of the things we currently look to do with our Windows Smartphones.  Perhaps it’s not quite as much as we’d look to do if implementing something like Mobile Device Manager or B2M’s mProdigy, and I’d like to see support for data encryption, but it’s a great start and should make the lives of Enterprise IT departments quite a bit easier.  They might not become ‘preferred device’ within companies, but there’s certainly no major reasons why they shouldn’t exist happily within the Enterprise any more.

The big question for me at the moment is how O2 will sell them to business customers and what costs will be involved - especially for customers with existing contracts and data agreements.

Things I need to think about…

Thursday, May 8th, 2008

Apologies for this post, I’m writing it to collect together my own thoughts so it’ll probably be even more disjointed than usual!

So… we’re more or less a Microsoft shop here.  We run a standardised Windows XP desktop supported by Active Directory, Systems Management Server (SMS) and a host of Windows based application services.  This is all managed by a pretty skilled operations team and supported by a decent service desk and desktop support organisation.  In summary pretty much all the technology and skill is Windows/PC focused.

We’re now seeing an increasing demand for Mac desktops and laptops, especially from the design community.   I need to work out what the impact of adopting a multi-platform desktop fleet will be both technically and from a service management perspective.

In no particular order I reckon I’ll need to consider the following to some degree or another.  It’s probably worth noting here that some of this may have obvious solutions, but I’ve no real experience of Macs - looking forward to learning though!

Software Delivery
Any computer is pretty much useless unless you have applications to run on it, so this is a fairly important point.  At the moment we have fairly robust software delivery and asset management.  End users request an application through a web ’shop’ and the software gets delivered through SMS onto their computer. 

How will this work with Macs?  We don’t really want to go back to a world where we’re handing out CDs - the asset management of that is too hard.  So from a technology perspective we’ll need some way of delivering the applications.

That will include amendments to our shop front so that people can select between PC and Mac versions of Applications, and also the actual delivery solution.  Given that for now the Mac user base is likely to be much smaller than the PC base, it would seem to make sense to try and use SMS rather than adopt a new system - we already know and use SMS.  It looks like there are a few solutions out there to achieve this.

Applying Policy
There are certain company policies and configuration that we have to apply to our corporate desktops - proxy server settings for example.  Within the Windows world we use AD Group Policy to achieve this.  How do I go about doing this with Macs?  Again, there appear to be tools out there which help.

Patching
This is where my ignorance of Macs starts to show… :)  Now I understand that Apple runs a Software Update service, and that from the client you can select which updates to install, which to hide etc.  What I’m not sure about at the moment is whether there is a WSUS equivalent that will allow an organisation to administratively select and schedule updates from a central point.   It’s possible the software delivery solution will deal with this, but for now I’m not sure.

Desktop Support
Speaking to friends at other companies that support Macs it would seem that although Macs require less overall support than a PC, the hardware does tend to fail more regularly.  Whether this is true I’ll wait and see (flame suit on none the less…).

In either case there’s a skills gap here as we don’t currently have any Mac support skills in-house.  Potentially this might mean we could bring someone in to help, at least in the short-medium term to get us over the initial learning curve.  It’s something we would need to address fairly early on in order to provide a decent level of service.

With hardware support the likes of HP and Lenovo have hordes of guys just waiting to warranty repair faulty kit.  The impression I get so far is that the same isn’t likely to be true with Apple.  Potentially that means we’ll have to have Macs in stock and on-site to replace faulty units quickly whilst repairs are organised out of band.

SharePoint Compatibility
We use SharePoint to deliver our intranet and provide the usual team and project workspaces, so compatibility with this and the workflow and applications built on it is pretty important.  This will probably drive which browsers we provide, but may also have lower level implications.

Exchange Compatibility
As with the SharePoint item above, corporate email is provided through Exchange so compatibility is critical.  I’ve not looked into this yet, but I’m guessing there will be some fairly well established solutions available.

Remote Access
Within our PC platform, remote access is provided through a Cisco based VPN solution.  Although some services are also available over web based interfaces, compatibility with this VPN solution will be important for mobile and remote users.

Looking through the Cisco site it looks like there is a client available so hopefully this shouldn’t be a problem.

Authentication
All authentication is provided through Active Directory.  All users have accounts within AD, and wherever possible applications use Windows integrated authentication for sign-on.  To provide an integrated service to the Mac users I think it’s important that this can be maintained as far as possible - nothing worse than log on prompts interrupting your work!

There’s lots of decent information on this on the Apple site, so pending me reading through it all I’m not too worried about getting this working.