Mac App Store

Well in our case, we don't want people buying their own applications and
installing them on company equipment.

Patrick Bachuwa
Desktop Engineering Applications Sears Holdings Corporation
Michigan Campus
3000 W. 14 Mile Road
Royal Oak, MI 48073-1717
Phone: 248 637-0350

You probably don't want to open up personally-owned software on corporate
computers ­ it's a compliance nightmare.

I agree, just dealing with what ends up in iTunes can be a lot of fun also.

Unapproved Apps, Apps that could prove to be malicious in your
environment (like remote desktop apps, or apps that access the command
line, or apple script, etc), no volume purchasing available, apps may
not meet security standards, apps may not meet any policy standards.

I could keep going too...

The screen shot already sent shows what we did to restrict the application within the JSS itself.

I've found the reliability of keeping my systems pointing at my own SUS not as reliable as I would like (I'm sure JAMF will call me about that) so it is a fail safe to restrict as well. There's nothing stopping a user with admin from downloading the update from Apple's website directly either.

The restriction is for several reasons, somewhat assumptions, too, based on the iOS App Store model and our dealings with iPads.

1. Applications are likely taxed. Not cool in EDU. Hopefully the Volume Purchase Plan would help here, too.
2. We don't want users to spend (waste) money on purchasing apps we already own, like the iWork suite apps, etc.
3. The purchases are tied to an iTunes account which is not good for the longevity of the investment if paid for by the university. If that faculty used a personal iTunes account and left, we've lost it.

You know what was even funnier…a notice came through the Apple WI-EDU list this morning from our SE, and I replied to the list that I immediately restricted it, and about 5 minutes later I got a confirmation request to remove myself from the list! LOVE IT! Course…not going to remove myself. =)

I've said it before, great for consumer at home, but not for controlled environments in the current form.

I also agree with not bundling it in to the OS update, but I'm sure they had their reasons…

Craig E

I don't block the store, but I don't have to support their peripherals, I do NOT want to support all these goofy apps they may install on their machine. I also support a school so life is a little different here.

Karl H. Hehr
Technology/Curriculum Director
South Hamilton CSD
www.s-hamilton.k12.ia.us
515.827.5418 (W)
515.708.3379(C)
515.827.5368 (F)

Luddite by Degrees
1) Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works.
2) Anything that's invented between when you're 15 and 35 is new and exciting and revolutionary and you can probably get a career in it.
3) Anything invented after you're 35 is again the natural order of things --- Douglas Adams

I'm having the same problem with Casper setting the SUS here. I just opened
On Thu, Jan 6, 2011 at 9:49 AM, Ernst, Craig S. <ERNSTCS at uwec.edu> wrote:
a ticket with support to find out why it's no bueno. I've got at least 11
machines that have updated to 10.6.6 even though that patch is not in our
update server. Hmmm...

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

I've reported this as well. I've seen it when the user is offline and the policies to run Software Update allow for offline enforcement. So the policy runs when the user is outside our network, likely on their home network and it connects to the only available SUS which would be Apple.com. Trying to find a way to force our SUS address regardless of whether the user is on the network or not.
--
James Fuller | Starbucks Coffee Company | Technology Application Services | application developer II | Coffee Master

what about using MCX enforcement?

get a external NAT setup for the internal IP.....then when they are at home they can still update to the SUS you approve.

This would be a viable option. I had held off on doing anything with MCX
because it initially caused some issues with AD user homes mounting
properly. I now will be using it to enforce some security settings on 10.6
for requiring password from sleep or screen saver, and some other things.

It's nice when there are templates. =)

Craig E

Anything involving the network team would take months or years... Oh if
only.
I just need the internal address to be "sticky". If it fails to update,
that's ok as long as it doesn't allow for an update from apple.com.

James

My guess is that there's way more involved than just an app. Probably a bunch of new frameworks, as well as revisions to existing frameworks. Not an easy way to deploy just the store, best to put it into the next update/revision.
On Jan 6, 2011, at 9:32 AM, HUGE | Joseph Simon wrote:

Hey, I've got two confirmed bugs/issues in 10.6.5 (both involving wireless), at least one is fixed in 10.6.6, so I welcome the update ;)

On Jan 6, 2011, at 10:18 AM, James Fuller wrote: Anything involving the network team would take months or years... Oh if only. I just need the internal address to be "sticky". If it fails to update, that's ok as long as it doesn't allow for an update from apple.com. James

Understood......

I believe in the event that it can't find your set internal SUS server, it just times out.

Mass edit data in the JSS to set SUS, turn software update off on the client and let Casper handle it

softwareupdate --schedule off

Or do some scripting and run the policy off the script and have it detect it's location

That's the behavior we see,.. we do not allow our users to launch ASUS (blocked via mcx)..

But they can run the softwareupdate command from self service.. this seems to work..

Regards,
Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |  Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

How soon do you guys think we could come up with a way to use the Mac App Store to redirect to Casper Self Service?

--
James Fuller | Starbucks Coffee Company | Technology Application Services | application developer II | Coffee Master

You are right that it's more than an app. If you haven't noticed yet,
they also put an item in the Apple menu. And I'm sure there are other
frameworks, such as opening a link from Safari to App Store. The hack to
disable Apple menu items doesn't seem to work either, the App Store
isn't even listed. Unless it's just a quirk with my computer.

http://hints.macworld.com/article.php?story050426093415728

Same reason why I try to dissuade my users from using non-personal machines
to manage their iOS devices - when they leave the company they'll have to
deal with moving their apps/content (ie, ask IT), or they'll have to
re-download everything somewhere else... Headaches either way.

-p

Also, why deal with secondary liability if your users start pirating MAS
purchases?

http://www.tuaw.com/2011/01/06/lack-of-receipt-checking-could-enable-mac-app
-store-piracy/

<http://list.jamfsoftware.com/pipermail/casper/attachments/20110106/535efad6/>>
a

Well, not is has been hacked. Probably a day zero exploit or something
since it happened so quickly, but you can now easily pirate apps on the
app store

http://gizmodo.com/5727080/mac-app-store-cracked-for-piracy

I was under the impression that they were not going to be making this method public until February.

Kerry

The gizmodo article mentions an automated program that will be released in
February but not sure what kind of claim that is to break into someone’s
house next week and letting everyone know.

The exploit concerns _CodeSignature, _MASReceipt and CodeResources. I am
going to guess that Apple may employ future code sigs based on psuedo random
generated value that also tags the app with the machine or the applestore
ID. That’s a guess. I hope they act fast on this.