Mac App Store

ernstcs
Contributor III

Hi All,

Just wanted to start a conversation piece, but I assume you'll all be
immediately deleting the Mac App Store app from your Managed Macs right
away, right? =)

How do you feel this will impact your role as an admin if you left it out
there on boxes where the user has admin? Concerned?

Craig E

47 REPLIES

jarednichols
Honored Contributor

Ours already have Admin (for the most part). We're in an odd environment
though.

j

jafuller
Contributor

We have concerns for the type of applications that users would be
interested in putting on their enterprise provided equipment that we are
not already providing. Therefore, we'll likely put in place some sort of
blocking/removal of the Mac App store until we can find a valid use for it
and can manage it at the enterprise level.
--
James Fuller | Starbucks Coffee Company | Technology Application Services
| application developer II | Coffee Master
E: jafuller at starbucks.com | V: 206.318.7153 | F: 206.318.0155

Not applicable

I'm imagining the screams on all sides right now...

Users with admin rights: What do you mean I have to redownload my apps after you reimage my machine?!? Why aren't you backing my apps up?

Network guys: I'm blocking ports if these people don't watch their bandwidth during peak hours!

Legal: How are we preventing license abuse?

Upper Admins: Make our users happy!

My department head: It's your problem.

The problem is, if a user has admin rights, they've got the ability to reinstall. Granted, a policy can kill; but that's just going to cause more screams. I have a feeling that this is going to cause us to reevaluate policies in general -- which means I'm standing behind the concept that we do not need to address this as a technical issue, but as a social issue.

The way I see it, this is the absolute proof that Apple views their products best placed in the hands of end users with full ownership; not as part of a controlled network.

tlarkin
Honored Contributor

Since I work in academia (K-12) the upper management administrators are somewhat authoritative, and like to have complete control over everything. Then we have federal government regulations with things like CIPA and eRate, and other government programs that grant us funds, but we have to meet their standards. Then we have the legal side of properly paying for licenses, and being accountable to provide reports or receipts of purchased software if audited.

I am all about the end user experience. The one reason we use Macs is because they have a better end user experience than a Windows box. Supporting Windows in a managed environment, all you hear from employees is how locked down and sucky their work computers are. I know you can argue the whole "well, you only need to work on a work computer" argument, but the OS X end user experience is just better in my opinion.

I think it will most likely be blocked in my environment because of too many loose ends, both legally and federal policy wise. Plus users aren't allowed to install their own apps anyway.

talkingmoose
Moderator

I haven't seen how the Mac app store will work other than online
references.

We'll have a need to prevent folks from downloading personally purchased
apps onto company-owned machines but I also loathe removing anything that
comes with the Mac OS for fear that an update could put something right
back.

My choice would be to disable the software or block the download somehow,
preferably using MCX.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

jafuller
Contributor

So how do your companies manage iPhones? Can your users install an app
purchased under a personal account to a company device? I think this Mac
Store will start to try to blur the edges of what is acceptable in a
corporate environment and we'll have to adapt at a moment's notice.
--
James Fuller | Starbucks Coffee Company | Technology Application Services
| application developer II | Coffee Master
E: jafuller at starbucks.com | V: 206.318.7153 | F: 206.318.0155

talkingmoose
Moderator

Our company neither purchases nor supports iPhones beyond basic Exchange
account setup. They belong to the users. But I've been asked lately about
iOS management (probably for iPad management), so I see it coming.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

ernstcs
Contributor III

We currently do not have any campus owned iPhones, that I'm aware of. We do support iPads in that we have almost 40 campus owned. We don't use MDM with them currently. I think I've stated this before that each is registered to a sequential email alias that is pointed to the actual person who is in charge of it. When the owner changes, the alias is pointed to the new owner. All purchases are retained with the alias account. That iTunes account is a no credit card account, and all app purchases are handled through my Mac management account upon request where apps are gifted out to the alias to redeem or they get a redemption code from me out of the volume purchasing plan. They are welcome to install anything they want that's free.

We centralize purchasing for a number of reasons. To have a single point of tax redemption in batch. To make users aware of any gotchas with apps before they purchase; we load many on our demo loaner first. And the volume plan options.

I'd love to use MDM for a number of reasons, but we haven't hit a tipping point where it's necessary. The thing that likely will is for security reasons; remote wipe and tracking if stolen. Next would be app deployment.

Now there are a number of iTouches that I need to wrangle into this structure since this came about for iPads.

I usually think my job is to not necessarily restrict users from doing things, so much as protecting them from themselves, everyone else, and our other assets. We very much still give users admin to their office computers when they ask, but I can see that changing as the reality of better security is realized or required.

As far as the Mac App Store, it will likely get removed and blacklisted so we can still attempt to keep licensing info centralized, and it will likely have the same tax issues and purchases not being tied to a personal account. The availability of credit cards for purchasing departments is our biggest enemy to catching bad software and hardware purchases before the mistake is made.

Don't get me wrong, I like the idea of the service, just like I love Steam. You never lose your software and hopefully there is a robust farm and bandwidth behind it so downloads are fast. Things just update. The user doesn't have to think. It's great for consumers.

Craig E

donmontalvo
Esteemed Contributor III

Our clients are enterprise (multimedia/advertising/branding/graphics) and we have very strict SLAs. The App Store will be treated like any other application request. I think it's free, but the stuff you "buy" through it will need to go through the usual procurement process (think 'truck stuck in mud'). It'll be interesting to see how this pans out, particularly on the enterprise management side. I'm going to stock up on popcorn... :)

Don

--
https://donmontalvo.com

jarednichols
Honored Contributor

I see it as a problem to be enforced at a level above the client. Who
cares if the Mac App Store is installed if it's blocked at the
firewall/proxy?

(fairly) simple.

j

donmontalvo
Esteemed Contributor III

Hi James,

We did some testing for a client who wants to replace all their Blackberry devices with iPhone. The iPhone Configuration Utility makes this easy:

iPhone Configuration Utility > Configuration Profiles > select profile > Restrictions > [x] Allow installing apps

No idea if this would cover App Store stuff...but we're hoping it will.

Don

--
https://donmontalvo.com

John_Wetter
Release Candidate Programs Tester

I'm hoping that Apple will also release MCX profiles for the App store to restrict or disable pieces like the iOS configuration utility mentioned.

I guess we'll all find out in a few hours. Please share as you find it!

For our staff, we've always had a policy of "Give it a try, but if you break something, we're re-imaging." For our student machines though, we'll first deny access to the app most likely, and once Apple integrates it which will likely happen in Lion, we'll have to hide or otherwise disable it on those machines. Or, maybe JAMF will integrate to it much like they have with the iOS App Store.

John

ernstcs
Contributor III

I don't think you are. I even tried renaming the app itself and of course the actual process called is still the same inside.

I think that earlier screen of the restriction had .app at the end, and you really just want 'App Store'.

I've had two calls thus far.

Craig E

jarednichols
Honored Contributor

And I'm guessing the calls went something like…

User: Yes I'd really like that App Store
Craig: Pound sand
bzzzzzzz
User: Hello??

:)
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

stevewood
Honored Contributor II

Coming soon to a theater near you....... Craig Ernst starring as........

B O F H

The Bastard Operator From Hell!

:-)

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

ernstcs
Contributor III

Funny you should mention BOFH.

In an email to the first user I told them I really didn't want to become that, but Apple forced me to be. =)

That first user then called me back again later and said it was really convenient to find my phone number, all he had to do was launch the App Store and my message gave it to him.

The two calls have been good…also, we're still on Winter break so half of them aren't here yet.

Craig E

tlarkin
Honored Contributor

I always use the, "I am only just a sys admin.." excuse when people ask
me for stuff. I tell them upper management makes those decisions I just
do what I am told. That should end the conversation right then and
there.

Then I tell them to either contact help desk and put in a ticket for a
request, or email my boss. If I got paid to make decisions things would
be a bit different around here, but ultimately I am glad I do not get
paid to make decisions.

-Tom

ktrampe
New Contributor II

Good morning everyone!

This isn't really related to Casper Suite, but it is very related to software distribution on the OS X platform...

The Mac App Store is officially open for business:

http://www.apple.com/mac/app-store/

Expect some questions from your clients/users. :)

Happy 2011!
Kerry

ernstcs
Contributor III

Yup, just configured my first restricted application ever...

Thought I'd never have to do that here. This should be interesting.

Craig E

tlarkin
Honored Contributor

I only have about 600 OS X 10.6 machines out of around 8,000; I am not too worried about it just yet, and out of those 10.6 machines maybe only 100 of them are with users that have admin rights.

The rest run 10.5.8

Not applicable

Within 10 minutes of business hours beginning, our support team was hit with
about 20 emails requesting 10.6.6 just for the Mac App Store. We have about
400 Macs here. It's annoying that Apple released an entire service pack just
for this. A DMG with just the App Store would have sufficed. ~Joseph

Not applicable

How did you restrict the app? MCX through WGM or through CASPER?

Karl H. Hehr
Technology/Curriculum Director
South Hamilton CSD
www.s-hamilton.k12.ia.us

Not applicable

I would be curious to hear why it's being restricted.

Am I missing something?

Any purchases/Downloads of apps require an iTunes account and there is very little chance of piracy.
It will all stay in the users home folder.

Do you also block the iTunes store?

Nick Caro Senior Desktop Support Administrator

pbachuwa
New Contributor

Patrick Bachuwa
Desktop Engineering Applications Sears Holdings Corporation
Michigan Campus
3000 W. 14 Mile Road
Royal Oak, MI 48073-1717
Phone: 248 637-0350
Patrick.Bachuwa at searshc.com

![external image link](attachments/25311719dfba45989238158703d70861)
![external image link](attachments/6171f020acd0433698772a6e255d8e35)

dderusha
Contributor

Don't enable 10.6.6 in your SUS

Dan De Rusha
I.T. SPECIALIST

SCHAWK!
T 847.296.6000 M 847.287.1337
F 847.296.9466

1600 Sherwin Avenue
Des Plaines, IL 60018 USA
schawk.com


pbachuwa
New Contributor

Well in our case, we don't want people buying their own applications and
installing them on company equipment.

Patrick Bachuwa
Desktop Engineering Applications Sears Holdings Corporation
Michigan Campus
3000 W. 14 Mile Road
Royal Oak, MI 48073-1717
Phone: 248 637-0350

Not applicable

You probably don't want to open up personally-owned software on corporate
computers - it's a compliance nightmare.

Not applicable

I agree, just dealing with what ends up in iTunes can be a lot of fun also.

tlarkin
Honored Contributor

Unapproved Apps, Apps that could prove to be malicious in your
environment (like remote desktop apps, or apps that access the command
line, or apple script, etc), no volume purchasing available, apps may
not meet security standards, apps may not meet any policy standards.

I could keep going too...

ernstcs
Contributor III

The screen shot already sent shows what we did to restrict the application within the JSS itself.

I've found the reliability of keeping my systems pointing at my own SUS not as reliable as I would like (I'm sure JAMF will call me about that) so it is a fail safe to restrict as well. There's nothing stopping a user with admin from downloading the update from Apple's website directly either.

The restriction is for several reasons, somewhat assumptions, too, based on the iOS App Store model and our dealings with iPads.

  1. Applications are likely taxed. Not cool in EDU. Hopefully the Volume Purchase Plan would help here, too.
  2. We don't want users to spend (waste) money on purchasing apps we already own, like the iWork suite apps, etc.
  3. The purchases are tied to an iTunes account which is not good for the longevity of the investment if paid for by the university. If that faculty used a personal iTunes account and left, we've lost it.

You know what was even funnier…a notice came through the Apple WI-EDU list this morning from our SE, and I replied to the list that I immediately restricted it, and about 5 minutes later I got a confirmation request to remove myself from the list! LOVE IT! Course…not going to remove myself. =)

I've said it before, great for consumer at home, but not for controlled environments in the current form.

I also agree with not bundling it in to the OS update, but I'm sure they had their reasons…

Craig E

Not applicable

I don't block the store, but I don't have to support their peripherals, I do NOT want to support all these goofy apps they may install on their machine. I also support a school so life is a little different here.

Karl H. Hehr
Technology/Curriculum Director
South Hamilton CSD
www.s-hamilton.k12.ia.us
515.827.5418 (W)
515.708.3379(C)
515.827.5368 (F)

Luddite by Degrees
1) Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works.
2) Anything that's invented between when you're 15 and 35 is new and exciting and revolutionary and you can probably get a career in it.
3) Anything invented after you're 35 is again the natural order of things --- Douglas Adams

stevewood
Honored Contributor II

I'm having the same problem with Casper setting the SUS here. I just opened
a ticket with support to find out why it's no bueno. I've got at least 11
machines that have updated to 10.6.6 even though that patch is not in our
update server. Hmmm...

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

jafuller
Contributor

I've reported this as well. I've seen it when the user is offline and the policies to run Software Update allow for offline enforcement. So the policy runs when the user is outside our network, likely on their home network and it connects to the only available SUS which would be Apple.com. Trying to find a way to force our SUS address regardless of whether the user is on the network or not.
--
James Fuller | Starbucks Coffee Company | Technology Application Services | application developer II | Coffee Master

dderusha
Contributor

What about using MCX enforcement?

Get an external NAT set up for the internal IP..... then when they are at home they can still update to the SUS you approve.

ernstcs
Contributor III

This would be a viable option. I had held off on doing anything with MCX
because it initially caused some issues with AD user homes mounting
properly. I now will be using it to enforce some security settings on 10.6
for requiring password from sleep or screen saver, and some other things.

It's nice when there are templates. =)

Craig E

jafuller
Contributor

Anything involving the network team would take months or years... Oh if
only.
I just need the internal address to be "sticky". If it fails to update,
that's ok as long as it doesn't allow for an update from apple.com.

James

RobertHammen
Valued Contributor II

My guess is that there's way more involved than just an app. Probably a bunch of new frameworks, as well as revisions to existing frameworks. Not an easy way to deploy just the store, best to put it into the next update/revision.

Hey, I've got two confirmed bugs/issues in 10.6.5 (both involving wireless), at least one is fixed in 10.6.6, so I welcome the update ;)

dderusha
Contributor

On Jan 6, 2011, at 10:18 AM, James Fuller wrote:

> Anything involving the network team would take months or years... Oh if only. I just need the internal address to be "sticky". If it fails to update, that's ok as long as it doesn't allow for an update from apple.com.
>
> James

Understood......

I believe in the event that it can't find your set internal SUS server, it just times out.

tlarkin
Honored Contributor

Mass edit data in the JSS to set SUS, turn software update off on the client and let Casper handle it

softwareupdate --schedule off

Or do some scripting and run the policy off the script and have it detect its location
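
Added example, not part of tlarkin's post or the thread: one way to script the location check suggested above, so that a policy only runs Software Update when the approved internal SUS is the configured catalog and answers, and never falls back to Apple's servers. The hostname `sus.example.internal`, the `sus-guard` log tag and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread). Hostname, log tag and function
# names are assumptions; adjust INTERNAL_SUS_HOST for your site.
INTERNAL_SUS_HOST="sus.example.internal"
SU_PLIST="/Library/Preferences/com.apple.SoftwareUpdate"

# Host part of a catalog URL, lower-cased, e.g.
# http://SUS.example.internal:8088/index.sucatalog -> sus.example.internal
catalog_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[:/].*$##' | tr 'A-Z' 'a-z'
}

# Default probe: is the catalog fetchable within 5 seconds?
probe_catalog() {
    curl --silent --fail --max-time 5 --output /dev/null "$1"
}

# Prints "run" only when the configured catalog is the approved SUS and it
# answers. An unset CatalogURL means Apple's servers, so that is a skip too.
update_decision() {
    local url="$1" host
    if [ -z "$url" ]; then echo "skip:no-catalog-set"; return 0; fi
    host=$(catalog_host "$url")
    if [ "$host" != "$INTERNAL_SUS_HOST" ]; then echo "skip:unapproved-catalog"; return 0; fi
    if ! probe_catalog "$url"; then echo "skip:sus-unreachable"; return 0; fi
    echo "run"
}

# Only act when called with --apply (for example from a policy script).
if [ "${1:-}" = "--apply" ]; then
    softwareupdate --schedule off   # stop the client checking on its own schedule
    url=$(defaults read "$SU_PLIST" CatalogURL 2>/dev/null || true)
    decision=$(update_decision "$url")
    logger -t sus-guard "decision=$decision catalog=${url:-unset}"
    if [ "$decision" = "run" ]; then
        softwareupdate --install --all
    fi
fi
```

Because the host comparison is exact, a catalog URL that merely contains the approved name (for instance as a userinfo prefix before `@`) is still treated as unapproved.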