2012 Penn State MacAdmins Conference

Don’t let the theft of the Paternoville sign fool ya’, State College is as safe as ever. That is, until a bunch of Mac guys descend on the Nittany Lion Shrine. Yes, it’s that time of the year again when Mac guys from around the world (and yes, all of the speakers are male) descend upon Pennsylvania State University from throughout the Big 10 and beyond to discuss the Penn State mascot, the Nittany Lion. Actually, it’s a mountain lion, so we can’t discuss it quite yet at that point, but we can talk about a slightly bigger cat: Lion.

Lion deployment, scripted tools, Munki, InstaDMG, Puppet, migrations, “postPC,” PSU Blast, Dual Boot, NetBoot, reboot (just threw that in there because it sounded like it fit, but I’m sure much rebooting will be done anyway) and even iOS. Oh, and don’t forget lecture capture, launchd, monitoring, scripting, Boot Camp via BitTorrent (wait, what?), Damn Logs, Subversion (long live git), IPv6 (long live IPv4), DeployStudio (long live the French), Reposado (long live the mouse), Luggage, Casper (long live Minnesota!), ARD (long live the friggin’ App Store), troubleshooting, FileVault (long live Howard Hughes’ legacy), Tivoli (long live that 1984 video), Munki (crap, I already said that) and even iPad (which runs iOS I think). Overall, the lineup is superb and looking at it, I am honored to be giving a session on Lion Server amidst all the cool stuff going on around me. I’m very impressed with the number and level of speakers and very excited to be a part of it. I’m also excited to be participating with Allister Banks, a cohort from 318, who will be giving talks on InstaDMG and Munki. Overall, it is sure to be a great conference and I look forward to hopefully seeing you all there if I don’t get arrested at the airport for wearing University of Minnesota socks. Speaking of the Big 10. Did you know there are 12 teams in the Big 10? Did you know the Big East now has teams in Idaho and California? Did you know that the Big 12 has 10 teams? Did you know that the Pac 12 has 4 teams in 3 states that don’t touch the Pacific ocean? What does all this mean? No, it does not mean that we will discuss basic arithmetic and geography at the conference; however, we might show off some apps that can help the math professors at the member institutions of these higher education conferences teach these basic subjects a bit better. Disclaimer: I went to the University of Georgia and am required by having done so to poke fun at other conferences whenever it is possible. 
Having said that: how many Georgia programmers does it take to change a light bulb? … … They can’t, it’s a hardware problem! OK, terrible joke. So here’s a picture of the Georgia mascot chomping down on an opposing (Auburn) player. Seems like I’m going through football season withdrawals all of a sudden… Point of all this, go to the conference. It’s sure to be a hoot, and I’m sure there will be plenty of talk about football, er, I mean Mountain Lions, er, wait, I mean Mac OS X and iOS!

iOS Device Sales Outpace All Macs Ever (in 2011 alone)

In search of the American Dream? Apple has sold approximately 122 million Macs over the course of 28 years. They have sold 55 million iPads since those were released in April 2010 (in less than 2 years) and sold 156 million iOS Devices for 2011 alone, bringing the total of iOS devices to 316 million. The handset market is set to increase by around 33 percent and there’s really no telling where the tablet market is set to go over the course of the next few years. What does all of this mean? It means that iOS is continuing to increase in visibility, that App Store sales will continue to rise and that integration into mainstream business will continue. The traffic for mobile device data is set to increase 8 times over the course of the next four years, Cisco and other companies are starting to jump into the mobility space with product offerings and Windows 8 is supposedly going to make a big splash on release. The Apple App Store is about to hit 25,000,000,000 downloads. That’s a lot of zeros. And that’s a lot of Angry Birds, 99 cent fart jokes and useful business apps that are driving innovation. Mobility as a term is on every CIO’s mind and at the tip of their tongue. Giants such as IBM and HP are starting to jump into the MDM space that has previously been occupied by companies like JAMF Software and AirWatch. I witnessed something similar to this twice before. The first was the final and complete domination of all things IT by Windows at the beginning of my career. Back when I was swapping out 32 floppies to install Windows 95, a vicious process that will make even the sanest person nasty with hallucinations, I had the chance to go to COMDEX a couple of times. The first year I went, it seemed like a lot of people interested in hacking things together. The second year, it was all corporate headhunters, looking to seize the IT revolution occurring inside their businesses by placing golden handcuffs on the best and the brightest in the industry. 
And of the companies presenting, well, they mostly got acquired by large companies with big names and their products diluted. A complete turnoff, this led me down the path of open source and security. After COMDEX, I went to DefCon and Black Hat for a number of years. I used to love watching the random weirdness that these otherwise completely reclusive people would throw together. There were capture the flag events (that is, finding the flag on someone else’s box), people went out into the desert to shoot guns and of course, dumpster diving competitions. There still are all of these things actually. And DefCon itself has managed to very much stay true to that form. But the companies that used to have booths at Black Hat have now mostly been acquired by companies like IBM and HP. These corporate denizens only want to complete a portfolio or gain access to “synergistic” products. Mergers put great little companies with people that really care about their products as small parts of Symantec. And the top talent at those organizations usually leave once they realize they’re not in the least bit impactful and they move on to other companies. They’re replaced by people who’ve achieved the title of Vice President at a competitor, whether that person deserves it or not. In some cases they thrive, but in far more cases, the products flounder, end up getting renamed, repositioned and either sold off to another company for the brand recognition or simply fade into the distance. In each of these there has been a moment. A moment where I said, you know, something substantial has changed here. There are a few things happening that make me leery about the Mac/iOS IT space, and a few things to look for.
  • The first is recruiters. Whenever a college football team wins a national title, their coaching staff is gutted. I’ve been noticing recruiters all over the place trying to pick up top Mac talent. But this isn’t the ACN here or there or the graphics department in a company, it’s corporate head hunters after IT or business unit talent. I spoke to at least 6 or 7 at Macworld/MacIT. The thing to look out for here is strategy. Do they have one, do they want one, or do they just want to hire someone to make the CIO happy?
  • The second is the big boys. IBM and HP have both announced MDM products. Dell continues to make KACE and I have heard rumors from other large companies that they’re looking to get into the space as well. The thing to look for here is acquisition.
  • The third is consolidation. Many of the MDM vendors are privately held. A company like IBM, HP, Symantec, Dell, etc. can throw enough money at most of these companies to bring them into their fold. Once there, the companies would have an almost unlimited sales and marketing purse, but be careful: a drop in innovation and engineering effort is often the price of those slick sales efforts. I would also expect the people who really drove the products, you know, the ones to get the big paydays, will also be the ones taking an extended vacation (wouldn’t you?). Today there are something like 21 products for MDM (I count RobotCloud and Casper as one). I anticipate the next two years will see a good number of those acquired. It’s easy to assume Symantec has an MDM provider on their shopping list, considering their keep-up-with-the-Joneses thing with McAfee, who’s already jumped into the market. I would expect none of the MDM providers that run on Apple hardware only to be acquired (if you’re after a big payday, run on *nix or Windows). Look out for the disillusioned ones that don’t get the big payouts from these companies after putting in 100 hour weeks for years…
  • The fourth is more sales people. Anyone at Macworld this year would have noticed scantily clad lasses selling software to fix your iTunes. But when larger companies start getting involved in things such as this, I would expect slicker, more professional sales people, more booths (more money after all) and fewer nerds. The big problem here is a diluted message of technical excellence and a bigger message of interconnectedness to other systems. Someone still needs to build the middleware though.
  • The next thing I expect to see is those recruiters go after people at mobile companies. The same way the bastards scavenged the carcass of every security company in the earlier part of the 2000s, and the same way that Auburn’s, Alabama’s and LSU’s assistant coaching staffs got hit after each of their recent national titles, I would fully expect top brass at all mobile companies to start trading places, or getting acquired by other companies. These will range from going to work for competitors, to going to work for resellers to going to work for other industries that want that level of innovation. The architect of Apple Retail now works where?
  • The consumerization of the technology is going to be driving many of the best and brightest into larger IT. This will mostly mean taking those Puppet, CFEngine and custom Python hackeration skills to another platform. It’s regrettable, but I could easily see it happen to the top tier of people, as we’ve seen it happen a few times already. But sticking with the platform and finding the niches that allow for working with these devices is likely still a good way to go, or at least, staying close. Keep in mind, you’ll be the senior fellows of the platform if you’ve already been around for a few years…
But here’s the thing about all of this. It doesn’t have to be bad. If we all keep our eyes wide open about what’s going on around us the continued influx of massive amounts of money isn’t going to be a bad thing. Basically, our opportunities will explode over the next few years. If we learn our lessons from the dot com era, from COMDEX, from the rise of info sec, then we’ll stay off the coke, not buy really fast cars and remain engaged. I hope not to look at this as I’ve looked at other revolutions in the past. While he wasn’t much of a computer geek, Hunter S. Thompson put it into words best:
And that, I think, was the handle—that sense of inevitable victory over the forces of Old and Evil. Not in any mean or military sense; we didn’t need that. Our energy would simply prevail. There was no point in fighting—on our side or theirs. We had all the momentum; we were riding the crest of a high and beautiful wave.… So now, less than five years later, you can go up on a steep hill in Las Vegas and look West, and with the right kind of eyes you can almost see the high-water mark—that place where the wave finally broke and rolled back.

Link Baiting 101

I almost called this article “Aliens Can Listen To Calls on Your iPhone” or “How To Hack Into Every iPhone Ever (Even When They’re Powered Off)”. But then I thought that maybe it would be a bit too much. I’ve been a little melodramatic at times, but that’s when I was younger and needed the rupees. But TechTarget isn’t young (although I don’t know if they need the rupees). I’d like to point out two recent articles of theirs. I remember reading an article awhile back claiming that the first virus for the iPhone had hit. This was a pretty big site (not TechTarget btw), but they had jumped on Apple and jumped quick, for a lack of good security on the iOS platform. Why? Because Apple’s huge, popular and a frickin’ easy target. But every security researcher knows that if they can hack an iPad or an iPhone that they’re going to be famous. Still, only one has managed to do anything remotely close to cool and you had to download his app, which got him banned, for the “exploit” to work (the “exploit” was actually javascript taxies). Security researchers do most everything they do for fame. Therefore, if there were going to be serious flaws with iOS, they’d have come up by now. Let’s look at these headlines versus the content of the articles. The first, Apple iOS Security Attacks A Matter Of When, Not If, IT Pros Say. The title isn’t actually that bad (although I don’t know that the IT Pros quoted are worthy of punditry). It’s the headers within the article that set me off a little. “A false sense of iOS security” was the first: Here they said that iOS users are going to run something if it comes out because there haven’t been any vulnerabilities to iOS. Counter argument would be that since a vulnerability *will* (or would) be on CNN, MSNBC, NPR, every web site, every magazine and possibly a PSA on flights, I think they’ll figure it out pretty quick… The next header, “Responding to iOS security attacks” goes on to explain that (to summarize) iOS virus protection blows. 
OK, we should develop more FUD-based apps to check for viruses of data that those apps would actually have no access to due to sandbox controls. The next header, “Entry points for iOS security attacks” tells us that someone will exploit HTML5 or post an app with a Trojan or Logic Bomb on the App Store in order to destroy your iPhone as if it were a planet slated for demolition. Each app can only communicate with resources outside of that app using an API Apple allows, an API that doesn’t cause combustion of the phone. If the app goes through the App Store then that has to be a public, not private API. It is possible that someone could run a fuzzer against every possible variable exposed by every possible method and come up with a way to do something interesting, like cause the phone to reboot. But that kind of thing is going to be true of every platform and isn’t worthy of the pretense that it’s security consulting. I can dig on the possibility of that kind of vulnerability, but the author then indicates that Apple’s security is 7th worst in the IT industry with a 12% growth in vulnerabilities. Thus an insinuation that people are actually exploiting holes in iOS rather than Google monitoring iPhone user data a bit more than they should… The second headline is much better though: How an iOS virus can infect the enterprise and what to do about it. Reading it, my first impression was that there was an iOS virus; you know, one written for iOS. But no, they’re talking about a virus that someone sends through your corporate Exchange server that is then copied to your Windows XP computer through the magical XP Virus Stream (like Photo Stream but more specific features for XP) and executes the virus that wipes your computer. I like it. I can dig that virus, but regrettably that virus doesn’t exist. And apparently no good anti-virus exists, according to the article. Why not? Because Apple has overly secured the OS and anti-virus has to be invoked manually. 
Over-security is what makes iOS so great for phones. I’m one of those people that likes to hack stuff. And iOS isn’t for hacking around in unless you have jailbroken the device. That’s why my phone always works and I’m able to actually get stuff done on a consistent basis. There are certainly things Apple could do better. But iOS security is a hard one to point the finger at. I would like to see security researchers more warmly welcomed and for the Apple community to see those researchers as people who are building a stronger product rather than the enemy. I would like to see some technical features added or centralized control over features added. It isn’t just Apple. It’s any company big enough to care about. The tech sites are mostly what I look at, and every time there’s something they think they can hop on with Google or any of the other big names in the tech industry they hop right on that to drive readers, whether well founded or not. Not all tech sites/magazines mind you, just some. And when the company is famous enough (Google, Apple, Microsoft) for mainstream media to care about, all the better… At the end of the day though, the way to get action is to file a feature request with vendors, not to make up crazy headlines aimed at selling FUD as a means of getting someone to go to your website…

5 Free Network Troubleshooting Tools for iPhone and iPod Touch (and iPad of course)

There are a number of ways to troubleshoot network connections on (or using) an iOS device. These can be common troubleshooting steps that you might run from the command line or a third party app on a desktop computer, or they could be specific to testing the network environment for an iOS device. Some of these apps are even free.

Ping Lite

One of the most common tasks that most administrators routinely do to test both DNS resolution and connectivity is pinging something. Ping Lite comes with a function to show your IP, a ping tool, a tool to ping the subnet, the ability to run trace routes and, for good measure, a little telnet love as well. Not bad for the fat price of nothing. Developed by MochaSoft, Ping Lite is a must for anyone who does any kind of network troubleshooting, unless you’re paying good money for a more robust tool!

NSLookup

Ping Lite is a great tool for isolating whether you’re having connectivity problems to an IP address. However, if Exchange’s auto discover isn’t working or some other

Bonjour Browser

One of my favorite tools for finding things on the network, Bonjour is a multicast tool and what many of the features meant to be used in a home where zero configuration networking is important

Speed Test

I think that one of the more common tasks in troubleshooting network connections is to determine whether Internet speed is satisfactory. Satisfactory is a relative term, both relative to the expected performance and relative to the perception of users. For example, the bandwidth that a user is getting on a device may exceed the expected performance based on the speed provided by the DSL, cable modem or other WAN connection. However, that speed may be less than what the users would like (one can never have enough bandwidth!).

ezShare

ezShare is a nice little tool that lets administrators log into shares of various types. The cool thing about this little tool is that you can connect via SSH, FTP, WebDAV, S3, Google Docs, Box.net, SMB/CIFS, or NFS. This allows you to test WebDAV from a different tool if you’re having a problem opening WebDAV connections from within Pages, test the speed of downloading a document from an FTP site, check Google Docs or Box.net connectivity and even see if that file server is available when users call in with problems connecting to SMB/CIFS shares on Windows servers.

Bonus App: AirPort Utility

If you have an Apple AirPort acting as a WAP or the gateway to your office/home then this little app is awesome. Apple has eased the setup process for their Wireless Access Points to the point that you can set the entire thing up, change settings and even troubleshoot the odd connectivity issue without ever touching a desktop computer. AirPort Utility is also a great way to test whether you can connect to shares hosted by devices and update passwords on the fly.

Free MacWorld Exhibit Code and iFan Pass Savings

As usual, there are a lot of great events going on at MacWorld | iWorld. If you’re interested in joining us in a couple of weeks in San Francisco for what I’m sure will be a great conference, then you can use my speaker codes to do so. During the registration process, enter a PRIORITY CODE of BNB35106. This will give 100 FREE Exhibit Only Passes OR $15.00 OFF an iFan Pass. This code is unique to me; other speakers have codes as well. The code will stop offering free exhibit passes once the 100th person registers with it. The $15.00 savings off an iFan pass will continue through the show. I hope to see you there!

MacSysAdmin Videos Available

I really had a great time at MacSysAdmin 2011 in Gothenburg, Sweden. The videos of the sessions are now available at http://documentation.macsysadmin.se. The Swedes, Danes, Norwegians and even the Finns are great hosts. And getting to meet people from so many countries in one spot is always fun. Tycho and his cohorts at Apoio just do such a great job planning and thinking every detail through. Since my demos were a fail (note: you need Internet access to restore iOS devices), I’ll be publishing an article that outlines each of my demos that weren’t able to be delivered at some point in the near future. Also, congrats to all the other speakers. I can’t think of a single session that wasn’t a pleasure to sit through!

Review of My iOS in the Enterprise Book

There is a nice review of my iOS in the Enterprise book up on MacDirectory. It is available at: http://www.macdirectory.com/component/option,com_reviews/task,viewDetail/review_id,504 Overall the review was good. I understand not liking the font choice for the book. Luckily this type of thing isn’t something we authors have a choice about, so I take it as an overall good review!

Securing iOS Based Devices Paper

The CIRCL (Computer Incident Response Center Luxembourg) has cited my Enterprise iOS book in a paper titled Security of iOS Based Devices. It’s only a few pages so a pretty quick read. But what is interesting about it is that in the second edition of the book I’ve already started to replace the Applications chapter (which I wasn’t really happy with in the first place) with a chapter on securing the devices. These days, with a two year old around, I’ve been thinking about adding something on physical security, but I think that might just be superfluous (and ever changing)…  Also, in preparation for the 2nd edition, I would like to add case studies. So if your organization or company is doing cool stuff with iOS based goodness (and more importantly you can get sign-off to talk about it publicly), please let me know! Oh, and for those waiting, the paper on bare metal imaging iOS is almost done. Just waiting for my new 64 port USB hub to show up so I can test flashing 64 at once! 🙂

The Mac OS X App Store & Managed Environments

The Mac OS X App Store was released earlier this month as a part of the Mac OS X 10.6.6 update. The App Store, with over 1,000 applications (including a couple of server tools), allows people to download and install applications on Mac OS X computers without needing to understand how to click through the screens of a standard package installer, drag applications from disk images into the /Applications folder, or basically how to do practically anything except click and provide a valid credit card number. As with the App Store that debuted with the iPhone, the App Store for Mac OS X is clearly aimed at residential customers, but given that these computers are used in enterprises around the world, the impact on managed environments cannot be discounted. I decided to do plenty of testing and reading before I wrote this up, so hopefully you’ll find it helpful, if not very timely. The first and probably most important aspect of the App Store for those charged with managing large numbers of Mac OS X computers is that only administrative users can install software from the App Store. This little fact makes the App Store itself a non-issue for most enterprises, which do not make typical users administrative users. Because only administrative accounts can download and install applications, there is little risk created by leaving the App Store on client computers. Applications installed from the App Store can only be deployed into the /Applications directory. These applications are owned by root (shown as “system” in the Finder), with read-only access given to the wheel group and everyone else. No ACLs are used, so while a single user purchases the software, any user on the system can open it. If you copy the software to another computer, you will be prompted to authorize it using the same Apple ID that was used to purchase it. 
When an administrative user purchases an application, they are not prompted for a system password, only an App Store password, which uses the same Apple ID used for the iTunes Store and the iOS App Store. Application updates are handled using the familiar Updates screen borrowed from the iOS App Store, which includes the nifty Update All option. As far as controlling the user’s experience with the App Store, there are a few options. Administrators can remove the App Store application bundle (which can be replaced at any time) from /Applications. Administrators can also blacklist the application using managed preferences/parental controls. A Dock item is added by default and can be removed as well. Removing both the Dock item and the application bundle will then remove the App Store menu item from the Apple menu. You can also block the hosts the store talks to, which include itunes.apple.com, ax.itunes.apple.com, ax.init.itunes.apple.com, albert.apple.com, metrics.sky.com and possibly gs.apple.com. These communicate over ports 80 and 443, depending on the operation. There is also a launch agent (per-user, since it lives in LaunchAgents rather than LaunchDaemons) at /System/Library/LaunchAgents/com.apple.storeagent.plist that should be unloaded and likely removed if you’re going to outright disable the App Store. However, the only way I would personally disable it is with a managed preference. There is also a property list file for the App Store that can be used to manage the application in Workgroup Manager, ~/Library/Preferences/com.apple.storeagent.plist. However, there isn’t much that can be done here at this time. Because applications are tied to users, when a user moves computers you will want to back up and restore the applications for the user. To do so, here’s the captain obvious article for ya’: http://support.apple.com/kb/HT4482. The App Store is not a replacement for a good patch management system. 
Software distribution cannot be managed centrally using the App Store, and Software Update Server in Mac OS X Server does not currently cache applications from the App Store. Trying to think of a way to shoehorn the App Store into a software distribution system such as JAMF’s Casper Suite, Absolute Manage or FileWave is just asking for a world of pain, so let’s pretend that we never brought it up. If your organization isn’t able to license one of the aforementioned products, check out Star Deploy from http://www.stardeploy.com/StarDeploy/Home.html or munki from http://code.google.com/p/munki. Finally, I think that Apple’s done a great job with the App Store for a version 1 release. I think that my wife loves it and that over time if Apple chooses to do more with it then great; otherwise, all of the options we’ve been using, from the installer command on, are still at our disposal.
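Added here as a worked example, not code from the original post: a small POSIX sh script that checks the ownership and ACL claims above against the App Store bundles actually on a machine, and wraps the launch agent unload from the post as a dry run by default. It assumes, beyond what the post states, that an App Store bundle can be identified by its Contents/_MASReceipt/receipt file and that the expected state is owner root, group wheel, no ACL; the paths used when testing it are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the original post). Audits Mac App Store bundles
# for the ownership/ACL state described above and wraps the store-agent
# unload as a dry run. Assumptions beyond the post: an App Store bundle is
# identified by Contents/_MASReceipt/receipt; expected state is owner root,
# group wheel, no ACL.

STORE_AGENT_PLIST=/System/Library/LaunchAgents/com.apple.storeagent.plist

# Print the path of every App Store bundle under a directory (default /Applications).
mas_apps() {
    dir="${1:-/Applications}"
    for receipt in "$dir"/*.app/Contents/_MASReceipt/receipt; do
        [ -f "$receipt" ] || continue
        printf '%s\n' "${receipt%/Contents/_MASReceipt/receipt}"
    done
}

# True if the path carries an ACL. On macOS, `ls -lde` prints each ACL entry
# on its own line after the entry; elsewhere fall back to the '+' that GNU ls
# appends to the 10-character mode string.
has_acl() {
    if [ "$(uname)" = Darwin ]; then
        [ "$(ls -lde "$1" | wc -l | tr -d ' ')" -gt 1 ]
    else
        case "$(ls -ld "$1")" in ??????????+*) return 0 ;; esac
        return 1
    fi
}

# Check one bundle: prints one line per finding, returns 1 if anything deviates.
# Fields 1, 3 and 4 of `ls -ld` are mode, owner and group on both BSD and GNU ls.
audit_bundle() {
    app="$1"
    rc=0
    set -- $(ls -ld "$app")
    mode="$1"; owner="$3"; group="$4"
    if has_acl "$app"; then
        echo "WARN $app: ACL present"; rc=1
    fi
    [ "$owner" = root ]  || { echo "WARN $app: owner is $owner, expected root"; rc=1; }
    [ "$group" = wheel ] || { echo "WARN $app: group is $group, expected wheel"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $app ($mode $owner:$group)"
    return "$rc"
}

# Audit every App Store bundle under a directory; returns 1 if any WARN line.
audit_dir() {
    # A while-read loop keeps bundle paths containing spaces intact.
    report=$(mas_apps "${1:-/Applications}" | while IFS= read -r app; do
        audit_bundle "$app" || true
    done)
    printf '%s\n' "$report"
    case "$report" in *WARN*) return 1 ;; esac
    return 0
}

# Unload the store agent for the logged-in user, as the post suggests.
# Prints the command unless APPLY=1, so the audit can be run on any machine.
disable_store_agent() {
    cmd="launchctl unload -w $STORE_AGENT_PLIST"
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd
    else
        echo "would run: $cmd"
    fi
}

# Stand-alone usage: sh audit-mas.sh --run
if [ "${1:-}" = --run ]; then
    audit_dir /Applications
    disable_store_agent
fi
```

Run it with `--run` on a Mac to list every App Store bundle under /Applications with its owner, group and ACL state; the agent unload only executes with APPLY=1 and, because it is a LaunchAgent, has to be run as the user whose session should lose the store agent.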

iPad + Box.net = Win

Box.net is a cloud-based file sharing service that I used extensively in my last book. Similar to dropbox.com, Box.net allowed my publishers and I to automate our workflow with regard to the publishing process, but more importantly, I was actually able to do much of the review and exchange of files from the iPad, which was really nice given that the book was on iOS. I’ve been working with a few companies over the past few weeks on coming up with various strategies for cloud interoperability, and Box.net has come up a few times in this regard. Looks like I’m not the only one!