In this environment do you have a "Mac SE" and a "Windows SE", or does the same person manage both? Seems to be adding quite a bit to one's plate.
-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Monday, October 17, 2011 9:07 AM
To: NT System Admin Issues
Subject: RE: Macs and vunerabilities

Thanks for all this information Matt, it's greatly appreciated!!

-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, October 17, 2011 8:57 AM
To: NT System Admin Issues
Subject: RE: Macs and vunerabilities

You are correct, many of these things you cannot do from Active Directory. There may be a few tricks you can use to force some of these (login scripts, remote ssh, etc.) but I'm sure you're more interested in something a little more centralized.

If you want the Apple solution, check out Open Directory and Apple Remote Desktop.

Open Directory is a component of Mac OS X Server, and it is Apple's attempt at a directory service à la Active Directory, but for Macs. If you do go this route, I recommend joining the Macs to both your Active Directory and the Open Directory at the same time. Have your users log in using their AD credentials, while the Macs get their settings from OD. This is what's known in the Mac IT circles as the "Golden Triangle".

Apple Remote Desktop is, at first glance, your basic remote desktop app. But, it's also your software deployment suite and your software inventory. (As an aside, I wish there was an equivalent to Apple Remote Desktop for Windows PCs. Perhaps there is, but not without a per-client cost.) Have a .pkg that needs to be installed? Install it silently on every computer you can see online. Need it installed on offline computers? Set up ARD to do it automatically when it sees the Macs on the network.

These solutions are fairly inexpensive, thanks to the aggressive price drops by Apple. You need a Mac running Lion (Costs depend on whether you have this already and could be $0), the Lion Server update from Apple ($49.99) and optionally Apple Remote Desktop ($79.99, unlimited clients).

If you don't want to go with the Apple provided solution, there are other methods of making this work. Check out Puppet from Puppet Labs and ADmitMac from Thursby.

---

Now that that's said, we here have not moved to Mac OS X Lion (10.7). As of their most recent patch, it appears they have finally resolved some of their Active Directory integration issues. We as a district are moving away from Macs, simply because their initial costs are difficult to bear. Supporting a Mac's software is easy. Supporting the hardware can be a nightmare.

I hope some of this information is useful to you.

--Matt Ross
Ephrata School District

----- Original Message -----
From: David Lum [mailto:david....@nwea.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Mon, 17 Oct 2011 08:16:43 -0700
Subject: RE: Macs and vunerabilities

> My concern is all the above. As currently implemented, Macs on our
> network are no different than users' home Windows laptops being allowed
> to directly connect to our network. I can't imagine anyone here would
> say "go ahead and hook your home laptop directly to my LAN and don't
> bother joining to the domain".
>
> I can't audit what's on them for software license compliance reporting
> I can't apply GPOs (autoconfigure wireless, browser settings/favorites, etc)
> I can't remotely deploy software (via GPO or SMS)
> I can't enforce anti-virus
> I can't patch Flash, Java, etc
>
> Dave
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Sent: Monday, October 17, 2011 8:07 AM
> To: NT System Admin Issues
> Subject: RE: Macs and vunerabilities
>
> David, from what direction are your concerns coming from?
>
> Are you concerned how to patch the Macs?
> Are you concerned about antivirus?
> Are you concerned about controlling what the Macs are allowed to do?
>
> I'm just trying to understand, and perhaps help.
>
> --Matt Ross
> Ephrata School District
>
>
> ----- Original Message -----
> From: David Lum [mailto:david....@nwea.org]
> To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
> Sent: Thu, 13 Oct 2011 15:01:20 -0700
> Subject: RE: Macs and vunerabilities
>
> > Well, we're getting a Mac invasion here and there is zero apparent
> > concern for managing these things or worrying about vulnerabilities.
> > To get to AD resources they're standing up Win7 VMs but doing as
> > much work as possible on the native MacOS.
> >
> > They can get to the Internet, file shares, printers, e-mail, etc on
> > native Mac but I just have alarms going off in my head "unmanaged
> > machines with no idea what intellectual property is on them".
> >
> > Dave
> >
> > From: kz2...@googlemail.com [mailto:kz2...@googlemail.com]
> > Sent: Thursday, October 13, 2011 2:49 PM
> > To: NT System Admin Issues
> > Subject: Re: Macs and vunerabilities
> >
> > I remember the big "mac virus" recently was socially engineered -
> > but that's definitely the Mac's biggest vulnerability. Given that
> > Mac users generally believe they are invulnerable, it's an arguably
> > bigger vector than the same one on a Windows system.
> >
> > Sent from my POS BlackBerry wireless device, which may wipe itself
> > at any moment
> >
> > ________________________________
> > From: David Lum <david....@nwea.org>
> > Date: Thu, 13 Oct 2011 21:45:39 +0000
> > To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> > ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
> > Subject: Macs and vunerabilities
> >
> > Does anyone have a link to an article or two that shows
> > vulnerabilities that have actually been exploited? Preferably not a
> > random blog post...
> >
> > David Lum
> > Systems Engineer // NWEA™
> > Office 503.548.5229 // Cell (voice/text) 503.267.9764
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to listmana...@lyris.sunbeltsoftware.com
> > with the body: unsubscribe ntsysadmin