Mountain Lion’s New Security Update Feature – Good For Users, A Potential Headache for IT

Will Mountain Lion’s new security system be a hit or a miss for schools and businesses?

Following the Flashback malware scare this spring, Apple is stepping up its focus on security and malware protection in Mountain Lion. The release notes for the latest Mountain Lion developer preview include references to a “new Mountain Lion Security Updates system” that checks for security updates on a daily basis, uses a more secure connection when communicating with Apple’s update servers, and can install required updates automatically when a Mac is restarted.

Based on the release notes for the system, Apple is making the security update process automatic and has designed it to run as a system process rather than a user task. Presumably that means it will function without a user logged in or while non-admin users are logged in. All in all, that’s similar to Microsoft’s Windows Update feature and a good thing for users.

That doesn’t mean that this setup will be a great fit for businesses, schools, and other organizations with large Mac populations.

There are some major issues that Apple will need to address effectively when it comes to this new security system:

  • Bandwidth issues – If all the Macs check Apple’s update servers simultaneously and download moderately large updates, it will put a strain on an organization’s internal network (wired and/or wireless) and Internet connection.
  • Update testing – It’s not common that an Apple update creates problems, but it has been known to happen. Apple actually suggests businesses adopt a testing and cooling off period for software updates to ensure that any problems with them are addressed before the updates are rolled out to every Mac in an organization. With a system designed to be completely automatic, it’s possible that some Macs would install untested updates and suffer problems as a result.
  • Patch management – In addition to ensuring updates are tested before deployment, it’s important for IT departments to know which updates are installed on which systems. That ensures that every Mac is updated appropriately. Again, a completely automated system could throw a wrench into that process.
  • Impact on shut down and restart – One of the frustrations of Windows Update for users is that it can be difficult to predict how long installing updates at shutdown or restart will take. A process that you expect to take a minute or two can take far longer. In your home, that can be irritating. In business environments, it can mean lost productivity, a significant impact on employee performance, and lost money and opportunities.

These issues apply to any software update system, and Apple has offered businesses a couple of options in the past.

One of those options is OS X Server’s Software Update Service, which creates a local mirror of Apple’s update servers that local Macs can use. That deals with the bandwidth issues and, since IT can control which updates are made available, it handles the update testing concern.

The other longtime option is to disable Software Update on Macs in a business or school and to perform updates manually or using network deployment tools. That resolves essentially all of these issues and it’s a method that works well with Apple’s own Apple Remote Desktop and the NetInstall feature in OS X Server as well as with third-party tools like JAMF Casper Suite, StarDeploy, and the open source munki.

On the other hand, Apple is telling developers that even if updates are set to be installed manually, the new system will automatically install them after three days. That leaves a handful of serious questions about managing this new security system.

How much management will Apple offer IT over the security update process? What technologies will be required to manage the process? Will it require OS X Server and Software Update Service? Will it require a full-on Mac management suite like Centrify’s DirectControl for Mac? Will Apple offer management using configuration profiles (a technology that Apple brought from iOS management to Mac management in Lion and is beefing up in Mountain Lion)?

Ultimately, it’s hard to believe that Apple won’t address the issue. It’s more a question of how and to what extent the company will support enterprise needs for management of this new security system.

  • mr_bee

    The idea that the IT department has to know of and approve every update to every piece of software is just an old fashioned hangover from the days when software updates were horrible and no one had a backup.

    Unless you are in a high security industry or literally working on rockets to the moon, this requirement shouldn’t really even exist anymore. IT should be more concerned about backups and protecting the company’s data than telling the users what software they can or cannot install.

  • joewaylo

    Most of them would rather disable this security feature in favor of their own. They prefer over-extensive testing to ensure their computers won’t be bricked by these updates. If McAfee provides a Mac firewall/virus solution, this would take over the firewall feature for them.

  • awis

    Users can disable the automatic updates in preferences. So, not so bad.

  • Aaron

    The idea that the IT department has to know of and approve every update to every piece of software is just an old fashioned hangover from the days when software updates were horrible and no one had a backup.

    Unless you are in a high security industry or literally working on rockets to the moon, this requirement shouldn’t really even exist anymore. IT should be more concerned about backups and protecting the company’s data than telling the users what software they can or cannot install.

    I couldn’t disagree more. As an Apple Certified Consultant with 10+ years experience working with small businesses, I regularly see Apple Software Updates that bork systems. There is no way for Apple to test every combination of hardware and software before rolling out updates. One example: the 10.6.7 update introduced huge problems with OpenType and PostScript fonts. This issue was not resolved by Apple for over a month. Source: https://discussions.apple.com/thread/2792142?threadID=2792142&start=0&tstart=0

    I agree that good backups are important, but rolling back from 10.6.7 to 10.6.6 required a full erase and restore of any computer affected. By preventing our ASU servers from rolling out 10.6.7, we were able to prevent hundreds of our clients from being affected by this issue which rendered machines unusable for some tasks.

    As far as preventing my users from installing software, I prefer to keep peer-to-peer file sharing applications like BitTorrent, or pirated or otherwise unlicensed software, off of machines under my care. This keeps our internet bandwidth available for business, protects my clients from lawsuits, and keeps our systems running stably.

  • Disturbed2169

    I am sorry mr_bee, but you seriously are misinformed and mistaken. I can count at least 7 times so far that Apple released an update that broke systems, ranging from QuickTime updates to security updates, to full blown OS updates. I remember working at NASA and having my users trained to just apply all patches (dumb, I know, but the government is strict on security). Well, that patch hosed the ethernet drivers. ALL Macs lost network connectivity and were down while I fixed the issue. We are talking about experiments that were hosed, projects with the FAA that were delayed, etc. Fast forward a few years to working at Stanford supporting the Magazine and Design departments... a QuickTime patch caused mass kernel panics. Shall I even mention the 10.7.3 patch?? I can go on and on. IT definitely needs to know what is being patched and test accordingly. If you had an IT background, you would know that.

  • MrPeabody

    Said it before and will say it again. Apple clearly and obviously moved away from any real enterprise solutions. Is Apple going to complain if its products get used in this realm? Of course not. But just because that happens in no way means that Apple actually develops any top-to-bottom, end-to-end business products, or hardware/software infrastructures that in any way could be considered enterprise-class. Once upon a time Apple dabbled in real enterprise systems, but they changed their minds. So, why the continued feigning of dismay and surprise when Apple does or doesn’t do something that makes managing lots of Macs/iOS devices more productive, or even just convenient? Hmmm? Really. A few open minded and sharp IT pros can “make” Apple’s products work in these kinds of environments, but Apple does little to nothing to help its products in these scenarios. Face it.

About the author

Ryan Faas is a technology journalist and consultant living in upstate New York who has written extensively about Apple, business and enterprise IT, and the mobile industry. In addition to writing for Cult of Mac, he is a contributor to Computerworld, InformIT, and Peachpit Press. In a previous existence he was a healthcare IT director as well as a systems and network administrator. Follow Ryan on Twitter and Google+.