In putting together the various features of Mountain Lion, Apple may end up encouraging business and enterprise customers to actually make their Macs less secure instead of ratcheting up security as some key Mountain Lion capabilities are intended to do.
There are a handful of technologies involved, but they center around iCloud and Apple’s requirement that apps sold in the Mac App Store support Apple’s application sandboxing technique.
Let’s start with sandboxing. Apple alerted developers last year that it was implementing a new security system for Mac apps. That system, known as sandboxing, is intended to prevent malicious apps from being able to damage OS X system components and other applications. To achieve that, apps are confined to a digital sandbox that includes the data and resources that they need to function. They can’t generally access anything outside of that sandbox like system components or services and they restricted in terms of their ability to interact with any other apps.
Keeping apps in their sandbox limits the impact that they can have on system and user data. That’s a solid, if heavy-handed, way to limit the damage that a virus or malware can inflict on an individual Mac and additional Macs, PCs, and other devices on a home or office network. It also helps keep poorly written apps from have wide-scale negative impacts on reliability and performance.
Sandboxed apps are allowed some exceptions known as entitlements. If developers plan to use those exceptions, they need to justify to Apple why they feel additional access is required. Apple also acknowledged that re-engineering existing apps to meet its sandbox requirements could be difficult and labor-intensive and informed developers that they could request temporary entitlements while they worked to make apps compliant.
For most IT professionals, the idea of sandboxing has definite appeal. After all, many IT departments try to lock down Macs and PCs to prevent the spread of malware, unauthorized access, and potential damage inflicted by users (intentional or unintentional).
The way that Apple has chosen to enforce sandboxing is by making it a requirement for any apps sold through the Mac App Store. Since its launch, the Mac App Store has become the first place that many Mac users head when looking for software. Being shut out of that marketplace could impact the money that a developer can earn creating Mac software.
Apple’s sandboxing approach and the requirement that developers adhere to it if they want to sell through the Mac App Store has not been without controversy. Many longtime Mac developers have complained about the features that they would have to cut from their apps to comply with sandboxing. Apple repeatedly extended the deadline for compliance until the beginning of last month when the requirement officially took effect.
Another factor when it comes to requiring sandboxing is that only apps that are sold through the Mac App Store (and therefore comply with the sandboxing rules) will be allowed to access files and other data stored in a user’s iCloud account. With iCloud being a major feature of Mountain Lion and iOS, the ability to access a user’s iCloud account and its cloud-based file store is a big advantage for developers.
For businesses, however, access to iCloud, like many other personal cloud services, raises a security concern. iCloud makes it extremely easy to move business documents and files off of a company-owned computer or device.
Since iCloud is designed to sync anything and everything to any device that a person uses, the process can easily sync confidential business information from a computer in the office to iCloud and then to all manner of personal devices – iPads and iPod touches used by the kids, an iMac at home, a personally-owned and unmanaged iPhone. More importantly, IT may never know that this has transpired.
That means that a lost or stolen device, even a personal device not used for work, could be the source of a serious data breach. That’s not even mentioning the idea that an employee might be deliberately sharing sensitive material outside the company.
This issue isn’t entirely new. It began as a concern last year when Apple introduced iCloud as part of iOS 5. That functionality can be easily disabled using any mobile management solution on the market including free tools like Apple Configurator. Based on all available information, the same can’t be said for Macs running Mountain Lion. There simply isn’t a management option that turns off iCloud sync and storage access at this point.
One option that isn’t entirely foolproof is to deny users access to the iCloud System Preferences pane. That will make it challenging, though not impossible, for users to set up iCloud on a workplace Mac. The restriction doesn’t prevent iCloud access, it just stops a user from being able to open the iCloud preference pane. If a Mac isn’t enrolled for management initially or if an IT department is relying on users to enroll their Macs (business-owned or personal) using Profile Manager’s self-service web portal, a user could setup iCloud before access to that pane is blocked effectively. Power users may even be able to configure iCloud without using the preference pane.
Another approach that administrators can take to limit the spread of work documents beyond the office is to disallow any apps that allow users to save content to their iCloud storage rather than to the local file system on a Mac or a network share.
Investigating any possible application that might offer access to iCloud would be a very daunting task. Apple has, albeit inadvertently, made it very easy for IT professionals to rule out a massive selection of apps that might take advantage of iCloud. Simply disallow any Mac App Store apps. If users express a need for an app that’s only available in the Mac App Store, IT pros can spot check it to see if iCloud access might pose a concern, but overall disallowing access to the Mac App Store and its contents is a pretty effective way to prevent app-based access to iCloud.
Avoiding the Mac App Store isn’t even a major challenge. Apple hasn’t brought its iOS App Store volume purchase program to the Mac App Store. That means that if a company or schools needs to purchase software, traditional site or volume licensing through an established vendor is a much simpler and more effective option.
It does mean, however, that organizations will be effective bypassing the first layer of protection that Apple offers with Mountain Lion’s Gatekeeper feature. That’s worth noting. Even though Gatekeeper is much more appropriate to consumer use rather than enterprise or education use where broader Mac management and user restrictions are often in place, Apple has set up a situation in which IT departments may need to weigh the costs between of two different security challenges and determine which poses the greater risk. That is, quite frankly, a strange situation indeed.