Mountain Lion’s New Security Update Feature – Good For Users, A Potential Headache for IT

Will Mountain Lion's new security system be a hit or a miss for schools and businesses?

Following the Flashback malware scare this spring, Apple is stepping up its focus on security and malware protection in Mountain Lion. The release notes for the latest Mountain Lion developer preview include references to a “new Mountain Lion Security Updates system” that checks for security updates on a daily basis, uses a more secure connection when communicating with Apple’s update servers, and can install required updates automatically when a Mac is restarted.

Based on the release notes for the system, Apple is making the security update process automatic and has designed it to run as a system process rather than a user task. Presumably that means it will function without a user logged in or while non-admin users are logged in. All in all, that’s similar to Microsoft’s Windows update feature and a good thing for users.

That doesn’t mean that this setup will be a great fit for businesses, schools, and other organizations with large Mac populations.

There are some major issues that Apple will need to address effectively when it comes to this new security system:

  • Bandwidth issues – If all the Macs check Apple’s update servers simultaneously and download moderately large updates, it will put a strain on an organization’s internal network (wired and/or wireless) and Internet connection.
  • Update testing – It’s not common that an Apple update creates problems, but it has been known to happen. Apple actually suggests businesses adopt a testing and cooling off period for software updates to ensure that any problems with them are addressed before the updates are rolled out to every Mac in an organization. With a system designed to be completely automatic, it’s possible that some Macs would install untested updates and suffer problems as a result.
  • Patch management – In addition to ensuring updates are tested before deployment, it’s important for IT departments to know which updates are installed on which systems. That ensures that every Mac is updated appropriately. Again, a completely automated system could throw a wrench into that process.
  • Impact on shut down and restart – One of the frustrations of Windows update for users is that it can be difficult to predict how long installing updates at shut down or restart will take. A process that you expect to take a minute or two can take far longer. In your home, that can be irritating. In business environments, it can mean lost productivity, a significant impact on employee performance, and lost money and opportunities.

These issues apply to any software update system and Apple has offered businesses a couple of options in the past.

One of those options is OS X Server’s Software Update Service, which creates a local mirror of Apple’s update servers that local Macs can use. That deals with the bandwidth issues and, since IT can control which updates are made available, it handles the update testing concern.

The other longtime option is to disable Software Update on Macs in a business or school and to perform updates manually or using network deployment tools. That resolves essentially all of these issues and it’s a method that works well with Apple’s own Apple Remote Desktop and the NetInstall feature in OS X Server as well as with third-party tools like JAMF Casper Suite, StarDeploy, and the open source munki.

On the other hand, Apple is telling developers that if set up manually, the new system will automatically install updates after three days. That leaves a handful of serious questions about managing this new security system.

How much management will Apple offer IT over the security update process? What technologies will be required to manage the process? Will it require OS X Server and Software Update Service? Will it require a full-on Mac management suite like Centrify’s DirectControl for Mac? Will Apple offer management using configuration profiles (a technology that Apple brought from iOS management to Mac management in Lion and is beefing up in Mountain Lion)?

Ultimately, it’s hard to believe that Apple won’t address the issue. It’s more a question of how and to what extent the company will support enterprise needs for management of this new security system.