Questions

ITunes installation in a controlled corporate environment

Tags:
+
0 Votes
Locked

ITunes installation in a controlled corporate environment

damian
I'd like to find out if I'm being a total Nurf about this or not...

I work in the broadcast environment, and an external company has written a product and needs itunes installed in order to download podcast of shows broacast on a clinet station.

I've pretty much told 'em to leave us alone as there ain't no way I'm allow ITunes/Quicktime onto our machines.

Reasons:-

1)ITunes could lead to excessive use of bandwidth with limited controls for managing it due to streaming on port 80. (4mb/s ADSL with a 30GB cap)

2)All users are run as plain old users as none require power or admin access to machines (easily done with office / adobe reader / Flash / Java and some other utilities that use MSI installs with admin options to control updates) iTunes makes it difficult to maintain desktop security as updates cannot be automated under a plain old user account needing admin intervention for every PC (60 of them)

3)I have no true history of the safety of itunes/quicktime in a corporate environment and this exposes us to undue risk $50m ayear company but we're an agency paying most of this over to clients.

4)iTunes has not admin interface (group policies) where I can control how dangerous (or not) a user may be on the net with the Apple store, etc...

5)As a company in advertising we deal with a number of top companies in the country, from time-to-time proprietry competitive information crosses our path, is it not dangerous to install this software where as the Admin I am not 100% in control of how or what the software updater downloads and how the software is used?

So based on this am I being Hyper Nazi or do I have a case here?

Look I have an open dislike of Apple and many of their products so I know I quite biased, that aside, I don't believe an external company should be forcing us to make changes to network policies that have kept us in check for years, itunes is certainly not revolutionary nor is it to me (in any sense) a business product.

I'm more than willing to do a long term eval and determine the appropriatness in our environment, but they wrote this without consulting us and want to to put it on by Monday!

Even flames acceppted, as long as it's constructive.

D
  • +
    0 Votes
    daniel_fischer

    Hi Damian,

    How?s your work around Itunes going?

    I?m working in an IT Services Engineering department and we?re facing the request to provide Itunes to our corporate customers. Unlike your situation, we don?t have that pressure. In our company we have a lot of Sofware that ?s not under full administrative control (GPO).

    But you?re absolutely right. If we face a security issue that needs to be controlled, there?s no way to gain control by adm. We?re relying on our security perimeter and technology. AV or Firewall, things like that.

    But closing down port 80 when it comes to an attack, doesn?t seem to be the appropriate way.

    But how do you deal with "uncontrollable" software in general ? We have a model in which we appoint sw responsible application owners who care for their apps and corresponding updates and configurations.

    My idea for Itunes is: Create a custom ADM files. I?m not specialized in creating ADM files, but does someone know if one can create an ADM file to control ITUNES? This could be a way, couldn?t it?

    Regards,
    Daniel

    +
    0 Votes
    The 'G-Man.'

    There is not one software install at all on your systems that can;t be controlled by a group policy or central admin console?

    +
    0 Votes
    louis.slabbert

    Seems quite easy,
    does include MSI's
    Can restrict and even only allow authorised iPods/iPhones...

    http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

    +
    0 Votes
    OH Smeg

    Allowing I Tunes onto the system is a recipe for disaster and punches a massive uncontrollable hole in any Security Protocols that are in place that are not possible to plug and keep I Tunes working.

    I'm assuming that this crowd is using I Tunes because it's cheaper for them to deploy and swap Data with but on a Window platform it makes Absolutely No Sense to implement and it's not much better on a BSD Type Platform. No Matter what Apple may like to say about the security of their OSX/Modified Free BSD Platform.

    I do work for some places that specialize in High End Video Productions and they wouldn't consider using I Tunes to drive a I Pod if it had to be loaded onto their corporate systems let alone the systems used to generate the Video that they make their money from making.

    There are numerous other Video Formats that could be used here without the Security Implications that are introduced by I Tunes and it's associated software Quick Time.

    Just recently one I Pod owner whet to update his copy of I Tunes and was greeted by a 650 MEG download. Not bad for an application that Apple claims fits into 66 MEG. I'm not actually sure what happened there as they only complained to me about the size of the download which would have pushed them into at least 500 Meg at 15 cents per meg in excess usage charges. And from what I can see that 600 + Meg wasn't coming from Apple either.

    They stopped that download because of cost but if that wasn't an issue here I'm not exactly sure just how much time I would have had to spend fixing up the infections that they got from that download.

    Col

    +
    1 Votes
    Ace Explorer

    Watch out for iTunes licensing in any company environment. I'm hearing from our asset manager that the free download version of iTunes is not allowed in any non-home use and could subject business to massive licensing violations and fines from the Business Software Alliance. Apple recently joined the BSA and may be eyeing the huge revenue stream they can get from "violator" companies. So be careful with iTunes - read the end user licensing agreement and make a decision before you allow it in your company.

  • +
    0 Votes
    daniel_fischer

    Hi Damian,

    How?s your work around Itunes going?

    I?m working in an IT Services Engineering department and we?re facing the request to provide Itunes to our corporate customers. Unlike your situation, we don?t have that pressure. In our company we have a lot of Sofware that ?s not under full administrative control (GPO).

    But you?re absolutely right. If we face a security issue that needs to be controlled, there?s no way to gain control by adm. We?re relying on our security perimeter and technology. AV or Firewall, things like that.

    But closing down port 80 when it comes to an attack, doesn?t seem to be the appropriate way.

    But how do you deal with "uncontrollable" software in general ? We have a model in which we appoint sw responsible application owners who care for their apps and corresponding updates and configurations.

    My idea for Itunes is: Create a custom ADM files. I?m not specialized in creating ADM files, but does someone know if one can create an ADM file to control ITUNES? This could be a way, couldn?t it?

    Regards,
    Daniel

    +
    0 Votes
    The 'G-Man.'

    There is not one software install at all on your systems that can;t be controlled by a group policy or central admin console?

    +
    0 Votes
    louis.slabbert

    Seems quite easy,
    does include MSI's
    Can restrict and even only allow authorised iPods/iPhones...

    http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

    +
    0 Votes
    OH Smeg

    Allowing I Tunes onto the system is a recipe for disaster and punches a massive uncontrollable hole in any Security Protocols that are in place that are not possible to plug and keep I Tunes working.

    I'm assuming that this crowd is using I Tunes because it's cheaper for them to deploy and swap Data with but on a Window platform it makes Absolutely No Sense to implement and it's not much better on a BSD Type Platform. No Matter what Apple may like to say about the security of their OSX/Modified Free BSD Platform.

    I do work for some places that specialize in High End Video Productions and they wouldn't consider using I Tunes to drive a I Pod if it had to be loaded onto their corporate systems let alone the systems used to generate the Video that they make their money from making.

    There are numerous other Video Formats that could be used here without the Security Implications that are introduced by I Tunes and it's associated software Quick Time.

    Just recently one I Pod owner whet to update his copy of I Tunes and was greeted by a 650 MEG download. Not bad for an application that Apple claims fits into 66 MEG. I'm not actually sure what happened there as they only complained to me about the size of the download which would have pushed them into at least 500 Meg at 15 cents per meg in excess usage charges. And from what I can see that 600 + Meg wasn't coming from Apple either.

    They stopped that download because of cost but if that wasn't an issue here I'm not exactly sure just how much time I would have had to spend fixing up the infections that they got from that download.

    Col

    +
    1 Votes
    Ace Explorer

    Watch out for iTunes licensing in any company environment. I'm hearing from our asset manager that the free download version of iTunes is not allowed in any non-home use and could subject business to massive licensing violations and fines from the Business Software Alliance. Apple recently joined the BSA and may be eyeing the huge revenue stream they can get from "violator" companies. So be careful with iTunes - read the end user licensing agreement and make a decision before you allow it in your company.