Erik Eckel argues for a corporate policy to maintain Gatekeeper restrictions on users that lock down certain options.
Apple's new Gatekeeper feature, planned for release with OS X Mountain Lion, adds an effective security control that leverages existing Mac App Store distribution and vetting initiatives to prevent malware infections. Enterprise organizations, however, must establish and implement policy to ensure the default Gatekeeper setting ("Allow applications downloaded from Mac App Store and identified developers") or the even more restrictive "Allow applications downloaded from Mac App Store" remain unchanged by end users.
A surprising number of organizations overlook the importance of end user administration and policy enforcement. Many invest significant effort researching technical choices, selecting products and deploying solutions to empower end users But many enterprises also forget to lay appropriate groundwork, set expectations, or even restrict users from making unauthorized changes.
Often it's the human resources department that comes to the rescue, insisting that information technology departments develop written policies to ensure users understand the behaviors that constitute acceptable use. It's for this reason that most organizations that have implemented Internet and email usage policies possess such a policy.
Enterprise Mac administrators must face another unpleasant truth. Mac organizations have long taken excessive pride celebrating the creative and free spirited nature that's become synonymous with the Mac platform. The Mac's very non-corporate culture is one of the very elements that have drawn so many to the software. The mindset culminated with the slogan: Think Different.
But as the platform continues gaining market share, PC sales struggle, and media buzz continues growing, OS X becomes a natural target for malware. Mac admins must rethink the carefree attitude that's plagued many Mac networks. The time has come to become more corporate and begin locking users down.
Implement policy to police compliance
Policies are never popular, but they're a necessary evil. As much as Mac admins might wish to believe their systems and users immune from corporate administration tasks typically associated with Windows enterprises, the time has arrived for forcing policy on Mac users.
It remains to be seen whether Profile Manager and account management tools can force Gatekeeper security preferences on users in the final release of Mountain Lion. But enterprise administrators will be best served preventing users from changing the Gatekeeper security preferences.
As a supplement to automatic lockdowns, organizations should implement written policies, too. These policies should ensure end users understand why Gatekeeper controls are in place, the dangers of circumventing them, and the ramifications to occur should a user compromise the network doing so.
Gatekeeper can go a long way toward securing enterprise organizations. But larger corporations must implement policy (automated and written) to enforce compliance. Locking down which apps can be installed, and preventing Mac users from inadvertently installing malware on corporate networks, can protect Mac systems and prevent the hordes of malware infections that plague Windows networks from gaining a foothold within Mac organizations.