Apple’s iPhone Enterprise Application Delivery - REVISITED

Enterprise, security No Comments

On June 13th I posted about the missteps Apple made regarding iPhone application delivery for the enterprise. It got several comments to the tune that I was jumping the gun.

I began reading through the iPhone Enterprise Deployment Guide and pulled out some interesting points while skimming it. Chapter 1 says: “It [iTunes] is also required for downloading and installing software updates for devices and installing your enterprise applications.”

Later in the same chapter it adds: “If you are planning to deploy enterprise iPhone and iPod touch applications, you install the applications on your devices using iPhone Configuration Utility for Mac OS X or iTunes for Mac and Windows. Once you deploy an application to user’s devices, updating those applications will be easier if each user has iTunes installed on their Mac or PC.”

One positive I pulled from the document is that Apple documents some registry changes that can be used to help “lock down” iTunes on Windows and limit functionality such as automatic updates and discovery of Apple TV devices. It does not, however, appear to go as far as completely preventing library sharing over Bonjour/mDNS, so a locked-down iTunes install can still advertise itself to the rest of the subnet.
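That remaining gap, library sharing over Bonjour/mDNS, is easy to check for from any machine on the same subnet: iTunes registers a shared library as DNS-SD service type _daap._tcp, so a single mDNS PTR query for _daap._tcp.local comes back with one answer per shared library. The script below is an added example (not code from this post or from Apple's guide) that builds that query, parses the PTR answers including DNS name compression, and can send the query to the mDNS multicast group. The sample response packet and the library name “Bob's Library” are constructed here for the offline demonstration; the live scan needs a LAN with a sharing iTunes host on it.

```python
"""Find iTunes library sharing (DAAP) on the LAN with a one-shot mDNS query.

Added example; not code from the original post or from Apple's deployment guide.
iTunes advertises a shared library as DNS-SD service type _daap._tcp (RFC 6763),
so a PTR query for _daap._tcp.local returns one answer per shared library.
"""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
DAAP_SERVICE = "_daap._tcp.local"  # service type iTunes registers for library sharing
TYPE_PTR = 12


def encode_name(name: str) -> bytes:
    """Wire-format a dotted DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2              # stream continues after the 2-byte pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode("utf-8", "replace"))
        offset += length


def build_ptr_query(service: str = DAAP_SERVICE, txid: int = 0) -> bytes:
    """Standard query, QDCOUNT=1, asking for PTR records of the service type."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)  # class IN


def parse_ptr_answers(packet: bytes, service: str = DAAP_SERVICE):
    """Return the service instance names carried in PTR records of a response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:                    # QR bit clear: a query, not a response
        return []
    offset = 12
    for _ in range(qd):                       # skip any echoed question section
        _, offset = decode_name(packet, offset)
        offset += 4                           # QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR and owner.lower() == service.lower():
            instance, _ = decode_name(packet, offset)
            found.append(instance)
        offset += rdlen
    return found


def build_ptr_response(service: str, instance: str) -> bytes:
    """Constructed sample of what a sharing iTunes host answers: one PTR record whose
    rdata is the instance label followed by a compression pointer to the owner name."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)      # response, authoritative
    owner = encode_name(service)                                 # lands at offset 12
    raw = instance.encode("utf-8")
    rdata = bytes([len(raw)]) + raw + struct.pack("!H", 0xC000 | 12)
    rr = struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rdata))  # IN + cache-flush bit
    return header + owner + rr + rdata


def scan(timeout: float = 2.0):
    """Send one query to the mDNS group; return {source IP: {instance names}}.
    A legacy query from a port other than 5353 is answered by unicast (RFC 6762 6.7)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    results = {}
    try:
        while True:
            data, (addr, _port) = sock.recvfrom(9000)
            names = parse_ptr_answers(data)
            if names:
                results.setdefault(addr, set()).update(names)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    for host, names in scan().items():
        print(host, sorted(names))
```

Running it on an office subnet lists every host whose iTunes still has library sharing on, which is exactly the population the registry lock-down leaves behind; the same code with _touch-able._tcp or _airplay._tcp substituted for the service type finds the other services iTunes and Apple devices announce.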

Chapter 5 is all about application deployment. Apple muddies the procedure a bit by first saying: “Your users use iTunes to install applications on their devices. Securely distribute the application to your users and then have them follow these steps” and then saying “You can use iPhone Configuration Utility for Mac OS X to install applications on connected devices.”

There is a web version of this latter utility for Mac or Windows, but it is limited to creating configuration profiles for mail settings, certificates, etc., while the Mac desktop version (there is no Windows version) additionally allows viewing log files and installing applications. These tools are primarily used for device configuration by an administrator, not by an end user.

Hopefully Apple will either expand the web version of the iPhone Configuration Utility to provide application delivery, so that iTunes can be bypassed, or provide more detail on how to lock iTunes down further.

One of the commenters asked what my security concern with iTunes was. GNUCITIZEN did a nice write-up on this some time ago, so I figured it's best to link to those:

The lines are still too long for me… but I'll get there eventually. I am also looking to buy an MBA, but after the last price drop I smell a new version (bigger drive? more memory?) coming. Maybe it's wishful thinking.

iWelcome your comments.

Weird Problem with Vista User Account Control (UAC) – solved

Enterprise, Vista No Comments

I came across an issue with Windows Vista recently at a client that had been dogging me for quite some time.

Fortunately, most of the client's PCs here in New York run Windows XP, but one of the principals wanted a Tablet PC, and I figured that Vista's tablet integration was much better than the specialized Windows XP Tablet PC Edition.

Although the client had admin rights on his own laptop, each time he tried to install an application the usual UAC dialog box would come up. The installation would continue and then quit with an error trying to access the H: drive.

Well, the only H: drive the client had was his network home directory. Why would the installer need access to that drive? The client had that drive mapped, so it should have worked, right?

The workaround for the past few months was to log in as a secondary local account on the computer in order to install applications. Of course this was a pain, but it minimized my time on the computer and at the client's site, so it was a win/win for both of us. Finally one day I was determined to figure out what was going on.

I couldn't find anything in the registry, so I ran the Command Prompt as Administrator by right-clicking the Command Prompt shortcut and selecting “Run as administrator.” This starts the process with the full administrator token instead of the filtered token that UAC normally hands to an administrator's desktop session. The catch is that the elevated process behaves, for practical purposes, like a separate logon. The install still failed, but while looking around in this environment through the command prompt I found that drive letter H: was not mapped. After mapping the drive letter there, the install worked.

OK, so now I know why the install fails. When the elevation takes place, the elevated token does not inherit the standard token's drive mappings, so H: simply does not exist in that session. But why does the installer need the H: drive? It turns out the client was redirecting his My Documents folder to his home drive using a drive-letter path (H:\My Documents) rather than a UNC path (\\server\homeshare\username\My Documents). Any installer that touches the redirected folder, to drop a shortcut or a sample document for instance, resolves H:\My Documents, finds no such drive in the elevated session, and fails. By changing the redirection to use UNC paths, the problems went away for all installations.

Weird oddity, but interesting nonetheless. I'm wondering how this affects other installations, particularly those that change environment variables or the registry.
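A quick way to find this misconfiguration before an installer trips over it, as an added example rather than anything from the original post: read the redirected shell folder targets, read the current drive mappings, and flag every redirection that goes through a mapped letter, printing the UNC path it should point to instead. The `net use` output and the User Shell Folders values below are constructed samples (the server name `fileserver` and the user `jsmith` are made up); on a real Windows box the script reads the live registry key and runs `net use` itself.

```python
r"""Audit folder-redirection targets that break under UAC elevation.

Added example; not code from the original post. Drive letters mapped in the
standard-user logon session are not visible to a process running with the
elevated (full administrator) token, so a shell folder redirected to
H:\My Documents fails inside an elevated installer while the same folder
redirected to \\server\share\user\My Documents keeps working.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `net use` output (server and user names are made up).
SAMPLE_NET_USE = r"""New connections will be remembered.

Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           H:        \\fileserver\homeshare\jsmith   Microsoft Windows Network
OK           S:        \\fileserver\shared             Microsoft Windows Network
The command completed successfully.
"""

# Constructed sample of the values stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
SAMPLE_SHELL_FOLDERS = {
    "Personal": r"H:\My Documents",                               # the broken setup
    "Desktop": r"%USERPROFILE%\Desktop",                          # local, fine
    "My Pictures": r"\\fileserver\homeshare\jsmith\My Pictures",  # UNC, fine
}

NET_USE_LINE = re.compile(r"^\s*(?:OK|Disconnected|Unavailable)?\s+([A-Za-z]):\s+(\\\\\S+)", re.M)
DRIVE_PATH = re.compile(r"^([A-Za-z]):(\\.*)?$")


def parse_net_use(text: str) -> Dict[str, str]:
    """Map each mapped drive letter (upper-case, no colon) to its UNC target."""
    return {m.group(1).upper(): m.group(2) for m in NET_USE_LINE.finditer(text)}


def to_unc(path: str, mappings: Dict[str, str]) -> str:
    """Rewrite a drive-letter path to UNC if the letter is a network mapping; else unchanged."""
    m = DRIVE_PATH.match(path)
    if not m or m.group(1).upper() not in mappings:
        return path                    # UNC, %VAR% path, or a local fixed disk: leave alone
    return mappings[m.group(1).upper()].rstrip("\\") + (m.group(2) or "")


def audit_redirections(folders: Dict[str, str], net_use_text: str) -> List[Tuple[str, str, str]]:
    """Return (folder, current target, UNC replacement) for every redirection that
    points through a mapped drive letter and therefore vanishes under elevation."""
    mappings = parse_net_use(net_use_text)
    return [(name, target, to_unc(target, mappings))
            for name, target in folders.items()
            if to_unc(target, mappings) != target]


def read_live_shell_folders() -> Dict[str, str]:
    """On Windows read the real User Shell Folders key; elsewhere fall back to the sample."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_SHELL_FOLDERS
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders")
    folders, i = {}, 0
    try:
        while True:
            name, value, _type = winreg.EnumValue(key, i)
            folders[name] = str(value)
            i += 1
    except OSError:                    # EnumValue raises once the index runs off the end
        pass
    finally:
        winreg.CloseKey(key)
    return folders


if __name__ == "__main__":
    try:
        net_use_text = subprocess.run(["net", "use"], capture_output=True, text=True).stdout
    except FileNotFoundError:          # not on Windows: use the constructed sample
        net_use_text = SAMPLE_NET_USE
    for name, old, new in audit_redirections(read_live_shell_folders(), net_use_text):
        print(f"{name}: {old}  ->  {new}")
```

Run it from the user's own (non-elevated) session, since that is where the mappings live; run from an elevated prompt it would see no mappings and report nothing. Microsoft's alternative to fixing the redirection target is the EnableLinkedConnections DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which makes drive mappings visible to both halves of a split token, but that setting deliberately weakens the separation UAC is meant to give, so pointing the redirection at the UNC path is the cleaner fix.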

Apple’s Misstep with the iPhone Application Delivery

Enterprise 10 Comments

After watching the WWDC announcements this week I came to a realization that perhaps Apple also reached but doesn't care about. It comes from 12 years of working in IT infrastructure for a mid-tier financial firm.

From the Palm to the BlackBerry, desktop syncing software was used early on to keep devices up to date. When RIM went to full wireless sync it was a boon to IT administrators, because not only was syncing done wirelessly, but so were application distribution and policy enforcement.

So why did Apple decide, after building a wireless application delivery infrastructure for consumers, to use iTunes for iPhone application sync in the enterprise?

iTunes, like other consumer media applications, is largely banned in the enterprise. The reasons are many: it is not a business application, it uses mDNS (Bonjour), which has been exploited, it drags in QuickTime and its issues, and so on. Besides, any additional software increases the attack surface on an end user's machine.

So I see this as a problem for those enterprises that will embrace the iPhone as an application delivery platform. Apple could easily have built a mini App Store application that could be sold or provided to enterprises for application delivery, or used the emailing feature it already has for developers. Or it could provide Group Policy templates for managing iTunes installations that pare down features (similar to what Skype has done).

My recommendation to my smaller clients will depend on the level of risk they are willing to take. Many will want to use iPhones and do not need application delivery. But those that want to run applications on the iPhone will need to decide whether iTunes is a necessary risk they are willing to accept.

Damaged iPhone

For me, I'm looking for a way to turn my iPhone into a virtual iPod touch (i.e. kill the phone service). Why? Well, one of my kids decided that sunscreen might help protect my phone from the sun, and it seeped underneath the LCD.

Which gives me a good reason to get the 3G iPhone… I am a fanboy, aren't I? Nuts…