Apple OS X surges in enterprise with maturing security

For seven of the past 30 years that the Mac has existed, Apple has been reinventing itself as the “post-PC” company, with its mobile operating system, iOS, and iPhones and iPads to run it. Yet Apple’s changes in the Mac’s OS X operating system and a crystallization of recent management and security features are spurring a Mac surge in an unlikely market: the enterprise.

Jan. 24 is the 30th anniversary of the Mac. Mac laptops, especially, have been gaining ground in the enterprise for several years, in the wake of the widespread enterprise adoption of iOS-based mobile devices, though Microsoft Windows still has the lion’s share by far. (BareFigures has a chart, “Mac Portables vs. Desktop unit sales,” showing the higher unit numbers and yearly growth rate for the notebooks.)

“The big difference between Apple and the Windows/Linux world is the model of a closed [OS] architecture and software environment,” says Stephen Cobb, security researcher with ESET, which offers a variety of popular endpoint anti-virus and security applications, including products for the Mac. “That’s got a lot to be said for it. You can see the benefits of exercising tight control over the hardware and software in iOS: we’re not seeing the problems we see in the Android world.”

From a security viewpoint, the evolution of OS X over the past decade has been “tightening up the walled garden,” says Cobb. At the same time, Cobb and others say, Apple has been increasing and improving its interactions with the security community, including application vendors, though some say Apple needs to be more transparent about security.

“In OS X and iOS, you do have levels of protection,” Cobb says. “But you only have Apple’s work on security. It’s very good work, but there is a theoretical concern: ‘If Apple misses something, what are we going to do?'”

OS X was introduced about 14 years ago, adopting a Unix kernel and building on technology from NeXT, which Apple bought in 1997. The first version was for servers; the first desktop release was in 2001.

The newest version is OS X 10.9 or Mavericks, released Oct. 22, 2013, as a free update through the Mac App Store. Software updates are now automatic.

“Mavericks is significantly better,” says Benjamin Levy, principal with Solutions Consulting, a Los Angeles firm that specializes in Apple OS X and iOS deployments for enterprise customers. “The API for [user] profiles has been expanded tremendously and the [much improved] caching server is a fantastic addition. The fact that they’re giving away what used to be about $200 worth of software means that they’re setting the baseline higher, getting more people on it, and making a stronger, healthier ecosystem.”

Apple allows two classes of users to log into a Mac: standard user and administrator. “The latter is a lot more difficult to control,” says Levy. But the former is now easier to control.

“The move to the Mac App Store and online updates is a big shift,” says Cobb. “You can, with admin control, still override those settings and download anything from anywhere. But if properly administered within the enterprise, you can prevent this. You can control what is deployed on each device. Which is how I think the enterprise should be able to do it, but not all employees would agree.”

This particular model is similar to that used in iOS. “If you want a consumer device to make money, it cannot have a traditional [enterprise] helpdesk model,” says Ojas Rege, vice president of strategy for MobileIron, a Mountain View, Calif., company that offers mobile device and mobility management software. “Instead, you have to have really strong architectural security, so apps cannot mess up the underlying OS. If [iOS] apps had admin rights, like the old Microsoft Windows, these modern operating systems could not succeed.”

The enterprise is now the inheritor of all these consumer-focused benefits, he says.

“I’m sitting on my company computer, and I don’t have root access,” says Cobb. “And I have stipulated apps. It’s hard to see how you can secure an enterprise computer without that kind of control. It’s the default setting now for the consumer. Even with BYOD [bring your own device], you have more assurance that the BYOD device isn’t getting apps from just anywhere.”

At the same time, Apple’s style – focused on the end user as consumer, not as employee – in effect forces IT groups to be more proactive. “There are changes in Mavericks that give control to users…and you can look at that as ‘not good management,'” Solutions Consulting’s Levy says. “But the key is that you [enterprise IT] need to implement updates — you need to set them up and direct users to your internal software update server. If you don’t manage the machine, and tell users in effect ‘use my updates,’ then they’ll be using Apple’s by default.”

Apple doesn’t offer the complex, server software infrastructures of Microsoft and other enterprise-focused independent software vendors. But it has been making it easier for Macs to fit into those infrastructures, says Corey Nachreiner, director of security strategy and research for WatchGuard, a Seattle company that offers what it calls a “next generation” firewall. He uses a Macbook Pro and an iPad.

“Their latest changes improve Macs working with Microsoft Exchange ActiveSync and Active Directory,” he says. “They’re trying to make the products that they know enterprises will use, and let Microsoft do the heavy lifting around things like authentication.” OS X Server now has what Nachreiner calls “MDM light,” to make it easier for users to register their Macs and there are more programmable interfaces that third-party security and management software vendors can use for tasks such as advanced management controls or file encryption.

A recent tutorial at TechRepublic – on integrating Macs into an enterprise Windows domain – assures readers that “Integrating Macs will initially be easier than you think!” The process of binding, or joining, a Mac to a domain is “virtually identical to joining a Windows PC to a domain, complete with checking domain credentials to verify the end user has the necessary rights to add the computer to the domain.”

Many of the OS X changes have been done by Apple on its own. It’s only relatively recently, according to these sources, that Apple has started to become more open about security, with vendors and researchers. “Apple has been quite proprietary in the past,” says Nachreiner. The shift seems to have been spurred, again, from the iOS side. “They talked at Black Hat [a well-known series of security conferences] for the first time in 2012, describing their secure boot process for iOS,” Nachreiner says.

Over the past couple of years, Apple has made a number of high-profile hires of outside security experts. One is Kristin Paget, a former Microsoft employee and Vista hacker, hired in late 2012 for OS X security, not long after the Flashback malware, exploiting an unpatched vulnerability in Java, infected a reported 600,000 Macs. It was a rude awakening for many users.

Other hires in recent years, summarized in this BusinessInsider story, include: David Rice, in 2011, a cybersecurity expert and former NSA analyst (and author of the 2007 “Geekonomics”), as director of global security; Mwende Window Snyder, in 2010, formerly chief security officer at Mozilla; Kevin Blanchard, 2010, security engineer; Alan Ptak, in 2011, formerly with SANS Institute; and Matthew Murphy, 2007, software engineer who helped create security for the Mac App Store app review process.

ESET’s Cobb would like to see Apple’s involvement with the larger security community broaden and deepen. “It’s a question of ‘can Apple maintain that walled garden defense adequately all by itself,'” he says. “We wouldn’t be selling a consumer [security] product for the Mac if there was not additional work to be done.”

These sources all declined to go into details about their companies’ relationships with Apple.

MobileIron’s Rege says nearly all of those details are covered under non-disclosure agreements with Apple. But he did say that Apple has been very open to listening to MobileIron and other third parties: they listen, evaluate, and sometimes say yes to requests and sometimes say no. Apple does not share any of its future product or technology plans. At some point before Apple releases the “gold master” of the next iOS release, the company starts to inform third parties about relevant new features. Rege wouldn’t say when that occurs. “We’ve had enough ‘runway’ for our product to be ready to support that OS release as quickly as possible,” he says.

He also says the refrain “Apple is not focused on the enterprise” is simply false. “Apple has a really big, strong organization focused on the enterprise,” he says. “We’ve worked with that team from the beginning.” A few months ago, MobileIron “did a big event in the Apple office in New York City,” he says. “All the Apple people attending were NY-area field reps for enterprise customers.”

“It used to be Apple’s way or the highway,” says WatchGuard’s Nachreiner. “But today, if you are an enterprise IT manager, you do have the tools to deploy an Apple infrastructure as you have a PC or Linux one in the past.”