About the Author

Bennett Norton | Systems Engineer

The FBI’s 2016 Privacy Red Herring – Despite What You Read in the Media, Corporations Can Unlock the iPhones They Own

I often find myself laughing at the overreactions we make in today’s world, where every opinion can be spread so easily, especially if it carries any kind of political current. Of late, though, my laughter has subsided and I find myself much more concerned. Unfortunately for the majority of us whose opinions fall between the extremes, our voices are typically too quiet and are often drowned out.

Hard Drive Encryption for Your Macs is Free – Why Aren’t You Leveraging its Protection?

2014 and 2015 have been monumental years when it comes to data breaches and the costs incurred by the business entity for those breaches. According to a study released by IBM and the Ponemon Institute, the average total cost of a data breach increased to $3.79 million in 2015.

While Sony Pictures Entertainment, JPMorgan Chase, Target, Ashley Madison, and the U.S. government are the high-profile cases, it only takes one laptop forgotten in the back of a taxi cab or left in an airplane seat-back pocket to put you in the sights of a possible attack.

Does Your Mac Patch Process Rely Solely on Hope and Prayer?

The Hope and Prayer of a Contractor

My family and I love to play pickup basketball games together in our backyard. We do, however, live in Texas, and as you probably know, Texas summers are hot. Due to the heat, we decided it would be wise to install an overhead light on the basketball court so we could play hoops when the sun goes down. Since I’m not an electrician, we contracted out the work in early February.

Well, it’s now the middle of August and we’re still waiting for the electrician to finish his job. Last week I was pressing the general contractor for a commitment to a specific day for the work to be done. Let’s just say his response was not exactly what I was expecting.

“He said next week for sure. Praying that happens.”

Now, I am a very religious individual and strongly believe in the power of prayer. I even believe prayer should be invoked on behalf of our businesses and livelihood.

However, I believe prayer is a tool to be used after we’ve done everything possible on our end to bring about our desired outcomes. I do not believe prayer should be a tool used as a crutch to overcome our own lack of effort and planning (James 2:20). A general contractor, in my opinion, should be able to effectively work with his team and his subcontractors to gain commitments and delivery dates without doing anything more than throwing it onto the wings of hope and prayer.

How Does this Relate?

So what does this story have to do with patching processes for Macs?

To that, I say, good question. In response, I’ll answer your question with a question. Are you secretly relying solely on hope and prayer that the Macs in your environment will simply be self-managed by the savvy users that employ them? After all, Mac users want to be treated differently, right?

I was on a phone call again on Friday and asked the IT administrator whether they have only Windows devices in their environment, or whether they also have anything else, such as OS X devices and/or Linux devices, that he would need to manage. His response is about as common as it gets.

“We have some Macs, the total number of which is growing, but it’s mainly just our marketing team and several of our executives. At this time, we don’t manage them.”

You don’t manage them? Wow! How often do we hear the idiom “a chain is only as strong as its weakest link?” Why do organizations invest so much time and money in their infrastructure when they’re only going to patch a percentage of the total attack vectors, leaving the remaining portion to chance…or was that to hope and prayer?

The Vulnerability Data

Common Vulnerabilities and Exposures (CVE) is reporting that OS X has had 178 new security vulnerabilities published in 2015 alone. To compare, that’s more than 2013 and 2014 combined, and we still have a third of the year to go; this data only includes vulnerabilities released up until the first week of July. It doesn’t account for the latest zero-day vulnerabilities being reported this week here and here. Furthermore, of the 178 vulnerabilities, 25 of them allow the attacker to gain additional privileges on the compromised system. To put that into perspective, 25 new privilege-escalation vulnerabilities is more than all previously reported vulnerabilities of the same type over the last eight years combined!

Figure: Number of Vulnerabilities (Gain Privileges)

Hoping and praying an attack doesn’t surface, through the management process of “look the other way”, is incredibly risky and could potentially cost you millions. Infosec Institute is reporting that in 2013 “the average annualized cost of cybercrime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million.”

So What Do I Do?

Sounds like it’s time to quit relying on just hope and prayer and to put forth some action. So where do you start? First and foremost, obtain a tool that allows you to scan your managed machines against a known vulnerability list that you can control, and ensure your machines scan on a frequent basis and then centrally report up their results.

Just knowing where you stand against the 178 new vulnerabilities is a great start. It will also give you the information you need to make intelligent business decisions.

Notice that I mentioned you will now have the data to make intelligent business decisions. Blindly patching all 178 vulnerabilities without properly testing them, while better than completely ignoring them altogether, is not moving forward intelligently. If you were to blindly patch everything, there’s a good chance you could break a critical business process which in turn could potentially affect your organization to the tune of millions of dollars as well. So be careful and use caution.

Many security pundits will encourage you to test and evaluate new patches in phases. Apple doesn’t have a “Patch Tuesday,” so you’ll need to be constantly vigilant about when Apple releases new security updates. Hopefully the tool you use to scan your machines can notify you of new content. If not, keep an eye on Apple’s Security Updates page found here.

I personally like to break down my patch process into five distinct phases:

  • The lab test phase
  • The smaller, more controlled initial test pilot phase
  • The larger, greater reach secondary pilot phase
  • The mass rollout phase
  • The exception handling phase

The size of your organization and the resources available may force you to adapt, and that’s alright. It’s the checks and balances part that is critical.

The Lab Test Phase

Inside the lab test phase, you should have replica environments for the different types of configurations you have deployed in your environment. Keep them up to date with reality. Make sure when you update your critical business applications in production that you also update your test lab machines. Almost as important, make sure you downgrade the business critical applications to the current release version when testing new security content. Don’t think just because the Apple security update works with version 2.2.x of your business app that it will also work with version 2.1.x.

In order to advance out of the lab test phase, ensure that your exit criteria have been defined and that they meet your success metrics. These metrics may be as simple as confirming that a machine has been patched, that it can still be logged into, and that the critical business applications can still be opened. You may also decide to get much more granular; that’s up to you and your organization’s tolerance for risk. What’s important is that a set of defined exit criteria has been established. You can’t be successful if you don’t know what success looks like. Once you have success, document the status of your exit criteria with times and dates and move on.

In regards to timing, when new content comes out, you should be immediately testing against your lab machines.

The Smaller, More Controlled Initial Test Pilot Phase

Once you’ve validated the content against your lab machines and have met your exit criteria, move on to a focused pilot group. This is stating the obvious, but members of this pilot group need to be using machines that match the types of devices deployed across your entire corporation. That may mean you’re going to need to find dozens of different types of users to match finance, engineering, marketing, etc. Understanding your different user types is critical. Furthermore, these individuals need to be flexible and must be willing to communicate when things don’t work. Build feedback channels into your process that are easy to use. If something breaks, the pilot test group user should know exactly how to contact you with the information you need.

The next obvious step is to notify the pilot group that patches are coming so they know to be alert and aware.

Just like with the lab test phase, define your exit criteria and document them. Not everyone in your pilot group is going to be available 100 percent of the time. You may have to settle for either a 100 percent approval rating from your test group or the passing of up to seven business days, whichever comes first. Define what success is, establish the process, and once you can quantify whether you’ve hit your metrics, move on. If you can’t meet your success metrics due to issues, single out the offender and proceed with the rest while you move the offender into the exception handling process.

Ideally, you should be able to wrap up this phase within three to 10 business days from the initial content publication date.

The Larger, Greater Reach Secondary Pilot Phase

The larger pilot phase is nearly identical to the first, only this time increasing the number of participants. Maybe you move from 2 percent of your machines to five to 10 percent of your machines. Due to the greater number of participants, you may need to be more lax in your exit criteria. You may decide that if 75 percent of your participants approve, or if seven business days have transpired, you have sufficient information to move on. When things break, people complain. When it comes to patching, no news is often good news, which is why we can count elapsed time as a success metric. It’s not perfect; there are always those applications that are run only on a periodic basis, but it’s a start. Just document where you stand and move on.

Again, just make sure the proper notification is going out to your pilot group so they know to be aware and provide them with dates they need to respond by. Ensure the proper channels are in place so the pilot users can communicate the good and the bad.

This phase should put you two to three weeks out from the content’s publication date. Remember, time is not on your side. The key is to be disciplined, yet focused on getting the content released.

The Mass Rollout Phase

Here comes the fun part: let’s roll out the patch updates to the rest of the organization. While no process will prevent every potential bad outcome, enter into the mass rollout phase with confidence. It won’t hurt to hope and pray at this point either, but at least you’ve done your part.

The key to this portion is to capture the feedback and learn. If a certain individual or group is adversely affected, understand how they differ from your pilot test groups. Consider adding this individual, or a member of the group, into your pilot phase for future testing. The outspoken, high-energy individuals are usually willing to participate in such programs, so bring them in.

Make sure you’re using your patch tool to track the progress. You should be able to reach a pretty high success rate within days of release.

Where I see most companies struggle here is with off-network devices. Ideally your patch tool should be able to handle the delivery of a patch regardless of where it sits, whether on or off the network. If it doesn’t, you may want to re-evaluate your tool. Machines are always going to be offline or off network, sometimes for days, weeks, months or even indefinitely. Build your process around the exceptions and you’ll be successful.

The Exception Handling Phase

Use this phase to deal with all of the one-off scenarios. It may be a single system that causes you grief. It may be a patch that will not apply. It may be hardware that fails months after patches have been applied, making you vulnerable to items you thought you had patched months ago.

Every scenario is going to be unique and require a different set of steps to troubleshoot. Figure out what you can and then re-insert it into your patch workflow when it’s ready to be re-evaluated. For me, what’s important is to document, learn and use what you can to enhance your established patch process so that with each iteration it gets better and better.
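The phase gates described in the pilot phases above, as an added example that is not code from the original post: the thresholds (100 percent approval or seven business days for the first pilot, 75 percent or seven business days for the second) and the rule of setting an offender aside for exception handling come from the text; the data structures, the weekday-only business-day count, and the sample pilot responses are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    HOLD = "hold"                      # keep collecting pilot feedback
    ADVANCE = "advance"                # exit criteria met, move to the next phase
    ADVANCE_WITH_EXCEPTIONS = "advance_with_exceptions"  # proceed; offenders go to exception handling


@dataclass(frozen=True)
class PhaseGate:
    name: str
    approval_threshold: float   # share of non-offending participants that must approve
    max_business_days: int      # elapsed business days after which silence counts as success


@dataclass(frozen=True)
class Response:
    participant: str
    approved: Optional[bool]    # None means the participant has not responded yet


@dataclass(frozen=True)
class GateResult:
    outcome: Outcome
    approval_rate: float
    elapsed_business_days: int
    exceptions: List[str]
    record: str                 # one-line dated status entry for the patch log


# Gates from the post: the first pilot wants 100 percent approval or seven business days,
# the larger second pilot settles for 75 percent approval or seven business days.
INITIAL_PILOT = PhaseGate("initial pilot", approval_threshold=1.0, max_business_days=7)
SECONDARY_PILOT = PhaseGate("secondary pilot", approval_threshold=0.75, max_business_days=7)


def business_days_between(start: date, end: date) -> int:
    """Weekdays after start up to and including end. Holidays are ignored (assumption)."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def evaluate_gate(gate: PhaseGate, responses: List[Response], published: date, today: date) -> GateResult:
    """Approval threshold or elapsed time, whichever comes first; anyone reporting
    breakage is singled out, routed to exception handling, and excluded from the rate."""
    offenders = [r.participant for r in responses if r.approved is False]
    remaining = [r for r in responses if r.approved is not False]
    approvals = sum(1 for r in remaining if r.approved)
    rate = approvals / len(remaining) if remaining else 0.0
    elapsed = business_days_between(published, today)
    met = rate >= gate.approval_threshold or elapsed >= gate.max_business_days
    outcome = Outcome.HOLD if not met else (Outcome.ADVANCE_WITH_EXCEPTIONS if offenders else Outcome.ADVANCE)
    record = (f"{today.isoformat()} {gate.name}: {outcome.value}, approval {rate:.0%} "
              f"(need {gate.approval_threshold:.0%}), {elapsed} business days "
              f"(limit {gate.max_business_days}), exceptions={offenders}")
    return GateResult(outcome, rate, elapsed, offenders, record)


def run_demo() -> dict:
    """Constructed sample pilot (not real data): content published Monday 2015-07-06."""
    published = date(2015, 7, 6)
    pilot = [Response("finance-1", True), Response("engineering-1", True), Response("marketing-1", None)]
    early = evaluate_gate(INITIAL_PILOT, pilot, published, date(2015, 7, 10))        # 4 days, 67%: hold
    broken = pilot + [Response("executive-1", False)]
    still_early = evaluate_gate(INITIAL_PILOT, broken, published, date(2015, 7, 10))  # offender set aside, hold
    timed_out = evaluate_gate(INITIAL_PILOT, broken, published, date(2015, 7, 15))    # 7 days: proceed, with exception
    second = [Response(f"user-{i}", True) for i in range(4)] + [Response("user-4", None)]
    secondary = evaluate_gate(SECONDARY_PILOT, second, published, date(2015, 7, 17))  # 80% >= 75%: advance
    return {"early": early, "still_early": still_early, "timed_out": timed_out, "secondary": secondary}


if __name__ == "__main__":
    for result in run_demo().values():
        print(result.record)
```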

Conclusion

Using your patch tool, you should be able to track the trends and understand how quickly you can turn around a patch. What may take 35 days can be gradually improved to 30 days, then into the 20s, the 10s and maybe even into single digits. The size of an organization has such an impact on turnaround that comparing against others is not as important as comparing against yourself.

Now, after implementing your newly minted and customized patch process, continue to hope and pray that what you’ve done is enough. Zero-day threats will always be with us; 100 percent prevention is nigh impossible. But having done all that you can do and covered what is in your control, you can now use that prayer and hope to overcome what is outside your control.

How to Install Microsoft Office 2016 for Mac Using LANDESK Management Suite

Goodbye 2011 and hello 2016! After five long years, Microsoft has finally replaced its outdated and very un-Macish Office 2011 product with an ultra-sleek and modern Office 2016 for Mac. With the product re-written from the ground up, Microsoft is promising an “unmistakably Office” experience, something we Mac users have not previously enjoyed without compromising the Mac experience itself.

The one major caveat for the Office 2016 for Mac release…you must be an Office 365 subscriber, or you must be a student to get access to the product today. If you don’t fall into one of those two categories, you’re going to need to hold tight. While the full details are not yet known, such as the exact release date or price, the one-time product purchase option will have you waiting until September sometime. If you don’t feel you can wait that long, head over to office.com/mac and become a subscriber today.

Where’s the moat around my OS X castle?

We all want to feel secure and protected, right? Kings, queens and other powerful individuals from ages past built moats to protect their investments and the people they cared for. Today, while we may not all be kings or queens, we still have the desire to protect ourselves and our personal property.

If you’re a Mac user with the belief that your OS X moat is impenetrable, protecting you from all foreign potential conquerors, it’s time to perk up and use a bit of caution.

According to Pedro Vilaca, a well-known security expert for OS X, the moat around your personal world housed on your Mac has a major flaw. In Pedro’s blog post titled The Empire Strikes Back Apple – how your Mac firmware security is completely broken, he explains that simply putting your machine to sleep opens the door for an attacker to compromise the device and gain root access to the firmware.

So where did the moat around your OS X castle go?

Balancing Power, Responsibility, and Control

At LANDesk we’ve been doing a lot of research and analysis on defining what a proper end user portal should look like.  We’ve been in contact with a number of IT administrators asking them what their thoughts are on balancing the power, responsibility, and control with their end users.  The dichotomy of feedback has been expected, yet was still quite astonishing.

As with any shift in mindset, the consumerization of IT has taken a strong hold in some IT organizations, while others seem to be minimally affected.  Some customers stated it would be a good idea to have a portal that suggested potentially new apps to its users that would assist them in their jobs. After all, if the employee has a better set of tools to get their job done, the employee satisfaction rises and the company itself becomes more efficient and effective.

However, managing apps that can have a behavioral “flavor of the month” from the end user perspective can be very problematic.  The reality is, IT gains its scalability through control and limitation of options.  Creating licensing agreements, purchase orders, software asset tracking processes, deployment packages, gold images with the appropriate business applications, as well as many of the other requisite tasks, are all simplified when limited in scope.  Complete end user flexibility can generate complete chaos in the IT department.

Thus we see the dichotomy and the need for a balance between IT and the end user.  The next few years will prove quite interesting to watch.  Currently we’re in the middle of IT consumerization with devices being used at work.  Data and applications are ramping up – just look at the proliferation of Dropbox in corporate America.

At LANDesk, we are seeing the trends.  We’ve offered user-based pricing to help IT begin to bridge the balance of controls.  As we push down functionality to the end user portal, consumers will have more and more flexibility, while we give IT more control around that experience.  Our goal, we hope, is a comfort and balance between chaos and freedom for both IT and the end user.

Are You Ignoring the Apple Elephant in the Room?

A couple of months ago, I found myself in the San Jose International Airport. As I waited for my plane, I noticed that nearly everyone in the terminal was using a Mac laptop or an iOS device. (And I mean it when I say nearly everyone.)  While it was an interesting thing to notice, San Jose is practically in Apple’s backyard, so I dismissed it as an effort to support the local employer.

Several weeks later, while waiting for my plane to arrive at the Charles de Gaulle International Airport in Paris, France, I started noticing the devices used by others waiting in the terminal. Much to my surprise, nearly all of the devices in use were either Mac laptops or iOS devices.  Since Paris isn’t in Apple’s backyard, the usage trend became ever more intriguing. It’s obvious that times are changing, and according to Apple’s 2012 fiscal numbers, they’re changing in big ways.

Last month Apple’s 2012 fiscal report showed they sold more than 125 million iPhones, 58 million iPads, 18 million Macs and 35 million iPods with more than $156 billion in total sales and over $44 billion in profit.

Just in case you’re not great at math, I’ll add it up for you: 125 million iPhones + 58 million iPads + 18 million Macs = 1 very large elephant (of the Apple variety) sitting in the IT office.  Thus the $156 billion dollar question becomes: “Are you ignoring the elephant in the room?”

If you are, it’s time to review LANDesk’s management portfolio again. Built within LANDesk’s renowned integrated console is power to manage those millions of iPhones, iPads and Mac devices wandering around your office.  Managing your Mac devices can help your department reduce cost, increase productivity and gain control of end user environments. With the number of Mac devices in use, you can’t afford not to do it.

LANDesk is at Gartner ITXPO

LANDesk is at Gartner ITxpo.  Come find us at MP9 to talk about LANDesk’s latest releases for Management Suite, Security Suite, Mobility Manager and Service Desk.  We’ll have experts on staff to discuss everything from zero-touch AMT provisioning to zero-call software request resolution and everything in between.

LANDesk’s Jesse Frye (@jessefryeutah) and Ian Aitchison (@ianaitchison) will also be hosting a solution provider session Wednesday afternoon at 3:15 in Dolphin-Southern II.  They’ll be speaking on increasing organizational productivity through “user oriented management.”

For updates on the show or our latest product releases, follow @LANDesk on Twitter or like us on the LANDesk Facebook page.

To be Thin, Slim, and Lean

To be thin, slim and lean. People, young and not so young, spend an enormous effort to obtain those traits.  Strangely enough, so do some computer devices. Who would have thought?

In the computing world, the words thin, slim, lean, fat, and thick are terms used to describe where the processing work is taking place.  Thin devices are somewhat veneer objects that look pretty but only act as the interaction point between the user and the backend machine doing the work.  Thick devices actually do the processing and all the work locally as well as interact with the end user.

Originally, one of the main selling points of thin client devices was the inexpensive cost of the hardware.  Thin client devices are designed specifically for workers who don’t need the horsepower of their bigger brother and sister devices, which cost three to four times more.  What an economic deal, right?  If a thin client device breaks, administrators can have two to three spares for the cost of one of those bigger brother machines.  What CTO wouldn’t sign up for that?

Well, the cost of a device itself is definitely a different discussion than that of the total cost of ownership for a device.  Ironically, one of the greatest benefits of thin client devices also proves to be one of the greatest challenges.

Embedded operating systems, the OSs that run on thin client devices, offer unique write filter overlays that prevent data from being committed to the device without going through the appropriate process. As such, write filters provide corporations a large degree of security safety by purging everything upon a reboot—including viruses, and application or OS corruption that may occur during normal use—returning the machine back to an original state defined by the administrator.  Just reboot and magically all your problems go away.

Unfortunately, this protection provided by the operating system write filter introduces a unique IT challenge and changes the total cost of ownership on that device.  Although the client is thin and the main processing takes place on a backend server OS, the thin client device itself still needs to receive OS and application updates and maybe even new applications altogether.

To reduce the total cost of ownership of a thin client device, and to remove the need for yet another tool to manage just thin clients (along with all the hardware, administrator training, and process creation that come with yet another tool), LANDesk and HP have teamed up to bring thin client management directly into LANDesk Management Suite 9.5.

When LANDesk Management Suite 9.5 releases in Q4 of 2012, it will contain support for HP Thin Client devices running Microsoft Windows Embedded Standard 7 Enterprise, Microsoft Windows Embedded Standard 09 Enterprise, and HP’s ThinPro Ubuntu derivative OS.

Leveraging the same LANDesk policy workflows and a unique write filter management system built into the LANDesk agent, administrators will be able to capture and deploy images, patch the operating system, distribute software and perform remote control operations to their thin client devices.*

Stay tuned for more information about LANDesk Management Suite 9.5 release.

* HP ThinPro will only support an agent install at the time of the LDMS 9.5 release.  Further enhancements to software distribution, patch and remote control will follow later.

One Way to Enhance End-User Security Without Compromising End-User Productivity

In life we are always making trade-offs.  We analyze the benefits and weigh them against the negatives and decide whether or not to proceed.  Sometimes the decisions we’re making are small and less significant, like, “Should I eat that delicious slice of red velvet cheesecake from the Cheesecake Factory?”  Other times, however, the decision requires more investment and time before knowing if the result is worth it.

Life’s black and white decisions are generally easier to analyze, decide on, and then move forward from.  It’s the decisions that wander into the gray zone that require us to slow down and think things through before moving forward.

IT professionals often find themselves contemplating the age-old debate of how to provide end-user security without compromising end-user productivity.

To arm IT professionals with the tools needed to provide a more secure network without having to invest time and effort beyond perceived benefits, LANDesk has teamed up with Hewlett-Packard to help IT administrators centrally secure their HP notebooks, desktops, and workstations.  In June, LANDesk released an enhancement pack that allows IT administrators to more efficiently manage their HP machines.

Using LANDesk’s integrated console, an IT administrator can now remotely update the BIOS using patch content automatically supplied by LANDesk’s content servers and apply any drivers needed to plug security holes. To enhance performance, admins can set and apply strong BIOS passwords, enable and take ownership of the machines’ Trusted Platform Modules (TPM), and set alerts to be properly notified of the status of their HP machines—all of which can be done in a one-to-many fashion.

Having the ability to remotely set a BIOS password and subsequently take ownership of the TPM chip eliminates hours of manual labor.  As such, the end result changes the IT professionals’ discussions around convenience vs. security.  Rather than debating whether to implement great tools that take advantage of TPM, like Microsoft’s BitLocker drive encryption utility, the discussion becomes more black and white.  The gray area around the effort to implement has been greatly reduced through LANDesk and HP’s central manageability innovation.

So next time the debate about enhancing end-user security without compromising productivity comes up, remember that the issue isn’t as gray as it used to be.