Today saw the roll-out of the free upgrade to Apple’s operating system for its line of desktop computers; five experts spoke to CBR about what the updates would mean for enterprises.
1. SIP integration is a win for security
Thomas Reed, Director of Mac Offerings, Malwarebytes, said:
"The main change is the addition of System Integrity Protection (SIP). This protects a number of different parts of the system from modification, even by the all-powerful root user. (For this reason, SIP is often referred to as "rootless mode," although this is a misnomer, as the root user still exists.)
"This helps to secure the system against some of the more difficult to detect ways that malware could infect a system, which is good from a security point of view. There are a number of adware programs actively infecting Macs right now that will not be able to infect El Capitan, due to SIP, without modifications.
"However, it also means that some utilities that relied on such modifications for their functionality will need to be updated or replaced for compatibility with El Capitan. This may cause some problems for enterprise IT."
2. The new OS is good news for managers – but careful planning is needed
Charles Edge, Product Manager, JAMF Software, said:
"Apple has ensured that El Capitan brings a raft of enterprise friendly management features, such as continued support for the Device Enrolment Program, which makes it a very attractive, easy to automate, and secure platform for the enterprise.
"Users at organisations will also delight in the upgrades Apple provides to practically all of the applications that come with OS X, as well as increased searchability by expanding Spotlight to not only search hard drives, but also to search Internet and other media.
"A device and roll out strategy and plan will be essential so that IT managers have access to an accurate inventory for all managed Macs running on the new platform, giving them full visibility on how company data is being used or accessed.
"The IT department will be expected to seamlessly roll out the new upgrade simultaneously to all employees and scale as the company grows, but also support employees to be self-sufficient when installing new apps on to their individual Macs."
3. Don’t rush into anything
Sergio Galindo, general manager of IT security and software vulnerability specialist GFI Software, said:
"Users and companies need to be mindful that a new version of MacOS will bring with it issues of application compatibility. There is no guarantee that existing apps will work, and it is unlikely that everyone has readied updates to correct El Capitan issues.
"Automated patch management will help significantly with rounding up patches and updates, so that when companies do migrate, it is as smooth a process as possible.
"Testing before deploying is paramount, and being a later adopter is the safest bet. Users need to be told clearly why they should not self-initiate the update, and moreover, why they should not upgrade to new iCloud services.
"The latest iteration of iCloud services requires El Capitan and iOS 9 to be installed on all the user’s devices. This causes issues in environments where legacy machines are used and where others have not upgraded at the same time."
4. Mac users still need to learn Windows lessons
Andrew Avanessian, VP at Avecto, said:
"For years many Apple users have watched as the Windows community is hit by large numbers of exploits and attacks. Whereas Windows users are used to seeing attacks that bypass features such as user account control (UAC) and circumvent Windows defences, Mac users are totally unprepared.
"With Gatekeeper being simply bypassed, it is time for organisations to consider layering extra defences on top such as privilege management and application control in order to mitigate attacks and prevent unwanted content from executing. Whilst Macs have come a long way in the past 20 years the security offerings have stood still – even the major vendors offer little more than basic antivirus.
"Users should be given the least privilege necessary to perform their job, so remove those admin accounts and only allow necessary tasks to run with admin rights.
"Then, control what should and shouldn’t run on OS X: you can allow all the corporate software to run and prevent unknown applications and threats being introduced."
5. Apple needs to make security a bigger talking point
Ian Trump, Security Lead at LOGICnow, said:
"Apple has clearly followed Microsoft’s lead in moving some – but not a lot – of the enterprise security features in the latest Mac OS, El Capitan. The question that everyone should be asking themselves is, is Apple finally admitting Macs can get malware infections?
"In my opinion no, although according to a number of security researchers, Apple could be doing a lot more to safeguard Mac OS users.
"It would be great to see Apple give an admission and recommendation to use malware defences – just like the PC platform – because if the good guys are looking at the poor security of OS X, you can be assured the bad guys are too."
This article is from the CBROnline archive: some formatting and images may not be present.