Security Basics mailing list archives
Re: iTunes for iPhone in an Enterprise
From: Francois Lachance <digitallachance () gmail com>
Date: Sat, 27 Nov 2010 01:59:50 -0600
So nobody sees an issue with the number of security-related bugs in iOS, or the fact that at one time you could be jailbroken just by browsing a web site, or by the fact that you have no way to control what apps your users can install? At least with a BlackBerry BES I can control any aspect of the devices centrally. I don't think that's possible on the iPhone, at least not without a third-party add-on.

It seems like every update released by Apple for the iPhone contained at least one security vulnerability fix. Not so for the BlackBerries. There have been a few vulnerabilities on the BES (all related to the PDF rendering), and all that was required was to upgrade one server, not every device. I am not saying that there are no bugs in BlackBerry devices, but so far, none that have had a security implication.

Am I being paranoid here? Please someone set me straight if I'm wrong here.

Thanks,
Francois

On Tue, Nov 23, 2010 at 5:31 PM, Florian Rommel <frommel () gmail com> wrote:
Actually with the release of iOS 4.2 and a little bit of tinkering we have our iPhones more secure than most of our HTCs, Windows mobiles or even device managed Nokias. Exchange remote wipe and MobileMe find my phone service are very nice additions.

However, we follow the same principle. IT has an iTunes Machine, everyone else has nothing and cannot do anything. We had a few incidents where people connected their iPhones to their home PC and wiped them to hook them up to their iTunes in order to jailbreak or app install. This caused several disciplinary actions up to a dismissal in one country. Since then it has been nice and smooth.

I don't see what the fuss is about anymore. With passcode wipe and remote wipes and lock settings it's all ok on our end... So far that is..

//f

On Nov 24, 2010, at 12:01 AM, Teena Horne wrote:

J. Teddy,

Just wondering, what is the need for iTunes to be available in the corporate environment just because you use iPhones? In our environment we support Windows Mobile, Androids, or iPhones. No one here has iTunes installed on any business PC for their iPhones and they don't need it. One machine has it so I can activate the iPhones when we first get them.

Adrian,

I certainly agree with your assessment of the iPhone for a corporate environment, but I was shot down for keeping them out on account of the Exchange server can remote wipe the phone.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adrian J Milanoski
Sent: Saturday, November 20, 2010 12:56 AM
To: J Teddy
Cc: security-basics () securityfocus com
Subject: Re: iTunes for iPhone in an Enterprise

Hi,

Sorry to burst your bubble about your iPhone in the corporate world but I personally would not even attempt the iPhone/iTunes in the corporate world. It was never designed for that. Personally I have and use an iPhone; it's great as a 'personal' phone and no more.
Having the ability to deploy and manage the security aspects of things is much more important than applications. Blackberries have dominated that market and allow you to do and manage everything centrally with a BES server. Both Apple and RIM took different routes with their business, personal and enterprise.

Honestly I don't mean to be negative about this but, if you're talking this to an enterprise you've got to think about Confidentiality, Integrity, and Availability.

I have heard of companies wanting to deploy iPhones, but I don't think anything came of it due to these restrictions. I would be interested in if anyone else has.

Thanks,
Adrian
_________________
Sent from my iPhone

On 2010-11-17, at 7:54 PM, J Teddy <jteddylists () gmail com> wrote:

Yes, my organisation is a little slow off the mark, and we are now looking at deploying iPhones.

Currently it appears management is not comfortable with users having iTunes installed on individuals' machines. I am not sure what these concerns are. Apparently other organisations have solved this issue with using kiosks, and this is the golden bullet that CIOs are talking about in their circles. A kiosk is simply just an internal computer that can be used by any employee, and has iTunes installed.

If my understanding of iTunes is correct, I had some concerns and wish for your advice, help, and to understand what you did in this instance of managing iTunes.

My concern is: if all corporate users are to share a single instance of iTunes on a public kiosk computer they will all be required to share an iTunes account. This will involve all users knowing the username (an e-mail address) and password to the account. The downfall in this scenario is if a user wishes to purchase content through iTunes the same content will be shared among all the users. Further investigation needs to be taken if this breaches Apple's acceptable use policy.
There may also be implications if the user stores their credit card information for the iTunes account.

A logical solution would be to assign an iTunes account to all users on the kiosk. Unfortunately this can cause similar complications to the above. All the purchased or downloaded content will be on the iTunes library which other users will also be able to transfer to their device (re. investigate acceptable use policy). If an upgrade to a purchased application is released and a user other than the original purchaser wishes to upgrade the application they will be required to enter in the iTunes account username and password of the original purchaser.

Individuals will also rely on iTunes to create backups for their device. These backups must be encrypted, or another user could restore their device using another user's backup, revealing private information stored on their device.

If you know anything about the legal side, it would be great to reference straight from Apple Policy, as I need to find something in writing. I have only found the below at this point in time.

* Your Account *
"As a registered user of the Service, you may establish an account ("Account"). Don't reveal your Account information to anyone else. You are solely responsible for maintaining the confidentiality and security of your Account and for all activities that occur on or through your Account"

Thank you all for taking the time out to read my mail, and kudos for those who help.

Mr. Lacanian