Companies struggle as Safari pops up on networks

Discussion in 'MacBytes.com News Discussion' started by MacBytes, Apr 6, 2008.

  1. macrumors bot

    Joined:
    Jul 5, 2003
    #1
  2. macrumors 6502

    Joined:
    Nov 8, 2006
    Location:
    Earth.
    #2

    Hum, Why is the admin allowing users to install software then? Where I work, only users with windows admin rights can install software, us normal users can not do so.
     
  3. macrumors 6502

    Joined:
    Jun 11, 2007
    Location:
    The Netherlands, Europe
    #3
    Hmm the dumb thing is that that is a bank, and Safari got installed trough Software Update, means they have iTunes installed (or Quicktime). Now what the hell do these programs do on bank computers?

    Fools:D
     
  4. macrumors 604

    clayj

    Joined:
    Jan 14, 2005
    Location:
    visiting from downstream
    #4
    I guess you guys are missing the point that there is a huge difference between installing an application like iTunes or Quicktime, which has a very specific purpose, and a web browser like Safari, which provides a much larger amount of functionality.

    As someone who has to work on user machines on a daily basis, I can tell you that many companies do allow their employees to install almost anything they want from an application perspective. But they usually demand that their users use a particular web browser, if for no other reason than to simplify supportability issues.

    It was a mistake for Apple to bundle Safari in with the Apple Software Update. A lot more IT admins are going to start blocking iTunes and Quicktime from being used, if for no other reason than to prevent users from accidentally upgrading their web browser to Safari.
     
  5. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #5
    Another question one might ask is why do these IT people consider Safari a security risk when they are already using the most vulnerable browser on the market.
     
  6. macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #6
    It seems very foolish to allow users to install just any application they want. They shouldn't have had the privileges to install Safari to be honest.
     
  7. macrumors G3

    clevin

    Joined:
    Aug 6, 2006
    #7
    After blaming everybody else, admit apple is making bad PR mistakes.

    No need for me to remind you guys, just because windows have been troubled by too many malwares, windows users are VERY sensitive to these type of things.

    Not to mention the quick discover of 2 security holes (still unpatched?) of windows version of safari.

    Windows side is a cruel world, people aren't that forgiven.
     
  8. macrumors 68020

    sparkleytone

    Joined:
    Oct 28, 2001
    Location:
    Greensboro, NC
    #8
    So they can continue to use whatever browser is required. From everything I have read, the Safari installation does not change the default browser setting.
     
  9. macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #9
    Maybe, this certainly isn't the way forward from a business perspective. But I still think its pretty bad the user in a company is allowed to install their own apps anyway, especially if they aren't updates, as that can easily lead to spyware. I wouldn't use a bank who allowed their employees to install new applications without permission from IT.
     
  10. macrumors 65816

    steveza

    Joined:
    Feb 20, 2008
    Location:
    UK
    #10
    A major feature of Windows security is the ability to control user machines with policies. The problem with Safari compared to IE is that it doesn't apply Windows policies and therefore creates a security risk. For example I would use policies to force users to connect to to the Internet via a proxy server that filters and monitors web usage. If they had Safari they could change their settings to avoid this restriction.

    However as stated by others in this thread I would also prevent users from installing stuff like iTunes in the first place.
     
  11. Sly
    macrumors 6502

    Sly

    Joined:
    Nov 30, 2003
    Location:
    Airstrip One
    #11
    So if these users have iTunes installed then it probably means they are using it with their iPods too. Hmm portable hard drive - Bank computer system, no security threat there then :confused:
     
  12. macrumors 68000

    BongoBanger

    Joined:
    Feb 5, 2008
    #12
    We had people who installed iTunes on their PCs. I said 'had' because most of them were fired.
     
  13. macrumors 6502a

    cohibadad

    Joined:
    Jul 21, 2007
    #13
    Clevin is big on getting everyone to admit something. Admit Apple is making bad PR mistakes. Admit the MBA was hacked. I'll admit some people are morons and there is no pleasing everyone so why even try. I'll also admit that most IT departments are so bonded to Microsoft that any deviation drives them to conniption fits.
     
  14. macrumors regular

    Joined:
    Jun 15, 2007
    #14
    I'm sorry but only an A$$ clown of an IT admin would allow anyone at a bank download/install anything. If I were a customer at that bank I think I would be moving my money someplace else. What would a bank have Itunes on their computers for anyway. No your tellers don't need to be listening to music, not that way anyway, thats what a radio is for. Shoot I work in a hospital and you can't believe how locked down things are.

    Rj
     
  15. macrumors G3

    clevin

    Joined:
    Aug 6, 2006
    #15
    Its more civil, as I always do, discuss a topic within limit of that very topic. Targeting the topic, rather than targeting the person. If you want to jumbo everything to analyze me, sorry, I don't do personal attacks. enjoy yourself.
     
  16. Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    Whakatane, New Zealand
    #16
    I haven't installed Safari for Windows through Software Update but I have installed it manually. One of the questions it asks is "Do you want to install Bonjour?" and it's enabled by default. Are you still asked when using Software Update? If not, does it automatically get installed? I'd be paranoid if Software Update is automatically installing software which is bound to increase network traffic.

    As for offering Safari in the first place, I believe that while it's good to have a one-click installation, it should be opt-in rather than opt-out. Apple should also have a centrally-controlled policy option that allows administrators to disable Software Update.
     
  17. macrumors member

    Joined:
    Jan 28, 2008
    Location:
    MA
    #17
    Apple can't be FAULTED, per se...

    Having worked for a software company I'll advocate slightly for Apple in this case. It seems pretty clear that they made a business decision to try to expose more people (ie, the bazillions of iTunes users) to a new-ish product (Safari for Win) by showing the option to install it during a regularly-scheduled software update. I see no sin in this. The user can simply uncheck the box and not install Safari. Obviously many Windows users were unfamiliar with Safari and/or didn't know if it was a necessary component of iTunes and/or just plain click "Ok" to the software update anytime it pops up. Also understandable; but I contend that it remains the user's responsibility to control what is and isn't installed on their computer (or that, by proxy, the IT department of that user's company). If you choose not to read the description of what it is you are installing, or if your company doesn't dis-allow installing a specific app (like Safari) then you can't really hold a company (like Apple) responsible for making it possible to install that software.

    Apple has not forced anyone to install Safari, nor have they sneakily allowed it to install without the user's knowledge. The only thing they might have done to make the process more "idiot-proof" would be to add some sort of pop-up reading "Are you SURE you want to install Safari?" And it's entirely possible that such a pop-up was considered, but then deemed overkill. If this is REALLY such a problem (and I suspect it's not) I suppose Apple could add such a pop-up validator for the next release, but while it would appease those "burned" by the Safari install it will also annoy the heck out of others :rolleyes:
    So it comes back to the age-old truth: you're damned if you do and damned if you don't :D
     
  18. macrumors 6502a

    cohibadad

    Joined:
    Jul 21, 2007
    #18
    There are indepth discussions about this otherwhere on this forum. I chose to install Safari on all my Windows boxes before it was available on Software Update so I can't confirm this: apparently if you uncheck the box it will repeatedly remind you to install Safari unless you do something else to disable the reminder. I think if it was a simple uncheck most would be satisfied but having it harrass you until you reflexively install Safari to make it go away crosses a line.
     
  19. macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #19
    I haven't heard that. I don't think it badgers you until you install. If it does that's pretty crazy!

    I think the complaint people have is simply that you have to uncheck the box at all. The box should be unchecked by default.

    It may grate on some people to call any Apple mistake "small," but this does seem like one of the small ones! Still worth learning a lesson for the future though.
     
  20. macrumors 603

    solvs

    Joined:
    Jun 25, 2002
    Location:
    LaLaLand, CA
    #20
    With the most recent update, it asks but you can tell it not to ask anymore.

    And yeah, you have to have admin rights, so I'm also wondering why anyone who isn't locking down their users PCs is complaining if it's such a security risk (ignoring the giant security risk that is still IE, which I also suspect many are still using IE 6).
     
  21. macrumors 68040

    Joined:
    Jan 15, 2008
    Location:
    Holocene Epoch
    #21
    Uh, the solution to that is to only allow proxy connections through the internet. This is simple to implement. Then the only way out (with IE, Firefox, Safari, etc.) is through the proxy. If you didn't then even IE users with admin privileges could bypass the proxy with regedit.

    I'm with the previous poster, the real spyware risk is with IE not Firefox or Safari.
     
  22. macrumors regular

    Joined:
    May 2, 2002
    Location:
    Arizona
    #22
    If you are attempting to enforce network access path rules via an operating system then you should be fired. You control network access in the network.
    As the previous poster mentioned, you disable direct access to the web and force all traffic through a proxy server. There's no client or server setup, you enable transparent forwarding of all web traffic through a proxy.
    There's no way admins, execs or hackers can get around it. You can't install another application and get around the proxy either.
     
  23. macrumors member

    Joined:
    Feb 27, 2008
    #23
    Everyone's picking on poor Cody. As someone who works in the IT department of a credit union, I have to step in here. Our host system (the banking software we use) REQUIRES users to have admin privileges in order for our branches to connect to our host server using a proprietary VPN system. It's not an ideal situation but the software works great, the vendor is reputable and has a long list of clients, and really, it's not that big of a deal. We remove all removable storage drives, disable USB ports through the BIOS and then password protect it, strip out files from emails, lock down internet access, etc. So even though users have permission to install software, it's almost impossible to get installation files onto the computer to install in the first place. But for smaller IT departments with less resources, this could be a serious problem.

    For comparison, consider that Cody's bank has eight branches in three cities and the credit union I work for has twenty-four branches in eight cities. We're three times the size of them and including myself, there are five people in my IT department and two of them are developers. Considering that it took him, "the better part of a week" to remove Safari from a mere 30 computers, I wouldn't be suprised if Cody was the ONLY IT employee working at Soy Capital Bank and Trust, and I imagine he barely has the time or the resources to keep his computers up and running, let alone lock them down.

    Point being, you have to take things into perspective. Just because he uses the word "Bank" doesn't mean he works for Bank of America with hundreds of IT employees and money flowing out of their ears. If you work for a company whose computers are locked down, good for you. Not everyone can afford IT employees who even know how to do that and the ones who can don't always listen to their IT employees. It took me four years to convince my board of directors that a proxy server was worth the money...
     
  24. macrumors 68000

    BongoBanger

    Joined:
    Feb 5, 2008
    #24
    The only people at fault here are the system admins. As has been mentioned, downloading executable files should be blocked from any corporate network. This isn't Apple's fault because iTunes shouldn't be on these PCs in the first place.
     
  25. macrumors 603

    solvs

    Joined:
    Jun 25, 2002
    Location:
    LaLaLand, CA
    #25
    If that's the case, especially if they have end users who have admin rights who aren't in IT, then they need more IT employees. They're worried Safari might be a risk. Meanwhile, if they're using IE6, it's a little disingenuous to be so worried, no? Especially if they tell the employees not to install things like QT/iTunes, and/or specifically tell them to not use Safari. Which they should if they don't want them to be using it. Also, if it gets installed and the user never uses it, there's no security threat. And IE and FF also have security threats, why the lack of concern there?
     

Share This Page