Apple Simply 'Gets' Removable Media

By building the ability to control access to removable media into Workgroup Manager, Apple improves security down to the client level.

Lately, I've been seeing a spate of articles and products designed to deal with the problem of removable media and drives. Now, this isn't a new problem. There have been removable media for decades, and the security involved with those devices has always been tricky.

It's also not just a strict security issue. Things like SOX, HIPAA, and GLBA make the management of, and access to, removable media critical. However, there are a couple of factors that contribute to this new awareness.

First, removable media is now cheap and small. Face it, when your choice was a hard drive in a case that weighed 10 pounds and sounded like a jet engine, you weren't sneaking that in anywhere. But now, I can get a 1GB USB Thumb Drive for under $25, and a 16GB version for $500.

Maybe 1GB or even 512MB doesn't seem like much now that we have 750GB hard drives, but a thumb drive is a rather tiny thing that is easily hidden.

Look at an iPod Shuffle, and tell me how hard it is to hide. Some of them aren't obvious in shape. I have a 512MB version that's a pen. Literally. Looks like a big pen. Very nice to write with, good weight, good balance, and enough space to hold a lot of Word and other critical files. If you saw it in my shirt, you'd not give it a second thought.

Secondly, these things are not just small, they're fast. USB 2.0 Hi-Speed signals at 480 Mbit/s, and a thumb drive in burst mode will eat all of that bandwidth it can get. You can do a lot of copying at that rate, and it won't be very obvious what you're doing.

So we have small, fast media that's cheap and easily available. The final factor in this sudden increase in concern is ease of use.

Now, on the Mac side, we've had this for decades. We've had alternate removable boot drives and removable drives, and they were pretty easy to use. At worst, you needed a driver.

But even with SCSI, it was plug and play (once you'd checked your SCSI ID and termination). Up until Windows 98, and really Windows XP, doing that kind of thing effortlessly, or even close to it, was pretty rare. These days? Plug it in and it just works. This is great for users, and a rather large southern pain for sysadmins.

Luckily, on the Mac side, if you are using Apple's Workgroup Manager utility (aka Managed Client for Mac OS X, or MCX) along with Open Directory or some other directory system to manage your Macs and your users, this problem is pretty simple to take care of. As it turns out, Apple built the ability to control access to removable media into Workgroup Manager, and this lets you push the desired settings out to your clients.

One note here: To take advantage of MCX, you pretty much have to be in an Open Directory situation, or you have to have the MCX schema extensions added to your directory service.

You're also going to need at least one Mac with the Mac OS X Server Admin software running on it. This can be any Mac on your network, but it's got to be a Mac. (Some of this may be doable through Centrify's Active Directory plugins and software, but I've not had a chance to look at that solution yet.)

This is accomplished via Workgroup Manager's managed preferences, which are roughly analogous to Active Directory's Group Policies. Managed prefs can be applied to groups of computers (computer lists in Workgroup Manager parlance, handy for public-use machines), to a group of users, or to an individual user.

Manage By Group Preferences

In general, try to avoid user-level preferences; they can make things overly complicated. I tend to prefer managing by group; it's more flexible. Just be careful you don't have conflicting preferences between groups with common users, because a user who belongs to two groups with different Media Access settings gets whatever the combination rules produce, and that is rarely what you intended.

In the Preferences tab, there's an option for "Media Access". Selecting this allows you to set the usage rules for optical disc media, internal disks and external disks. (External disks are "everything that's not an internal or optical disk".) You can allow or disallow CDs and CD-ROMs, DVDs, and recordable discs. If you do allow them, you can require authentication before they can be used, which is handy for keeping track of who is using them.

With internal and external drives, you get the same settings, with one addition: you can set them to mount as read-only media. So even if you allow people to hook up various kinds of external drives, you can require an authentication step before they can be used, and then lock them down to be read-only, which stops data from being copied off the Mac while still letting people bring files in.
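To see what those Media Access choices look like once they leave the Workgroup Manager GUI, and to check a whole fleet's exported settings for the loose configuration the previous two paragraphs warn about, here is an added audit script. It is example code written for this article, not Apple's code or anything shipped with Workgroup Manager. It assumes the layout MCX uses for this pane as I understand it: the settings live in the com.apple.systemuiserver preference domain under a "mount-controls" dictionary, where each media class (cd, dvd, blankcd, blankdvd, dvdram, harddisk-internal, harddisk-external, disk-image, all-other-removable-media) maps to an array of policy strings drawn from "deny", "authenticate", "read-only" and "eject". Verify those key names against a plist exported from your own server before relying on the check. Both sample plists below are constructed for the example; the "weak" one is the everything-allowed state the article describes, the "hardened" one is the authenticate-plus-read-only policy it recommends.

```python
"""Audit MCX Media Access ("mount-controls") settings for loose media policy.

Added example for this article; not Apple's code.  Key names and policy
strings below are assumptions about the MCX com.apple.systemuiserver layout
(check them against your own exported plist).  Sample plists are constructed.
"""
import plistlib
from typing import Dict, List, Tuple

# Media classes a user can write to, and therefore copy data onto.
WRITABLE_CLASSES = {
    "blankcd", "blankdvd", "dvdram",
    "harddisk-external", "disk-image", "all-other-removable-media",
}
# Pressed optical media: read-only by nature, so only authentication matters.
READ_ONLY_OPTICAL = {"cd", "dvd"}

# Constructed sample: the "it just works" state.  Empty arrays mean no
# restriction; only DVDs prompt for authentication.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mount-controls</key>
  <dict>
    <key>cd</key><array></array>
    <key>dvd</key><array><string>authenticate</string></array>
    <key>blankcd</key><array></array>
    <key>blankdvd</key><array></array>
    <key>harddisk-external</key><array></array>
    <key>all-other-removable-media</key><array></array>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the policy the article recommends.  Pressed discs need
# authentication, burnable media are denied, external and image volumes need
# authentication and mount read-only.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mount-controls</key>
  <dict>
    <key>cd</key><array><string>authenticate</string></array>
    <key>dvd</key><array><string>authenticate</string></array>
    <key>blankcd</key><array><string>deny</string></array>
    <key>blankdvd</key><array><string>deny</string></array>
    <key>dvdram</key><array><string>deny</string></array>
    <key>harddisk-external</key>
    <array><string>authenticate</string><string>read-only</string></array>
    <key>disk-image</key>
    <array><string>authenticate</string><string>read-only</string></array>
    <key>all-other-removable-media</key><array><string>deny</string></array>
  </dict>
</dict>
</plist>
"""


def audit_mount_controls(plist_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (media_class, problem) pairs for every class that is mountable
    without authentication, or writable when it should be read-only.

    A class absent from mount-controls is treated as unmanaged, i.e. allowed
    with no restrictions (assumption about MCX semantics).
    """
    prefs = plistlib.loads(plist_bytes)
    controls: Dict[str, List[str]] = prefs.get("mount-controls", {})
    findings: List[Tuple[str, str]] = []
    for media in sorted(WRITABLE_CLASSES | READ_ONLY_OPTICAL):
        policy = set(controls.get(media, []))
        if "deny" in policy:
            continue  # cannot be mounted at all; nothing to flag
        if "authenticate" not in policy:
            findings.append((media, "mounts without authentication"))
        if media in WRITABLE_CLASSES and "read-only" not in policy:
            findings.append((media, "mounts writable; data can be copied off"))
    return findings


def flagged_classes(plist_bytes: bytes) -> List[str]:
    """Distinct media classes with at least one finding, sorted."""
    return sorted({media for media, _ in audit_mount_controls(plist_bytes)})


if __name__ == "__main__":
    for label, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(f"{label}:")
        for media, problem in audit_mount_controls(blob) or [("-", "no findings")]:
            print(f"  {media}: {problem}")
```

On a 10.5 or later client the composited result of all the group and computer-list settings lands under /Library/Managed Preferences/, so pointing this script at the com.apple.systemuiserver plist from there tells you what a given user actually got after the combination rules ran, which is the quickest way to catch the conflicting-groups problem mentioned above.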

Now, this isn't foolproof. If you are familiar with how Macs, Mac OS X, and MCX work, you can eventually bypass this; the managed preferences are enforced by the running OS, so anyone who can boot the machine from other media or put it into Target Disk Mode sidesteps them entirely. But that's going to require extra work, and some time sitting in front of the machine. With some extra steps like not handing out administrator-level access and setting the Open Firmware password (the firmware password on Intel Macs), you can make bypassing this rather tedious and time-consuming.

So yes, you do have to start thinking about managing external media and drives, but at least Apple gives you the basic tools to do so. Not bad at all.

