4 things to consider when allowing Macs into your business

Mac Malice

Macs are starting to make serious headway into corporate networks, but they’re bringing some challenges with them.

You want to get the best from your users by allowing them the tools and devices they prefer to do the job, but you need to weigh up the costs to the business in doing that.

We take a look at four things you’ll need to deal with if you’re considering bringing Macs into your corporate network:

1. Manageability

One of the biggest issues with allowing Macs into your corporate environment is that your sysadmins don’t have the same visibility with them as they do with Windows systems.

Windows has decades of massive corporate deployments under its belt, and Macs just don’t have the same culture and software built up around them. As a consequence, it’s more difficult to centrally manage Macs.

For example, rolling out a patch to every one of your users’ machines just isn’t as easy with a fleet of corporate Macs as it would be with Windows machines.

The culture part is important too – the fact is that there are many, many more Windows admins than there are Mac admins, so there’s more choice when it comes to recruitment.

The skill sets and tools needed to manage Macs are less well established, and a lot of companies that are just getting to grips with corporate Mac deployments will need sysadmins who can handle both. In reality that probably means they’ll have Windows admins who have picked some Mac stuff up along the way.

Your Macs need to be just as secure as your Windows machines and that means you need to deliver the same standard of support. Even if your employees use Macs on a BYOD (Bring Your Own Device) basis, you still need to know enough to stop them being a risk to your corporate assets.

A single serious outbreak or breach on your corporate network can cost huge amounts of time and money so if you are serious about deploying Macs then it’s worth spending time to find the best software, and training staff up to the standards you need.

2. A false sense of security

Some users have a false sense of security when it comes to Macs so, just in case it needs repeating one more time, tell your users that Macs get viruses too.

And, of course, Macs and the software that runs on them are just as likely as any other piece of software to harbour vulnerabilities like FREAK and Shellshock.

Remind your users that Macs are not protected by an invisible force field, and that in addition to getting their own viruses they can be an infection vector for Windows computers – carrying viruses into your corporate network for your Windows machines to catch.

A false sense of security isn’t just misguided; it’s dangerous because it stands in the way of users doing the things that IT can’t do for them such as choosing good passwords and being suspicious about links in emails.

Everyone inside your company that uses a computer has a role to play in keeping that company safe, and nobody’s computer is inherently safe no matter if it’s running Linux, Windows or OS X.

The only way to shift that false sense of security is by meeting it head on with user education. Changing people’s perceptions can be difficult and it can take a long time so be prepared to say the same things over and over again…

3. Theft

Apple hardware is expensive and desirable which can make it a more tempting target for thieves.

Once a laptop (any laptop) is in the hands of a criminal it doesn’t matter how good the password is unless the machine is using full disk encryption.

If the hard drive is encrypted, then the data on it is nothing more than the computer equivalent of shredded cabbage. You may have lost a laptop but you haven’t lost control of the data on it, and that can be many times more valuable.

Without full disk encryption, a thief can simply mount the disk from a stolen computer on a Linux machine and bypass the password completely.

Centrally managed encryption is built into Windows but while all Macs come with FileVault full disk encryption, you’ll need to find third party software that can manage it across your network.
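As an illustration of the visibility problem described above, the following added example (not part of the original article, and not Sophos code) audits FileVault state across a fleet from the text each Mac prints for `fdesetup status`. It assumes some collector has already gathered one `host|status` record per machine; the host names and the sample inventory are constructed, and the matched strings are assumptions about the usual wording of `fdesetup` output.

```shell
#!/bin/sh
# Added example: flag Macs whose FileVault full disk encryption is not fully on.
# Input records look like "host|status text", where the status text is the
# output of `fdesetup status` flattened to one line (for instance with
# `fdesetup status | tr '\n' ' '`). The record format is an assumption.

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY='mac-001|FileVault is On.
mac-002|FileVault is Off.
mac-003|FileVault is On. Encryption in progress: Percent completed = 41
mac-004|'

# classify_fv_status "<status text>"
# Prints one of: encrypted, converting, unencrypted, unknown.
classify_fv_status() {
    case "$1" in
        # Checked first: a disk that is still converting is not yet protected.
        *"in progress"*)       echo converting ;;
        *"FileVault is On."*)  echo encrypted ;;
        *"FileVault is Off."*) echo unencrypted ;;
        # Empty or unexpected text: the machine did not report, so do not trust it.
        *)                     echo unknown ;;
    esac
}

# audit_fleet
# Reads "host|status" records on stdin, prints "host verdict" for every host
# that is not fully encrypted, and returns non-zero if any were found.
audit_fleet() {
    failures=0
    while IFS='|' read -r host status; do
        [ -n "$host" ] || continue
        verdict=$(classify_fv_status "$status")
        if [ "$verdict" != encrypted ]; then
            echo "$host $verdict"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_fleet ||
    echo "hosts listed above are not fully encrypted"
```

Treating a missing report as a failure matters here: a stolen laptop that never checked in is the case where you most need to know whether the disk was encrypted.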

4. The cloud

When configuring a user’s new Mac, one of the first things you’ll probably ask them to do is to enter their Apple ID and password.

If that user already has an iCloud account, that could easily lead to corporate data ending up on iCloud, protected by a password that was created without a thought for your corporate password policy.

If users set their Mac to automatically back up to the cloud, they may not even be aware that they’re storing important company data there and, as we saw with the celebrity photo hacks in 2014, iCloud is no more protected by a magical force field than any other Apple product.

Keep reminding your users about the importance of strong, unique passwords and ask them to use two-step verification on their iCloud account if they have one.

The bottom line

Macs are inside the corporate network and they’re not leaving any time soon. The skills and tools needed to manage them are out there and improving but they’re not as readily available as they are for Windows, yet.

Sophos can help, by the way – at Naked Security we normally avoid product endorsements in our news articles but it would be plain odd if we didn’t mention that we can help you manage full disk encryption and anti-virus across your Macs.

7 deadly IT sins

‘Mac Malice’ is one of Sophos’s 7 Deadly IT sins. You can read more about that and the 6 other sins here.