How do you like them Apples?
I admit, back in 2005, I was the one in our office that decided to ‘Think Different’ and be ‘the annoying guy with the Mac.’ It wasn’t about computer snobbery (honest). For me, ‘Different’ meant cutting through the daily PC treacle, getting stuff done. No viruses or malware, lightning fast start-up times, rock solid reliability, no pre-loaded bloat-ware and no late night quarterly Windows re-installs.
A decade of mass-consumerisation later (with a proliferation of iClouds and Garage Bands etc), MacOS had lost its sleekness. The Mac OS user experience had become not a whole lot ‘Different’ from that of a PC. When Windows 10 arrived, I was relieved to go back to ‘Bill’s best OS yet’.
Today, at FastTrack Software, I am regularly supporting customers that run Mac OS. It’s no longer the case of there being ‘just one annoying guy’ either. There are now departments full of them.
That said, Macs are still very much in the minority. Your typical Windows-educated IT staff still view the workplace Mac with a general sense of ‘dis-location, with a tinge of envy’. Users of the sleek silver slithers may feel like they work on their own little islands, but for the IT staff managing them, these islands are no paradise, more like purgatory!
Security auditors: they don’t do ‘different’
The problem, though, is that today, when it comes to network security, it’s no longer OK to say "Let’s just leave the Macs".
Whether you are running Windows or Mac, there are still security standards and frameworks to comply with, such as UK Government ‘Cyber Essentials’ or ISO 27001. Security conscious organisations know that to pass audit, everyone needs to adhere to ‘The principle of least privilege’.
Newsflash! There is no special opt-out for the Mac User! In terms of security compliance, it is most definitely NOT a case of ‘Thinking Different’. Just like us PC users, the Mac user no longer gets the luxury of Local Admin. Unbox that directive, Mac-heads!!!!
TeamViewer on Mac OS Mojave: you do... I view!
On that intro-backdrop, let's jump to the inspiration for this blog.
Today I made what was supposed to be a straightforward pre-sales call.
The customer was running Mac OS 10.14 Mojave, and wanted a bit of a 'share and learn'. For these tasks, I like to use TeamViewer's extremely handy ‘Quick Support’ system.
- Customer goes to our Quick Support URL
- Downloads a file
- Clicks on the file
- Grants control
- .. and done!
This has always been a bullet proof, plugin free, remote control solution. It never fails. Quick support indeed.
I got ready to take the customer through some of the Mac functionality of our Admin By Request Privileged Access Management software, and after the TeamViewer Quick Support session opened, I suddenly realised, after clicking the mouse furiously… I had… no control. Arrgh!
Unlike other screen sharing apps, with TeamViewer you don’t need to ask the other side to give you control of mouse and keyboard after session start. Once you get allowed in, you get full control. So there was I, helpless to help. I could ‘view’ but I could not ‘do’.
After trying various disconnection / re-connection / rebooting shenanigans, and with the customer still hanging, I did what all good pros do and resorted to a quick Google. And did I recoil in horror after reading the top hit!?!
It turns out that, due to a fantastic new security feature in Mojave, TeamViewer QuickSupport isn’t that quick anymore. To get remote control working now, you first need to edit Security Preferences > Privacy and tick a box. Sounds easy enough, right?
But here’s the killer. To do this, your user needs…. Local Admin! The very thing you are likely to need when remoting in to do something for your user!
How fortunate for me, that this customer demo was all about how to use and observe the benefits of our Admin By Request Local Admin elevation solution!? My suitably impressed trial user used Admin By Request to self-elevate, fix TeamViewer, and soon I was not just in, but on. Talk about the perfect use case for a demo of Admin By Request right there!
When the session ended, I actually had a bit of a moment. A wave of sympathy washed over me. A metaphorical breaker, crashing in on a tide of pain surfed by the many remote desktop responders out there.
For Macs not set up right for TeamViewer (as in my case), how many unsuspecting I.T. support desk staff would get a ticket to ‘do some simple remote admin stuff’ on a Mac, only to find that on starting that session task, they could only view, not do?
They would surely be faced with the horrible choice of bestowing the Local Admin password to the user (assuming you/they knew it), or…. making a ‘local desktop’ visit.
With manually applied Local Admin lock down, and without a Privileged Access Management solution, this would be a huge problem (but as a reader of this blog, not for you!)
Admin proof your Apples (without it going Pear shaped)
Asking your IT Manager to fix your Privileged Access Management compliance headache may seem more than enough of a challenge, without adding ‘…and make sure you do the Macs too’ as a kicker of a footnote.
You’ll soon be picking off that long standing Local Admin project like low hanging fruit. Apples and all!