Slashdot Mirror
Apple's iOS 9 Breaks VPNs
An anonymous reader writes with a report from The Stack that researchers have discovered a crucial security problem in the latest version of iOS 9: it breaks VPN connections to corporate servers. According to the linked piece, "The flaw was first detected in the iOS 9 beta, and has not been fixed in the released version. Neither has the bug been removed in the current iOS 9.1 beta." The workaround might not be what you want to hear, either, if you've happily upgraded to the latest version: it's to downgrade to iOS 8.4.1.
All the C-levels will be disconnected so we can get work done.
And here I thought Apple was a true business player.
What bothers me most about things like this is trying to relate it back to what is supposed to have changed in the latest versions. I can't think of anything in iOS 9 that should have touched code like this, which makes me wonder about the state of source control.
Happy to be wrong, but Apple have had a few regression-type bugs before which again make me think their branching/merging strategies may not quite be up to snuff. Would like to be wrong though - anyone know of a changed area in iOS 9 that would have necessitated playing with something like this?
Makes you wonder why:
1. Cell manufacturers are moving to devices that cannot be truly turned off by removing the battery.
2. Android after 4.4 broke persistent VPN support.
3. Now iOS 9 breaks VPN support.
Coincidence? Who might prefer to have a citizenry carrying locator beacons that cannot be turned off and where encrypting all data communication has been disabled?
Everyone knows that Macs just work, more Micro$oft FUD.
Yes, please use Android.
Whoops: https://code.google.com/p/andr...
BlackBerry wins again. Boom
They have a LOT to do. We have had to switch our clients over to a chip and pin AD login from a regular local account. There is no easy way to do this, We can't apply the new security to the old accounts directly, or so I am told, so we have had to make another account and then "port" the old account data into the new one. Time machine broken, because it is protected by UID, no matching UID no backup, period. Keychain wonkiness, everything you know can go wrong with a keychain, has. Dropbox broken, easily fixed, but still... The best part, when 10.11 comes out no one can update because it will break al the chip and pin stuff and users won't be able to login. We have had to send 2 FAQ's on dealing with the asininity of all of this, and we are still stumbling across issues. One of my co-workers is tasked with something to do with programmers and root, that does not like these new accounts. No, I am not helping with that crap. BTW, when this happened with windows, they just pushed a package that did all the wizardry, which was simply installing a card reader driver, and a script that made sure that if there was a matching local account UID that it inherited that account.
That brings me to the next issue, patch management, or rather the lack of it. When 10.11 comes out we have to hope everyone listens, because otherwise we're playing fun account movement games after downgrading them back to 10.10. users cannot install printers now, we have people bringing their printers in to work, so that we can install them. We have to patch everyone manually as there is no way to manage them with what we have.
IT has been an absolute mess, and the boss, who is normally ok with letting a small thing slide without a ticket, is demanding that every interaction related to this, even 15 seconds, have a ticket so that he can show the massive time costs of this nonsense.
"Science is the power of man"
Problem is DNS during split tunneling, which isn't the same as "breaks VPN."
I guess the editors are either click-baiting, are technically illiterate, or both.
Didn't see any problems with VPNs during the betas, nor with final release. This is with connections to Junos Pulse, StrongSwan/xl2tpd, and racoon VPNs.
Maybe the reason it wasn't "fixed" is it isn't an issue in the first place.
I don't know what kind of crack I was on, but I suspect it was decaf.
Don't install .0 versions of operating systems on production systems. At least, not until they've been tested and shown to work.
Workaround is to reinstall that VPN software on your iOS device.
Jesus Christ. If you're going to come up with conspiracy theories, at least try to provide some small degree of evidence. It doesn't even have to be convincing. Just some shred of evidence, rather than nothing at all!
It's because consumers demand thinner, cheaper devices. That means that the use of physical space must be optimized, even down to tenths of a millimeter, and the cost reduced to a bare minimum. Non-removable batteries take up less space, and are cheaper. Therefore they are used instead of removable batteries.
This was merely a bug in a complex piece of software. You'd know how easy it can be to introduce these kinds of bugs, and how easy it is to accidentally overlook them, if you had ever worked with the Linux networking stack's code, or the code to VPN systems.
Again, merely a bug in a complex piece of software.
You come off as a complete kook when you make allegations, but then fail to provide any evidence at all to back up these allegations.
And Slashdot editors: please don't mod up baseless allegations! The parent comment is at 4, Insightful currently, and it does not deserve that rating. I don't expect much from you guys, but let's aim for not modding up total shit like parent comment, ok?
You can't downgrade if you didn't have a backup already.
IOS 9 broke other things as well. IOS 9 won't connect to hidden SSID WIFI networks either. I can verify this issue. There are some other grumblings of WPA / WPA2 connection issues for some as well.
Even some popular apps, like Words with Friends in my case don't work in IOS9.
As a long time IT professional (since the late 80s), I never quite understood the anti-Apple sentiment the IT industry, and "techy" sites such as the community here at Slashdot, often displayed. Amazingly, the old Apple "It Just Works" mantra was largely true. There are major exceptions, such as the entire 7.5 era, but overall, they were genuinely easy to use and reliable. That's all the in past. The new Apple is what MS used to be; full of moronic people designing moronic a UI (or 2) wrapped around moronic bugs. The past 5 years or so have seen Apple software go from some of the most friendly, easy-to-use, intuitive and reliable products in the world to one of the worst. If I was starting in IT today I wouldn't touch this Apple shit with a 20-foot pole. The new Apple slogan? "Apple: Computers by Morons, for Morons..."
Apple should go for the enterprise, just because it is easier to get one C-level person to buy 10,000 iMacs than it is to get 10,000 consumers to buy one iMac.
Apple does an odd dance with the enterprise. They take steps back like killing the XServe, having no machines rack mountable without a third party mounting bracket system (Sonnet's RackMac is pretty innovative), and let their filesystems languish [1]. They used to have the ability to physically remove the camera and mics from iMacs and other equipment, but as far as I know, that is gone now. Then Apple does stuff like making deals with Cisco and better ActiveSync compatibility.
Long term, the enterprise is going to be a lot more stable than consumer whims. Microsoft had a bloody quarter a couple years ago, but made it up by hiking the price on Windows Server and other enterprise items, so they showed a net profit.
It wouldn't take much out of Apple's $400 billion. First, an enterprise model line of Macs, similar to an iMac, except with the ability to easily remove the camera, and some form of vPro/iLO like system so machines can be reimaged via remote. Similar with laptops. Toss the iSight camera, add remote kill functionality like LoJack for Laptops, and a facility for remote management. Of course, a server Mac (XServe) would be useful as well for the data center.
Maybe Apple could even jump a step ahead of what is in the market. Make a rack enclosure and blade setup that is dense like a HP Moonshot, but have it for VDI. Add remote application viewing/control like Citrix, and that will make a home in many companies.
For OS X, it would not require that much. OS X would require better AD integration (so one doesn't need OpenDirectory), or maybe even Apple should toss it altogether, license AD from MS, and build that into OS X. Both Apple and MS would profit greatly by a deal like this.
Backend application wise, getting Exchange, SQL Server, and other applications onto Macs, with Apple being the one stop shop for support, would also be a coup. In the past, businesses paid great amounts to IBM so they just needed one number to call if something went pointy-end up. If Apple could provide that "any problem, one number" experience, businesses would beat a path to their door.
The end result is that a business could go to Apple, get a complete solution, hardware, OS, and application, just like consumers can do with Mac hardware, Pages, and OS X. Long term, this would be a steady way to earn revenue, no matter how crappy other parts of the economy wind up.
If Apple seriously wanted in the enterprise sector, businesses would flock to them, just as an alternative to what is out there.
[1]: HFS+ is showing its age and needs to be replaced. ZFS would be the ideal replacement. Yes, one can use OSXFuse, but having it native would be very handy.
Apple seems to be doing just fine selling 10,000 iMacs to 10,000 consumers.
They don't need any fancy hardware to crack into the enterprise market. What they have is slick and shiny, and CxO's would buy it if it worked. But it doesn't. They need either AD or something like it (system-wide support for LDAP, perhaps?) They need something to manage group policies. They need to lighten up the OSX license and allow for virtual machines running on non-Apple hardware. (Nobody is going to buy eleventeen shit-tons of iMacs when they can just fire up a VM and use terminals.)
Until they do these things (at an absolute minimum!), they're a toy-computer manufacturer only. Enterprises will treat them the way they treat people using their family SUV to haul loads for construction work: quaint, but mostly useless.
Meanwhile, everyone is learning how to make Apple's "secret sauce" and their advantage is fading quickly. Enterprise sales will continue to go to Dell, HP, and Microsoft, and eventually they'll "catch up" to Apple's latest layer of gloss. Then the enterprise customers can have their shiny and it'll actually work too!
I gave up on Apple long ago.
They did want to be in the enterprise and hence the XServe being created. They realized they just weren't aligned with the industry and the prospects were grim for return on investment for trying to change that. So they stopped doing things that required them to spend money when the returns may likely never happen.
However when Cisco and IBM want to fall all over themselves to 'partner' with Apple, Apple will take the free endorsement. Note that both the Cisco and IBM deals cost Apple approximately nothing, they just had to smile and nod and endorse it, and in exchange IBM and Cisco spend all the money/do all the work to enable iOS devices for their respective applications and even promise some of their salespeople will push the Apple story. There's no point in turning down those overtures, even if they won't work or have low chance of working, all the risk is carried by IBM and Cisco. Potential upside is Apple suddenly is a viable mainstream enterprise vendor, downside is that Cisco and/or IBM wasted their time and money, but Apple lost nothing.
So it's not so inconsistent. They'll gladly take money from enterprises, but they don't believe it's worth spending money to try at this juncture.
Both Apple and MS would profit greatly by a deal like this.
Nope, MS would only lose out. MS has business captive today, and doing what you describe would just weaken their stranglehold. Note that a great deal of what enterprises do with 'Active Directory' goes way beyond the stuff that non-MS platforms support when they integrate, and much of that other stuff does not trivially map to anything but MS's particular vision of describing capabilities. The capabilities may be there across the board, but they are just organized so differently, it would be some investment to try to be apples-to-apples in an unambiguous way.
If Apple could provide that "any problem, one number" experience, businesses would beat a path to their door.
Except that they wouldn't be that one number. It would be MS and Apple. On the OS, sure vendors provide front line support all the time. When you move up MS stack... You are going to be calling MS if you have a problem. Note that IBM is the only IT company to really have unambiguous success at the game you describe (e.g. POWER chips with AIX on top with DB2 and an unholy mess of stuff on top of it, or the mainframe ecosystem), and even then there's been significant signs of trouble there. For examples of other attempts in the industry, HP is a very notable example of trying *really* hard to get to that IBM story, but no sign of them getting anywhere near IBM's level. HP gets plenty of revenue in other ways, but not specifically in the all-in-one.
If Apple seriously wanted in the enterprise sector, businesses would flock to them, just as an alternative to what is out there.
And the problem is that they wouldn't. Businesses don't change unless they are forced to. Even then they want the change to be as slight as reasonably possible. The motivator for change is either unbelievably high risk with current environment or very well defined cost savings. There isn't any particularly strong sign of risk where Apple improves compared to status quo. For cost, passionate arguments can be had about TCO, but those are very subjective arguments that vary greatly circumstance to circumstance. In practice, businesses make decisions on concrete metrics like acquisition cost and recurring license fees. On that front, Apple doesn't have much room to be compelling and also have the margin to which they are accustomed.
Enterprise is a big uphill battle that really isn't as appealing as many would imagine. Support costs are sky high, clients have a great deal more leverage than individual consumers to drive negotiation off of 'list' pricing, and generally have decades of accumulated infrastructure and best practices to work inside. For vendors entrenched in the space or pro
XML is like violence. If it doesn't solve the problem, use more.
Switched from Android to iOS because Google won't fix their Bluetooth stack. I'll have to try my VPN on Friday and see if iOS 9 broke it. If so, I'll have to have two phones just so I can use two of the most important OS features that have been around for years but nobody can seem to get right (all at once, within one device, that is).
The original argument was saying enterprise was great because a single person represents 10,000 instead of those same 10,000 being represented by 10,000 people. The counter argument is that Apple excels precisely at getting consumers to decide on their platform in an individual fashion, so they have no reason to be attracted to such a prospect.
XML is like violence. If it doesn't solve the problem, use more.
Therein lies the crux of the problem for Apple. The way in is basically to do a lot more work enabling concepts like group policies and also 'lighten up licenses' so that effectively people can get use of their work for less money. There isn't an obvious way forward for Apple.
They can hope that players will upend the industry for them in a way that aligns to their sensibilities, but bending their sensibilities to try to capture the way IT works as-is would be a losing proposition.
XML is like violence. If it doesn't solve the problem, use more.
Yes, please use Android.
Whoops: https://code.google.com/p/andr...
Hahahahahahaha!!!!!! That's GREAT!!!!
Ah yes the apple fanboi has to come in and correct the numbers because we can't have anyone thinking Apple didn't sell millions of computers. This has to be corrected ASAP or we are disparaging apple, amiright?
What you failed to read was the GP post where the poster said it was better to sell 10000 to one person.
Thats where the 10,000 number came from. No one was actually trying to say that that was all they sold.
Why is this modded down? You guys normally love pointing out when Apple copies Android!
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
I thought Apple made it so you couldn't downgrade iOS (as a way to stop people from downgrading to a version that can be jailbroken)
It hasn't caused any problems with my OpenVPN based service. So sad that the corporate guys' software isn't working as well.
You're just jealous 'cuz the voices talk to *me*
Both VPNs to work and to commercial VPNs seem to be working fine both in OS/X beta, and the production one. The only long time complaint I have it to be mandatory to install policies to have connect on demand/always on functionalities.
I have noticed spotty issues using disconnect auto VPN configurations. This was bulletproof on iOS 8 but I have had to completely disable it since it 50/50 works
Post-iOS9 install I noticed ExpressVPN doesn't work at all either. At least I only need it for youtube/gmail ish, poor business-users, f'd. This is a pretty serious bug, quite shocked that it was known and let pass into retail release......indicator of slip in quality perhaps? Kinda like macbook 12" forcing users to a single usb-c port, in other words, forcing users into buying an adapter, far before C becomes standard? What's going on here.
For anyone still using WindowsXP with iTunes 11.5.5 and an iPhone with iOS 8.4. If you upgrade your phone to iOS 8.4.1 which came out last week, they do not tell you that you also must up grade to iTunes 12.1. Unfortunately, iTunes 12.1 is not supported on WindowsXP.