Slashdot Mirror


Apple's iOS 9 Breaks VPNs

An anonymous reader writes with a report from The Stack that researchers have discovered a crucial security problem in the latest version of iOS 9: it breaks VPN connections to corporate servers. According to the linked piece, "The flaw was first detected in the iOS 9 beta, and has not been fixed in the released version. Neither has the bug been removed in the current iOS 9.1 beta." The workaround might not be what you want to hear, either, if you've happily upgraded to the latest version: it's to downgrade to iOS 8.4.1.

  1. Good for the minions by Anonymous Coward · · Score: 3, Funny

    All the C-levels will be disconnected so we can get work done.

    And here I thought Apple was a true business player.

    1. Re:Good for the minions by MouseR · · Score: 5, Informative

      We're using Cisco's VPNs at the office and I've not observed it to be broken under iOS 9. Ditto for a colleague of mine.

    2. Re:Good for the minions by zlives · · Score: 5, Informative

      FTA "Most notable is that when doing split tunneling, the Tunnel All DNS option no longer functions as expected."

      Your setup may be using public DNS or published apps like Citrix.

  2. Source control? by mccalli · · Score: 4, Insightful

    What bothers me most about things like this is trying to relate it back to what is supposed to have changed in the latest versions. I can't think of anything in iOS 9 that should have touched code like this, which makes me wonder about the state of source control.

    Happy to be wrong, but Apple have had a few regression-type bugs before which again make me think their branching/merging strategies may not quite be up to snuff. Would like to be wrong though - anyone know of a changed area in iOS 9 that would have necessitated playing with something like this?

    1. Re:Source control? by fuzzyfuzzyfungus · · Score: 5, Insightful

      Even if they had good reason to poke at this, or rewrite it from the ground up (because discoveryd was totally cooler and better than old-and-busted mdnsresponder, so why stop there?), what possible excuse is there for "This update breaks VPNs" to not be treated as an absolute showstopper? That's the sort of attitude that just doesn't cut it outside the realm of pitiful consumer crap.

    2. Re: Source control? by Ravaldy · · Score: 4, Funny

      Please send your resume to me. We need a few d*ck heads that lack the ability to be constructive in their comments.

    3. Re: Source control? by Minwee · · Score: 2

      I am serious. And don't call me Shirley.

    4. Re:Source control? by CastrTroy · · Score: 4, Insightful

      what possible excuse is there for "This update breaks VPNs" to not be treated as an absolute showstopper

      This is what happens when you try to make a software update part of a hardware roll-out. They have hardware that they want to ship at a specific date, but haven't had any chance to get the software tested out in a while. They basically had to release iOS 9 even though they knew there were bugs because it was necessary for the new iPad and iPhone models.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. Android Too by Anonymous Coward · · Score: 2, Interesting

    Makes you wonder why:

    1. Cell manufacturers are moving to devices that cannot be truly turned off by removing the battery.
    2. Android after 4.4 broke persistent VPN support.
    3. Now iOS 9 breaks VPN support.

    Coincidence? Who might prefer to have a citizenry carrying locator beacons that cannot be turned off and where encrypting all data communication has been disabled?

    1. Re:Android Too by drinkypoo · · Score: 2

      Coincidence? Who might prefer to have a citizenry carrying locator beacons that cannot be turned off and where encrypting all data communication has been disabled?

      You can get cell position via DtoA and your actual calls have been broken open for a long time now, so this is not about that. This is about your data, not about your location.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Impossible by Anonymous Coward · · Score: 2, Insightful

    Everyone knows that Macs just work, more Micro$oft FUD.

  5. Re:Of course Apple wants into enterprise though? by Ayanami_R · · Score: 4, Interesting

    They have a LOT to do. We have had to switch our clients over to a chip and pin AD login from a regular local account. There is no easy way to do this. We can't apply the new security to the old accounts directly, or so I am told, so we have had to make another account and then "port" the old account data into the new one. Time Machine broken, because it is protected by UID, no matching UID no backup, period. Keychain wonkiness, everything you know can go wrong with a keychain, has. Dropbox broken, easily fixed, but still... The best part, when 10.11 comes out no one can update because it will break all the chip and pin stuff and users won't be able to login. We have had to send 2 FAQs on dealing with the asininity of all of this, and we are still stumbling across issues. One of my co-workers is tasked with something to do with programmers and root, that does not like these new accounts. No, I am not helping with that crap. BTW, when this happened with Windows, they just pushed a package that did all the wizardry, which was simply installing a card reader driver, and a script that made sure that if there was a matching local account UID that it inherited that account.

    That brings me to the next issue, patch management, or rather the lack of it. When 10.11 comes out we have to hope everyone listens, because otherwise we're playing fun account movement games after downgrading them back to 10.10. Users cannot install printers now; we have people bringing their printers in to work, so that we can install them. We have to patch everyone manually as there is no way to manage them with what we have.

    IT has been an absolute mess, and the boss, who is normally ok with letting a small thing slide without a ticket, is demanding that every interaction related to this, even 15 seconds, have a ticket so that he can show the massive time costs of this nonsense.

    --
    "Science is the power of man"
  6. Split Tunneling? by mveloso · · Score: 4, Insightful

    Problem is DNS during split tunneling, which isn't the same as "breaks VPN."

    I guess the editors are either click-baiting, are technically illiterate, or both.

    1. Re:Split Tunneling? by drkstr1 · · Score: 2

      Well, from personal experience at least, we always have to use an IP address when testing our web app on a local build server. The Android tablets let us use the internal domain name, out of the box.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
  7. Downgrade? by Anonymous Coward · · Score: 2, Interesting

    You can't downgrade if you didn't have a backup already.

    iOS 9 broke other things as well. iOS 9 won't connect to hidden SSID Wi-Fi networks either. I can verify this issue. There are some other grumblings of WPA / WPA2 connection issues for some as well.

    Even some popular apps, like Words with Friends in my case, don't work in iOS 9.

  8. Re:Of course Apple wants into enterprise though? by Junta · · Score: 2

    They did want to be in the enterprise and hence the XServe being created. They realized they just weren't aligned with the industry and the prospects were grim for return on investment for trying to change that. So they stopped doing things that required them to spend money when the returns may likely never happen.

    However when Cisco and IBM want to fall all over themselves to 'partner' with Apple, Apple will take the free endorsement. Note that both the Cisco and IBM deals cost Apple approximately nothing, they just had to smile and nod and endorse it, and in exchange IBM and Cisco spend all the money/do all the work to enable iOS devices for their respective applications and even promise some of their salespeople will push the Apple story. There's no point in turning down those overtures, even if they won't work or have low chance of working, all the risk is carried by IBM and Cisco. Potential upside is Apple suddenly is a viable mainstream enterprise vendor, downside is that Cisco and/or IBM wasted their time and money, but Apple lost nothing.

    So it's not so inconsistent. They'll gladly take money from enterprises, but they don't believe it's worth spending money to try at this juncture.

    Both Apple and MS would profit greatly by a deal like this.

    Nope, MS would only lose out. MS has business captive today, and doing what you describe would just weaken their stranglehold. Note that a great deal of what enterprises do with 'Active Directory' goes way beyond the stuff that non-MS platforms support when they integrate, and much of that other stuff does not trivially map to anything but MS's particular vision of describing capabilities. The capabilities may be there across the board, but they are just organized so differently, it would be some investment to try to be apples-to-apples in an unambiguous way.

    If Apple could provide that "any problem, one number" experience, businesses would beat a path to their door.

    Except that they wouldn't be that one number. It would be MS and Apple. On the OS, sure vendors provide front line support all the time. When you move up MS stack... You are going to be calling MS if you have a problem. Note that IBM is the only IT company to really have unambiguous success at the game you describe (e.g. POWER chips with AIX on top with DB2 and an unholy mess of stuff on top of it, or the mainframe ecosystem), and even then there's been significant signs of trouble there. For examples of other attempts in the industry, HP is a very notable example of trying *really* hard to get to that IBM story, but no sign of them getting anywhere near IBM's level. HP gets plenty of revenue in other ways, but not specifically in the all-in-one.

    If Apple seriously wanted in the enterprise sector, businesses would flock to them, just as an alternative to what is out there.

    And the problem is that they wouldn't. Businesses don't change unless they are forced to. Even then they want the change to be as slight as reasonably possible. The motivator for change is either unbelievably high risk with current environment or very well defined cost savings. There isn't any particularly strong sign of risk where Apple improves compared to status quo. For cost, passionate arguments can be had about TCO, but those are very subjective arguments that vary greatly circumstance to circumstance. In practice, businesses make decisions on concrete metrics like acquisition cost and recurring license fees. On that front, Apple doesn't have much room to be compelling and also have the margin to which they are accustomed.

    Enterprise is a big uphill battle that really isn't as appealing as many would imagine. Support costs are sky high, clients have a great deal more leverage than individual consumers to drive negotiation off of 'list' pricing, and generally have decades of accumulated infrastructure and best practices to work inside. For vendors entrenched in the space or pro

    --
    XML is like violence. If it doesn't solve the problem, use more.
  9. Re:Of course Apple wants into enterprise though? by Junta · · Score: 2

    Therein lies the crux of the problem for Apple. The way in is basically to do a lot more work enabling concepts like group policies and also 'lighten up licenses' so that effectively people can get use of their work for less money. There isn't an obvious way forward for Apple.

    They can hope that players will upend the industry for them in a way that aligns to their sensibilities, but bending their sensibilities to try to capture the way IT works as-is would be a losing proposition.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  10. Re:This is the new Apple by guruevi · · Score: 2

    HFS has been upgraded to improve. On-the-fly compression, built-in backup/versioning and whole-disk-encryption being some of the more visible things lately. Antivirus has been built-in to OS X since I think 10.5 and two-factor authentication has also been possible since I think 10.3.

    As far as repairs, the 'hard drive' is still replaceable but it's not a SATA thing it's a PCI card and there are several aftermarket options.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com