If, like me, your job involves managing large numbers of Macs, yesterday’s announcement of the upcoming Mac App Store probably raises questions. Here’s a few I have.
In the Mac App Store demo on Wednesday’s Apple Event, the presenter bought and installed Pages without being asked for an admin password. Presumably that will be the experience when using the Mac App Store. So how does that work? A couple of possibilities:
- The App Store runs with special privileges, and can install apps for the user without needing admin credentials.
- Mac App Store applications are installed somewhere the user has rights to modify without elevating privileges — like their own home directory.
Parts of the new Mac App Store Guidelines have leaked on the web, and there’s evidence that the second possibility is the “right” one:
Apps must be self-contained, single application installation bundles, and cannot install code or resources in shared locations. Apps that download or install additional code or resources to add functionality or change their primary purpose will be rejected.
By requiring that all Mac App Store apps be self-contained bundles, it makes it possible to “install” such an app simply by copying it anywhere the user has write access. This could be in the user’s home, or possibly a new location created when the new Mac App Store debuts. Time will tell. This also means that “uninstalling” such an app is simple as well — just delete the app bundle.
If the download/install location is within the user’s home directory, that implies some other issues:
- Apps downloaded and installed by one user of a machine will not be usable by another user of the same machine.
- Users with network home directories may run into quota issues, or find their apps don’t behave perfectly when run from their network home
- If your organization backs up user data and/or transfers it from a user’s old machine to a new one, you now have a whole new class of “data” to worry about.
If the Mac App Store installs apps in a globally writable space outside any user’s home — something like /Users/Shared/Apps/, some of the above issues no longer apply, but new issues might raise their head:
- Can a user delete an app purchased, downloaded, and installed by another user?
- Can a user update an app installed by another user?
- If you migrate local user data from a user’s old machine to a new one, this will be a new location to be worried about.
So let’s assume that non-privileged users will be able to buy, download, and install apps using the Mac App Store. Will you as an administrator have any control over this?
It seems likely that you could exercise draconian control simply by not installing the Mac App Store application when it becomes available, or removing it on machines on which it is pre-installed. But we can hope for more fine-grained control via MCX.
Hopefully, more answers will be available in the next 90 days…
Managing OS X 
[…] Mac App Store raises some interesting questions, notably those mentioned by Greg over on his Managing OS X blog. It’s a great way to simply manage a whole range of applications. I’m in two minds […]
Well the school I work for I use MCX to only allow application by folder path, this is because we don’t want students dropping a copy of Halo on their desktop and running it.
I can only assume we will most likely not allow the app store to run on our student machines. Only time will tell.
I was wondering if there will be an enterprise version of the app store in the future
What, in your mind, would such a thing be like? What would it do, and how would it be used?
I think I would rather see an enterprise portal that would be hosted on Apple’s end but that would contain apps purchased by the enterprise. Using your enterprise’s portal, users within your enterprise could then download and install applications owned by your enterprise. This would enable an easy distribution and tracking model for volume licensing of Mac App store purchases.
I think it would be a boon for Apple, since they are already hosting the apps anyway. The portals would, for the most part, be a filter.
There are ways to achieve what you describe, to a degree, right now with some of the management suites available. Some products, like Casper Suite and LANDesk offer functions called “Self Service” portals that allow end users who are not admins to install approved applications, plug-ins, updaters, etc. on their computers. Of course, this has to be managed by an IT person, and secondly, so it doesn’t follow the hosted by Apple model you mention, but its a step in that direction. Also, it really only works if you have a volume license of the software.
I’ve read that unlike tracks purchased through the iTunes store, folks purchasing apps via the Mac App store will be able to re-download apps that they have previously purchased. If that is indeed the case, it might be a situation where can you put the onus on the user to re-download their apps following a system migration.
I for one can’t wait until the Mac App STore opens on Jan. 6. I have the new macBook Air and I am sure it’s going to have so many coop iPad like apps that it will take portable computeing to a whole new level.
Any answers yet to the excellent questions raised above?
I am looking for answers too. While the Mac App store is an exciting new development, it poses an immediate threat to Mac Admins who want to control their deployments. What policy to adopt. How to go about implementing that policy. I have to wonder what damage can be done if Users install Apps. I don’t expect malware to arise. More about confusion that may arise, and what advice to give. Users can download music, video etc. Why not Apps ?
I am imagining what will be the effect any different to say users playing a flash game in the browser, or accessing Facebook Apps.
The key concern is install of native executables – but pre screened for malware, what is the worst that can happen ?
[…] Managing OS X Trials and Tribulations of an OS X Administrator « Mac App Store […]