If, like me, your job involves managing large numbers of Macs, yesterday’s announcement of the upcoming Mac App Store probably raises questions. Here’s a few I have.
In the Mac App Store demo on Wednesday’s Apple Event, the presenter bought and installed Pages without being asked for an admin password. Presumably that will be the experience when using the Mac App Store. So how does that work? A couple of possibilities:
- The App Store runs with special privileges, and can install apps for the user without needing admin credentials.
- Mac App Store applications are installed somewhere the user has rights to modify without elevating privileges — like their own home directory.
Parts of the new Mac App Store Guidelines have leaked on the web, and there’s evidence that the second possibility is the “right” one:
Apps must be self-contained, single application installation bundles, and cannot install code or resources in shared locations. Apps that download or install additional code or resources to add functionality or change their primary purpose will be rejected.
By requiring that all Mac App Store apps be self-contained bundles, it makes it possible to “install” such an app simply by copying it anywhere the user has write access. This could be in the user’s home, or possibly a new location created when the new Mac App Store debuts. Time will tell. This also means that “uninstalling” such an app is simple as well — just delete the app bundle.
If the download/install location is within the user’s home directory, that implies some other issues:
- Apps downloaded and installed by one user of a machine will not be usable by another user of the same machine.
- Users with network home directories may run into quota issues, or find their apps don’t behave perfectly when run from their network home
- If your organization backs up user data and/or transfers it from a user’s old machine to a new one, you now have a whole new class of “data” to worry about.
If the Mac App Store installs apps in a globally writable space outside any user’s home — something like /Users/Shared/Apps/, some of the above issues no longer apply, but new issues might raise their head:
- Can a user delete an app purchased, downloaded, and installed by another user?
- Can a user update an app installed by another user?
- If you migrate local user data from a user’s old machine to a new one, this will be a new location to be worried about.
So let’s assume that non-privileged users will be able to buy, download, and install apps using the Mac App Store. Will you as an administrator have any control over this?
It seems likely that you could exercise draconian control simply by not installing the Mac App Store application when it becomes available, or removing it on machines on which it is pre-installed. But we can hope for more fine-grained control via MCX.
Hopefully, more answers will be available in the next 90 days…