You may have thought iTunes was just a music program for Macs, Windows, and iPhone systems, but lately we’re hearing questions about whether iTunes is required on enterprise desktops. Behind this interest is Apple’s use of iTunes on the desktop to deliver updates to the popular iPhone. With the iPhone now connecting to organizational mail systems such as Microsoft Exchange, iTunes has come to have a business purpose.
Absent the iPhone update requirement, organizations would probably want to discourage iTunes deployment on business systems and networks for the following reasons:
1) iTunes expands workstation attack surfaces
   a. The program has 13 vulnerabilities listed in the National Vulnerability Database, dating from 2005 and 2008. The fact that versions before 18.104.22.168 did not verify the authenticity of updates raises particular concerns about whether security was even considered in the program’s original design
   b. The Bonjour service advertisement protocol that iTunes uses could also be used by a compromised system as an attack vector against other LAN-connected systems
2) Malware could be introduced through iTunes, especially on Windows systems
3) iTunes may be used to facilitate copyright violations by sharing unlicensed music or content over LANs, raising liability issues for the organization
4) iTunes is not an enterprise product – it has no enterprise management features that might, for example, be used to disable every function that is not business relevant (potentially everything except iPhone update); thus organizations are stuck with the whole ball of wax if they allow iTunes to be deployed
Considering the requirement to support iPhone – a useful device that may be extremely popular for large elements of the organization’s workforce – organizations have the following alternatives:
1) Put iTunes on the organization’s standard desktop and (as with everything else) try to mitigate the risk through third party patch management, anti-malware, intrusion prevention, and other security products
2) Allow individual workers to put iTunes on the organization-owned computers that have been issued to them, and provide users with general education on basic endpoint security concepts such as patching systems, not working in the admin account on a daily basis, and maintaining anti-malware software
3) Ban iTunes but allow end users to update their iPhone from the iTunes on their home computers, or not update their iPhone
4) Ban iTunes and de-authorize iPhone for the organization’s data communications because it cannot be properly updated
iPhone and iTunes - the thin edge of a consumerization wedge - may be among the first consumer applications forced on the enterprise. iPhone and other mobile devices are providing a platform for social networking and other chatty applications. And with Apple’s Application Store bursting at the seams, there is more to mobile system updates than meets the eye.
Regardless of the choice you make on iTunes today, it is a good idea to push Apple and other vendors to furnish simple, locked-down enterprise management utilities to update organization-approved smart phones and the applications that run on them. Engage in a conversation with other organizations in your industry, as well as with the vendors, about how we get out in front of consumerization. There should be plenty of opportunities for vendors to grow their market share, improve protection, and provide for basic security management needs when their technologies come into business use.