Forbidding itunes

Hi there,

I need to forbid itunes in my company. Users have already been warned no to
install it but I believe we can't trust them.

On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
itunes store anymore. That should stop 80% of the people.

Regarding downloads, they still work because a podcast to "NBC Today Show"
for example goes directly through NBC.com. So I guess, there's not much I
can do more, right?

But is there a way where I can forbid people to register to new podcasts?

Cheers,

--
Choowie

choowie

"choowie" <> writes:

> Hi there,
>
> I need to forbid itunes in my company. Users have already been warned no to
> install it but I believe we can't trust them.

First, why? What is the business issue? Not wanting external devices
plugged into the computer? Bandwidth associated with downloads? Core
business interrupted by someone listening to music? What about
Windows Media Player?

> On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
> itunes store anymore. That should stop 80% of the people.

ITunes certainly runs without being able to contact the itunes store.


> Regarding downloads, they still work because a podcast to "NBC Today Show"
> for example goes directly through NBC.com. So I guess, there's not much I
> can do more, right?

Depends what you're really trying to accomplish and why.

> But is there a way where I can forbid people to register to new
> podcasts?

Depending on what sort of gateway protection you have in place there
are products you can tell to say block mp3 file downloads period.
But I for one wouldn't be too excited about working for a company with
such an authoritarian approach to IT, and I suspect I'm not alone.

Best Regards,
--
Todd H.
http://www.toddh.net/

Todd H.

choowie <> wrote:
> Hi there,
>
> I need to forbid itunes in my company. Users have already been warned no to
> install it but I believe we can't trust them.

This is a self-fulfilling prophecy. If you don't think you can trust
your users, then eventually all of the ones you CAN trust will leave
in disgust for jobs where they're treated like grown-ups.

Colin B.

"Todd H." <> wrote in message
news:...
> "choowie" <> writes:
>
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no
>> to
>> install it but I believe we can't trust them.
>
> First, why? What is the business issue? Not wanting external devices
> plugged into the computer?
Indeed + itunes already conflicted with other business software.

> Bandwidth associated with downloads?
As well.

> Core
> business interrupted by someone listening to music? What about
> Windows Media Player?
Don't care about people not working or listening to MP3 while working. This
is not a security issue. Same as watching porn. Don't care unless they go to
porn sites from which they download malware or if they go to illegal porn.
Not judging the moral here.

>
>> On the filtering proxy, I blacklisted phobos.apple.com so users can't go
>> to
>> itunes store anymore. That should stop 80% of the people.
>
> ITunes certainly runs without being able to contact the itunes store.
Yes but it limits users from registering to video podcasts. Few have the
knowledge to understand they can get podcasts from other places than itunes.

>
>
>> Regarding downloads, they still work because a podcast to "NBC Today
>> Show"
>> for example goes directly through NBC.com. So I guess, there's not much I
>> can do more, right?
>
> Depends what you're really trying to accomplish and why.
>
>> But is there a way where I can forbid people to register to new
>> podcasts?
>
> Depending on what sort of gateway protection you have in place there
> are products you can tell to say block mp3 file downloads period.
Size of MP3 are usually small compared to video podcasts. Video is more of
the issue here but some videos are used for business purposes. Youtube and
Dailymotion are bandwidth killer and have been filtered out.
More simply, I'll sniff what happens when a podcast is registered and create
a rule on proxy for it.

Cheers.

choowie

"Colin B." <> wrote in message
news:W_Klj.832$jw.650@pd7urf2no...
> choowie <> wrote:
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no
>> to
>> install it but I believe we can't trust them.
>
> This is a self-fulfilling prophecy. If you don't think you can trust
> your users, then eventually all of the ones you CAN trust will leave
> in disgust for jobs where they're treated like grown-ups.
>

You don't know anything about the context which lead to such restrictions.
Please provide a technical advice, not a moral judgement.

choowie

From: "Todd H." <>

| "choowie" <> writes:
|
>> Hi there,
>>
>> I need to forbid itunes in my company. Users have already been warned no to
>> install it but I believe we can't trust them.
|
| First, why? What is the business issue? Not wanting external devices
| plugged into the computer? Bandwidth associated with downloads? Core
| business interrupted by someone listening to music? What about
| Windows Media Player?
|
>> On the filtering proxy, I blacklisted phobos.apple.com so users can't go to
>> itunes store anymore. That should stop 80% of the people.
|
| ITunes certainly runs without being able to contact the itunes store.
|
>> Regarding downloads, they still work because a podcast to "NBC Today Show"
>> for example goes directly through NBC.com. So I guess, there's not much I
>> can do more, right?
|
| Depends what you're really trying to accomplish and why.
|
>> But is there a way where I can forbid people to register to new
>> podcasts?
|
| Depending on what sort of gateway protection you have in place there
| are products you can tell to say block mp3 file downloads period.
| But I for one wouldn't be too excited about working for a company with
| such an authoritarian approach to IT, and I suspect I'm not alone.
|
| Best Regards,

Todd:

This is TOTALLY understandable as we too have a corporate wide ban of iTunes software.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

From: "Colin B." <>


|
| This is a self-fulfilling prophecy. If you don't think you can trust
| your users, then eventually all of the ones you CAN trust will leave
| in disgust for jobs where they're treated like grown-ups.

Grownups who violate corporate policies on the use of company provided equipment SHOULD quit
or be fired.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

David H. Lipman <DLipman~nospam~@verizon.net> wrote:
> From: "Colin B." <>
>
>
> |
> | This is a self-fulfilling prophecy. If you don't think you can trust
> | your users, then eventually all of the ones you CAN trust will leave
> | in disgust for jobs where they're treated like grown-ups.
>
> Grownups who violate corporate policies on the use of company provided equipment SHOULD quit
> or be fired.

That was actually my point, in a roundabout way. Policy is usually a
better solution that technical means. If you say, "No iTunes on company
machines" then if someone installs iTunes, you discipline them, up to
and including firing if appropriate. No need to waste cycles trying to
add handcuffs. Applying software or network blocks is pretty much a big
message saying, "we don't trust you to follow the rules." It takes time,
effort, money, and creates a hostile environment. As often as not, it
also interferes with people's actual work.

To the OP, I don't really recommend any technical solutions (although here
are a few options: Block all MP3s on the wire, remove admin privileges
from users for their workstations so they can't install software, block
traffic by port number or destination, and so on) because I don't think
that it's a predominantly technical problem. You're trying to direct
behaviour with technical means, and behaviour is almost always better
managed with policy.

Not trying to judge you here, just suggesting that it's not the right
solution for your problem.

Colin

Colin B.

Colin B. wrote:

> remove admin privileges from users for their workstations so they can't

> install software,

That won't stop them from using installer-free software, software with
working installers, patching installers or porting installed applications.

The real solution, aside from the obvious necessity you stated, is to
globally remove exec rights.

> block traffic by port number or destination,

Won't help against proxzing and/or tunneling. Again, globally removing exec
rights does the job.

Sebastian G.

From: "Colin B." <>

| David H. Lipman <DLipman~nospam~@verizon.net> wrote:
>> From: "Colin B." <>
>>
|>> This is a self-fulfilling prophecy. If you don't think you can trust
|>> your users, then eventually all of the ones you CAN trust will leave
|>> in disgust for jobs where they're treated like grown-ups.
>>
>> Grownups who violate corporate policies on the use of company provided equipment SHOULD
>> quit or be fired.
|
| That was actually my point, in a roundabout way. Policy is usually a
| better solution that technical means. If you say, "No iTunes on company
| machines" then if someone installs iTunes, you discipline them, up to
| and including firing if appropriate. No need to waste cycles trying to
| add handcuffs. Applying software or network blocks is pretty much a big
| message saying, "we don't trust you to follow the rules." It takes time,
| effort, money, and creates a hostile environment. As often as not, it
| also interferes with people's actual work.
|
| To the OP, I don't really recommend any technical solutions (although here
| are a few options: Block all MP3s on the wire, remove admin privileges
| from users for their workstations so they can't install software, block
| traffic by port number or destination, and so on) because I don't think
| that it's a predominantly technical problem. You're trying to direct
| behaviour with technical means, and behaviour is almost always better
| managed with policy.
|
| Not trying to judge you here, just suggesting that it's not the right
| solution for your problem.
|
| Colin

I disagree. There are legal and technical ramifications of some software and it is proper
for a corporation to not only make a statement, an Authorized Use Policy (AUP) is *BEST*,
but to block software as well.

You can NOT trust employees explicitly. It is a case that peple just don't follow the rules
and a company must protect their assets.

Prevention is better than cure. Prevention starts with FireWall and Group Policies.

This is my opinion and it is based upon experience.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman