Mac OS 10.7 Lion for Providers

Mac OS 10.7 Lion, formally announced on June 6, 2011, is the seventh significant update to Mac OS X, Apple's UNIX-based desktop operating system. It became available exclusively from the Mac App Store on July 20, 2011, bypassing traditional distribution channels.

Information Systems & Computing (ISC) currently supports Mac OS 10.7 Lion for its clients, including off-campus students, only on new Macintoshes that ship with Mac OS 10.7 pre-installed. ISC strongly recommends that all other University users adopt a "wait and see" approach, continuing to use previous versions of Mac OS (including Mac OS 10.5.8 and Mac OS 10.6.8) until the initial bugs in Mac OS 10.7 are identified and fixed.

Provider note: ISC will follow standard operating system release procedure and will revisit this status in approximately three months - October or November.

When ISC recommends this upgrade, it will be for Apple systems with Intel Core 2 Duo or newer processors (this excludes Core Duo and Core Solo Macs) that have at least 2.0 GB of RAM (this excludes Core Duo and Core Solo Macs). Note that 2.0 GB of RAM is the minimum required amount, while ISC recommends 4.0 GB for a a substantially improved experience. The full installation of Mac OS 10.7 Lion uses at approximately 4.5 GB of disk space for the download and installation depending on the type of Macintosh and choices made during the installation.

Mac OS 10.7 Lion is available as an upgrade from Mac OS 10.6 for $29 from the Mac App Store. There is no direct upgrade path from Mac OS 10.5 to Mac OS 10.7, so users upgrading from Mac OS 10.5 must first purchase Mac OS 10.6 Snow Leopard ($29) from the Computer Connection and then upgrade to Lion from the Mac App Store after updating to 10.6.8 or above. It is expected that the Computer Connection will continue to stock Snow Leopard, but for how long and the available stock are unknown. Apple will also release Lion on a USB thumb drive in August for $69; whether this will require 10.6 preinstallation or not is unknown.

Apple's use of Mac App Store as the distribution channel for Mac OS 10.7 Lion significantly changes and complicates how providers upgrade Mac OS computers at the University. The Mac App Store was released with the Mac OS 10.6.6 update and is only available on Macintoshes with at least that version of Snow Leopard. As of now, there is no alternative method of purchasing or installing Lion for computers at Penn. Apple has announced alternative purchasing paths for Education and Business customers, but this applicable only to AELP customers, which the University currently is not. It is unknown how this limitation will unfold in Penn's decentralized computing environment. Additionally, the lack of physical media for now will complicate the OS re-installation process for providers, and it is unknown if it will be possible to install Lion directly onto an empty disk without previously installing Snow Leopard. The release of Lion on USB drive in August will alleviate many of these concerns, but at more than twice the cost of the version available in the Mac App Store.

Provider note: ISC's guidance for support providers at this time is to avoid large institutional purchases of Mac OS 10.7 via the Mac App Store, buying through the App Store for testing and evaluation purposes only. We expect Apple to make other licensing avenues available shortly.

Issues

There are a number of known issues with Mac OS 10.7 Lion, several of which are especially relevant to Penn's Macintosh users:

Supported Applications

• All current versions of University-supported Macintosh applications work without issue in Mac OS 10.7 except the current version of XpressConnect.
• Until XpressConnect is upgraded, to connect to AirPennNet, a workaround exists and is documented here. Machines upgraded from 10.6.x should retain their AirPennNet connection.
• However, in a change from previous OS X releases, Java Runtime Environment (JRE) is not installed by default and must be installed by the user. Without JRE, several applications cannot be run, including XpressConnect, Symantec Endpoint Protection (SEP), and Adobe Creative Suite. As XpressConnect is the standard means of connecting Apple computers to AirPennNet, and SEP is the University-provided antivirus/malware suite, installing Java should be taken into account when deploying and supporting Mac OS 10.7 systems.

Other Applications

• Apple Remote Desktop (ARD), in its current version (3.4), does not function with Mac OS 10.7. Apple's ARD release cycle is generally concurrent with OS releases, so a new version should arrive shortly after Mac OS 10.7. However, it is expected that the next release of ARD will support only Mac OS 10.6 and 10.7 and not 10.5, complicating the environments of those who use ARD with a wide range of Mac OSs.
• Rosetta is neither installed nor available on Mac OS 10.7. This prevents any program compiled only for PowerPC from running on Mac OS 10.7. Notably for some University constituents, this includes Quicken 2007 and the current version of Assignments.

Changes in Mac OS 10.7

Mac OS 10.7 Lion is a major release with over 250 new features, including a number of significant changes from previous iterations. Below are some changes that may be of interest to the Penn community:

1) Whole Disk Encryption via FileVault 2

As of Mac OS 10.7, FileVault has been changed significantly enough to warrant a new version number. FileVault 2 now provides whole disk encryption using XTS-AES128 (previously, FileVault only encrypted a user's home folder). This makes it a potential alternative to PGP Whole Disk Encryption for compliance with the University's Computer Security Policy for Portable Computing Devices with Confidential Data. ISC will issue further guidance on this when it has fully reviewed the 10.7 implementation of FileVault.

2) Full-Screen Apps

Mac OS 10.7 includes support for full-screen use of applications. This makes significant use of multitouch gesturing and is a desktop replication of the iOS application experience.

3) System-wide integration of multitouch gestures

Building on the overwhelming success of the touch-based iOS interface, and given that almost three-quarters of Macintoshes sold are notebooks, Apple has significantly expanded the integration of multitouch gestures into the operating system. These gestures will be available to any Macintosh with an integrated trackpad, a Magic Trackpad, or a Magic Mouse. Gestures such as tapping and pinching will now be available in all applications and gestures will allow moving between applications and navigating through the OS.

4) Resume

A new feature called Resume allows applications to be restarted from the previous Quit point with windows, positions, menus, and other user-manipulated elements as they were at the time of quitting. This significantly improves the experience of power users and users who are particular about their program environments.

5) System-wide Auto-save

There is a system-wide auto-save feature that stores versioned copies of files as they change. The interface to retrieve previous versions is similar to that used in Time Machine. This should prove to be a very popular and useful feature that alleviates the severity of overwriting documents, one of the more common problems faced by users.

6) AirDrop

A new file-sharing tool called AirDrop allows users to share files directly between Mac OS 10.7 computers over a WiFi network. The availability of AirDrop raises security concerns as it provides a new vector of near-local attack.

7) Launchpad and Mission Control

Exposé and Spaces have been replaced by a unified application called Mission Control that significantly refines the functionality of the original programs, while a new application-launching interface called Launchpad has been introduced. The Launchpad UI draws significantly on the iOS app interface, and both Launchpad and Mission Control are accessed with multitouch gestures.

Other features of note to LSPs:

• A recovery partition is included that contains the utilities previously found on Mac OS installation disks. This will allow Mac OS 10.7 to be reinstalled from Recovery Mode on disks with a previous Mac OS 10.7 installation, whether pre- or user-installed.
• Mac OS 10.7 implements Address space layout randomization (ASLR), randomizing the memory location of key data areas. This closes a vector of attack in which the attacker predicts the location of these data or looks in known locations for it. Applications are also sandboxed to limit interaction between applications and the operating system. Overall, Mac OS 10.7 is significantly more secure than previous versions of Mac OS.
• SMB with DFS is now supported for connecting to Windows file servers; NFSv4 is also now supported.
• Mac OS 10.7 includes a Windows migration assistant along with the Mac-specific Migration Assistant.
• There are significant improvements to Asian language support and allows the displaying and typing of vertical text used in Japanese and Chinese languages.
• FaceTime is installed with the operating system allowing video calling with other FaceTime-enabled devices. For Mac OS users, this is a potential alternative to Skype for long-distance calling.