igor - Fotolia
IT administrators that assume Apple's Device Enrollment Program is inherently secure should think again.
Researchers at Duo Security, a security software provider based in London, last month revealed a potential vulnerability in the DEP that affects the security of device onboarding, because it uses serial numbers to verify a device to the mobile device management (MDM) server. Others contend that the vulnerability in the authentication process is simply a feature, however. Admins can find alternatives to this authentication method to prevent Apple DEP issues.
"It's safe to say that [the Apple DEP vulnerability] is not an active area of attack right now," said Rich Smith, director of Duo Labs, part of Duo Security. "But it highlights the importance of thinking about authentication during an onboarding and MDM process."
Apple DEP issues snag authentication
Apple DEP automates the enrollment and configuration of iOS and macOS devices in an MDM platform. The company in June rolled DEP and the Volume Purchase Program into a more comprehensive service called Apple Business Manager.
Apple maintains an activation record of devices' serial numbers in a database. Once Apple creates a record of the device through the DEP API, IT assigns that device to the MDM server, which obtains that device record and creates a DEP profile. The device authenticates to the DEP API using a serial number and retrieves its activation record.
The problem is that devices can supply that serial number through an undocumented private API, and serial numbers are susceptible to brute-force attacks. This increases the likelihood of Apple DEP issues with security. With the serial numbers, attackers could enroll rogue devices in an MDM server and obtain sensitive corporate information.
Apple should explore alternatives to serial numbers for DEP device registration, said Ira Grossman, CTO at MCPc Inc., an IT consultancy in Cleveland. Microsoft, for example, uses a hardware hash generated from a script to authenticate devices in Autopilot, a configuration service for Windows devices.
IT can do two things to ensure that the organization properly authenticates devices, said James Barclay, a senior R&D engineer at Duo Labs who helped discover the vulnerability. First, require end users to authenticate as part of the MDM enrollment process. Second, don't treat devices as trusted simply because they are enrolled in MDM.
Apple recommends these best practices in Apple Business Manager documentation, but the company could better highlight the importance of authentication, Barclay said.
Ultimately, the onus is on the administrator to sidestep the Apple DEP issues with authentication because the admin has access to the organization's MDM, Smith said.
"Looking to Apple to inform administrators ... is not really the right way of trying to solve this problem," he said.
Flaw or feature?
However, Apple maintains that the discovery is a feature in DEP, not a vulnerability, according to a company spokesperson -- and some IT pros agree.
Maracus ScottIT administrator, Southern Illinois University Edwardsville
"You can say it's a flaw, but I can also see it as a benefit," said Maracus Scott, an IT administrator at Southern Illinois University Edwardsville, who said he has known about the issue for a while. "To me, [it's] more of a case of lack of preparation or understanding of how DEP works."
Previously, Scott required end users to enroll devices in the organization's MDM platform, Jamf, after they entered their usernames and passwords into the system. He recently disabled that feature, however, because a pre-enrollment authentication requirement presents problems if a device is lost or stolen; it restricts IT access to key information that could lead to the device's recovery.
IT is working on a native app that would allow for a post-enrollment authentication process, Scott said. That way, in the case of a stolen device, IT could obtain the device location and IP address and hand over those details to the police. This method wouldn't eliminate potential security issues associated with authenticating through a serial number, but it still introduces minimal risk because there's no personally identifiable information on the devices, Scott said.
Less experienced IT administrators may not think to add an extra security layer that prevents Apple DEP issues with authentication.
"DEP makes it very easy to implement features, which sounds great, unless you come across an issue where someone is trying to steal the device to get information about your organization," Scott said. "Then it takes a little bit of systems analysis and understanding risks."
The security weakness doesn't deter the university from using DEP, Scott said.
"There are plenty of programs that we've developed around Apple DEP that we wouldn't be able to implement without that service," he said.