The two sessions I attended at last week’s Worldwide Developers Conference (WWDC), Managed Device Attestation and Endpoint Security, highlighted Apple’s commitment to providing enhanced capabilities for security tools. While both were naturally aimed more at developers of device management and security solutions than at end users or IT admins, it is worth noting some of the additional capabilities developers will be able to build into enterprise tools.
Managed Device Attestation
Let’s start with Managed Device Attestation, a new capability that helps servers and services (on-premises or in the cloud) respond only to legitimate requests for access to resources.
The use of cloud services and the deployment of mobile devices have both grown simultaneously (and rapidly) over the last 10 years, significantly changing the enterprise security landscape. A decade or so ago, strong security at the network perimeter, combined with VPNs and similar secure remote access tools, was the norm and the primary way to secure all enterprise information.
Security is much more complicated today, though. Many resources sit completely outside the corporate network, which means trust evaluations must take place across a wide range of local, remote and cloud services. This usually involves multiple providers, and each must be able to establish that the users and devices connecting to them are legitimate, which goes beyond simple authentication and authorization.
Today, services rely on user identity, device identity, location, connection, date and time, and device management status to determine whether access requests are valid. Services may use any or all of these criteria when granting or denying access, and most, including MDM solutions, do.
Depending on the sensitivity of the data, simple user authentication may be sufficient for a given security posture, or it may be prudent to rely on all of these criteria before granting access, especially for sensitive or administrative systems.
One of the more powerful criteria is the identity of the device. It ensures that any device accessing your organization’s systems (including MDM services) and resources is known and trusted. Today, the following information is available to identify Apple devices: the device’s unique ID included in Apple’s MDM protocol, information returned through the MDM device information query (including serial numbers, IMEI numbers, and more), and security certificates issued to the device.
In iOS / iPadOS / tvOS 16, Apple is building an additional capability to establish device identity: device attestation. It’s basically a way to establish the authenticity of a device using known information that can be verified by Apple’s attestation servers. The information that Apple uses to do this includes specific information about the device’s Secure Enclave, manufacturing records, and operating system catalogs.
Attestation looks at the device itself, not the OS or apps installed on it. This is important because it means that a device may be compromised, yet Apple will still attest that it is the device it claims to be. As long as the Secure Enclave remains intact, attestation will continue to work. (MDM services, however, can verify the integrity of the OS.)
Attestation can be used in two ways. The first is to verify the identity of a device so that an MDM service knows the device is what it claims to be. The second is for secure access to resources within your environment. To implement this latter use of attestation, you need to set up an ACME (Automated Certificate Management Environment) server or service in your organization. It provides the strongest proof of device identity and provisions client certificates in much the same way as SCEP (Simple Certificate Enrollment Protocol).
When the ACME server receives an attestation, it will issue a certificate that allows access to the resources. The attestation confirms that the device is genuine Apple hardware, and includes the device’s identity, device properties, and a hardware-bound identity key (tied to the device’s Secure Enclave).
Apple notes that attestation may fail, and some failures, such as network problems or problems with the company’s attestation servers, do not indicate a malicious problem. But three types of failure do indicate a potential problem that should be remedied or investigated. These are modified device hardware, unrecognized or modified software, and situations where the device is not a genuine Apple device.
Device attestation offers unmatched device identity verification. Even if you’re not interested in setting up ACME services across your environment, enabling attestation for your MDM solution is a simple and obvious choice. Exactly how this will work, however, will depend on how different MDM vendors implement the functionality. It is also possible that some vendors will build ACME services into their MDM offerings, making it easier to take full advantage of this new capability.
Endpoint Security
The second WWDC session covered Endpoint Security. It introduced new functionality for Apple’s Endpoint Security API and was intended for developers of a variety of Mac security tools. Apple is enabling developers to monitor new types of events, including authentication, login / logout, and XProtect / Gatekeeper events.
- Authentication events now accessible in the Endpoint Security API include password authentication, Touch ID, issuance of cryptographic tokens, and Auto Unlock using Apple Watch. Developers can use these to detect patterns of suspicious access attempts (successful or not) and deal with them in a variety of ways, from simple alerting to further action.
- Login / logout events let developers use the Endpoint Security API to monitor logins from the login window (logging in directly to the Mac using the keyboard), screen sharing, SSH connections and command-line login. Again, the value here is the ability to detect and flag suspicious login activity or attempts.
- XProtect / Gatekeeper events, generated when malicious software is identified as well as when it is remediated, will enable developers to use the Endpoint Security API to access that information, whether it is then handled automatically or by IT personnel.
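One way a security tool could turn the authentication and login events in the list above into alerts on suspicious access, as an added example that is not code from the session or from Apple's API. The record layout (`ts`, `user`, `kind`, `source`, `ok`), the source labels and the thresholds are constructed for illustration and are not the Endpoint Security message format.

```python
from collections import defaultdict, deque

# Constructed, simplified records; NOT the Endpoint Security message format.
# ts is in seconds; source says how the attempt reached the Mac.
SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice", "kind": "auth", "source": "touchid", "ok": True},
    {"ts": 200, "user": "bob", "kind": "login", "source": "ssh", "ok": False},
    {"ts": 205, "user": "bob", "kind": "login", "source": "ssh", "ok": False},
    {"ts": 211, "user": "bob", "kind": "login", "source": "ssh", "ok": False},
    {"ts": 230, "user": "bob", "kind": "login", "source": "ssh", "ok": True},
    {"ts": 900, "user": "carol", "kind": "auth", "source": "password", "ok": False},
    {"ts": 2000, "user": "carol", "kind": "login", "source": "login_window", "ok": True},
]

REMOTE_SOURCES = {"ssh", "screen_sharing"}  # assumed labels for remote entry points


def find_suspicious(events, max_failures=3, window=60):
    """Flag bursts of failures and any success that directly follows one.

    Returns a list of (ts, user, reason) tuples in time order.
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["user"]]
        # Drop failures that have aged out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if not ev["ok"]:
            recent.append(ev["ts"])
            # Alert once, at the moment the threshold is reached.
            if len(recent) == max_failures:
                alerts.append((ev["ts"], ev["user"], "failure_burst"))
        else:
            if len(recent) >= max_failures:
                reason = ("remote_success_after_burst"
                          if ev["source"] in REMOTE_SOURCES
                          else "success_after_burst")
                alerts.append((ev["ts"], ev["user"], reason))
            recent.clear()  # a success resets the user's failure streak
    return alerts
```

An isolated failure, such as the single mistyped password followed much later by a normal login in the sample data, produces no alert; only the burst of SSH failures and the success that follows it are flagged.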
Some of this functionality was previously available to developers using the OpenBSM audit trail, which was deprecated as of macOS Big Sur. Although still available, it will be removed in a future macOS release.
Although both sessions target developers rather than front-line IT workers, they highlight the new technology Apple is offering for enterprise and security vendors. And they underscore Apple’s understanding of the changing enterprise security landscape and its commitment to provide enterprises with the tools they need to strengthen their security.
Copyright © 2022 IDG Communications, Inc.