This week, I got on the phone with two of the co-founders of Fleetsmith, Zack Blum, CEO, and Jesse Endahl, chief product and security officer. Today, they’re announcing two new features for their Mac management and monitoring products: a new security dashboard and an audit log function.
I also took the chance to talk about security in the Apple Device Enrollment Program (DEP, now “automated MDM enrollment”). In case you haven’t heard, DEP security has been the buzz of the Mac management space for a few months now, particularly on the heels of two white papers, one co-written by Jesse, and one by Duo Labs.
New Fleetsmith features
Today, Fleetsmith is launching a new security dashboard. Their pitch is that it makes it easy and convenient to have all possible security issues surfaced in one place, so that you don’t have to do queries manually, and so that you don’t miss things you might not have thought to search for. The dashboard is available now in both Fleetsmith Manage and Fleetsmith Intelligence, their free monitoring product. So, if you want to try this out, you can go for it.
The second announcement today is a new audit log, so for customers who need this for compliance, it will certainly be welcome. It will be launching soon.
I covered Apple Device Enrollment Program concepts and the recent conversations around them as they happened in the Friday Notebook, but here’s the recap:
In early August at Black Hat, Jesse Endahl from Fleetsmith and Max Bélanger (an engineer at Dropbox) presented research (PDF here) about a bug affecting DEP and macOS. They found a flaw deep in the enrollment process that, in theory, could be exploited to install malware, though in practice it would have been difficult to pull off. This got a bit of attention, including an article in Wired, though things quieted down fast, as the flaw was corrected in High Sierra 10.13.6.
Later in August, Addigy brought up another issue with DEP as part of a product announcement. I wrote up a full description in the Friday Notebook, but essentially, when a Mac powers on and goes through DEP, Apple doesn’t do anything to strongly authenticate the device. It just checks the serial number and directs the Mac to the associated MDM server for enrollment. A serial number can be spoofed in a VM or on a physical device, so if you know or brute-force the serial number of a legitimate corporate device, your device/VM can be redirected to that organization’s MDM server for enrollment.
Personally, this was the first time I had heard of this, but after reading up on a few Mac management blogs, I quickly learned that this aspect of DEP enrollment has been known for years, and many admins and developers use it for testing.
The common mitigation for this issue is to not include any sensitive information or configurations in the initial DEP enrollment, and to send those to the device only after you’ve had a chance to strongly authenticate the user. DEP can also do basic LDAP authentication during the enrollment process, but I gather this isn’t used very much.
Later, in September, the situation came up again when Duo Labs raised the alarm (here’s the blog post and full report). This time, it got more attention. Duo noted that one way to fix the issue would be for Apple to do stronger device and/or user authentication, but of course, Apple works on its own time frame, and it’s hard to predict what they’ll do and when they’ll do it. (It would be nice if Apple also made accommodations for a new testing process, too.) The second mitigation suggested by Duo is to authenticate users before the MDM server even allows the enrollment attempt to happen. Lastly, they covered the previously mentioned approach: allow enrollments, but hold the sensitive configurations until after users authenticate.
After spending a few days at Jamf’s JNUC conference, I got the impression that most admins are fine with what seems to be the common practice—again, that means do a basic enrollment, authenticate the user, and then deliver the sensitive stuff. Indeed, a few attendees expressed frustration that Duo was rocking the boat.
Fleetsmith and DEP enrollment
When Fleetsmith reached out about their product news, I was also excited to ask them about their thoughts and approach to the DEP issues. Jesse’s research may have focused on a different issue, but clearly he’s spent a lot of time on this. As it turns out, he already wrote a very detailed blog post on it, which got a shout-out from folks at Duo, as well.
Fleetsmith is focusing on the second mitigation. They make sure that the user is authenticated and that the enrollment is approved before the MDM server lets it happen. Importantly, subsequent re-enrollments of a given device must be approved as well. The blog post goes into much more detail on the approval process (and explains the rest of the situation), so check it out if DEP enrollment is of concern to you.
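To make the enrollment-gating idea concrete (the serial-only DEP redirect described above, the “approve before the MDM server allows enrollment” mitigation, and the “hold sensitive configs until the user authenticates” fallback), here is an added example in Python. It is not Fleetsmith’s code, Apple’s MDM protocol, or any real MDM server; it is a toy enrollment endpoint I wrote to show the logic. Everything in it is constructed: the user directory, the serial number, the payload names. A real server would back the user check with your IdP or LDAP and the approval with an admin console.

```python
"""Toy MDM enrollment gate (added example, not from Fleetsmith or any real MDM).

Models the situation the article describes: Apple's DEP step only routes a Mac
by serial number, and a serial can be spoofed, so the MDM server must not trust
the serial on its own. Two layered mitigations are shown:
  1. Approve-before-enroll: an authenticated user (or admin) must approve a serial
     before the server accepts an enrollment for it, and every re-enrollment of a
     known device needs a fresh approval.
  2. Hold back secrets: the initial profile carries nothing sensitive; Wi-Fi,
     VPN and escrow payloads ship only after the user authenticates on the device.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed user directory (username -> PBKDF2 hash). Stand-in for an IdP/LDAP.
_SALT = b"example-salt-not-for-production"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct horse")}


def authenticate_user(username: str, password: str) -> bool:
    """Verify user credentials with a constant-time comparison."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, _hash(password))


@dataclass
class EnrollmentResult:
    accepted: bool
    reason: str
    payloads: list = field(default_factory=list)  # config payloads sent to the device


@dataclass
class MDMServer:
    pending_approvals: dict = field(default_factory=dict)  # serial -> approving user
    enrolled: dict = field(default_factory=dict)            # serial -> bound user
    user_verified: set = field(default_factory=set)         # serials past on-device auth

    def approve_enrollment(self, username: str, password: str, serial: str) -> bool:
        """Mitigation 1: only an authenticated user can approve a serial, and the
        approval is one-shot, so it covers first enrollment and re-enrollment alike."""
        if not authenticate_user(username, password):
            return False
        self.pending_approvals[serial] = username
        return True

    def dep_enrollment(self, serial: str) -> EnrollmentResult:
        """The request a Mac sends after Apple's DEP service redirects it here.
        Only a serial arrives, and it may be spoofed, so it is never trusted alone."""
        if serial not in self.pending_approvals:
            if serial in self.enrolled:
                return EnrollmentResult(False, "re-enrollment of a known device needs a fresh approval")
            return EnrollmentResult(False, "no approval on file for this serial")
        user = self.pending_approvals.pop(serial)  # consume the one-shot approval
        self.enrolled[serial] = user
        self.user_verified.discard(serial)         # fresh enrollment, user must re-prove
        # Mitigation 2: the initial profile carries nothing sensitive.
        return EnrollmentResult(True, "enrolled", payloads=["mdm-base-config"])

    def device_user_login(self, serial: str, username: str, password: str) -> EnrollmentResult:
        """The user authenticates on the enrolled Mac; only then do secrets ship."""
        if serial not in self.enrolled:
            return EnrollmentResult(False, "device is not enrolled")
        if self.enrolled[serial] != username or not authenticate_user(username, password):
            return EnrollmentResult(False, "user authentication failed")
        self.user_verified.add(serial)
        return EnrollmentResult(True, "user verified",
                                payloads=["wifi-credentials", "vpn-client-cert", "filevault-escrow"])


def run_scenario() -> dict:
    """Legit enrollment, a spoofed-serial attempt, a wrong password, and a re-enrollment."""
    mdm = MDMServer()
    serial = "C02EXAMPLE01"  # constructed serial number, not a real device
    out = {}
    out["no_approval"] = mdm.dep_enrollment(serial)            # rejected: nobody approved it
    out["bad_approval"] = mdm.approve_enrollment("alice", "wrong", serial)  # False
    mdm.approve_enrollment("alice", "correct horse", serial)
    out["approved"] = mdm.dep_enrollment(serial)               # accepted, base config only
    out["spoof_after"] = mdm.dep_enrollment(serial)            # attacker VM, same serial: rejected
    out["bad_login"] = mdm.device_user_login(serial, "alice", "wrong")
    out["user_login"] = mdm.device_user_login(serial, "alice", "correct horse")  # secrets released
    out["reenroll_no_approval"] = mdm.dep_enrollment(serial)   # wiped Mac, no new approval: rejected
    mdm.approve_enrollment("alice", "correct horse", serial)
    out["reenroll_approved"] = mdm.dep_enrollment(serial)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:22} {result}")
```

One caveat worth keeping in mind: approval gating on its own doesn’t stop an attacker who already knows the serial and races the legitimate Mac to consume the approval. What it does is make that event visible (the real device then fails to enroll, which is worth alerting on) and, combined with the held-back payloads, leaves the attacker with nothing sensitive. Fleetsmith’s actual approval flow is the one described in their blog post, not this toy.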
There are a few overall trends influencing all of this: Apple is transitioning Mac management over to MDM and automated enrollment. Choose-your-own-device programs are spreading throughout the enterprise, and startups with lots of Macs are growing into enterprise-sized companies. Macs are coming under more enterprise scrutiny, and more end user computing folks are going to be working on them. (And coincidentally, we have at least two more Mac-related articles in the queue for the next week.)