Friday Notebook, August 23: VMware plans to acquire Carbon Black and Pivotal; iOS jailbreaks

Also: VMworld preview; Menlo Security; Citrix Managed Desktops; VDI Like a Pro; more on Black Hat; Zimperium; Adaptiva; and more!

This is our weekly log of desktop virtualization, enterprise mobility, and end user computing news.

Our blog posts

Jack: VMworld 2019 Preview: The questions we’re asking, the context, and where to find us. How will VMware capture more of the Windows 10 management market? What is VMware’s new DaaS offer? How will the relationship with Microsoft be?

We also published another lighter piece, since VMworld is coming back to San Francisco: What to do in San Francisco during VMworld - A guide from a local. How to get around, what to know about the neighborhood around Moscone, food recommendations, and what to do if you’re staying in town for the weekend.

Rachel: How does Menlo Security’s remote browser compare in an ever more crowded space? There are now many remote browser isolation options available, from both desktop virtualization vendors and security vendors. Menlo just got a $75 million round of funding, so how does it compare?

Jo: A technical review of Citrix Managed Desktops. Jo Harder discusses the new capabilities of Citrix Managed Desktops, compares it with Citrix Virtual Apps and Desktops Service, and presents a hands-on review.

Jack: The 2019 VDI Like a Pro EUC survey is out! Results: Citrix’s on-premises products are still dominant but showing smaller market share; DaaS is still anyone’s race.

Kyle: Yubikey 5Ci for iPhone, biometric attacks, and other odds and ends from Black Hat. Wrapping up my Black Hat 2019 coverage with an updated look at Yubico and their new hardware key, authentication hacks, and a process injection attack library.

Industry news

(From Jack.)

After the markets closed on Thursday afternoon, VMware announced plans to acquire Pivotal in a transaction that has an "enterprise value" of $2.7 billion (the transaction details are a bit more complicated; VMware will actually pay about $800 million out of pocket, plus a share exchange), and Carbon Black for an enterprise value of $2.1 billion (in this case, the net cash payout is $1.9 billion). The news about Pivotal, a cloud application platform, had been discussed for a while, and indeed Pivotal had previously been owned by VMware and EMC. The Carbon Black acquisition was a surprise, though, and is more interesting to EUC folks, as Carbon Black does endpoint security. You can easily picture all the things that Carbon Black could do when integrated directly into Workspace ONE. Desktop endpoint protection hasn’t been a huge focus for us here at (with the exception of Bromium and other virtualization-based offerings), but we definitely have plans to get familiar with Carbon Black.

On Monday, Citrix officially announced that Citrix Managed Desktops (CMD) will go GA next week, on August 26, as reported earlier this month by our TechTarget colleague Jesse Scardina. For more details on CMD, see Jo Harder’s review from this week. As a reminder, while CMD can use Windows Virtual Desktop entitlements to run multi-user Windows 10 workloads, customers won’t actually be able to do this until WVD goes GA. This will apparently be sometime soon, but we don’t have an official date for it yet. For more details, including an explanation of the differences between WVD, the WVD infrastructure (formerly known as RDmi), multi-session Windows 10, and the licensing entitlements, see our recent article on WVD.

VMware detailed what’s new in Workspace ONE UEM 1908. This includes updates for iOS 13 and macOS Catalina, including features to support Extensible SSO. VMware is also announcing Workspace ONE Express+, which is for small and mid-sized businesses and focused on Windows 10 and Office 365. Workspace ONE Express is the evolution of the old AirWatch Express, and is intended for environments from 10 to 500 devices.

Mobile threat defense vendor Zimperium announced a new on-device anti-phishing solution. Phishing is one of the bigger security concerns on mobile devices, but there are also a lot of technical issues to solve when implementing mobile anti-phishing. We plan to catch up with Zimperium to learn about their approach.

Adaptiva announced OneSite VMware Edition. Adaptiva’s peer-to-peer app distribution tech was OEMed into Workspace ONE UEM, but now it’s being broken back out into a separate product. See our VMworld 2019 preview for more details.

The pre-VMworld partner announcements continue with Stratodesk and Liquidware. The Liquidware Stratusphere UX agent will be integrated into Stratodesk’s NoTouch OS.

Other reads, news, and notes

Citrix has appointed a new CFO, Arlen Shenkman.

The new Chromium-based version of Microsoft Edge is now in beta, for both Windows and macOS. There are arguments (see this article by Kyle) that it could be a good enterprise browser. You get the compatibility and extensions of Chrome, with the enterprise trust of Microsoft.

Android has a new refined logo and is dropping the dessert names, so Android Q will just be “Android 10.” Via Google.

Jason Bayton is running an Android Enterprise survey to get “extensive insights into experiences and perceptions of Android in the enterprise.” Please go participate!

Remember back when we talked about virtual mobile infrastructure? It was like VDI, but with Android VMs and mobile clients. Well, apparently a company called Corellium was offering the same thing, except with iOS, and now Corellium is being sued by Apple.

Do you follow Brian Krebs? Just about every week I read an article from his blog, Krebs on Security, and think how much I appreciate the detailed, clearly written security reporting he does—you don’t have to know all the lingo to understand it. This week, it was “Forced Password Reset? Check Your Assumptions” which talks about how large companies are actively trying to make sure their users don’t use compromised passwords, and how they do it. 

The iOS 12.4 jailbreak

(From Kyle.)

For the first time in years, users can jailbreak up-to-date iOS devices.

News broke this week that researchers had found that iOS 12.4 undid a patch in iOS 12.3, re-exposing a vulnerability. This became an issue because security researcher Ned Williamson, who originally discovered the vulnerability, published an exploit for it believing it was still patched. The exploit, called SockPuppet, allows an application to execute code with system privileges. We haven’t heard of any specific malware associated with SockPuppet, but the jailbreak based on it got a lot of attention.

Security researcher Pwn20wnd used the exploit to release an up-to-date jailbreak on Monday. Jailbreaking isn’t as common as it once was, but there was certainly a lot of excitement this week. This is exactly the type of thing that EMM and MTD products are supposed to detect, so it will be interesting to see if any admins have a spike in jailbroken devices in their environment.

How does it work? Apparently, it’s possible to sideload the unc0ver app and jailbreak without using a computer, though other instructions have you do it via USB and a computer. This is a semi-tethered jailbreak, so you will have to re-run it if you reboot your device. 

Furthermore, apparently not all iOS users can fully jailbreak their device. Currently, there’s only a partial jailbreak for devices with Apple’s A12 processor (iPhone XS, XS Max, XR, and 2019 iPad Mini and Air). This partial jailbreak allows for the blocking of over-the-air iOS updates and preventing apps from being revoked, but does not allow the device to run Cydia, which is needed to implement all the fun tweaks that people associate with jailbreaking. Pwn20wnd’s tweets indicate that they hope to eventually have a full jailbreak developed soon enough.

Some security researchers have said that users who are currently on iOS 12.4 should avoid downloading any apps at all until Apple releases a patch, since it might be possible to hide the jailbreak code within an app. We think this is fairly unlikely, but felt it was worth a mention.

Web browsers push back on browser fingerprinting

This week, WebKit announced a tracking prevention policy that covers fingerprinting, cross-site tracking (tracking across multiple sites by a third party, not just the site the user visited), stateful tracking (using the user’s storage, e.g., cookies), covert tracking (tracking that users have no knowledge of or ability to consent to), navigational tracking (using info controlled by the source of top-level navigation), and “currently unknown” techniques.

If the blocking of trackers would break the expected UX of a website, WebKit will allow limited access for some trackers, by implementing a time limit or reducing collection of user-identifying data. Should this still not be enough, users will be allowed to give consent to the tracking. WebKit also considers some actions as implied consent (e.g., logging into several apps/websites with the same account).

WebKit will respond harshly to policy circumvention and says there will be no tracking prevention exceptions given, comparing any such action to security vulnerability exploits. The policy does note that there might be unintended impact (e.g., hindering how well an advertiser can tell how their latest advertising works or disrupting federated login via a third-party login provider) but users come first, though WebKit hopes to limit how the policy affects such techniques.

On a similar note, Google announced the Privacy Sandbox initiative on Thursday. Here, the focus is simply on ad tracking via browser fingerprinting. Users don’t have much control over this, if they’re even aware of it at all. Fingerprinting allows companies to learn about the browser you’re using and other identifying info, and largely rose as a result of users blocking cookies through browsers and ad blockers.

With Privacy Sandbox, Google wants to roll out a way to more aggressively block fingerprinting, as well as reclassify cookies and limit how much info they can collect and track across sites. The idea is to gather info and anonymize it so that individual users cannot be identified, but still allow advertisers ways to collect relevant data about their users.

Google talks about how blocking cookies hurts publishers, but it obviously hurts Google’s ad revenue, too. Either way, moving to anonymize info collected through cookies does sound good. We need to find a middle ground, so sites can stop with the annoying pop-ups begging users to disable ad blockers.
