Friday Notebook, August 24: Addigy addresses macOS DEP enrollment spoofing

Also: Liquidware public pre-briefing; Jamf Now; Knox 3.2; Android Enterprise; RDmi multi-tenancy; Exchange 2019; Parallels Desktop 14; Citrix; and more!

This is our weekly log of desktop virtualization, enterprise mobility, and end user computing news.

Our blog posts

Jack: The top enterprise mobility management resources - August 2018 Edition. Learn about or get up to date on everything you need to know on enterprise mobility with this ultimate resource article.

Jack/Kyle: Parallels Desktop 14 shows the maturity of client hypervisors; but their role is evolving. Parallels announced Parallels Desktop 14 on Tuesday, providing users with performance improvements and feature tweaks. We couldn’t help but wonder about the changing role of client hypervisors.

Jack: Google’s Sean Ginevan talks Android Enterprise (Sponsored Podcast). Sean sat down with me to talk all about Android Enterprise. We covered everything from Google Cloud’s focus on the enterprise to Android work profiles and installing apps from unknown sources on BYOD/COPE devices. This podcast was sponsored by Android Enterprise.

Theresa: In the cloud era, what’s the role of Exchange 2019? With the popularity of Office 365, it’s kind of surprising to hear Microsoft released a public preview of Exchange 2019. So, we were curious about who would actually use it.

Kristin and Benny: An overview of multi-tenancy in Remote Desktop modern infrastructure (RDmi). RDS wasn’t designed with multi-tenancy in mind, so Microsoft looked to improve that in RDmi. Learn how it works and how to set it up.

Kyle: GeekOut 365 video: Use Remote Display Analyzer to determine ideal end-user experience. Barry Schiffer and Bram Wolfs created the Remote Display Analyzer to help users figure out the best remote display protocol configurations for end-user experience.

Industry news

On Thursday, Liquidware held a webinar that included a public pre-briefing of the announcements coming out next week at VMworld. FlexApp 8.6 will support storing apps on object-based cloud storage (ProfileUnity gained similar abilities in April). FlexApp will also be able to extract and deploy App-V packages. On the monitoring side, Stratusphere UX will be able to monitor physical macOS devices, which I found interesting, given that it's another sign of how Macs are becoming "real" in the enterprise. There are plenty of other new features, so watch for Liquidware's announcements next week, or look out for a replay of the Inside Track webinar, which also includes AWS, NVIDIA, and Stratodesk.

Jamf Now—Jamf’s lighter, SMB-oriented Mac and iOS management platform—is adding support for distributing custom iOS apps and deploying macOS packages. This will be part of a new, more expensive Jamf Now SKU.

Samsung revealed new features in Knox 3.2, the latest version of their proprietary MDM API. They include a mix of new features, addressing DeX, security, and compliance (including GDPR).

VMware earnings: Q2 revenue is up 13% year-over-year.

Citrix announced support for Apple Business Manager.

Addigy, macOS, and DEP enrollment

Mac management vendor Addigy is bringing attention to an issue with macOS and the Apple Device Enrollment Program (DEP). This week, Addigy announced a new step in their enrollment flow to authenticate users (via Okta or Active Directory) before any sensitive configurations are pushed down to a Mac. They also do just-in-time local account creation, so users can’t use the Mac at all until authenticated.

What’s the story behind this? As they describe the situation in their press release:

“Recent research has uncovered macOS vulnerabilities showing susceptibility to malware when setting up systems for the first time. However, there are other vulnerabilities, including the spoofing of a device's serial number (via a virtual machine or other methods) during the deployment process to provision the system as a corporate-owned device. This spoofing allows hackers to gain access to sensitive company, employee, and customer data easily unless proper defenses and processes have been applied.”

The research they're referring to covers a difficult-to-exploit and now-patched certificate pinning flaw in the first-boot enrollment process, and was presented at Black Hat.

But what about the spoofing? As described in various sources (including here and here), you can use a spoofed serial number to enroll a macOS device into DEP. (Here's more on DEP and how it works.) You take the serial number of a machine that's been registered for DEP, and apply it to a second machine (which can be done in a VM or on physical hardware). When the second machine boots for the first time, the Apple DEP service looks up that serial, finds the assignment, and redirects the machine to the associated MDM server for enrollment, just like the original machine.

So the idea here is that you should authenticate the user before you put any sensitive data down, since Apple's DEP lookup appears to key only on the serial number the device reports, with no other authentication to prove that the device is actually the one your organization registered. (And by the way, if you have a MacBook handy, flip it over and see what's written on the bottom: the serial number is printed right on the chassis.)

I think that getting Apple to do any additional authentication would be tricky, as it would require much deeper identity integrations across all the parts of a DEP deployment (reseller, MDM provider, Apple, and the customer).

Instead, the responsibility is on your MDM and identity platform. But really, pushing down a minimal enrollment profile that carries no secrets, and then only pushing down sensitive profiles (Wi-Fi and VPN credentials, certificates, and so on) after you do a stronger authentication of the user, should be a clear best practice. (See defense in depth, multi-factor authentication, etcetera, etcetera...)
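To make the two policies concrete, here is an added toy model of an MDM enrollment gate in Python. It is illustration only, not Addigy's code and not any real MDM or DEP API: the serial number, the DEP device list, the profile names and the HMAC-signed "assertion" standing in for an Okta/AD login are all constructed for the example. The naive server hands out every profile the moment the DEP serial matches; the gated server hands out only the base enrollment profile and releases the sensitive tier after it verifies an assertion that the identity provider bound to that specific serial.

```python
import hashlib
import hmac
import time

# Constructed, hypothetical data for this example only.
DEP_SERIALS = {"C02XXXXXXXXX": "mac-0042"}      # serials the org registered for DEP
IDP_SECRET = b"example-idp-signing-secret"     # stands in for the IdP's signing key

# Profile tiers: the base enrollment profile carries nothing sensitive;
# anything holding credentials or certificates goes in the sensitive tier.
MINIMAL_PROFILES = ["mdm-enrollment"]
SENSITIVE_PROFILES = ["corp-wifi-psk", "corp-vpn", "user-identity-cert"]


def issue_assertion(username, serial, secret=IDP_SECRET, issued_at=None):
    """IdP side: after the user logs in (ideally with MFA), bind the user to the
    serial being enrolled and sign that binding. Format: user|serial|time|mac."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    body = f"{username}|{serial}|{issued_at}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_assertion(token, serial, secret=IDP_SECRET, now=None, max_age=300):
    """MDM side: return the username if the token is authentic, bound to the
    serial that is enrolling, and fresh; otherwise None."""
    try:
        username, bound_serial, issued_at, mac = token.split("|")
        issued_at = int(issued_at)
    except ValueError:
        return None
    body = f"{username}|{bound_serial}|{issued_at}"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                        # forged or tampered assertion
    now = int(time.time()) if now is None else now
    if bound_serial != serial:
        return None                        # replayed from a different device
    if not 0 <= now - issued_at <= max_age:
        return None                        # stale (or from the future)
    return username


class MDMServer:
    def __init__(self, dep_serials, require_user_auth):
        self.dep_serials = dep_serials
        self.require_user_auth = require_user_auth
        self.sessions = {}                 # serial -> authenticated username or None

    def dep_checkin(self, serial):
        """What a freshly booted Mac receives once DEP has matched its serial."""
        if serial not in self.dep_serials:
            return []                      # not a DEP device: nothing to enroll
        self.sessions[serial] = None
        if self.require_user_auth:
            return list(MINIMAL_PROFILES)  # hold back the sensitive tier
        return MINIMAL_PROFILES + SENSITIVE_PROFILES  # serial match is the only check

    def user_authenticated(self, serial, token, now=None):
        """Gated flow, step two: release sensitive profiles only on a valid assertion."""
        if serial not in self.sessions:
            return []
        user = verify_assertion(token, serial, now=now)
        if user is None:
            return []
        self.sessions[serial] = user
        return list(SENSITIVE_PROFILES)


def profiles_on_spoofed_serial(require_user_auth, victim_serial="C02XXXXXXXXX"):
    """Attacker clones a DEP-registered serial into a VM and boots it. They have
    no corporate credentials, so the best they can do is forge an assertion."""
    server = MDMServer(DEP_SERIALS, require_user_auth)
    got = server.dep_checkin(victim_serial)
    forged = issue_assertion("alice", victim_serial, secret=b"attacker-guess")
    return got + server.user_authenticated(victim_serial, forged)


def profiles_for_legitimate_user(serial="C02XXXXXXXXX", username="alice"):
    """The real employee on the real machine, enrolling through the gated flow."""
    server = MDMServer(DEP_SERIALS, require_user_auth=True)
    got = server.dep_checkin(serial)
    token = issue_assertion(username, serial)  # issued by the IdP after login
    return got + server.user_authenticated(serial, token)


if __name__ == "__main__":
    print("naive, spoofed serial :", profiles_on_spoofed_serial(False))
    print("gated, spoofed serial :", profiles_on_spoofed_serial(True))
    print("gated, legitimate user:", profiles_for_legitimate_user())
```

The two details worth copying into a real deployment are the ones the attack model targets: the assertion is bound to the serial that is enrolling, so a token obtained for some other device cannot be replayed against the cloned serial, and it expires, so a captured token has a short useful life. Everything a serial match alone unlocks should be something you are comfortable handing to a stranger.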

More notes from the week
