Apple offers developers two useful enterprise security tools

Two sessions I attended at WWDC last week, the Managed Device Attestation and Secure Endpoint sessions, underscore the company's commitment to providing greater capabilities for security tools. While both were naturally geared more toward developers of device management and security solutions than toward end users or IT administrators, some of the additional capabilities that developers will be able to integrate into business tools are worth noting.

Managed Device Attestation

Let's start with managed device attestation, a new feature that helps ensure that servers and services (on-premises or in the cloud) respond only to legitimate requests to access resources.

Both the use of cloud services and the deployment of mobile devices have grown together (and exponentially) in the last 10 years, dramatically changing the state of enterprise security. A decade ago, having strong security at the network perimeter, combined with a VPN and similar secure remote access tools, was the primary means of protecting a network, and an entire enterprise.

However, security today is much more complex. Many resources reside entirely outside the corporate network, which means trust assessment must be performed across a wide range of local, remote, and cloud services. This typically spans multiple providers, and each must be able to establish that the users and devices connecting to them are legitimate; that goes far beyond simple authentication and authorization.

Today, services rely on user identity, device identity, location, connectivity, date and time, and device management status to determine whether access requests are valid. A service can use any or all of these criteria, and most services, including MDM solutions, can apply them when granting or denying access.

Depending on the sensitivity of the data, simple user authentication may be sufficient for a given security posture, or it may be prudent to rely on all of these criteria before granting access, especially for sensitive or administrative systems.

Device identity is one of the most powerful criteria. It ensures that any device that accesses your organization's systems and resources (including MDM services) is known and trusted. Currently, Apple device identity includes the following information: the device's unique identifier in Apple's MDM protocol, the information returned by the MDM device information query (which includes items such as the serial number, IMEI number, etc.), and the security certificates that have been issued to the device.

In iOS/iPadOS/tvOS 16, Apple is integrating additional functionality to establish device identity: Device Attestation. Basically, it's a way to establish the authenticity of a device using known information about it that Apple can verify using the company's attestation servers. The information Apple uses to do this includes details about the Secure Enclave on the device, manufacturing records, and the operating system catalog.

Attestation relates to the device itself, not to the operating system or the applications installed on it. This is important because it means a device can be compromised and Apple would still attest that it is the device it claims to be. As long as the Secure Enclave is intact, attestation will continue to succeed. (MDM services, however, can verify the integrity of the operating system.)

Attestation can be used in two ways. The first is to verify the identity of a device so that an MDM service knows that the device is what it claims to be. The second is for secure access to resources in your environment. Implementing the latter use of attestation requires deploying an Automatic Certificate Management Environment (ACME) server or service in your organization. This provides the strongest proof of device identity and provisions client certificates in a way similar to SCEP (Simple Certificate Enrollment Protocol).

When the ACME server receives an attestation, it issues a certificate that allows access to resources. Attestation proof certificates guarantee that the device is genuine Apple hardware and include device identity, device properties, and hardware-related identity keys (related to the secure enclave of the device).

Apple notes that there are several reasons why attestation can fail, and that some failures, such as network issues or problems with the company's attestation servers, do not indicate a malicious problem. However, three types of failure indicate a potential problem that needs to be fixed or investigated: modified device hardware, modified or unrecognized software, or a device that is not a genuine Apple device.
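The two points above, that an issuing service should treat transient and suspicious attestation failures differently and that attestation proves hardware identity but not operating system integrity, are easy to get wrong in practice. The following is an added example, not code from Apple or from any MDM vendor, of how an ACME-style issuing service might model that decision. The attestation fields, the failure reason names, the single-use nonce for freshness and the separate MDM operating system integrity flag are all assumptions of this example; the grouping of failure reasons follows the article.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple

# Constructed model (not Apple's or any MDM vendor's API) of an ACME-style
# issuing service acting on a managed device attestation result.


class Outcome(Enum):
    ISSUE = "issue client certificate"
    RETRY = "transient failure, retry later"
    INVESTIGATE = "block and investigate"


# Failure reasons grouped as the article describes them: the first set does
# not indicate anything malicious, the second does. The names are hypothetical.
TRANSIENT_FAILURES = {"network_error", "attestation_service_unavailable"}
SUSPICIOUS_FAILURES = {
    "modified_hardware",
    "modified_or_unrecognized_software",
    "not_genuine_apple_device",
}


@dataclass
class Attestation:
    """Hypothetical attestation statement as the issuing service sees it."""
    device_id: str                          # identifier from the MDM protocol
    nonce: str                              # freshness value the server issued
    verified: bool                          # did the attestation verify?
    failure_reason: Optional[str] = None    # set when verified is False
    hardware_key_id: Optional[str] = None   # identity key bound to the Secure Enclave
    properties: dict = field(default_factory=dict)  # attested device properties


@dataclass
class IssuedCertificate:
    """Stand-in for the client certificate the ACME service would issue."""
    subject_device_id: str
    bound_key_id: str
    properties: dict


class AttestationPolicy:
    def __init__(self) -> None:
        self._nonces = set()  # outstanding single-use nonces

    def new_nonce(self, value: str) -> str:
        """Record a nonce handed to a device; a real service would generate it."""
        self._nonces.add(value)
        return value

    def process(self, att: Attestation) -> Tuple[Outcome, Optional[IssuedCertificate]]:
        # An unknown or replayed nonce is not a transient error: fail closed.
        if att.nonce not in self._nonces:
            return Outcome.INVESTIGATE, None
        self._nonces.discard(att.nonce)  # each nonce is accepted once

        if att.verified and att.hardware_key_id:
            cert = IssuedCertificate(att.device_id, att.hardware_key_id, dict(att.properties))
            return Outcome.ISSUE, cert
        if att.failure_reason in TRANSIENT_FAILURES:
            return Outcome.RETRY, None
        # Suspicious reasons, and anything the service does not recognise,
        # are blocked and handed to investigation rather than retried.
        return Outcome.INVESTIGATE, None


def grant_access(cert: Optional[IssuedCertificate], mdm_os_integrity_ok: bool) -> bool:
    """Attestation vouches for the hardware, not the OS: a compromised device
    still attests, so the MDM's own OS integrity result is a separate gate."""
    return cert is not None and mdm_os_integrity_ok


if __name__ == "__main__":
    policy = AttestationPolicy()
    nonce = policy.new_nonce("nonce-1")
    # Constructed sample attestation for a genuine, verified device.
    sample = Attestation("device-1", nonce, True, hardware_key_id="sek-key-1",
                         properties={"serial": "EXAMPLE-SERIAL"})
    outcome, cert = policy.process(sample)
    print(outcome.value, cert)
    print("access granted:", grant_access(cert, mdm_os_integrity_ok=True))
```

The policy fails closed on anything it does not recognise, retries only the failure classes the article calls non-malicious, and keeps the operating system integrity check outside the attestation decision entirely.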

Device attestation provides unprecedented device identity verification. Even if you're not interested in implementing ACME services in your environment, enabling attestation for your MDM solution is a simple and obvious choice. However, exactly how it works will depend on how different MDM vendors implement the feature. Some providers may also integrate ACME services into their MDM offerings, allowing you to take full advantage of this new functionality.

Secure Endpoint

The second WWDC session was about Secure Endpoint. It introduced new features for Apple's Secure Endpoint (Endpoint Security) API and targeted developers of various types of Mac security tools. Apple is allowing developers to handle new types of events, including authentication, login/logout, and XProtect/Gatekeeper events.

Some of these features were previously available to developers through the OpenBSM audit trail, which was deprecated as of macOS Big Sur. Although it is still available, it will be removed in a future version of macOS.

While both sessions were aimed at developers rather than frontline IT staff, they highlight the new technologies that Apple is offering to businesses and security vendors. And they underscore Apple's understanding of the changing landscape of enterprise security and its commitment to providing businesses with the tools they need to strengthen security.

Copyright © 2022 IDG Communications, Inc.