What is managed device attestation on Apple platforms?

Announced at WWDC 2022, Managed Device Attestation shows Apple adjusting its device security protections to an increasingly distributed way of working.

Safe endpoints, not end times

This adjustment reflects a change in how work gets done. Work no longer happens on specific servers or behind a fixed corporate firewall, and VPN access may vary from computer to computer. In a workplace made up of many remote devices (endpoints), the attack surface is larger than ever.

Managed Device Attestation creates a second trust boundary, rooted in the device's own hardware, around which device management solutions can operate to protect against attacks.

It's one of many security enhancements to Apple's platforms, including declarative device management, rapid security response, and private access tokens. All of these solutions represent Apple's work to deliver uncompromising security in a way that also improves the user experience.

What use is it?

It's about philosophy. Apple recognizes that security needs to evolve beyond traditional perimeter protections like VPNs and firewalls. Protection must move to the edge of the network, to the device itself, and become increasingly autonomous. After all, a service cannot rely entirely on what a device claims about itself over the network, since that channel, or the device making the claims, may itself be compromised.

Managed Device Attestation provides a point of proof that helps protect the device and confirm its identity. Think of it this way: as a user, you may have proven who you are, and you may be at a location your management systems consider acceptable, but how do you prove you're using a registered device?

That is what Managed Device Attestation sets out to do. You only need to trust the Secure Enclave in your device's processor, and trust Apple to vouch for the health of the device.

Essentially, the process shares the identity of a key held in the Secure Enclave, along with other device properties, as proof that lets a service decide whether the device is compliant. The Secure Enclave proves to Apple's attestation servers that the hardware is genuine; Apple then issues a signed attestation that is passed on to the service, and because the service trusts Apple, it can treat the device as legitimate.

The idea is to protect against the use of compromised devices, against attackers who try to fool a service by posing as a legitimate device, and against network access attempts by people who may hold valid user credentials but are working from an unrecognized device.

How does this work?

Although you have to dig deep to get familiar with the technology behind the system, here is a high-level explanation:

In its simplest form, when a device needs to be authorized, it requests an attestation and presents key information, such as the identity of the device and of its Secure Enclave-backed key, to the service to confirm that it is what it says it is. This information is signed by Apple's attestation servers, so the device cannot simply make it up.

The service reviews what it was sent, compares it to its own records, verifies that the attestation is genuine (signed and delivered by Apple's servers), and approves access. Attestation is delivered through MDM servers and through the IETF Automatic Certificate Management Environment (ACME) protocol, which makes attestation available to services beyond MDM.
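The exchange described above, as an added example that is not Apple's code or the article's own: a simplified model in Go of the three parties, the attestation authority, the device, and the relying service. The attestation root CA, the device key, the extension OIDs, the hardware serial and the nonce are all constructed here, and the certificate format is not Apple's. What the example shows is the set of checks the relying service has to make before it believes anything: the chain leads to the one root it pins, the nonce is the one it issued for this request, the device can sign with the attested key, and the attested serial is in its own enrollment records.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed extension OIDs for the nonce and hardware serial; not Apple's.
var (
	oidNonce  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	oidSerial = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
)

// AttestationCA stands in for Apple's attestation service. Root is the only
// thing the relying service has to pin.
type AttestationCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	Root *x509.CertPool
}

func NewAttestationCA() (*AttestationCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Attestation Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &AttestationCA{cert: cert, key: key, Root: pool}, nil
}

// NewDeviceKey models key generation inside the Secure Enclave; the private
// half never leaves the device in the real system.
func NewDeviceKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// IssueAttestation models Apple binding the device's public key, its serial and
// the service's nonce into a certificate. The hardware check is assumed passed.
func (ca *AttestationCA) IssueAttestation(devicePub *ecdsa.PublicKey, serial string, nonce []byte) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: "Constructed Device Attestation"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidNonce, Value: nonce}, {Id: oidSerial, Value: []byte(serial)}}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, devicePub, ca.key)
}

// SignNonce is the device side: proof of possession of the attested key.
func SignNonce(deviceKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, deviceKey, h[:])
}

// VerifyAttestation is the relying service (MDM or ACME server): chain to the
// pinned root, the nonce it issued, a signature by the attested key, and the
// serial in its own enrollment records. Returns the attested serial.
func VerifyAttestation(certDER, sig, nonce []byte, roots *x509.CertPool, enrolled map[string]bool) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain does not lead to the pinned root: %w", err)
	}
	var gotNonce []byte
	var serial string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidNonce) {
			gotNonce = ext.Value
		} else if ext.Id.Equal(oidSerial) {
			serial = string(ext.Value)
		}
	}
	if !hmac.Equal(gotNonce, nonce) {
		return "", errors.New("nonce mismatch: stale or replayed attestation")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("device does not hold the attested key")
	}
	if !enrolled[serial] {
		return "", fmt.Errorf("serial %q is not enrolled", serial)
	}
	return serial, nil
}

func main() {
	ca, _ := NewAttestationCA()
	dev := NewDeviceKey()
	nonce := make([]byte, 32)
	rand.Read(nonce) // the service's fresh, per-request challenge
	cert, _ := ca.IssueAttestation(&dev.PublicKey, "C02CONSTRUCTED1", nonce) // constructed serial
	sig, _ := SignNonce(dev, nonce)
	fmt.Println(VerifyAttestation(cert, sig, nonce, ca.Root, map[string]bool{"C02CONSTRUCTED1": true}))
}
```

The order of the checks matters less than the fact that none of them can be skipped: without the pinned root, anyone can mint an attestation; without a per-request nonce, a genuine attestation can be captured and replayed later; without the signature over the nonce, the attestation proves only that some device exists, not that this client holds its key; and without the enrollment lookup, any genuine Apple device, including a stranger's, would pass.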

When will it be available?

Managed Device Attestation will be available for iOS 16, iPadOS 16, and tvOS 16 as the new operating systems are released in the coming weeks. MDM providers such as Jamf will no doubt add support once it arrives.

Learn more about managed device attestation

Apple developers can learn more about managed device attestation in the WWDC 2022 session that explains it and in the comprehensive overview of device management on Apple's developer site.

Follow me on Twitter or join me at AppleHolic's bar & grill and Apple discussion groups on MeWe.

Copyright © 2022 IDG Communications, Inc.