Common security concerns regarding Apple devices for enterprises

Hexnode
11 min read · Sep 8, 2020

1. Is Touch ID safe for enterprise device security?

Studies have indicated that Touch ID is more secure than a 4-digit password but weaker than a six-character alphanumeric password. Touch ID is considerably easier to use than a password and is unique to the user, unlike passcodes, where employees are often too complacent to create a strong and secure one and normally end up with rehashed numbers and characters.

Touch ID should be acceptable in most enterprise scenarios. If your organization’s operations require greater security, it’s smarter to avoid Touch ID. Touch ID is backed by a password after a restart or repeated failures, yet it’s not surprising to see that the reinforcement password does meet the necessary security standards.

With an MDM, IT admins can secure devices with password requirements such as strength and age. Touch ID can be disabled or enabled from the Hexnode MDM console as the enterprise’s needs dictate.

2. Is Face ID safe for enterprise device security?

Apple leverages the TrueDepth camera for Face ID detection; it consists of a dot projector, a flood illuminator, and an infrared camera. Cases of devices being unlocked with the user’s photo or video, or by an identical twin, were commonly reported among other vendors, but the Face ID feature on Apple devices remains the most difficult to crack. Over the years, users have verified Apple’s assertion that Face ID is 20 times more reliable than Touch ID.

The combination of technologies in face ID provides “presentation attack detection”, making it more suited to enterprise needs. Apple has advised enterprises to allow Face ID in any and all scenarios where you would allow Touch ID. Face ID can be enabled or disabled via the Hexnode MDM portal. MDMs are still in the process of adding more granular features for Face ID management.

3. Is it acceptable to share Apple IDs in enterprises?

An Apple ID identifies an iOS user, unlike a Managed Apple ID, which is an organizational Apple ID that can be used for accessing enterprise features like password resets, role-based administration and more.

In the case of schools and businesses where devices regularly change hands, the use of a personal Apple ID is almost impractical. The introduction of the Volume Purchase Program from iOS 7 has solved this problem. VPP apps are assigned to a personal Apple ID by the organization. By using VPP it is also possible to associate an app with specific devices.

With VPP, apps act as enterprise applications. This ensures that when a user exits the company or the device has to be handed off to another person, their apps may be removed. When a user signs in with his user-specific domain credentials, all applications and settings authorized for that user are deployed by Hexnode MDM.

An Apple ID shared by an organization will be hard to support and scale out. The maximum number of devices that an Apple ID can support is 10; if you want more, redemption codes would be needed. Organizations should therefore plan to move away from using shared Apple IDs and leverage Apple Business Manager or Apple School Manager. To sum up: no, it is never smart to share accounts that will compromise your data or personal information.

4. Should users own the Apple ID they use?

The owner of an Apple ID has access to an iOS feature called ‘find my phone’. It is a feature that allows users to track, lock and wipe the iOS device remotely.

This can become an issue from a business perspective. When employees are allowed to use personal Apple IDs, they have the power to lock the device after they leave. This can be solved by supervising the devices before they are made available to your employees.

A supervised device can circumvent the activation lock. At certain companies, asking departing employees for their email credentials is a usual practice. This can be a headache if both enterprise and personal data are still in the account.

MDMs can be used to bypass the activation lock remotely via the clear activation lock action or using the bypass code obtained from the MDM console (the bypass code is provided by Apple). Employees can use their personal accounts on the organization’s device and, with the activation lock bypass, the organization can wipe the device and reset it for a new user via our remote actions. The ownership of the Apple ID can hence be corporate and need not necessarily be personal.

5. How can enterprises manage the archiving of text messages from iOS devices?

Archiving messages is a requirement in certain industries like healthcare and finance. The iMessage application does not allow EMMs or third parties to access its SMS contents. This is a testament to the high level of security that Apple strives to provide its users.

So, is there a workaround? Yes: use a third-party messaging application that supports archiving and manage its settings. But for this to take effect, it’s necessary to block the iMessage application via the restriction on your Hexnode MDM portal.

6. Should enterprises allow iTunes and iCloud backup on their devices?

iCloud backups can be blocked via your MDM portal, but iTunes backups can only be blocked by supervising the device. This is important as unsanctioned, unmonitored backups can be harmful to the device.

The major issue with backups right now is the inability of MDMs to determine whether a backup is taking place on a private device or a corporate device. Most companies allow encrypted backups on their corporate devices, but this can vary with the policies and user agreements that the company has set up at the start.

Organizations seeking high security prefer to deploy containers that can secure the corporate data from being mishandled. When conducting an iTunes backup, data will be encrypted as on the secure container. It will only be correctly restored on an authorized device. Containers can also inhibit the iCloud backup for business applications. With these precautions in place, allowing a backup will not hurt the enterprise.

7. Is AirDrop secure for corporate use?

AirDrop is the file exchange method between iOS and macOS devices. AirDrop uses Wi-Fi and Bluetooth for connection and transmission of data.

Similar to iCloud and iTunes, the main concern in the case of AirDrop is that a user may accidentally or intentionally use it to share sensitive corporate data with an unauthorized device. The exchange of files via AirDrop requires device pairing and a series of steps, making it a risk especially in cases of deliberate malicious action by an employee.

In the absence of a corporate monitoring setup, it is unwise to allow the sharing of files to private devices via AirDrop. With the help of an MDM, enterprises can manage how AirDrop is used on their corporate devices.

8. Does enabling Siri compromise corporate data?

Siri, Apple’s VPA (virtual personal assistant), can perform actions like setting reminders, providing directions, etc. In some cases, Siri needs access to resources and in other cases, she uses the device functions to perform the specified task.

Siri has been a talking point among security experts for a long time owing to where the data collected is stored. This confusion was publicly cleared up by Apple spokeswoman Trudy Muller in an interview with Wired.com.

Apple revealed that Siri stores a user’s data for up to two years and that all queries are transferred to Apple’s data farm, where a random number is generated to represent the user.

Hexnode MDM provides restrictions to block Siri if an enterprise needs to. These include a restriction that allows or disables Siri’s access to user-generated content. Siri is safe for corporate use, but if your enterprise doesn’t want any data on third-party servers, regardless of Apple’s standards, then disabling it would be the way to go.

9. Why should enterprises use iOS device supervision?

Apple’s device supervision is an iOS device management setup that empowers admins to leverage MDM tools from third parties to exert additional control over iOS devices. Restriction policies such as blocking iTunes backups and pushing updates to the OS can only be imposed on supervised devices.

After Apple announced that some restrictions on iOS features would be limited to supervised devices, the focus has shifted to determining whether the business wants the higher-level protection that requires supervision.

These restrictions include app installation and removal, FaceTime, Safari, explicit content, iCloud documents and data, multiplayer gaming and adding game center friends.

Apple Business Manager should be used to set up supervision, as it allows easy over-the-air deployment into MDMs like Hexnode without any physical connection requirements.

Apart from all these advantages, enrollment in Apple Business Manager also makes for easy deployment of devices in bulk and inhibits the removal of device management as per the needs of the organization.

10. What should the minimum iOS hardware and software requirements be?

For an enterprise, the criteria for deciding hardware and software levels on devices should be based on the requirements, level of policy enforcement and security concerns. With each version of iOS / iPadOS, features have been deprecated to enable a higher security level, so using lower versions can be risky, as it can render the organizational data unsafe.

Devices prior to iPhone 5 cannot upgrade to 10.3.3, which patches a major vulnerability referred to as Broadpwn that affects the Wi-Fi chipset. Devices prior to the iPhone 5s and iPad Air do not have a Secure Enclave to act as a hardware-based root of trust.

To enhance security, it is always advisable to use the latest version, but iOS 10.3+ would be adequate for most use cases currently. Enterprises also need to take into consideration the OS levels and devices that have been retired by Apple, as such devices cannot support certain enterprise applications.

11. How should businesses manage the update of iOS versions on devices?

Apple’s OTA (over-the-air) update mechanism has proven very efficient in providing iOS updates in cases where vulnerabilities have surfaced. Although Apple advises that businesses should bring their software up to date as soon as an update becomes available, there may be bugs with certain enterprise applications such as email and calendar that will persist until a minor patch fix update is released.

Testing an update before rolling it out to all devices is highly recommended to ensure that no such problems occur. MDMs like Hexnode can be used to enforce those updates via policies. IT administrators can track device compliance to ensure that devices are updated in accordance with company standards.

Pushing iOS updates to devices used to be challenging, but with the recent updates by Apple, OS updates can be pushed easily to supervised devices even when they’re locked. While there are workarounds, it is only advisable in scenarios where devices are solely connected to the enterprise network.

Note: Preventing or delaying iOS updates is not supported in iOS.

12. Are Anti-malware applications necessary for iPhones and iPads?

Although it is impossible to state that the Apple App Store is malware-free, it is the closest to it. Not all iOS malware attacks originate from the App Store.

Even though the presence of malware is low, the App Store still contains a small number of “leaky” apps.

Most of the threats present can be avoided with solid restriction policies like jailbreak detection, encryption, OS patching and device authentication through the Hexnode MDM portal.

Newer iOS versions have threat mitigation properties like whitelisting and blacklisting applications and websites, which are available through MDMs. The high security standards set in place by Apple to ensure that its app stores remain secure eliminate the need for any additional anti-malware support, even for enterprises.

13. How can a VPN solution aid iOS devices?

Per-app VPN allows applications to set up a VPN. Apple’s embedded VPN client supports mainstream VPN providers’ requests to connect to the gateways.

iOS supports single sign-on account payload authentication via MDMs, which can be complex for smaller enterprises with limited experience in Kerberos and iOS profiles.

iOS’s single sign-on support, integrated into mainstream VPN and single sign-on solutions, can help reduce the manual configuration effort for enterprises.

The AppConfig Community’s website has a list of third-party ISV apps that have been configured to allow MDMs to consistently support configuration, which can be used for per-app VPN, single sign-on and other common management features without additional customizations.

14. How effective is managed open in for separating sensitive apps and data in an organization?

Apple’s iOS application control feature is called managed open in. Sharing content with social apps like Facebook and LinkedIn is still possible through managed open in. Copying the content from a document in a managed app to a document in an unmanaged app can also be done.

It does not offer security features like 2-factor authentication and single sign-on, which may cause security concerns for certain enterprises looking for higher security.

Enterprises looking for containerization of work data will find managed open in suitable, but there are third-party applications that can be used to serve the same purpose.

There are certain third-party services with proprietary APIs that are currently inaccessible to third-party MDMs, which may cause concerns depending on your organizational usage and requirements.

15. Is the iOS keychain secure enough to store corporate credentials?

iOS devices have a resource called the iOS keychain that can be used to store application credentials such as passcodes and certificates in a secure environment.

MDMs store credentials for resources like Wi-Fi and VPN in the keychain by default, and enterprises should leverage it whenever possible.

A secure passcode on the computer should be required, as a weaker one leaves the keychain exposed through iTunes backups and physical access to the device.

Enterprises with higher security needs should offer solutions for storing credentials apart from the keychain: since it is the default location for hackers to target, it can be highly vulnerable. In such cases, white-box cryptography is leveraged for security.

The iCloud keychain is different from the basic iOS keychain. It is what is used for autofill features, and it is highly advisable to block the use of iCloud keychain for enterprise users via an MDM.
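Several of the settings discussed in questions 5 to 8, 14 and 15 correspond to keys in the Restrictions payload (`com.apple.applicationaccess`) of an Apple configuration profile. The script below is an added example, not Hexnode's code: the baseline values and the sample profile are assumptions constructed for illustration, and it reports which of those restrictions a profile leaves at a weaker value.

```python
import plistlib

# Assumed high-security baseline: Restrictions-payload key -> required value.
BASELINE = {
    "allowChat": False,                        # Q5: block iMessage (supervised only)
    "allowCloudBackup": False,                 # Q6: no iCloud backup
    "forceEncryptedBackup": True,              # Q6: local backups must be encrypted
    "allowAirDrop": False,                     # Q7: block AirDrop (supervised only)
    "allowAssistant": False,                   # Q8: block Siri
    "allowOpenFromManagedToUnmanaged": False,  # Q14: managed open in
    "allowCloudKeychainSync": False,           # Q15: block iCloud keychain
}
# Value iOS uses when a key is absent from every payload: for each key listed
# above, the default is the opposite of the restrictive setting.
DEFAULTS = {key: not required for key, required in BASELINE.items()}


def audit_profile(profile_bytes):
    """Return {key: effective value} for each restriction that misses BASELINE."""
    profile = plistlib.loads(profile_bytes)
    effective = dict(DEFAULTS)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, required in BASELINE.items():
            # When several payloads set the same restriction, the most
            # restrictive value wins; here that is always the baseline value.
            if payload.get(key) == required:
                effective[key] = required
    return {k: v for k, v in effective.items() if v != BASELINE[k]}


# Constructed sample profile (not taken from any real deployment).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-example"},
        {"PayloadType": "com.apple.applicationaccess",
         "allowCloudBackup": False, "allowAirDrop": False,
         "forceEncryptedBackup": True, "allowCloudKeychainSync": True},
    ],
})

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: effective value {value}, baseline requires {BASELINE[key]}")
```

Keys missing from the profile are reported as well, because an absent restriction leaves the feature at its permissive default.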

16. How can enterprises handle connected Apple devices such as Apple Watch and Apple TV?

The enterprise use case for Apple Watches is still limited. Apple Watch is mainly used to access data and apps on iPhones and can be used for sending messages and payments.

Calls can be made directly from Apple Watch 3 and above with the help of an embedded SIM, using the same phone number as the iPhone. It can also be used as the second factor of authentication in certain scenarios.

The recent rise in Apple Watch usage can pose security risks, and an MDM’s control over it isn’t exactly granular. Most advanced settings are still controlled by the users.

Enterprises with higher security requirements should leverage privacy-related policies to inhibit sensitive notifications until the user requests it.

In most cases, smartwatches are privately owned and should be considered as BYOD. Employees can use the watches they own in the enterprise as long as they’re willing to comply with the enterprise’s policies.

Apple has also allowed MDM support for tvOS. Enterprises can push applications, set kiosks, send configurations to restrict incoming AirPlay, Remote app pairing and more.

These controls are expected to get more granular in the coming updates.

Hexnode

Hexnode MDM is an award-winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.