Two sessions I attended at last week’s Worldwide Developer Conference (WWDC) — the Managed Device Attestation and Secure Endpoint sessions — highlight the company’s commitment to delivering increased capabilities for security tools. While both were naturally oriented more to developers of device management and security solutions than to end users or IT admins, some of the additional capabilities developers will be able to build into enterprise tools are noteworthy.
Managed Device Attestation
Let’s start with Managed Device Attestation, a new capability that helps ensure servers and services (on-premise or in the cloud) only respond to legitimate requests for access to resources.
The use of cloud services and the deployment of mobile devices both grew in tandem (and exponentially) during the past 10 years, which changed the enterprise security landscape significantly. A decade or so ago, having strong security at the network perimeter coupled with VPN and similar secure remote access tools was the primary way of securing a network — and all enterprise information.
Security today, though, is much more complex. Many resources live outside the corporate network entirely, and that means trust evaluation has to occur across a broad range of local, remote, and cloud services. This typically encompasses multiple providers and each needs to be able to establish that the users and devices connecting to them are legitimate; that goes well beyond simple authentication and authorization.
Today, services rely on user identity, device identity, location, connectivity, date and time, and device management state to determine whether requests for access are valid. Services can use any or all of these criteria, and most — including MDM solutions — can use these criteria when granting or denying access.
Depending on the sensitivity of the data, simple user authentication may be enough for a given security posture or it may be prudent to rely on all of these criteria before granting access, particularly for sensitive or administrative systems.
One of the more powerful criteria is device identity. It ensures that any device accessing your organization’s systems (including MDM services) and resources is both known and trusted. Today, Apple device identity includes the following information: the unique ID of the device in Apple’s MDM protocol, information returned by the MDM Device Information query (which includes things such as serial number, IMEI number, and so forth), and security certificates that have been issued to the device.
In iOS/iPadOS/tvOS 16, Apple is building in additional capabilities to establish device identity: Device Attestation. Basically it’s a way to establish the authenticity of a device using known information about it that can be verified by Apple using the company’s Attestation servers. The information Apple uses to do this includes specifics about the Secure Enclave on the device, manufacturing records, and the operating system catalog.
The attestation looks at the device itself, not the OS or apps installed on it. This is important because it means that a device might be compromised, yet Apple would still attest to it being the device it claims to be. As long as the Secure Enclave is intact, attestation will proceed. (MDM services, however, can verify the integrity of the OS.)
Attestation can be used in two ways. The first is to verify a device’s identity so an MDM service knows the device is what it claims to be. The second is for secure access to resources within your environment. Implementing this latter use of attestation requires deployment of an ACME (Automatic Certificate Management Environment) server or service in your organization. This offers the strongest proof of device identity and configures client certificates similar to the way SCEP (Simple Certificate Enrollment Protocol) does.
When the ACME server receives an attestation, it will issue a certificate allowing access to resources. Proof from attestation certificates assures the device is genuine Apple hardware, and includes the device identity, device properties, and hardware-bound identity keys (related to the device’s Secure Enclave).
Apple notes there are a number of reasons attestation might fail and that some failures — such as network issues or problems with the company’s attestation servers — don’t indicate a malicious issue. Three types of failures, however, do indicate a potential problem that should be remediated or investigated. These include modified device hardware, unrecognized or modified software, or situations where the device is not a genuine Apple device.
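The issuance decision described above, written out as an added example (not code from Apple or from any MDM vendor): the verifier treats network and attestation-server failures as transient, treats modified hardware, modified software or non-genuine hardware as something to investigate, checks the attested identity against the MDM's own inventory, and, because attestation vouches for the hardware rather than the OS, still requires the MDM's separate OS integrity check. The result fields, failure names and inventory layout are assumptions for this example, not Apple's formats.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed, simplified model of what an ACME/MDM verifier sees after Apple's
# attestation servers answer. Field and failure names are assumptions for this
# example, not Apple's wire format.

class Verdict(Enum):
    ISSUE = "issue client certificate"
    RETRY = "transient failure, retry later"
    INVESTIGATE = "deny and investigate"

TRANSIENT = {"network_error", "attestation_server_unavailable"}   # not malicious
SUSPICIOUS = {"modified_hardware", "modified_software", "not_genuine"}

@dataclass
class AttestationResult:
    ok: bool
    serial: Optional[str] = None   # device identity carried in the attestation
    udid: Optional[str] = None     # unique ID in Apple's MDM protocol
    failure: Optional[str] = None  # set when ok is False

def evaluate(result, inventory, os_integrity_ok):
    """Decide whether to issue a certificate for a device.

    inventory maps the serial numbers of enrolled devices to their MDM UDIDs;
    os_integrity_ok is the MDM's own OS check, since attestation vouches for
    the hardware, not the software running on it.
    """
    if not result.ok:
        if result.failure in TRANSIENT:
            return Verdict.RETRY, result.failure
        # Modified hardware/software, non-genuine hardware and anything
        # unrecognised are treated as a problem rather than silently retried.
        return Verdict.INVESTIGATE, result.failure or "unknown failure"
    expected_udid = inventory.get(result.serial)
    if expected_udid is None:
        return Verdict.INVESTIGATE, "genuine device but not enrolled"
    if expected_udid != result.udid:
        return Verdict.INVESTIGATE, "identity mismatch with MDM record"
    if not os_integrity_ok:
        return Verdict.INVESTIGATE, "genuine hardware but OS integrity check failed"
    return Verdict.ISSUE, "genuine, enrolled device"
```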
Device Attestation offers unparalleled device identity verification. Even if you aren’t interested in setting up ACME services throughout your environment, enabling attestation for your MDM solution is an easy and obvious choice. Exactly how it will function, though, will depend on how various MDM vendors implement the functionality. It’s also possible that some vendors will build ACME services into their MDM offerings, making it easy to take full advantage of this new capability.
The second WWDC session involved Secure Endpoint. It introduced new functionality for Apple’s Secure Endpoint API and was intended for developers of various types of Mac security tools. Apple is enabling developers to implement new types of events, including authentication, login/logout, and XProtect/Gatekeeper events.
- Authentication events that are now accessible to the Secure Endpoint API include password authentication, Touch ID, the issuing of cryptographic tokens, and Auto Unlock using an Apple Watch. Developers can use these to look for patterns of suspicious access attempts (successful or not) and deal with them in a variety of ways, from simple alerts to further actions.
- Developers will now be able to use the Secure Endpoint API to examine login/logout of various types, including from the login window (logging in directly to the Mac using the keyboard), login via screen sharing, SSH connection, and command line login. Again, the value here is the ability to look for and flag suspicious login activity or attempts.
- XProtect/Gatekeeper will enable developers to use the Secure Endpoint API to access information when malicious software is detected, as well as when it has been remediated — either automatically or via IT personnel.
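The "look for patterns of suspicious access attempts" idea from the authentication and login bullets, as an added example that is not part of Apple's session or API: a small sliding-window detector run over a constructed batch of authentication and login events. It raises one alert when a user accumulates a burst of failed authentications within the window, and another when a login or authentication then succeeds on the heels of that burst. The event dictionary layout, method and source names, and thresholds are assumptions for this example, not the Endpoint Security event structure.

```python
from collections import defaultdict, deque

# Constructed sample events, loosely modelled on authentication and login
# events a security tool might receive; the layout is an assumption.
EVENTS = [
    {"t": 0,   "kind": "auth",  "method": "password",   "user": "alice", "success": False},
    {"t": 5,   "kind": "auth",  "method": "password",   "user": "alice", "success": False},
    {"t": 9,   "kind": "auth",  "method": "password",   "user": "alice", "success": False},
    {"t": 12,  "kind": "auth",  "method": "password",   "user": "alice", "success": False},
    {"t": 15,  "kind": "login", "source": "ssh",        "user": "alice", "success": True},
    {"t": 40,  "kind": "auth",  "method": "touchid",    "user": "bob",   "success": True},
    {"t": 300, "kind": "auth",  "method": "autounlock", "user": "alice", "success": True},
]

WINDOW = 60     # seconds of history kept per user
THRESHOLD = 3   # failures within WINDOW that count as a burst

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (time, user, reason) alerts, oldest first."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        recent = failures[ev["user"]]
        # Drop failures that fell out of the window.
        while recent and ev["t"] - recent[0] > window:
            recent.popleft()
        if not ev["success"]:
            recent.append(ev["t"])
            if len(recent) == threshold:   # alert once when the burst starts
                alerts.append((ev["t"], ev["user"], f"{threshold} failures within {window}s"))
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the pattern worth flagging.
            via = ev.get("source") or ev.get("method")
            alerts.append((ev["t"], ev["user"], f"success via {via} after {len(recent)} recent failures"))
            recent.clear()
    return alerts
```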
Some of this functionality was previously available to developers using the OpenBSM audit trail, which was deprecated beginning in macOS Big Sur. Although still available, it will be removed in a future macOS release.
While both of the sessions were aimed at developers rather than front-line IT personnel, they highlight the new technologies Apple is offering to enterprise and security vendors. And they underscore Apple’s understanding of the changing enterprise security landscape and its commitment to giving enterprises the tools they need to bolster security.