Common security concerns regarding Apple devices for enterprises

Jayden Traoré

Apr 4, 2020

14 min read

1. Is it safe to use Touch ID?

Touch ID is more secure than a 4-digit passcode but no stronger than a six-character alphanumeric passcode. It is also far more user friendly, and it stays unique to the user, unlike passcodes, which users tend to keep short and predictable, often a run of repeated digits or characters.

Touch ID should be acceptable in most enterprise scenarios, but if your organization demands more, it is better to stay away from it. Touch ID is always backed by a passcode, which iOS requires after a restart, after five failed fingerprint attempts or after 48 hours without an unlock, and in practice that fallback passcode is often the weak link.

Coming to MDMs: IT admins can enforce passcode requirements such as minimum length, complexity and maximum age, and Touch ID can be disabled or enabled from the Hexnode MDM console. Another option is to put a separate authentication step, such as a personal information manager or container app, in front of enterprise data and apps, so that unlocking the device alone does not expose them.

Another scenario to watch is employee travel. If a device is seized by law enforcement while abroad, Touch ID may work against you: most jurisdictions protect against being compelled to unlock a device, but some allow fingerprints to be compelled where a passcode cannot be. Look this over before letting your employees travel again.

The practical fix is to change the passcode-related policies on those employees' devices at travel time from the Hexnode MDM portal (turn biometric unlock off and tighten the passcode policy), so that your data stays safe and your employees have a happy journey.
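As an added example (illustrative code written for this page, not Hexnode's or Apple's), here is what the policy shift described above looks like at the level of the configuration profile an MDM ships to the device: a passcode policy payload that holds the fallback passcode to the six-character alphanumeric bar, and a travel variant of the restrictions payload that turns biometric unlock off. Payload types and key names are Apple's documented configuration-profile keys; the `com.example` identifiers, the concrete values (10 failed attempts, 15 minute grace period, 90 day age) and the `meets_touch_id_bar` check are assumptions chosen for illustration.

```python
"""Passcode-policy and travel-time restriction payloads for an iOS profile.

Added example for this article, not Hexnode's or Apple's code. Payload types
and keys are Apple's documented configuration-profile keys; the identifiers,
numeric values and the bar-check below are assumptions for illustration.
"""
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def _payload_header(ptype, ident, name):
    """Common keys every payload dictionary must carry."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,               # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def passcode_payload(min_length=6, alphanumeric=True, max_failed=10,
                     max_inactivity_min=5, grace_min=15, max_age_days=90):
    """Passcode policy: the fallback behind Touch ID is only as strong as this."""
    p = _payload_header(PASSCODE_TYPE, "com.example.passcode", "Passcode")
    p.update({
        "forcePIN": True,                     # a passcode is mandatory
        "allowSimple": False,                 # rejects 1111, 1234 and similar
        "requireAlphanumeric": alphanumeric,  # at least one letter required
        "minLength": min_length,
        "maxFailedAttempts": max_failed,      # device wipes after this many misses
        "maxInactivity": max_inactivity_min,  # auto-lock after N idle minutes
        "maxGracePeriod": grace_min,          # minutes before passcode is re-asked
        "maxPINAgeInDays": max_age_days,
        "pinHistory": 5,                      # block reuse of the last 5 codes
    })
    return p


def restrictions_payload(travel_mode=False):
    """Restrictions payload. allowFingerprintForUnlock governs both Touch ID and
    Face ID; travel mode turns biometric unlock off, leaving only the passcode."""
    r = _payload_header(RESTRICTIONS_TYPE, "com.example.restrictions", "Restrictions")
    r["allowFingerprintForUnlock"] = not travel_mode
    return r


def meets_touch_id_bar(policy):
    """True when the fallback passcode is at least a six-character alphanumeric
    code that is not 'simple', the bar the article sets for Touch ID's backup."""
    return bool(policy.get("forcePIN")
                and not policy.get("allowSimple", True)
                and policy.get("requireAlphanumeric")
                and policy.get("minLength", 0) >= 6)


def build_profile(travel_mode=False):
    """Serialize both payloads into a .mobileconfig (XML plist) as bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ios-security",   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Travel" if travel_mode else "Standard",
        "PayloadContent": [passcode_payload(), restrictions_payload(travel_mode)],
    }
    return plistlib.dumps(profile)


def biometrics_allowed(profile_bytes):
    """Parse a serialized profile and report whether biometric unlock is allowed."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == RESTRICTIONS_TYPE:
            return payload.get("allowFingerprintForUnlock", True)
    return True   # no restrictions payload present: iOS default is to allow


if __name__ == "__main__":
    with open("standard.mobileconfig", "wb") as f:
        f.write(build_profile())
    with open("travel.mobileconfig", "wb") as f:
        f.write(build_profile(travel_mode=True))
```

Swapping the "Standard" profile for the "Travel" one on a traveller's device is the whole change: the passcode policy is identical, only `allowFingerprintForUnlock` flips, so the user is prompted for the (now mandatory, six-character alphanumeric) passcode instead of a fingerprint for the duration of the trip.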

2. What about face ID? Is it safe to use?

iPhone X, you remember the launch, right? The much-discussed Face ID "fail". It may have failed during the demo, but I see that failure as an ode to its security and quality. As a consumer, a delayed unlock because your face was not clearly captured is frustrating, but for an enterprise it is exactly what you want: the harder it is to get into the device, the safer the data on it.

Apple uses the TrueDepth camera, which consists of a dot projector, a flood illuminator and an infrared camera. Isolated reports of Face ID being fooled by identical twins or close relatives (the depth map defeats ordinary photos and videos) have not stopped Apple from stating that Face ID is 20 times more secure than Touch ID: a false-match rate of roughly 1 in 1,000,000 against Touch ID's 1 in 50,000.

The combination of technologies in Face ID provides "presentation attack detection", making it well suited to enterprise needs. Apple's own guidance to enterprises is to allow Face ID in any scenario where you would allow Touch ID. Hexnode MDM can enable or disable Face ID on supervised iOS devices and is working to bring you the latest Face ID related restrictions and features as Apple releases them.


3. Is it smart to share an Apple ID?

The answer is no. Sharing an account that holds personal information, or whose compromise exposes your data, is never smart. An Apple ID identifies an iOS user. There is also the Managed Apple ID, an organization-owned Apple ID created through Apple Business Manager or Apple School Manager, which gives the organization features like password resets and role-based administration.

In older iOS versions, purchased apps were tied to the purchasing Apple ID, which is why some organizations resorted to shared Apple IDs.

In schools and companies where devices change hands regularly, personal Apple IDs are close to impractical. The Volume Purchase Program (VPP) with managed distribution, introduced alongside iOS 7, solved this: the organization assigns VPP app licences to users' Apple IDs, and since iOS 9 a licence can be assigned to a specific device directly, with no Apple ID on the device at all.

With VPP, apps behave as enterprise applications: the organization retains the licence, so the app can be removed and the licence reclaimed when a user leaves or the device is handed to another user. When a user signs in with their user-specific domain credentials, Hexnode MDM deploys all apps and settings authorized for that user.

A shared organizational Apple ID is hard to support and scale: an Apple ID can be associated with at most 10 devices, and beyond that you are back to redemption codes. Organizations should therefore plan to move away from shared Apple IDs and onto VPP.

4. Should users own the Apple ID?

The owner of an Apple ID has access to the iOS feature Find My iPhone, which lets the user track, lock and wipe the device remotely, and which turns on Activation Lock so the device cannot be reactivated after a wipe without that Apple ID's credentials.

From an enterprise point of view this is a problem: an employee who signed in with a personal Apple ID on a corporate device can effectively lock it after leaving. Supervising devices before handing them to employees solves this.

On a supervised device the MDM can bypass Activation Lock. Some organizations simply ask departing employees for their Apple ID credentials, which is a headache when the account mixes personal and enterprise data.

Hexnode MDM can clear the lock remotely with the Clear Activation Lock action, or with the bypass code shown in the MDM console (the code is generated by the device at enrollment and escrowed with the MDM, and is entered in place of the Apple ID password on the activation screen).

Employees can therefore use personal accounts on an organization-owned device, and with the Activation Lock bypass in hand the organization can still wipe the device and reset it for a new user via our remote actions.

5. How can we archive text messages from iPhone?

Archiving messages is a requirement in regulated industries like healthcare and finance. Apple's Messages app does not expose its SMS or iMessage content to EMMs or third parties, a testament to the level of privacy Apple strives to provide its users.

So is there a workaround? Yes: use a third-party messaging app that supports archiving and manage its archiving settings through the MDM. For this to be effective, block the built-in Messages app via the app restriction in your Hexnode MDM portal, otherwise users will simply route around the archive.

6. Should we allow iTunes and iCloud backup?

iCloud backups can be blocked from your Hexnode MDM portal on any enrolled device, but iTunes backups (host pairing) can only be blocked on supervised devices. This matters because an unsanctioned, unmonitored backup puts a full copy of the device's data somewhere you do not control.

The major issue with backups right now is that MDMs cannot tell whether a backup is being taken to a private computer or a corporate one. Most companies allow encrypted backups of their corporate devices, but this varies with the policies and user agreements the company set up at the start.

Organizations with higher security needs prefer containers that keep corporate data from being mishandled. Container data is stored encrypted, so it lands in an iTunes backup only in encrypted form and is only restored correctly onto an authorized device. Containers can also exclude business apps from iCloud backup.

7. Is AirDrop secure for corporate use?

AirDrop, the file exchange between iOS and macOS devices, uses Bluetooth for discovery and a peer-to-peer Wi-Fi link for the transfer itself.

As with iCloud and iTunes, the main concern is that a user may accidentally or intentionally AirDrop sensitive corporate data to an unauthorized device. Sending a file needs no prior pairing, just proximity and a couple of taps, so while a mis-tap to a nearby stranger is possible, the bigger risk is deliberate exfiltration by an employee.

Without a corporate monitoring setup it is unwise to allow file sharing to private devices via AirDrop. Hexnode can manage AirDrop on your corporate devices: disabling it outright is a supervised-only restriction, and the alternative is to treat AirDrop as an unmanaged destination so that managed apps cannot share into it. Fret not.

8. Is it safe to use SIRI? Is she a spy?

"Hey Siri, are you safe to use?" It would have been ironic if Siri actually answered that, but for now all you get is "I don't have the answer for that. Is there something else I can help you with?" Even Siri doesn't know whether she is safe to use. I guess Siri doesn't have an answer for everything after all. Disappointing, but better than false information.

Siri, Apple's virtual personal assistant (VPA), can set reminders, provide directions and so on. For some requests Siri needs access to data on the device; for others she drives device functions to perform the task.

Siri has long been a talking point among security professionals because of where the collected data is stored. Apple spokeswoman Trudy Muller cleared the confusion up publicly in an interview with Wired.com.

Apple explained that Siri data is kept for up to two years and that all queries are sent to Apple's servers, where a random identifier, rather than the Apple ID, is generated to represent the user.

Hexnode MDM provides a restriction to block Siri, which is highly advisable for companies handling sensitive data. It also offers the "Allow Siri user-generated content" option, which on supervised devices stops Siri from pulling in content from the web.

9. Why and how should we use iOS device supervision?

Apple's device supervision is a management mode for iOS devices that lets admins exercise additional control through a third-party MDM. Restrictions like blocking iTunes backups, or pushing OS updates, can only be enforced on supervised devices.

Since Apple announced that certain restrictions would be confined to supervised devices (from iOS 13), enterprises have had to decide whether they need the higher level of control that requires supervision.

These restrictions include app installation and removal, FaceTime, Safari, explicit content, iCloud Documents & Data, multiplayer gaming and adding Game Center friends.

Apple Business Manager is the right way to obtain supervision: Automated Device Enrollment supervises the device over the air and enrolls it into an MDM like Hexnode with no physical connection, whereas the alternative, Apple Configurator, needs a USB connection and wipes the device.

Beyond that, Apple Business Manager enrollment allows easy bulk deployment of apps and can make MDM enrollment non-removable, as the organization requires.

10. What should our minimum iOS hardware and software requirements be?

As an enterprise, the criteria for deciding hardware and software baselines should be your requirements, the level of policy enforcement needed and your security concerns. With each iOS / iPadOS release, features are deprecated or hardened in the name of security, so running older versions can leave organizational data unsafe. Devices prior to the iPhone 5 cannot upgrade to iOS 10.3.3, which patched a major Wi-Fi chipset vulnerability known as Broadpwn, and devices prior to the iPhone 5s and iPad Air have no Secure Enclave to act as a hardware-based root of trust.

For security it is always best to run the latest version, but if you need a number, iOS 10.3+ is the floor for most use cases; the more durable rule is that the floor should be the oldest release still receiving Apple's security updates. Enterprises also need to consider OS versions and devices that Apple has retired, since such devices cannot run certain enterprise applications.

11. How should we go about updating iOS versions on devices?

Apple's over-the-air (OTA) updates have proven very efficient at delivering iOS fixes when vulnerabilities surface. Apple recommends that enterprises update to the latest version as soon as it is available, but there can be problems with certain enterprise apps like email and calendar clients that persist until a minor patch release is issued.

It is highly recommended to test an update before rolling it out to all devices, to make sure such issues do not occur. MDMs like Hexnode can enforce these updates via policies, and IT admins can monitor compliance to ensure every device is updated to the enterprise standard.

Pushing iOS updates to devices used to be challenging, but with Apple's recent changes OS updates can be pushed to supervised devices even while they are locked.

Blocking iOS updates outright is not supported, but on supervised devices an MDM can defer the visibility of a new update for up to 90 days, which buys time for testing.

Other workarounds exist, but they are only advisable where devices connect solely to the enterprise network.
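Questions 6 through 9 and 11 above all share one practical caveat: several of the restrictions mentioned (host pairing for iTunes backups, AirDrop, Siri's access to web content, update deferral and the iOS 13 set) are silently ignored on an unsupervised device, and the profile still installs without error. As an added example (written for this page, not Hexnode's or Apple's code), the audit below takes a restrictions payload and a list of enrolled devices, reports which keys will have no effect on each device, and checks that an update deferral stays inside Apple's 1 to 90 day window. The key names are Apple's documented restriction keys; the `SUPERVISED_ONLY` set reflects Apple's documentation at the time of writing, and the sample payload and device records are constructed for illustration.

```python
"""Audit an iOS restrictions payload against the supervision state of devices.

Added example for this article, not Hexnode's or Apple's code. Key names are
Apple's documented restriction keys; SUPERVISED_ONLY lists the ones iOS ignores
on unsupervised devices. Sample payload and device records are constructed.
"""

# Restriction keys that only take effect when the device is supervised.
SUPERVISED_ONLY = {
    "allowHostPairing",               # Q6: blocks iTunes/Finder pairing and backups
    "allowAirDrop",                   # Q7
    "allowSiriUserGeneratedContent",  # Q8: Siri fetching web content
    "allowFingerprintModification",   # enrolling new fingerprints or faces
    "forceDelayedSoftwareUpdates",    # Q11: defer update visibility
    # Moved to supervised-only in iOS 13 (Q9):
    "allowAppInstallation", "allowAppRemoval", "allowVideoConferencing",
    "allowSafari", "allowExplicitContent", "allowCloudDocumentSync",
    "allowMultiplayerGaming", "allowAddingGameCenterFriends",
}

# Constructed sample: what an admin might tick in the console.
SAMPLE_RESTRICTIONS = {
    "PayloadType": "com.apple.applicationaccess",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.restrictions",   # assumed identifier
    "allowiCloudBackup": False,              # Q6: works on any enrolled device
    "allowHostPairing": False,               # Q6: iTunes backups, supervised only
    "allowAirDrop": False,                   # Q7: supervised only
    "allowAssistant": False,                 # Q8: Siri off, works unsupervised
    "allowSiriUserGeneratedContent": False,  # Q8: supervised only
    "forceDelayedSoftwareUpdates": True,     # Q11: supervised only
    "enforcedSoftwareUpdateDelay": 14,       # days; Apple allows 1..90, default 30
}

# Constructed sample fleet records (UDIDs are fake).
SAMPLE_DEVICES = [
    {"udid": "CORP-0001", "supervised": True},
    {"udid": "CORP-0002", "supervised": True},
    {"udid": "BYOD-0001", "supervised": False},
]


def ineffective_keys(payload, supervised):
    """Restriction keys in `payload` that iOS will ignore on this device."""
    if supervised:
        return []
    return sorted(k for k in payload if k in SUPERVISED_ONLY)


def validate_update_delay(payload):
    """Problems with the update-deferral settings (empty list when fine)."""
    problems = []
    if payload.get("forceDelayedSoftwareUpdates"):
        delay = payload.get("enforcedSoftwareUpdateDelay", 30)  # Apple's default
        if not isinstance(delay, int) or not 1 <= delay <= 90:
            problems.append(f"enforcedSoftwareUpdateDelay={delay!r} outside 1..90 days")
    elif "enforcedSoftwareUpdateDelay" in payload:
        problems.append("enforcedSoftwareUpdateDelay set but "
                        "forceDelayedSoftwareUpdates is not true")
    return problems


def audit_fleet(payload, devices):
    """Map each device UDID to the list of keys that will not apply to it."""
    return {d["udid"]: ineffective_keys(payload, d["supervised"]) for d in devices}


def report(payload, devices):
    """Human-readable summary for the console."""
    lines = [f"update-delay: {p}" for p in validate_update_delay(payload)]
    for udid, keys in audit_fleet(payload, devices).items():
        if keys:
            lines.append(f"{udid}: unsupervised, ignoring {', '.join(keys)}")
        else:
            lines.append(f"{udid}: all restrictions effective")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESTRICTIONS, SAMPLE_DEVICES))
```

Running it on the constructed fleet flags `BYOD-0001`: `allowiCloudBackup` and `allowAssistant` still apply there, but the iTunes-backup block, the AirDrop block, the Siri web-content block and the update deferral do not, which is exactly the gap a compliance dashboard that only checks "profile installed" will miss.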

12. Do we need anti-malware for our iPhones and iPads?

Though it is impossible to claim that the Apple App Store is free of malware, it is still leaps and bounds better than its competitors. Not all iOS malware arrives through the App Store either; sideloaded enterprise-signed apps and jailbroken devices are the usual routes.

Even though the presence of malware is low, the store still contains a good number of "leaky" apps that over-collect or mishandle data.

Most current threats can be mitigated with solid policies: jailbreak detection, encryption, OS patching and device authentication, all available in the Hexnode MDM portal.

Newer iOS versions support mitigations like whitelisting and blacklisting applications and websites, available through MDMs like Hexnode. Enforcing such policies will not remove the risk entirely, but it is a step in the right direction towards better security.

13. Do we need a VPN solution for iOS devices?

Per-app VPN lets the MDM bind a VPN connection to specific managed apps, so only their traffic crosses the tunnel. Apple's built-in VPN client supports the mainstream VPN providers' connection types for reaching their gateways.

iOS supports single sign-on via the SSO account payload delivered by an MDM, which can be complex for smaller enterprises with limited experience in Kerberos and iOS profiles.

iOS's single sign-on support can reduce manual configuration effort for enterprises through its integration with mainstream VPN and single sign-on solutions.

The AppConfig Community's website lists third-party ISV apps that support managed app configuration, so that MDMs can consistently configure them for per-app VPN, single sign-on and other common management features without additional customization.

14. Do we need a container for sensitive apps and data?

Apple's iOS data-flow control feature is called Managed Open In. It governs whether documents move between managed (corporate) and unmanaged (personal) apps, but on its own sharing content to social apps like Facebook or LinkedIn is still possible, and copying text from a managed app's document into an unmanaged one is also possible.

It does not offer features like two-factor authentication or single sign-on, which may concern enterprises looking for higher security.

Enterprises looking to containerize work data will find Managed Open In adequate for many cases, but third-party containerization products still offer more choice and finer-grained control over data access.

Certain third-party services use proprietary APIs that are not accessible to third-party MDMs, which may be a concern depending on your organization's usage and requirements.

15. Should we use the iOS keychain to store credentials?

iOS devices have a system keychain that apps use as a secure store for credentials such as passcodes, tokens and certificates; items are encrypted with keys protected by the Secure Enclave and tied to the device passcode.

MDMs store credentials for resources like Wi-Fi and VPN in the keychain by default, and enterprises should use it whenever possible.

A strong device passcode should be mandated: keychain items that unlock with the device are protected by keys derived from the passcode, so a weak one exposes them to anyone with physical access. Keychain items that are not marked device-only also travel inside encrypted iTunes backups, whose protection depends on the backup password, so that must be strong too.

Enterprises with higher security needs should consider solutions beyond the keychain for their most sensitive credentials, since it is the default target for an attacker once a device is compromised. White-box cryptography is one approach used to protect keys in such cases.

iCloud Keychain is different from the on-device iOS keychain: it syncs passwords and autofill data across the user's devices through iCloud, and it is highly recommended to block it for enterprise users via Hexnode MDM.

16. How should we handle connected Apple devices such as Apple Watch and AppleTV?


The enterprise use case for Apple Watch is still limited. It is mainly used to access data and apps from the paired iPhone, and for sending messages and making payments.

Calls can be made directly from the watch on Apple Watch Series 3 cellular models and later, using an embedded SIM that shares the iPhone's number. The watch can also serve as a second authentication factor in certain scenarios.

The recent rise in Apple Watch usage poses security risks, and MDM control over the watch is not granular; most advanced settings are still controlled by the user.

Enterprises with higher security requirements should use the privacy-related notification settings so that sensitive notification content is not shown on the watch until the user asks for it.

In most cases smartwatches are privately owned and should be treated as BYOD. Employees can use the watches they own in the enterprise as long as they are willing to comply with the enterprise's policies.

Apple also supports MDM for tvOS. Enterprises can push applications, set up kiosk mode, and send configurations that restrict incoming AirPlay, Remote app pairing and more.

These controls are expected to get more granular in the coming updates.

Jayden Traoré

Product Evangelist @ Hexnode. Sometimes, I have the feeling I live in a story: a magnificent story written by a mediocre writer living off coffee and technology.
