Last Updated: 10th April, 2020
Apple Device Security and Hardware Security: According to Digital Trends, workers consider Apple products the most preferred and most reliable option for privacy. Tim Cook has been outspoken about the company's responsibility for user security, and Apple's recent WWDC event introduced new privacy and security features such as managed Apple IDs for business.
Nevertheless, misconceptions and concerns persist about Apple device security and hardware security compared to other platforms. Below are our top five areas where misinformation lingers, together with the facts IT decision makers and their organizations need about Apple device security.
Misconception #1: You Should Approach macOS Security The Same Way As Windows Security
When it comes to Apple operating systems, many Apple device security and hardware security capabilities are built natively into the platform and don't require the additional support of a third-party solution. Apple's native solutions include an application firewall, a signature verification (application whitelist/blacklist) solution (Gatekeeper), an antivirus solution (XProtect) and a malware removal tool (MRT). Additionally, the requirement that applications be notarized in macOS Catalina raises the trust bar for macOS software, making malware and adware attacks more difficult.
To get the most out of Apple's efforts, an enterprise should start with visibility into these built-in Apple native technologies. This shift in thinking lets the infosec and IT teams evaluate which risks the operating system already mitigates natively. They can then focus on identifying processes and tools that work with Apple's native approaches to fill any remaining gaps in visibility and increase protection of their devices.
Misconception #2: MDM Is Not Critical To Apple Device Security
Occasionally, organizations still deploy devices by lining them up one by one and manually walking through each setup step, mainly because they treat them as they would a consumer device. Or they have a device management tool that cannot auto-enroll and configure Apple devices, forcing employees back to a manual deployment.
The problem is that not leveraging the management capabilities of Apple devices not only consumes a lot of time but can also leave security gaps.
Automated Mobile Device Management (MDM) enrollment is more than just installing a profile and saving time. It establishes organizational ownership and unlocks additional Apple device security and hardware security features, including the ability to make profiles non-removable. Organizations can configure and validate that a device is secure before any user or company data is placed on it.
Also, if an organizationally owned and MDM-enrolled device becomes inaccessible due to a forgotten passcode or missing user credentials, data and Activation Lock recovery options are available.
The most secure and preferred way to deploy devices is via Apple Business Manager's Automated MDM enrollment. This workflow automatically provisions your devices: not only does it seamlessly enroll and configure a device, but several additional "supervision" features are unlocked automatically. This changes the DNA of the device, marking it as company-owned and therefore granting elevated rights to manage the device itself.
With the profiles and additional controls that certain MDM providers offer for Apple devices, an organization can ensure that all devices are configured appropriately and secure by default.
Misconception #3: Apple IDs Are Difficult To Use
A few common Apple ID workflows create Apple device security and hardware security gaps. Most organizations don't realize that by reimbursing employees for apps, or letting them "just download" a free app, they are essentially giving the employee not only ownership of the app but also ownership of the data, which can create security gaps.
That's where Apple's Volume Purchasing of Apps and Books comes in. When this service is used in combination with MDM, organizations can deploy apps securely and independently of any personal Apple ID. Think of it as a company Apple ID that lets organizations not only distribute apps easily but also retain ownership of the apps and of the company or client data within those apps.
In situations where personally owned devices (such as BYOD iPhones) are desired, managed Apple IDs can be used to provide the same capabilities, protecting and separating ownership of personal and organizational data.
Misconception #4: Additional Encryption Tools Are Required
One of the biggest misunderstandings about Apple devices is the belief that additional third-party encryption tools must be deployed and administered. Third-party encryption software is definitely not required for an Apple device. Why? Because encryption is included. On the iOS side, AES encryption is built into the hardware and enforced with a passcode requirement.
VPN support is built into iOS, and with certain MDMs it can be configured as per-app VPN. Biometric access such as Face ID leverages a hardware-based key manager called the Secure Enclave for access to the device, apps and resources.
Provided that the Apple devices are appropriately provisioned and managed as company devices, these additional Apple device security and hardware security tools become part of your business's security stack.
For computers, macOS provides native encryption with FileVault 2; in fact, Apple has been providing native disk encryption since the release of Mac OS 10.3 in 2003. In the latest versions of macOS, FileVault 2 can be automated and configured to have the encryption keys escrowed to MDM during the initial macOS setup process, so that user data is never left unprotected.
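The native protections named under Misconception #1 (Gatekeeper, the application firewall, notarization) and FileVault 2 above can all be queried read-only from the command line, which is the "visibility" step the article recommends. The audit script below is an added example, not code from the original article or from Apple; the XProtect and MRT bundle paths are assumed to be those of macOS 10.15, and the check names and output format are ours.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only audit of the
# native macOS protections the text names. Each parse_* function judges the
# status text of one tool, so the logic is testable with constructed output;
# audit_mac runs the real commands only where they exist and skips otherwise.

# Gatekeeper: `spctl --status` prints "assessments enabled" when on.
parse_gatekeeper() { case "$1" in *"assessments enabled"*) return 0;; *) return 1;; esac; }

# Application firewall: socketfilterfw prints "(State = 1)" (on) or "(State = 2)" (block all).
parse_firewall() { case "$1" in *"State = 1"*|*"State = 2"*) return 0;; *) return 1;; esac; }

# FileVault 2: `fdesetup status` prints "FileVault is On." when the disk is encrypted.
parse_filevault() { case "$1" in *"FileVault is On"*) return 0;; *) return 1;; esac; }

# Notarization: `spctl -a -vv -t exec App.app` reports the trust source; only
# "Notarized Developer ID" meets the Catalina requirement (plain Developer ID does not).
parse_notarized() { case "$1" in *"source=Notarized Developer ID"*) return 0;; *) return 1;; esac; }

# check LABEL PARSER COMMAND [ARGS...]: run one live check, skip if the tool is absent.
check() {
  label=$1; parser=$2; shift 2
  if ! command -v "$1" >/dev/null 2>&1 && [ ! -x "$1" ]; then
    printf '%-14s SKIP (%s not found)\n' "$label" "$1"; return 0
  fi
  out=$("$@" 2>&1) || true
  if "$parser" "$out"; then printf '%-14s OK\n' "$label"; return 0; fi
  printf '%-14s FAIL: %s\n' "$label" "$out"; return 1
}

# audit_mac [APP_PATH]: run every check, report XProtect/MRT definition versions,
# and return the number of failed checks. Bundle paths are an assumption (macOS 10.15).
audit_mac() {
  fails=0
  check Gatekeeper parse_gatekeeper spctl --status || fails=$((fails+1))
  check Firewall parse_firewall /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate || fails=$((fails+1))
  check FileVault parse_filevault fdesetup status || fails=$((fails+1))
  [ -n "${1:-}" ] && { check Notarization parse_notarized spctl -a -vv -t exec "$1" || fails=$((fails+1)); }
  for b in XProtect.bundle MRT.app; do
    p="/Library/Apple/System/Library/CoreServices/$b/Contents/Info.plist"
    [ -f "$p" ] && printf '%-14s version %s\n' "$b" "$(defaults read "$p" CFBundleShortVersionString)"
  done
  return $fails
}

# Usage: sh mac_audit.sh [/Applications/Some.app]; the exit status is the failed-check count.
audit_mac "$@"
```

Feeding the script's exit status into an MDM extension attribute or inventory field is one way to turn these native signals into the fleet-wide visibility the article calls for.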
Newer Macs include the custom Apple T2 Security Chip, featuring the Secure Enclave, which provides the foundation for new device security and hardware security features and protects Touch ID fingerprint information.
The Apple T2 Security Chip also features an SSD controller with automatic, on-the-fly data encryption, offering the most secure storage of any computer. It also ensures that software loaded during the boot process has not been tampered with, offering the most secure boot process available today. These are powerful built-in features that enhance Apple device security and hardware security from the get-go in an extraordinarily efficient way.
Misconception #5: Binding Macs To The Network Is Necessary
Many organizations still have policies in place that were created at a time when Windows clients were the only devices allowed in the workplace. The phrase "I have to bind to the network, we're required to" is all too common. It may be surprising to hear, but binding Macs to a directory service on the corporate network is not a must. When we try to apply Windows concepts to Apple devices, the result is not only a less seamless user experience but frequently unforeseen issues as well.
Apple continues to focus on and promote cloud use, and accordingly, so do many of the organizations that use Apple in the workplace. Managed access and authentication platforms can be integrated with the Mac to ensure secure user identity management and auditability from any network.
With this focus and capability, the combination of the Mac, cloud identity providers and an identity management solution enables organizations to reach devices and information remotely, empowering a remote and highly mobile workforce, students using school-issued devices at home, and more.
When adopting the right devices for an organization, IT teams aim to reduce risk while preserving the experience end users demand in today's candidate-driven job market.
Combating common misconceptions about Apple device security and hardware security in the workplace remains a strong step toward allowing employees to choose the device they are most productive on, all while maintaining company and data security.