Hi, I'm the author(along with several other developers).
MicroMDM is used in some enterprise environments and was recently mentioned in a number of security presentations regarding Apple's MDM and Device Enrollment Program services.
Do you know if a small business can use DEP features?
Could per-app VPNs be used without DEP? If so, could they be used with MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a 3rd-party VPN client like Cisco required for per-app VPN?
Anyone can use DEP, just need a DUNS number to enroll into the program, and then to purchase devices from apple direct, or from an approved reseller.
Unfortunately you cannot retroactively add devices that were already purchased.
Speaking as a former Apple employee I can say with 100 percent certainty that you can add devices post purchase even before DEP existed. There are a number of ways:
If the device was purchased on or after March 1st 2011 you can do the following:
1. Work with your reseller if they participate in DEP to get the devices enrolled retroactively. Sometimes you have to put the nails on the reseller (they can pretty bad about this. Looking at you Verizon) but it absolutely can be done.
2. If your devices are eligible and were a direct purchase from Apple you should contact Apples enterprise support and they can start the process of double checking eligibility and getting those devices enrolled accordingly. This is pretty straightforward.
3. You can enroll eligible devices via Apple Configurator 2 into DEP using the process described here:
Using Apple Configuratior 2 will allow you to bypass any reseller to enroll into DEP so it’s your best move if you are having issues getting people to do it fast enough. Any eligible device can be enrolled this way
Here’s a relevant help link with phone numbers more
On eligibility and enrolling etc
> purchase devices from apple direct, or from an approved reseller. Unfortunately you cannot retroactively add devices that were already purchased.
So you need to provide a DEP-authorized account number to the salesperson in an Apple store? Is this possible when buying online from apple.com?
Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed? It would deter attempts to resell DEP-managed devices.
> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.
So, the rule is at-most-once enrollment.
And further down:
> some organizations elect not to require user authentication as part of MDM enrollment.
IOW, if you are not enabling authentication, you have only yourself to blame.
Are those the same profiles generated by Apple Configurator 2? I was able to get per-site Safari VPNs added by manually editing XML in the profile, but no success with per-application VPNs.
Commercial MDM providers only whitelist a handful of VPN client apps for per-app VPN profiles. Why are those needed when there is already a native iOS VPN client for IPSEC?
Funnily enough I have been trying to do that today - I don't think you can. You create the per app VPN with a UUID, but the only way to associate an app to a Per-App-VPN definition is through MDM - I think.
I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)
Duo very nicely gave multiple shout outs in their post. Including to zalmoxes (above), as well as my co-presenter and I. Sadly the traditional vendors in the space don’t have a track record of caring about security engineering. I’m glad that Duo’s latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn’t a primary focus of our research and we didn’t tie it back to the shortcomings of DEP’s lack of verification around device identity. Extremely happy to see more focus on this stuff.
^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.
Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).
This seems like the kind of thing Apple should be offering on their own already. But ultimately you're not going to see many enterprises adopt an Apple-only MDM unless they just love vendor lock-in to the most expensive vendor.
Negativity aside, I applaud the effort. The MDM space is messy and crowded with bloated products. I hope these guys can at the very least pop the bubble a bit.
One of the few remaining services in macOS Server (discussed elsewhere on HN today) is Profile Manager, an Apple-developed MDM server. Given that it requires a static public IP and only runs on macOS, there's a pretty small niche that even could use it. The MicroMDM site describes it as the 'reference' or 'proof-of-concept' MDM server, "depending on how jaded you are about it".
I think Apple is happy with the current state of MDM servers--several good 3rd-party options, both self-hosted and cloud.
Apple has absolutely no desire to go into the device management business. They make the devices, they don't provide IT departments with any in house tools, the entire macOS management ecosystem has risen from a need and it's a mish mash of different vendors / open source tools / approaches to skin the cat that is device management.
They already took a baby step in by acquiring TestFlight. It's a more dev/QA-centric product, but it overlaps with MDM. Google is already in the MDM space for Chrome devices. Apple has already been remarkably successful in the enterprise space despite seemingly never going after it. Vendors like Square are deploying thousands of iPads to retail spaces. I think there's a huge opportunity there.
TestFlight helped solve very real problems iOS developers had back in the day when it came to managing beta testing etc, and the acquisition was clearly developer tools focused for Apple. I don’t think it’s sensible to read too much MDM ambition (if any really) on Apple’s part into that particular acquisition.
MDM is a very “enterprisey” market for Apple specifically, historically they’ve been more than happy to let others fight for the few dollars it typically brings in relative to their giant consumer/hardware businesses. Even Tim Cook has made the argument that letting businesses like IBM handle the enterprise cruft helps keep Apple’s focus on just making great consumer products.
Apple is actively trying to sell me MDM services. So they may not be in the business of making it easy, but they're certainly in the business of making money on it.
Isn’t that their pro-services offering where they monkeyed together a bunch of enterprise scripts for bugs/shortfalls Apple will never fix/implement? Last I checked, I think the only MDM “service” they offer is evaluating your situation as part of the enterprise package and no matter what telling you to use JAMF.
I'm administrator for GSuite for the school I'm a trustee of, so my personal (Android) device is enrolled by virtue of me wanting to know how it works and also wanting my school email on that device.
I'm not sure it would be worthwhile setting up for personal use -- the policies it lets you set aren't doing anything other than ensuring you're following best practices (like setting a screen lock) so you don't gain anything over just doing that, and the direct management tools aren't any finer-grained than you can get from Google's Find My Device.
I'm not sure you're able to set up a linked "for work" profile without MDM; that might be a benefit if you want compartmentalisation.
If you don't care about the managed Google Play store, you could always use Google's TestDPC app (or create your own) to create a work profile ("do-not-use-in-production" warnings notwithstanding): https://play.google.com/store/apps/details?id=com.afwsamples...
That said, it might be more straightforward to just use another user on your device
I manage our devices at work but not my personal devices.
If you have a lot of devices (think 10+) I guess it could be useful to keep them aligned. It could also be useful as training on how to centrally manage devices.
But I would not recommend using a MDM unless you have a specific reason. Personal devices that you have physical control over are easy to manage locally on the device. Adding a MDM also adds another attack vector, if the MDM is compromised all your devices are at risk.
Do I do it for my personal devices? No. Do I see any benefits? Nope! But ... when have I let that stop me from running something wildly inappropriate for a single user "enterprise"!
I don't own anything apple, so I'm unlikely to ever run this MDM, but, if a good Android one came to my attention.. maybe? I'm geeky enough to enjoy doing it, even if it comes with no real benefits to me.
I just learned from a colleague that you can install a MDM if you have a Google Apps account. Of course now I want to try MicroMDM first.
I think the major benefit is that this way you control the MDM, and you don't risk that a MDM gets installed on your phone unexpectedly, sort of like a rootkit.
I manage the personal devices of my family members (wife, parents, in-laws) through MDM. My parents and in-laws are quite tech-illiterate, so it helps to be able to enforce some restrictions via profiles to prevent them from doing stupid things to their own devices, and thus reduce the time I have to spend on providing tech support (across the ocean no less). It's also useful for distributing Wi-Fi/VPN configs so I can enforce that VPN must be used on untrusted Wi-Fi, for example.
The server is only meant for enterprise deployments. It would be pretty hard to do this on a personal level because you need to apply for an enterprise account with Apple, and request a very specific push certificate option.
You can't even sign up for the Enterprise program if your Apple ID is associated with the Apple Developer Program. You'll get the following error when signing up:
> Your Apple ID is already associated with a Team Agent enrolled in this program
Setting up Mobile Device Management itself is not particularly onerous, it's definitely best practice to create a new Apple ID for that purpose, however. A technical individual can already do this easily enough with the freely-available Meraki MDM. The Device Enrollment Program I believe is more complicated and inaccessible to individuals (haven't dealt with this personally), and is quickly becoming a prerequisite for many of the more invasive and useful capabilities, like the kext signing and deployment mentioned on the MicroMDM homepage.
Hm, guess I missed that...and their offering has a long way to go before I'd consider it worth paying for. An alternative then might be Jamf, they recently started offering a free tier with a handful of devices for their hosted 'Jamf Now' MDM (or at least it's free via their promotions on sites like Daring Fireball).
Apple Configurator 2 can be used locally to set some policies which are only available on "supervised" devices, e.g. prevent USB pairing with unknown computers.
I think the new parental controls iOS and Android have recently introduced are far more effective for this than using MDM, personally. These features are specifically designed for this use case.
I don't use an MDM server/service specifically, but I use a profile (built and installed via Apple Configurator 2 over USB) to install certificates+keys for S/MIME.
The nice part is I can use the same profile on a Mac too.
what other open source MDM software is out there that aren't Apple-only? Specifically I'd like to manage Android phones and maybe Linux laptops (but I doubt I'll find that)
Reading through Apple's MDM protocol documentation and coding up one yourself is a great learning exercise. I had an idea for a niche MDM product and coded up a proof of concept. Eventually I realized the idea wasn't profitable, but still got a lot of value out of the development exercise. I even rewrote it from Java into a couple of different languages (Kotlin, Swift, Go...) to learn a bit more. It's a sufficiently difficult service to implement that you learn quite a bit along the way, but not so difficult that you don't see any progress as you go.
https://duo.com/labs/research/mdm-me-maybe https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Dee...