Announced at WWDC 2022, Managed Device Attestation shows that Apple is adjusting its device security protections to suit an increasingly distributed age.
Secure the endpoints, not the end times
This adjustment reflects a reality shift. Work doesn’t happen on specific servers or behind defined firewalls today. VPN access can differ across teams. And yet, in a workplace defined by multiple remote devices (endpoints), the security threat is greater than ever.
Managed Device Attestation works to create a second boundary of trust around which device management solutions can work to protect against attack.
What is this for?
It’s all about philosophy. Apple understands that security must evolve beyond traditional perimeter protections such as VPNs or firewalls. Protection must be put in place across the edge of the network and needs to become increasingly autonomous. After all, protection can’t be wholly reliant on the data flow between device and server, as even that communication can be undermined.
Managed Device Attestation forms a proof point to help secure the device and confirm its identity. Think of it this way – you as a user may have proved who you are, and you may be in a location that your management systems see as viable – but how do you prove you are using a registered device?
That’s what Managed Device Attestation seeks to do. It requires only that you trust the Secure Enclave on your device processor, and that you also trust Apple to attest to the status of the device.
Essentially, the highly secured process shares key identity and other characteristics of the device as evidence with which to reassure the service that the device is one it can support. The Secure Enclave provides evidence to Apple’s attestation servers that the hardware is legitimate, Apple shares this with the service, and because the service trusts Apple the device is seen as legitimate.
The idea is to protect against the use of compromised devices, against situations in which an attacker spoofs a service by pretending to be a legitimate device, and against attempts to access the network by people who may have the user's details but are working from an unrecognized device.
How does this work?
While you’ll need to dig deep to get to grips with the technology behind the system, a zoomed-out explanation follows:
- Managed Device Attestation uses the Secure Enclave built into Apple products along with cryptographic attestations that together confirm the identity of a managed device.
- When such a device attempts to connect to MDM, VPN, Wi-Fi, or other services it must also confirm it is a legitimate request from a legitimate device.
- The attestation component comes in the form of certificates designed to provide strong assurances that a specific device is legitimate. It uses several technologies, including TLS private keys generated and protected by the Secure Enclave.
- It also uses Apple's servers and a (currently) draft standard built on the Automatic Certificate Management Environment (ACME) protocol.
At its simplest, when you request authorization for your device, it sends key information such as user or device identity to the service to confirm it is what it claims to be. This information is secured, of course, and flows via an Apple server.
The service looks at what it’s been told, compares it to its own records, verifies the message is genuine (as in signed and delivered by Apple’s servers) and approves access. Attestation works thanks to MDM servers and the company’s Automatic Certificate Management Environment (ACME) protocol, which makes attestation available to services beyond MDM.
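The exchange the bullets and the two paragraphs above describe, modelled as an added Go example (not Apple's code and not any MDM vendor's): the private key never leaves the simulated enclave, an attestation CA standing in for Apple's servers signs a statement that binds that key and the device serial to a one-time challenge, and the service checks the CA's signature, the freshness of the challenge, its own inventory, and proof that the requester actually holds the attested key. The Statement layout, the serial numbers, and the use of JSON plus plain ECDSA signatures in place of Apple's certificate chain are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
)

// Statement is the simplified attestation body constructed for this example: a device identity,
// the public key generated inside the simulated Secure Enclave, and a one-time challenge.
type Statement struct {
	Serial    string
	DeviceKey []byte // PKIX-encoded ECDSA public key
	Nonce     []byte
}

// encode gives the bytes the CA signs; JSON with a fixed field order is unambiguous here.
func (s Statement) encode() []byte {
	b, _ := json.Marshal(s) // cannot fail for this struct
	return b
}

func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a broken CSPRNG is not something this code can recover from
	}
	return k
}

func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	sum := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, sum[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	sum := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, sum[:], sig)
}

// Attest stands in for Apple's attestation servers: the CA's signature vouches that the key in
// the statement belongs to genuine hardware. ProvePossession runs on the device itself.
func Attest(caKey *ecdsa.PrivateKey, st Statement) []byte     { return sign(caKey, st.encode()) }
func ProvePossession(k *ecdsa.PrivateKey, nonce []byte) []byte { return sign(k, nonce) }

// Verifier is the relying party (MDM, VPN, Wi-Fi): it trusts the CA key and its inventory only.
type Verifier struct {
	Root      *ecdsa.PublicKey
	Inventory map[string]bool // serials the organisation actually owns
	nonces    map[string]bool // challenges issued and not yet redeemed
}

// Challenge issues a fresh random nonce that may be redeemed exactly once.
func (v *Verifier) Challenge() []byte {
	if v.nonces == nil {
		v.nonces = map[string]bool{}
	}
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	v.nonces[string(n)] = true
	return n
}

// Verify checks, in order: CA signature, freshness, inventory, proof of key possession.
func (v *Verifier) Verify(st Statement, attestSig, popSig []byte) error {
	if !verify(v.Root, st.encode(), attestSig) {
		return errors.New("attestation not signed by the trusted CA")
	}
	if !v.nonces[string(st.Nonce)] {
		return errors.New("nonce unknown or already redeemed (replay)")
	}
	delete(v.nonces, string(st.Nonce)) // consume before any further work
	if !v.Inventory[st.Serial] {
		return errors.New("device serial not in inventory")
	}
	pub, err := x509.ParsePKIXPublicKey(st.DeviceKey)
	if ec, ok := pub.(*ecdsa.PublicKey); err != nil || !ok || !verify(ec, st.Nonce, popSig) {
		return errors.New("requester does not hold the attested key")
	}
	return nil
}

// Request is the device and CA side of one exchange: fetch a challenge, build the statement,
// have the CA attest it, and prove possession of the enclave key.
func Request(v *Verifier, caKey, devKey *ecdsa.PrivateKey, serial string) (Statement, []byte, []byte) {
	pub, _ := x509.MarshalPKIXPublicKey(&devKey.PublicKey) // cannot fail for a P-256 key
	st := Statement{Serial: serial, DeviceKey: pub, Nonce: v.Challenge()}
	return st, Attest(caKey, st), ProvePossession(devKey, st.Nonce)
}
```

Calling Request and then Verify on a Verifier whose Inventory contains the serial succeeds. The same statement presented a second time fails on the nonce check, a statement attested by any key other than the trusted CA fails on the first check, a serial outside the inventory fails on the third, and a statement whose DeviceKey the requester cannot sign with fails on the last. In the real system the attestation arrives as certificates rather than a JSON statement, but the order of checks is the part worth keeping.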
When will this be available?
Managed Device Attestation will be available for iOS 16, iPadOS 16 and tvOS 16 as the new operating systems appear over the coming weeks. MDM providers such as Jamf will certainly embrace support for this once it appears.