The Apple DEP flaw explained – and how to bolster security

Researchers have highlighted a vulnerability in Apple’s Device Enrollment Program that, in some circumstances, could leave corporate networks and data insecure. But companies can mitigate the danger.

On Thursday, researchers disclosed a vulnerability in Apple's Device Enrollment Program (DEP) that could allow malicious actors to compromise a corporate network. The issue, however, is more a process flaw than a functional weakness in Apple's services, devices or encryption mechanisms. (It exploits the serial number of a corporate device to gain access to a company's mobile device management (MDM) service.)

Although many Apple skeptics are quick to point to this issue as proof that Apple doesn't understand enterprise security, and thus has no place in the business world, the truth is that this weakness can be mitigated easily and may already be a non-issue at most companies.

What is DEP and how does it work?

Apple introduced DEP in early 2014 as a way to make bulk configuring and deploying iOS devices easier for IT departments. It streamlines the very beginning of the iOS setup process for businesses and allows a device simply to be handed to a user (potentially still in the box) and to auto-configure itself on first use. That means IT doesn't need to be part of the process, saving time for both IT shops and users - and it prevents any errors in the setup process.

When iOS devices start up on first use (or the first time after being reset to factory settings), they contact Apple's activation server early in the boot process. If the device isn't flagged in the activation service, it proceeds to launch the Setup Assistant. One of the most common reasons a device would be flagged is after it is reported lost or stolen using Apple's Find My iPhone app - a feature known as Activation Lock (or colloquially, as a "kill switch"), which prevents the device from being set up or used by anyone other than the rightful owner.
