
Show HN: MicroMDM – Open Source MDM Server for Apple Devices

146 points| zalmoxes | 7 years ago |micromdm.io

47 comments


zalmoxes|7 years ago

Hi, I'm the author (along with several other developers). MicroMDM is used in some enterprise environments and was recently mentioned in a number of security presentations regarding Apple's MDM and Device Enrollment Program services.

https://duo.com/labs/research/mdm-me-maybe https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Dee...

walterbell|7 years ago

Do you know if a small business can use DEP features?

Could per-app VPNs be used without DEP? If so, could they be used with MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a 3rd-party VPN client like Cisco required for per-app VPN?

jesseendahl|7 years ago

I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)

Duo very nicely gave multiple shout-outs in their post, including to zalmoxes (above) as well as my co-presenter and me. Sadly the traditional vendors in the space don't have a track record of caring about security engineering. I'm glad that Duo's latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn't a primary focus of our research and we didn't tie it back to the shortcomings of DEP's lack of verification around device identity. Extremely happy to see more focus on this stuff.

^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.

Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).
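The checklist item above (an HMAC inside the SCEP payload so the SCEP server can tell a challenge minted by the MDM enrollment flow from a forged or replayed one) is easy to sketch. The Go below is an added illustration, not code from MicroMDM, Fleetsmith or the whitepaper; the challenge format `serial|expiry|hmac`, the shared key, and the assumption that the SCEP server already knows the expected serial (e.g. from the CSR subject) are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Shared secret between the MDM enrollment endpoint and the SCEP server
// (constructed placeholder; a real deployment loads it from configuration).
var scepChallengeKey = []byte("example-shared-secret-not-for-production")

// MakeChallenge builds the value the MDM server places in the SCEP payload's
// Challenge field: "<serial>|<expiry-unix>|<hex hmac>". The HMAC binds the
// challenge to one device and one validity window.
func MakeChallenge(key []byte, serial string, expiry time.Time) string {
	msg := serial + "|" + strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return msg + "|" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyChallenge is the check the SCEP server runs before issuing a
// certificate: reject malformed, expired, mis-bound or forged challenges.
func VerifyChallenge(key []byte, challenge, expectedSerial string, now time.Time) (bool, error) {
	parts := strings.Split(challenge, "|")
	if len(parts) != 3 {
		return false, fmt.Errorf("malformed challenge")
	}
	serial, expStr, gotHex := parts[0], parts[1], parts[2]
	expUnix, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return false, fmt.Errorf("bad expiry: %w", err)
	}
	if now.Unix() > expUnix {
		return false, fmt.Errorf("challenge expired")
	}
	if serial != expectedSerial {
		return false, fmt.Errorf("challenge issued for a different device")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(serial + "|" + expStr))
	got, err := hex.DecodeString(gotHex)
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) { // constant-time compare
		return false, fmt.Errorf("HMAC mismatch")
	}
	return true, nil
}

func main() {
	c := MakeChallenge(scepChallengeKey, "C02EXAMPLE", time.Now().Add(10*time.Minute))
	ok, err := VerifyChallenge(scepChallengeKey, c, "C02EXAMPLE", time.Now())
	fmt.Println(ok, err)
}
```

Without the HMAC, anyone who has seen one enrollment profile can submit a valid-looking SCEP request and obtain an identity certificate; with it, the SCEP server only honours requests the MDM enrollment flow actually authorised, for one device, inside a short window.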

tootie|7 years ago

This seems like the kind of thing Apple should be offering on their own already. But ultimately you're not going to see many enterprises adopt an Apple-only MDM unless they just love vendor lock-in to the most expensive vendor.

Negativity aside, I applaud the effort. The MDM space is messy and crowded with bloated products. I hope these guys can at the very least pop the bubble a bit.

mrpippy|7 years ago

One of the few remaining services in macOS Server (discussed elsewhere on HN today) is Profile Manager, an Apple-developed MDM server. Given that it requires a static public IP and only runs on macOS, there's a pretty small niche that even could use it. The MicroMDM site describes it as the 'reference' or 'proof-of-concept' MDM server, "depending on how jaded you are about it".

I think Apple is happy with the current state of MDM servers--several good 3rd-party options, both self-hosted and cloud.

hsk0823|7 years ago

Apple has absolutely no desire to go into the device management business. They make the devices, they don't provide IT departments with any in-house tools, the entire macOS management ecosystem has risen from a need and it's a mishmash of different vendors / open source tools / approaches to skin the cat that is device management.

urda|7 years ago

I'm curious do any HN readers manage their personal devices through MDM with their own profiles, and what benefits are you seeing from that?

andrewaylett|7 years ago

I'm an administrator for GSuite for the school I'm a trustee of, so my personal (Android) device is enrolled by virtue of me wanting to know how it works and also wanting my school email on that device.

I'm not sure it would be worthwhile setting up for personal use -- the policies it lets you set aren't doing anything other than ensuring you're following best practices (like setting a screen lock) so you don't gain anything over just doing that, and the direct management tools aren't any finer-grained than you can get from Google's Find My Device.

I'm not sure you're able to set up a linked "for work" profile without MDM; that might be a benefit if you want compartmentalisation.

robinwassen|7 years ago

I manage our devices at work but not my personal devices.

If you have a lot of devices (think 10+) I guess it could be useful to keep them aligned. It could also be useful as training on how to centrally manage devices.

But I would not recommend using an MDM unless you have a specific reason. Personal devices that you have physical control over are easy to manage locally on the device. Adding an MDM also adds another attack vector: if the MDM is compromised, all your devices are at risk.

kiallmacinnes|7 years ago

Do I do it for my personal devices? No. Do I see any benefits? Nope! But ... when have I let that stop me from running something wildly inappropriate for a single user "enterprise"!

I don't own anything Apple, so I'm unlikely to ever run this MDM, but if a good Android one came to my attention... maybe? I'm geeky enough to enjoy doing it, even if it comes with no real benefits to me.

ecesena|7 years ago

I just learned from a colleague that you can install an MDM if you have a Google Apps account. Of course now I want to try MicroMDM first.

I think the major benefit is that this way you control the MDM, and you don't risk that an MDM gets installed on your phone unexpectedly, sort of like a rootkit.

cynix|7 years ago

I manage the personal devices of my family members (wife, parents, in-laws) through MDM. My parents and in-laws are quite tech-illiterate, so it helps to be able to enforce some restrictions via profiles to prevent them from doing stupid things to their own devices, and thus reduce the time I have to spend on providing tech support (across the ocean no less). It's also useful for distributing Wi-Fi/VPN configs so I can enforce that VPN must be used on untrusted Wi-Fi, for example.

zalmoxes|7 years ago

The server is only meant for enterprise deployments. It would be pretty hard to do this on a personal level because you need to apply for an enterprise account with Apple, and request a very specific push certificate option.

walterbell|7 years ago

Apple Configurator 2 can be used locally to set some policies which are only available on "supervised" devices, e.g. prevent USB pairing with unknown computers.

nicoburns|7 years ago

I don't, but I absolutely would for my children's devices (when I have children). Limiting time using certain apps, etc would be great.

stephenr|7 years ago

I don't use an MDM server/service specifically, but I use a profile (built and installed via Apple Configurator 2 over USB) to install certificates+keys for S/MIME.

The nice part is I can use the same profile on a Mac too.

hsk0823|7 years ago

There are HN readers who are Directors of IT at their place of employment.

markovbot|7 years ago

What other open source MDM software is out there that isn't Apple-only? Specifically I'd like to manage Android phones and maybe Linux laptops (but I doubt I'll find that).

tootie|7 years ago

I think you largely get what you pay for. Industry standard is either AirWatch or Soti.

pharaohgeek|7 years ago

Reading through Apple's MDM protocol documentation and coding up one yourself is a great learning exercise. I had an idea for a niche MDM product and coded up a proof of concept. Eventually I realized the idea wasn't profitable, but still got a lot of value out of the development exercise. I even rewrote it from Java into a couple of different languages (Kotlin, Swift, Go...) to learn a bit more. It's a sufficiently difficult service to implement that you learn quite a bit along the way, but not so difficult that you don't see any progress as you go.