top | item 18117151

zalmoxes | 7 years ago

You must buy your devices through the enterprise store, and then it is automatically linked to DEP.

Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed?

Because once you know the serial number of a DEP device you can enroll into the MDM. There is virtually no security. See https://duo.com/labs/research/mdm-me-maybe

jiveturkey | 7 years ago

There is reasonable security. From your link:

> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.

So, the rule is at-most-once enrollment.

And further down:

> some organizations elect not to require user authentication as part of MDM enrollment.

IOW, if you are not enabling authentication, you have only yourself to blame.
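The two rules jiveturkey quotes (a serial must be on the organization's DEP list, a serial can be enrolled at most once, and the server may additionally demand user credentials) as a toy Python model. This is an added example, not code from the thread and not Apple's DEP or MDM protocol; the serials, user names, passwords and the `MdmServer` class are all constructed for illustration.

```python
"""Toy model of the DEP-style enrollment rules discussed in the thread.

Added example, not Apple's code or protocol. A device presents only its
serial; the server checks it against the org's DEP list, refuses a second
enrollment of the same serial (at-most-once), and optionally demands user
credentials. Every serial, user name and password here is constructed.
"""
import hashlib
import hmac

# Constructed: serials the org bought through the enterprise store.
DEP_SERIALS = {"C02ABC123XYZ", "C02DEF456UVW"}


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2 of the password; stand-in for a real directory backend."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory: username -> (salt, password hash).
USERS = {"alice": (b"salt-alice", _hash_pw("correct horse", b"salt-alice"))}


class MdmServer:
    """Enrollment endpoint with the one setting the thread argues over."""

    def __init__(self, require_user_auth: bool):
        self.require_user_auth = require_user_auth
        self.enrolled = {}  # serial -> username (None when auth is off)

    def enroll(self, serial, username=None, password=None):
        if serial not in DEP_SERIALS:
            return "rejected: serial not assigned to this organization"
        # At-most-once: an enrolled serial cannot be claimed again.
        if serial in self.enrolled:
            return "rejected: serial already enrolled"
        if self.require_user_auth:
            record = USERS.get(username)
            if record is None:
                return "rejected: user authentication failed"
            salt, expected = record
            if not hmac.compare_digest(expected, _hash_pw(password or "", salt)):
                return "rejected: user authentication failed"
        self.enrolled[serial] = username if self.require_user_auth else None
        return "enrolled"


def leaked_serial_scenario(require_user_auth: bool):
    """Attacker who learned a serial enrolls their own device before the
    real owner does. Returns (attacker_result, owner_result)."""
    server = MdmServer(require_user_auth)
    leaked = "C02ABC123XYZ"
    attacker = server.enroll(leaked, username="mallory", password="guess")
    owner = server.enroll(leaked, username="alice", password="correct horse")
    return attacker, owner


def owner_first_scenario(require_user_auth: bool):
    """Same serial, but the legitimate owner enrolls first.
    Returns (owner_result, attacker_result)."""
    server = MdmServer(require_user_auth)
    serial = "C02DEF456UVW"
    owner = server.enroll(serial, username="alice", password="correct horse")
    attacker = server.enroll(serial, username="mallory", password="guess")
    return owner, attacker


if __name__ == "__main__":
    print("auth off, attacker first:", leaked_serial_scenario(False))
    print("auth on,  attacker first:", leaked_serial_scenario(True))
    print("auth off, owner first:   ", owner_first_scenario(False))
```

With authentication off, the attacker-first run enrolls the attacker and then refuses the legitimate owner with "serial already enrolled"; that refusal is the symptom worth alerting on, since it is the only sign the server produces. At-most-once only protects serials that were enrolled before the leak was used, which is why the authentication toggle is the control that actually closes the gap.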

walterbell | 7 years ago

Thanks for the pointer, some good reasons there to avoid DEP.