Brad Chapman, a Jamf Certified Expert and veteran systems engineer, has supported mixed Mac/PC environments in multiple industries for more than 10 years. He works on a team of engineers managing more than 10,000 Macs and more than 40,000 PCs. He delivered this advanced-level presentation for "elite Mac admins" covering how APNs enable MDM, how MDM enables great experiences with Apple — and why you should care.
His movie-spoofing introduction left audience members in stitches, using Blade Runner-style scrolling text on the screen to introduce the main themes and styling Mac Admins as JAMF RUNNERS: part of a highly-trained, elite force searching out rogue devices. “This was not called policy execution,” read the ominous declaration, “it was called compliance.”
While this was all in fun, Chapman's message was all business: Apple push notifications have become absolutely essential for effective device deployment. And management strategies depend on them being able to communicate with APNS.
Before he got into the details, he did a quick summary from his last presentation on this topic in 2017:
He covered the 7 principles of APNS:
- Push notifications are small packets of data with instructions for a device.
- APNS uses Akamai Global Traffic Management for peak performance.
- APNS has multiple security factors for integrity and authenticity.
- APNS is required for secure delivery of configuration profiles.
- Devices expect a direct, persistent path to the Internet.
- You must permit outbound connections to Apple.
- Apple does not make inbound connections.
APNS hosts and ports
The original 16 endpoints are still active, said Chapman, so there is a grand total of 32 points of presence, resolving to 2000 IP addresses.
Rules of the road
- Apple still owns 17.0.0.0/8
- Apple services use certificate pinning to ensure that secure connections haven't been altered or decrypted and remain private; if a connection has been intercepted (for example by SSL decryption), Apple will reject it.
- Jamf uses the APNS binary protocol (TCP ports 2195-2196)
Hosted outside 17.0.0.0/8:
- Init bag files
- Software CDNs
- OCSP Cert Validation
After bringing the packed audience up to speed, Chapman shared some big news about APNS: Binary protocol ends November 2020! Plan accordingly.
Apple wants everyone to move to HTTP/2-based API, which will allow:
- High speed, parallel processing
- Improved error handling
- Per-notification feedback
What’s new for Mac?
Brad outlined 10 key developments in the last two years that have dramatically altered the landscape of Mac management and how institutions regard Apple as a secure computing platform.
- T2 Secure Boot: The T2 is an incredibly complex and powerful coprocessor that provides a secure storage and boot facility, real-time encryption, hardware management, and more. Data is always encrypted at rest, even if FileVault is not enabled. Without FV2 enabled, anyone could boot to Recovery Mode and read the contents of your disk. Secure Boot ensures that a valid, signed copy of macOS is installed on the boot drive. Signatures must be validated by Apple at the time of installation. Strict Boot security = full security, external media disallowed.
- Requires a local admin user to modify
- UAKEL: kexts blocked by default
- User has 30 min. to approve
- Whitelisting requires approval
Chapman explained how it used to work:
UAMDM: Admin tested; user approved. MDM had to be approved manually, and could not be clicked remotely. As a result of this change, EVERY MDM vendor had to adjust their enrollment process and documentation.
But institutions wanted a way to manage more than one MDM solution / workflow: phones, Macs, Apple TVs, etc.
Enter Apple Business Manager and Apple School Manager!
- Replaces Device Enrollment Program
- Automated Device Enrollment
- Multiple tokens / pre-stage workflows
- MDM Profiles are user-approved
TCC + PPPC
- Users prompted once by every app requesting specific permissions.
- Whitelist with user-approved MDM profile
- Jamf updates often to support new TCC permissions
Now, says Chapman, the kickstart command no longer works. Additionally, control and observe were removed during the 10.14 beta cycle.
AppleSeed for IT
This used to be invite-only, explained Chapman, and only accessible using a personal ID. Now institutions can easily add their own testers via ABM / ASM.
- ISO 27001:2013 information security management systems
- ISO 27018:2019 Cloud / PII
Apple’s public facing services are certified: iCloud, iMessage, FaceTime, Siri, Apple Push Notification Service, Apple School Manager, Apple Business Manager, Apple Business Chat, iTunes U, Schoolwork, Managed Apple IDs
Chapman outlined important features Catalina brought admins:
- App Notarization
- Mac supervision
- New TCC & Notification controls
- Activation Lock for T2 Macs only
- MDM can only bypass if Mac is supervised
See for Yourself
Before you start having conversations with higher-ups about upgrading Mac, says Chapman, gather data to bolster your point with one of these analysis tools:
- Exclusively for Mac: obdev.at
- Rich UI with powerful filtering
- Checks app code signatures
- PCAP: Individual apps / services
- OSI layers 3-7
- Ultra-compact DNS server
- Built for the Raspberry Pi platform
- Also works in VMs and Docker containers
- Great for SoHo & test networks
- Black + white lists, detailed logging
- Free & Open Source: pi-hole.net
- The ultimate packet inspector
- Captures all traffic on an interface (OSI Layers 2-7)
- Detailed analysis & export functions
- Can be overwhelming at first: look online for cheatsheets or Intro to Wireshark for help.
- Free & open source: www.wireshark.org
- Chapman told viewers that sometimes the graphical user interface bogs down during long, heavy sessions, and suggests the command-line tools in /Applications/Wireshark.app/Contents/MacOS/:
- dumpcap -D
- dumpcap -i en# [-w outfile]
- editcap -c ### infile outfile
Chapman offered a live demonstration of Wireshark capturing all traffic of a local computer. The amount of information it captures is astounding; it shows basically everything that is happening with the computer. Wireshark can run a report with all DNS records, but to make sense of what you've pulled, he suggests that you filter it and export to a .csv file.
Remember that Akamai is a content distribution network, warns Chapman. Follow DNS and whitelist accordingly:
Apple Push Notifications: HT210060
"If you leave today with only one article," said Chapman, "this is the one to read." HT210060 contains a very complete list of hostnames and ports used by Apple devices, and a description of most services. It also mentions APNS and SSL termination.
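Chapman's advice to follow DNS and whitelist accordingly, worked through as an added example (not code from the talk or from Jamf): it parses a constructed CSV in the shape of a Wireshark DNS export, follows CNAME chains, and separates hosts that resolve straight into Apple's 17.0.0.0/8 (an IP-based outbound rule works) from hosts that land on a CDN (allowlist by hostname, since the addresses change). All hostnames and addresses are placeholders.

```python
import csv
import io
import ipaddress

# Apple's own address block, as stated on the page ("Apple still owns 17.0.0.0/8").
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Constructed sample data: name, CNAME target, A record. Hostnames and IPs are
# placeholders (".example" TLD, documentation ranges), not real Apple/Akamai records.
SAMPLE_DNS_CSV = """name,cname,address
push-example.apple.example,,17.1.2.3
cdn-example.apple.example,cdn-example.apple.example.edgekey.example,
cdn-example.apple.example.edgekey.example,e1234.a.akamaiedge.example,
e1234.a.akamaiedge.example,,203.0.113.10
ocsp-example.apple.example,ocsp-example.apple.example.akadns.example,
ocsp-example.apple.example.akadns.example,,198.51.100.7
"""


def parse_dns_csv(text):
    """Split exported rows into a CNAME map and an A-record map."""
    cnames, addrs = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["cname"]:
            cnames[row["name"]] = row["cname"]
        if row["address"]:
            addrs.setdefault(row["name"], []).append(row["address"])
    return cnames, addrs


def resolve_chain(name, cnames, addrs, limit=10):
    """Follow CNAMEs until an A record is found; 'limit' guards against loops."""
    chain = [name]
    while name not in addrs and name in cnames and len(chain) < limit:
        name = cnames[name]
        chain.append(name)
    return chain, addrs.get(name, [])


def classify(text):
    """Map each queried host to (category, cname_chain, final_ips)."""
    cnames, addrs = parse_dns_csv(text)
    queried = (set(cnames) | set(addrs)) - set(cnames.values())  # not a CNAME target
    result = {}
    for host in sorted(queried):
        chain, ips = resolve_chain(host, cnames, addrs)
        if not ips:
            category = "unresolved"          # no A record captured: re-check the trace
        elif all(ipaddress.ip_address(ip) in APPLE_NET for ip in ips):
            category = "apple-direct"        # permit outbound to 17.0.0.0/8
        else:
            category = "cdn"                 # allowlist the hostname, not the IP
        result[host] = (category, chain, ips)
    return result
```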
If you still need some help with a proof of concept test on your network, you might want to try MacEval Utility. It studies a network’s readiness to deploy and manage Apple devices and offers a concise report with action items. Contact an Apple SE for details.
With APNS, Chapman told the gathering, here is what's possible:
- Automatic enrollment & supervision
- Rapid deployment of apps
- Delightful user experiences
How about without APNS?
"Houston," said Chapman, "we have a problem."
- Auto Device Enrollment; when a device can’t reach activation servers…
- Macs can skip remote management
- Not enrolled & unsupervised
- Manual enrollment
- Will fail because APNS is not reachable in your environment
- Security policies and config profiles
- Enforced with profiles
- Triggered by APNS
- Sideloaded profiles are not trusted
- Restrictions on computer actions, iCloud, Preference Panes…
- FileVault configurations and key escrow
- Special overrides only available via supervision
- Kernel extension whitelisting
- Software updates
- T1 / T2: BridgeOS validation fails
- Can’t defer or force software updates
- macOS updates cannot be verified
- No background + critical updates
- Management actions
- Enable / disable:
- Remote desktop
- Remote lock and wipe
- Override Activation Lock
- User experience
- Can’t manage privacy / notifications
- No Self Service notifications
- No remote notifications
- Cloud Services
- No VPP / App Store
- No FaceTime or iMessage
- No Continuity
- Return to service
- Manual enrollment: Mac installs profiles, yet fails to validate via APNS; enrollment fails
- Return to Service
- macOS (Internet) Recovery
- 802.1X / RADIUS not supported
- Wi-Fi: WPA2-PSK or Open
- External DNS resolution
- No proxies or SSL decryption
- Consider a limited ‘deploy’ SSID
That's a lot of calamity! It's essential for admins to network with others in their organizations who are strong Mac advocates to help make the case for APNS.
What if Microsoft asked you to prepare for a Windows Notification Service?
They did … in 2011.
A Warning: If you don’t make changes to your network, Jamf + Apple may be unable to support you.
Prepare your institution
Chapman suggested that the audience read Apple’s knowledgebase article HT210060, and recommended it as a great place to start those tough conversations with the network and information security teams about how to trust Apple.
Think globally, not locally
Use MDM to set a baseline security posture. The organization should invest in its people with continuing security education. Continue to monitor traffic at the perimeter and log network application access. Avoid local security agents on the device to minimize impact on performance and battery life.
Why care about MDM?
- Consistent, delightful experiences
- Streamlining the support model for IT staff. The fewer variables they have to worry about, the better they can serve
- Empowering end users
- Simplifies support for help desk and field technicians. They can make reliable assumptions and eliminate many unknowns during troubleshooting. By giving your users self-service tools and setting consistent expectations on the Mac platform, the technology just gets out of the way and allows employees to focus on doing their best work.
As you craft your information and security policies, remember the human. Assume good intent.
"Remember," Chapman said, "People are awesome."
Additional reading and resources
Apple: Mac Deployment Overview
A Deep Dive into macOS MDM, Jesse Endahl and Max Bélanger
Apple Device Management, Charles Edge and Rich Trouton
Inspired by DEPNotify and Splashbuddy
Demo: GitHub Gallery @ JNUC