Jamf Blog
June 26, 2019 by Kat Garbis

Apple device security misconceptions (and how to get ahead of them)


Security is a top priority for any IT admin, no matter which platform(s) they are supporting. For many unfamiliar with Apple or more familiar with securing Windows devices, the security checklist is often similar, but how we execute securing these devices can vary. Often there are misconceptions that arise as workflows try to be repurposed from one platform to another. While many in the marketplace understand the unique security capabilities of the Apple ecosystem, there are still a few lingering misconceptions that must be put to rest.

1. Deploying and securing devices is challenging and can introduce Apple device security gaps.

Provisioning practices vary across platforms. Deploying Apple devices improperly not only consumes a lot of IT time but also leaves large security gaps; deploying them properly improves Apple device security significantly. Most IT professionals who hold this misconception set up each Apple device by hand, as they would a consumer device, or use a mobile device management (MDM) solution that is not well suited to Apple and cannot auto-enroll Apple devices.

The most secure and preferred way to enroll and provision devices is via Apple Business Manager’s automated device enrollment with Jamf. The days of manually imaging and setting up a device are gone.

This seamless setup is not only an excellent user experience and a great timesaver for IT, but it also unlocks an additional layer of admin rights, making available key iOS security features, such as:

  • Non-removable MDM profile
  • Preventing the user from using “Erase All Content and Settings,” and controlling Activation Lock as well as iCloud features, Bluetooth, AirPrint, password sharing and syncing to computers via USB
  • Restricting specific apps or iTunes stores
  • Disallowing connections to unmanaged Wi-Fi networks

Another secure and popular way to roll out devices is by using a low-touch link for employees to self-enroll. Once enrolled, the device will receive configurations over-the-air through automation, using Apple’s Push Notification Service (APNs). This allows IT to have admin rights and to efficiently deploy updates, patches and apps throughout their organization over a secure connection.

Jamf offers a total of eight unique ways to enroll devices, ensuring confidence in securing and enrolling your new or existing Apple devices. When Apple devices are properly deployed via Jamf and Apple’s deployment solutions, IT can save time and effort while actually increasing Apple device security.

2. It’s impossible to get away from Apple IDs, which are cumbersome, insecure and difficult to use.

It’s understandable that organizations might have trouble working with a system not meant for a corporate environment. Apple IDs are really meant for personal rather than corporate use. What organizations may not realize is that in existing workflows, having employees use their own Apple IDs can also open huge and unintended security gaps: the employee then owns and controls not only the app but also the company and client data within it, regardless of whether the app was free or the employee was reimbursed by the organization. Combined with turnover, using a consumer workflow in the workplace can lead to security headaches galore.

However, it’s possible to avoid use of Apple IDs altogether, with Jamf’s help, by purchasing content in Apple School Manager or Apple Business Manager.

This helps you to deploy apps securely with only one company Apple ID. Jamf integrates directly with Apple School Manager and Apple Business Manager: company-owned apps and books can be securely distributed from a central location based on individual user or device.

When content is purchased in volume, Jamf uses a feature that controls the flow of data between apps, manages mail destinations and ensures corporate data is used only in corporate-managed apps.

In addition to controlling corporate data and property, Apple’s standard VPN protocols can segment traffic per app: for example, launching a VPN when Salesforce is used, but not for a user’s personal Facebook use.

With the recent announcement of managed Apple IDs at WWDC, Jamf will have more updates and additional workflows upon the official release of macOS Catalina later in the year.

3. Apple device security requires additional encryption tools.

It is understandable that those accustomed to using the Windows platform might assume that, like Windows, Apple device security requires additional third-party encryption tools to keep data secure. However, with Apple, encryption is already included.

We often assume that ‘included’ means ‘generic, incomplete and possibly not meeting our needs.’ With Apple, this is not so.

  • iOS provides built-in, hardware-based 256-bit encryption tied to the device passcode. VPN is also a built-in iOS security feature, and with Jamf, users get per-app VPN.
  • Newer Mac computers include the custom Apple T2 Security Chip, featuring a secure enclave that protects Touch ID information, encrypted storage and boot options. These automatic security features provide the most secure storage available.
  • FileVault 2: built-in full disk encryption for macOS. Encryption keys can be centrally stored in Jamf Pro, which securely stores and remotely reissues keys for optimum macOS security.

At Jamf, we build upon these encryption features, allowing IT admins to access keys, make changes, or even encrypt devices over-the-air via Jamf policies. At the end of the day, by leveraging Apple’s encryption features, IT can be confident that Jamf workflows give them what they need at their fingertips.

4. Apple device security is just not enough through solely native features.

Simply put, most organizations may not actually need more than the native security features Apple devices already provide. Combined with Jamf’s framework for granular control and integrations, most organizations find they can use Apple and Jamf exclusively for their Apple device security needs, not only securing their devices but also saving money on third-party products and avoiding the performance cost of extra agents.

Apple builds the application firewall, Gatekeeper and XProtect into the OS to protect against malware threats. With Jamf, you can enforce, report on and leverage these features to amplify security.

System Integrity Protection, for example, prevents potentially malicious software from modifying protected files and folders. Native malware protection features save you from spending extra money on additional software that you don’t need. Organizations want these security features and may not realize they already have them, at no additional cost, with their hardware, and can leverage them via Jamf for their Apple fleet.
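To show how the native protections named in sections 3 and 4 can be reported on rather than just assumed, here is an added example (not Jamf's own code) written in the style of a Jamf Pro extension attribute script: it audits SIP, Gatekeeper, FileVault and the application firewall with Apple's own tools (`csrutil`, `spctl`, `fdesetup`, `socketfilterfw`) and emits one status line, wrapped in the `<result>` tags Jamf Pro reads from an extension attribute; the parsers take raw tool output so the logic can be exercised on any host.

```shell
#!/bin/bash
# Added example, not Jamf's code: audit the native macOS protections the post
# names (SIP, Gatekeeper, FileVault, application firewall) the way a Jamf Pro
# extension attribute script would, so the state can be reported on and used
# in a smart group. Parsers take raw tool output; only audit_mac() needs macOS.

parse_sip() {        # csrutil status -> "...status: enabled." / "disabled."
  case "$1" in *enabled*) echo on ;; *) echo off ;; esac
}
parse_gatekeeper() { # spctl --status -> "assessments enabled" / "disabled"
  case "$1" in *"assessments enabled"*) echo on ;; *) echo off ;; esac
}
parse_filevault() {  # fdesetup status -> "FileVault is On." / "Off."
  case "$1" in *"FileVault is On"*) echo on ;; *) echo off ;; esac
}
parse_firewall() {   # socketfilterfw --getglobalstate -> "Firewall is enabled."
  case "$1" in *enabled*) echo on ;; *) echo off ;; esac
}

# Build the one-line report; return 1 when any control is off so a wrapper
# (or a smart-group criterion on the reported value) can flag the Mac.
compliance_summary() {
  local sip="$1" gk="$2" fv="$3" fw="$4" rc=0
  for v in "$sip" "$gk" "$fv" "$fw"; do [ "$v" = on ] || rc=1; done
  echo "sip=$sip gatekeeper=$gk filevault=$fv firewall=$fw"
  return $rc
}

# Collect live state on a Mac; missing tools (or a non-Mac host) read as off.
audit_mac() {
  local fwtool=/usr/libexec/ApplicationFirewall/socketfilterfw
  compliance_summary \
    "$(parse_sip "$(csrutil status 2>/dev/null)")" \
    "$(parse_gatekeeper "$(spctl --status 2>/dev/null)")" \
    "$(parse_filevault "$(fdesetup status 2>/dev/null)")" \
    "$(parse_firewall "$("$fwtool" --getglobalstate 2>/dev/null)")"
}

# Jamf Pro reads an extension attribute's value from <result>...</result>.
if [ "$(uname)" = Darwin ]; then
  echo "<result>$(audit_mac)</result>"
fi
```

On a managed Mac the reported line can drive a smart group that scopes a remediation policy (for example, one that enables FileVault and escrows the key) to any device showing a control as off.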

5. Binding Mac devices to a network is a must for macOS security.

It’s a huge misconception that you MUST bind the Mac for maximum macOS security. Binding is a very common workflow that is native to Windows devices; on the Apple platform, it is simply not required. When we try to apply Windows concepts to Apple devices, it can create unforeseen problems and an unintentionally bad user (and IT) experience. You may have found, or even experienced, that binding Macs to a directory actually creates more issues, such as passwords failing to sync and sign-on failures.

Jamf Connect can ensure a seamless, secure experience so end users can confidently use their Mac computers, while IT can integrate with a single sign-on (SSO) solution to enhance security.

Jamf Connect can:

  • Synchronize passwords for users
  • Notify users of expiring passwords
  • Provide easy access to Jamf Self Service
  • Offer a quick link for creating help desk tickets
  • Include browser extensions for single sign-on

As you can see, many security issues that concern IT professionals are simply not an issue with Apple device security — especially when used in conjunction with Jamf. Our goal is to help organizations be successful with their Apple hardware. We help manage over 14 million Apple devices globally and many of these organizations are leveraging these workflows to meet or exceed their company’s security and compliance needs.

Learn more technical details and view examples by watching our webinar, 5 Apple Security Misconceptions, where we examine these areas and empower IT administrators and their organizations with the facts regarding Mac, iPad, iPhone and Apple TV device security. To learn more about Jamf's security protocols and implementation, visit our security page. Or take Jamf for a free test drive and put these workflows to use.

Kat Garbis
Kat Garbis is channel program manager at Jamf, supporting sales initiatives in enterprise markets.