Apple Managed Device Attestation and Jamf

Apple introduced Managed Device Attestation at WWDC 2022, and it is now available in iOS 16, iPadOS 16 and tvOS 16. How does it increase the security of device deployments? What does it mean for the industry? And what does it mean for Apple admins?

October 27, 2022, by Haddayr Copley-Woods


What is Managed Device Attestation?

Apple mobile device management has become more secure with the rollout of Managed Device Attestation in OS 16 (iOS 16, iPadOS 16 and tvOS 16). Managed Device Attestation (MDA), in a nutshell, proves a device's identity to a server. It lets an organization accept connections only from genuine, approved Apple devices, and it lets a server confirm that the identifiers a device presents (serial number and UDID) are authentic rather than claimed by a cloned, jailbroken or otherwise attacker-controlled client.

MDA builds on Apple's Secure Enclave, a dedicated subsystem integrated into Apple systems on chip (SoCs). The Secure Enclave is isolated from the main processor and is designed to keep keys and sensitive data secure even if the application processor kernel becomes compromised. With MDA, the device's identity key is generated in the Secure Enclave, and Apple's attestation servers sign a statement vouching for that key and the hardware it lives in; the organization's server never has to take the device's word for it.

How does MDA work?

Apple admins can deliver the newly supported Automatic Certificate Management Environment (ACME) payload in a configuration profile through an MDM such as Jamf Pro. When a device receives a profile containing an ACME payload, it generates a key pair (in the Secure Enclave when the payload asks for a hardware-bound key), obtains an attestation for that key and for itself, and presents the attestation to the organization's ACME server as part of the certificate request. If the ACME server verifies the attestation and is satisfied with the device's claims, it issues a client certificate that the organization's servers trust.

The attestation certificates the device presents prove that:

  • The device is genuine Apple hardware
  • The device is a specific device (the serial number and UDID it claims are really its own)
  • The device has certain properties, such as the OS version it is running
  • The private key for the requested certificate is bound to that device's Secure Enclave and cannot be exported to another machine
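The following configuration profile is an added example, not a profile from the original post or from Jamf; it shows what an ACME payload that requests a hardware-bound, attested key looks like. The payload keys (`com.apple.security.acme`, `DirectoryURL`, `ClientIdentifier`, `KeyType`, `HardwareBound`, `Attest`, and so on) are Apple's; the directory URL, identifiers, subject and UUIDs are assumed placeholders that an admin would replace with their own values. Hardware binding and attestation are only possible for EC keys, so `KeyType` is `ECSECPrimeRandom`; the comments mark the settings that would silently weaken the result if changed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.acme</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Assumed identifiers; replace with your own reverse-DNS identifier and a fresh UUID. -->
      <key>PayloadIdentifier</key>
      <string>com.example.acme.device-identity</string>
      <key>PayloadUUID</key>
      <string>7D2B3F6E-1B4C-4A2A-9E0B-5C1F3A8D2E41</string>
      <key>PayloadDisplayName</key>
      <string>Device identity certificate (ACME, attested)</string>

      <!-- Assumed: your ACME server's directory URL. The server must implement the
           device-attest-01 challenge to make use of the attestation. -->
      <key>DirectoryURL</key>
      <string>https://acme.example.com/acme/directory</string>

      <!-- Assumed placeholder. In practice the MDM substitutes a per-device value here so the
           ACME server can match the request to an enrolled device. -->
      <key>ClientIdentifier</key>
      <string>enrollment-00001</string>

      <!-- Only EC keys can be bound to the Secure Enclave. An RSA key here would make
           HardwareBound and Attest impossible. -->
      <key>KeyType</key>
      <string>ECSECPrimeRandom</string>
      <key>KeySize</key>
      <integer>256</integer>

      <!-- Weak setting would be <false/>: the key would then live in software and could be
           copied off the device. -->
      <key>HardwareBound</key>
      <true/>

      <!-- Weak setting would be <false/>: the device would still get a certificate, but the
           ACME server would have no proof of which hardware made the request. -->
      <key>Attest</key>
      <true/>

      <!-- Requested subject, in the same nested RDN array form the SCEP payload uses.
           The ACME server may override or ignore it. -->
      <key>Subject</key>
      <array>
        <array>
          <array>
            <string>O</string>
            <string>Example Corp</string>
          </array>
        </array>
        <array>
          <array>
            <string>CN</string>
            <string>enrollment-00001</string>
          </array>
        </array>
      </array>

      <!-- TLS client authentication only; digital signature usage flag for the EC key. -->
      <key>ExtendedKeyUsage</key>
      <array>
        <string>1.3.6.1.5.5.7.3.2</string>
      </array>
      <key>UsageFlags</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.profile.acme-device-identity</string>
  <key>PayloadUUID</key>
  <string>A1C9E2B4-6F3D-4E7A-8B2C-0D5E9F1A3B6C</string>
  <key>PayloadDisplayName</key>
  <string>Attested device certificate</string>
</dict>
</plist>
```

The profile only asks the device to attest; none of the security comes from the profile itself. The enforcement lives in the ACME server, which has to validate the device-attest-01 response: check that the attestation is fresh for this challenge, that its certificate chain ends at the Apple Enterprise Attestation Root CA, that the attested public key is the one in the certificate request, and that the attested serial number belongs to a device the organization actually enrolled. A server that accepts the attestation without those checks gains nothing over a plain ACME or SCEP enrollment.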

What attestation means for Apple and the IT industry

Apple's unveiling of this capability at WWDC 2022 shows it adjusting device security protections to the needs of an increasingly mobile workforce. Security must extend beyond traditional perimeter protections such as VPNs and firewalls, and attestation gives servers a way to judge a device on its own evidence rather than on the network it connects from.

When a company of Apple's standing builds a feature squarely aimed at remote access, it signals a wider acceptance of remote work, and a firm understanding that device management is an important building block of device security.

How MDA impacts Apple admins

MDA is a powerful tool for IT professionals to increase security by combining Apple's hardware (the Secure Enclave) with a mobile device management (MDM) solution such as Jamf Pro. This combination assures Apple admins that devices are what they claim to be. Admins using MDM now have Managed Device Attestation, Apple Configurator updates, Sign in with Apple and Managed Apple IDs at their disposal.

How is Managed Device Attestation different?

Many organizations, including Jamf, have been focusing on user identity to secure remote workers' access to servers, and that is a good thing. MDA adds device identity: a valid user credential presented from unknown or tampered hardware can now be refused, which combines with user identity for a stronger security posture.

