Jamf Security Series: Securely managing Apple through a device lifecycle

Although Apple devices are remarkably secure out of the box, their increased adoption in the enterprise has won them unwelcome attention. It's absolutely critical for IT to ensure security — especially where devices interact with networks.

The standard of Apple device management and security has risen a great deal in the past few years. Apple admins should take advantage of this by incorporating current and forward-thinking security measures into the entire lifecycle of the Apple devices they manage: keeping devices secure and their organizations protected.

Secure Apple device enrollment

The most secure way to onboard new students, employees, or customers is to use Apple Business Manager or Apple School Manager in tandem with a leading Apple management solution like Jamf Pro.

The traditional method to outfit and enroll devices: IT would physically prepare a device and hand it to the user. This could introduce human error: even the best IT pro can introduce a typo. Once computers were set up, it was nearly impossible to monitor and verify that all was well on an unmanaged device.

Today, IT needs a flexible way to deliver user-centric and secure onboarding while also maintaining management of company-owned hardware. That’s where Apple deployment programs come in. With “zero-touch” deployment powered by Apple Business Manager and Apple School Manager, organizations can ship new hardware directly to an employee – wherever they are working – completely bypassing IT (and the potential for human error).

And there are safety concerns beyond digital, especially lately: physical health and safety. The ability to enroll a device that arrives to the user's home still in its wrapping from the Apple store — using products like Jamf Pro with Jamf Connect — make remote onboarding a real possibility, today and moving forward.

That's more security for everyone.

Secure device and user authentication

Setting up and provisioning a local user account used to be a fairly ad-hoc process. A Mac administrator would need to bind to Active Directory (AD) or use a script and manually sync passwords, which is not sustainable — and can, again, introduce error. Even if the administrator's work is error-free, syncing can cause issues between Macs and an organization's directory.

If, for instance, a Mac user changes their AD password from a device other than their Mac, the login keychain doesn't get its password updated. On next login, the user will have to understand that they need to enter their old password or delete the keychain and create a new one (with the help of IT). When the keychain contains certificates used for authentication, this can be a real burden on IT and leave users more open to attack or just misuse, as admins often need to force unbind to reset the user's password.

Now, with Apple Business Manager combined with an Apple enterprise management tool, Apple admins can still choose to bind to AD using a configuration profile (automating a process removes potential human error, remember) or, even better: link the device to the user using a single-sign on (SSO) tool such as Okta or Azure alongside an authentication solution like Jamf Connect.

Using Jamf Connect and an SSO tool to manage Apple devices means that all syncing and SSO is automated — reducing potential points of failure in the system.

Secure Apple device provisioning

Provisioning used to be a very hands-on process, much as enrolling devices was: IT would take a device, load it with the software and features they believed their users required, and hand the device over to the user, who would either have administrative access and thus the power to download their own software or who did not – thus needing to consult with IT each time the user needed something to do their job well.

Empowering your users with a self-service model has many obvious benefits: users can manage their own machines from an online catalogue of pre-approved tools, which gives them access to the tools they need instantly without needing admin access. This helps the users do their jobs more efficiently and also saves an enormous about of time in the IT department. (Check out Self Service, a free tool included with Jamf Pro, to learn more.)

There are also security benefits that might not seem so obvious at first.

For instance, it is far easier to track licenses with a self-service model, keeping you in compliance with your organization's agreements. You can also easily reclaim licenses when employees transition roles or leave the organization, ensuring that every IT dollar is well spent.

Users can also install their own policies and configuration profiles from an automated menu, which – again, let's all say it together – removes the potential for human error,

A self-service model not only empowers your users, it also helps IT to easily keep track of digital inventory and who has accessed which tools.

Security aspects of Apple device management

The traditional way to manage devices was to use a remote tool to deploy packages, scripts and general troubleshooting on demand.

This required a management account as well as time and (you guessed it) it had the potential to introduce errors. Patch management required action on the part of the not-always-tech-savvy end user.

Using Apple Business Manager or Apple School Manager and enabling self-service and policy-based workflows, which does not require a management account on a Mac, should be part of any Mac admin's best practices.

Beyond the security advantages of automation, there is the fact of IT's time: automating many of these previous hands-on workflows frees up time for IT to spend on beefing up security and preparing themselves for possible attacks.

Monitoring Apple devices

Traditionally, Apple devices simply were not easily monitored. Much of the reason for this was Apple's strong commitment to privacy and data protection, but this feature-not-a-bug made it impossible to remotely monitor logs easily and quickly: IT needed to run scripts, gather (often enormous) output, and catalogue it — all before they could even see what was going on.

The most secure approach is to the have a product like Jamf Protect monitor networked devices for compliance of configuration, with logging activity centralized: no one has to access a device to monitor it. A central system of record aggregating logs in one location means faster information access, as well as faster remediation in the case of any problems.

A product like Jamf Protect, in concert with Apple Business Manager or Apple School manager, can monitor all devices for known malicious software using signature-based security: recognizing the unique signature of known malware and removing and remediating the damage quickly. Seeing trouble as soon as it starts means that organizations are able to remediate any malware or similar software far more quickly than the traditional method.

And then there's proactively preventing security concerns with Jamf Protect rather than simply reacting to them: behavior-based protection.

Behavior-based protection uses an understanding of how viruses work and monitors for what they can do. Behavior-based detection evaluates the potential actions that may be performed by a piece of code and can nullify that code before it even starts.

Now, the concept of monitoring devices and networks for malicious behavior has been around since the late 2000s. But it was a sophisticated understanding of technology and human behavior and the logic for normal/abnormal behavior took a while to develop before it could be implemented. Even when widespread deployment began, it was focused almost exclusively on the Windows ecosystem. Jamf Protect is one of the few products that focuse on Macs to define unusual behavior, and a system such as Jamf Protect is a must for any macOS security-focused Mac administrator.

Secure deprovisioning of Apple devices

There are a myriad of reasons to deprovision a device, and only one of them is at the end of a device's life cycle. There is device loss or theft, for example, or an employee exiting an organization.

In the past, Mac admins needed physical access to a device to wipe it.

But it's absolutely essential to be able to do this remotely. IT needs to lock down these devices to prevent accidental or malicious leaking of data or access to sensitive organizational information, and they will not always have access to the device itself. Using Apple Business Manager or Apple School Manager with a good Apple device management system allows IT to remotely lock and wipe devices in these cases.

Beyond employee exits, device retirement, theft, or loss, daily or even hourly deprovisioning is a very important security measure for many organizations – especially those with multiple users on devices.

Completely and securely wiping data from devices moving from one patient to another in a clinical setting is a must. Using Jamf Pro with Jamf Healthcare Listener, for instance, administrators can ensure that patients and clinical staff can securely and easily communicate and monitor patient progress while also ensuring that no patient can access the data of the one who used the device before them.

In warehouse and retail settings, shift workers and floor staff often need to access different information from what the next user will need. While iPads often make tracking inventory and customer contacts much easier than other methods, they also need to be wiped between users for security and varying level of access.

Students sharing iPads at school (or at home) all have personal data linked to their courses, and may have different levels of access as well. Using Jamf Pro or Jamf School with Apple School Manager can automate wiping and re-provisioning devices for each class period.

Stay aware of digital security developments

From initial enrollment to final deprovisioning, Mac Admins should ensure that organizational security is paramount in their thinking. Keeping up-to-date on Apple security developments and the solutions that integrate them is part of that important work.

Profuse thanks to Matthias Wollnik, a product marketing manager at Jamf and an all-around great guy, for his invaluable help in writing this blog post.