The Security Misconceptions of Apple

According to Digital Trends, workers rely on Apple products and view them as the best and safest option for privacy. Tim Cook has been outspoken about a company’s responsibility for user security, and Apple’s recent WWDC event introduced new privacy and security features such as Managed Apple IDs for business.

However, misconceptions and concerns about Apple hardware and device security, compared with other platforms, persist. Below are the five areas where misinformation lingers most, with the facts IT decision makers and their organizations need about Apple device security.

Myth #1: You should approach macOS security the same way as Windows security

Instead of asking, “How do I install all of my Windows security solutions on my Mac?”, teams should ask, “What additional tools do I need to mitigate the risks that the native macOS controls do not already cover?”

On Apple operating systems, many security capabilities are built into the platform and do not need a third-party product. macOS ships with an application firewall; Gatekeeper, which verifies the code signature (and, from macOS Catalina, the notarization) of downloaded software before it is allowed to run; XProtect, a signature-based malware scanner whose definitions Apple updates in the background; and the Malware Removal Tool (MRT), which removes known infections. Catalina’s notarization requirement means developers must submit their software to Apple for an automated malware scan before Gatekeeper will accept it, which makes distributing malware and adware harder.

To get the most out of Apple’s efforts, an enterprise should start with visibility into these built-in technologies: which are enabled, which definition versions are installed and where they stop. That lets the infosec and IT teams understand which risks the operating system already mitigates, then concentrate on processes and tools that work with Apple’s native mechanisms to close the remaining gaps in visibility and increase protection of their devices.
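
The visibility step above is something a Mac admin usually scripts. The following is an added example for this article, not Apple’s or any vendor’s code: it reports the XProtect and MRT definition versions and whether Gatekeeper, FileVault and System Integrity Protection are on. The bundle paths and the command output formats are the documented ones on macOS 10.15 and later and are assumptions for other releases; the SAMPLE_* inputs are constructed so the parsing logic can be exercised on any machine.

```python
"""Collect the state of macOS native protections so a fleet can be audited
before any third-party agent is added.

Added example, not Apple's or a vendor's code. Paths and output formats are
those of macOS 10.15+ (assumption for other releases); SAMPLE_* is constructed.
"""
import plistlib
import re
import subprocess
import sys

# Apple's definition bundles on macOS 10.15+ (assumption: same on your release).
XPROTECT_PLIST = "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST = "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"


def bundle_version(info_plist: bytes) -> str:
    """Return CFBundleShortVersionString from an Info.plist (XML or binary)."""
    return str(plistlib.loads(info_plist).get("CFBundleShortVersionString", "unknown"))


def gatekeeper_enabled(spctl_status: str) -> bool:
    """`spctl --status` prints 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in spctl_status.lower()


def filevault_on(fdesetup_status: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'."""
    return re.search(r"FileVault is On", fdesetup_status) is not None


def sip_enabled(csrutil_status: str) -> bool:
    """`csrutil status` prints 'System Integrity Protection status: enabled.'"""
    return re.search(r"status: enabled", csrutil_status) is not None


def posture(xprotect_plist: bytes, mrt_plist: bytes,
            spctl_status: str, fdesetup_status: str, csrutil_status: str) -> dict:
    """Summarise the native controls and list the ones that are off."""
    report = {
        "xprotect_version": bundle_version(xprotect_plist),
        "mrt_version": bundle_version(mrt_plist),
        "gatekeeper": gatekeeper_enabled(spctl_status),
        "filevault": filevault_on(fdesetup_status),
        "sip": sip_enabled(csrutil_status),
    }
    report["gaps"] = [name for name in ("gatekeeper", "filevault", "sip") if not report[name]]
    return report


# Constructed sample inputs (not captured from a real Mac).
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>2099</string>
</dict></plist>"""
SAMPLE_MRT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>1.47</string>
</dict></plist>"""


def _run(*cmd: str) -> str:
    """Run a macOS status command and return its combined output."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def live_posture() -> dict:
    """Read the real bundles and commands; only meaningful on macOS."""
    with open(XPROTECT_PLIST, "rb") as f:
        xprotect = f.read()
    with open(MRT_PLIST, "rb") as f:
        mrt = f.read()
    return posture(xprotect, mrt, _run("spctl", "--status"),
                   _run("fdesetup", "status"), _run("csrutil", "status"))


if __name__ == "__main__":
    if sys.platform == "darwin":
        print(live_posture())
    else:
        # Off-Mac demo: a healthy sample, then one with every control switched off.
        print(posture(SAMPLE_XPROTECT, SAMPLE_MRT, "assessments enabled",
                      "FileVault is On.", "System Integrity Protection status: enabled."))
        print(posture(SAMPLE_XPROTECT, SAMPLE_MRT, "assessments disabled",
                      "FileVault is Off.", "System Integrity Protection status: disabled."))
```

Run it from an MDM policy or as an extension attribute and alert on a non-empty `gaps` list or a definition version older than the fleet baseline; that is the “gap in visibility” the paragraph refers to, and it costs nothing beyond what the operating system already ships.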

Myth #2: MDM is not critical to keeping an Apple device secure

Organizations sometimes deploy devices by lining them up and walking through every setup step by hand, largely because they treat them as consumer devices. Or they have a device management tool that cannot auto-enroll and configure Apple devices, so employees fall back to manual deployment. Not using the management capabilities built into Apple devices costs a lot of time and can leave security gaps.

Automated mobile device management (MDM) enrollment is more than installing a profile and saving time. It establishes organizational ownership and unlocks additional security features, including making configuration profiles non-removable by the user. Organizations can configure a device and verify that it is secure before any user or company data is placed on it.

If an organization-owned, MDM-enrolled device becomes inaccessible because of a forgotten passcode or a lost user credential, recovery options are available both for the data (an escrowed recovery key) and for Activation Lock (the bypass code an MDM can retrieve from a supervised device).

The most secure and preferred way to deploy devices is Apple Business Manager’s automated MDM enrollment. This workflow provisions devices automatically: it enrolls and configures each device without user intervention and unlocks several additional “supervision” features. Supervision marks the device as organization-owned and grants the MDM elevated rights over the device itself, including restrictions that are not available on unsupervised devices.

With the profiles and additional controls that MDM providers expose for Apple devices, an organization can ensure that every device is configured appropriately and secure by default.

Myth #3: Apple IDs are difficult to use

A few common Apple ID workflows create security gaps. Most organizations do not realize that by reimbursing employees for apps, or telling them to “just download” a free one, they are giving the employee ownership not only of the app but also of the data in it, which the organization then cannot control or reclaim.

That is where Apps and Books in Apple Business Manager (Apple’s volume purchasing program) and device-based app assignment work hand in hand. Used with MDM, they let organizations deploy apps securely without any personal Apple ID on the device. The organization, rather than the employee, holds the app licenses, so it can distribute apps easily and keep ownership of the apps and of the company or client data within them.

Where personally owned devices (such as BYOD iPhones) are desired, Managed Apple IDs provide the same protection, separating personal data from organizational data and keeping ownership of the latter with the organization.

Myth #4: Additional encryption tools are required

One of the biggest misunderstandings about Apple devices concerns the use and administration of third-party encryption tools. Third-party encryption software is simply not required on an Apple device, because encryption is built in. On iOS, AES encryption is implemented in hardware and the data-protection keys are tied to the user’s passcode, so setting a passcode is what activates it. VPN is built into iOS, and with a capable MDM it can be configured per app. Biometric access such as Face ID and Touch ID relies on the Secure Enclave, a hardware-isolated key manager, to unlock the device, apps and resources.

Provided the Apple devices are properly provisioned and managed as company devices, these native security features become part of the business’s security stack.

For computers, macOS provides native encryption with FileVault 2. Apple has shipped native encryption since Mac OS X 10.3 in 2003, when the original FileVault encrypted the user’s home folder; FileVault 2, which encrypts the whole startup volume, arrived with 10.7. In current versions of macOS, FileVault 2 can be enabled automatically and configured to escrow the recovery key to the MDM during initial setup, so user data is never stored unprotected. Newer Macs include the custom Apple T2 Security Chip, whose Secure Enclave provides the foundation for new security features and protects Touch ID fingerprint data.
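
The non-removable profile mentioned under Myth #2 and the FileVault key escrow described here are both expressed in one MDM configuration profile. The block below is an added example for this article, not any MDM vendor’s code: it builds such a profile with Apple’s documented payload types (`com.apple.MCX.FileVault2`, `com.apple.security.FDERecoveryKeyEscrow` and a `com.apple.security.pkcs1` certificate payload) and then lints it for the settings that make it “secure by default”. `ORG`, the escrow location text and the certificate bytes are placeholders (assumptions) to replace with your own values.

```python
"""Build and lint a FileVault configuration profile of the kind an MDM pushes:
FileVault is turned on at the first login, the personal recovery key is
escrowed to the MDM and the user cannot remove the profile.

Added example, not a vendor's profile. Payload types and keys are Apple's
documented ones; ORG, ESCROW_LOCATION and the DER bytes are placeholders.
"""
import plistlib
import uuid

ORG = "com.example.mdm"                    # assumption: your reverse-DNS prefix
ESCROW_LOCATION = "Example Corp IT (MDM)"  # assumption: text shown to the user
FV_TYPE = "com.apple.MCX.FileVault2"
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"
CERT_TYPE = "com.apple.security.pkcs1"


def _payload(ptype: str, name: str, **keys) -> dict:
    """Common boilerplate for one payload inside a profile."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"{ORG}.{name}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name, **keys}


def filevault_profile(escrow_cert_der: bytes, removable: bool = False) -> dict:
    """Profile with certificate, FileVault and escrow payloads wired together."""
    cert = _payload(CERT_TYPE, "fde-escrow-cert", PayloadContent=escrow_cert_der)
    filevault = _payload(FV_TYPE, "filevault",
                         Enable="On",
                         Defer=True,             # enable at next login, no admin prompt
                         UseRecoveryKey=True,    # generate a personal recovery key
                         ShowRecoveryKey=False,  # never show it on screen; it is escrowed
                         DeferForceAtUserLoginMaxBypassAttempts=0)  # user cannot skip
    escrow = _payload(ESCROW_TYPE, "fde-escrow",
                      Location=ESCROW_LOCATION,
                      EncryptCertPayloadUUID=cert["PayloadUUID"])  # key is encrypted to this cert
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadScope": "System",
            "PayloadIdentifier": f"{ORG}.fde",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "FileVault with recovery key escrow",
            "PayloadRemovalDisallowed": not removable,
            "PayloadContent": [cert, filevault, escrow]}


def profile_issues(profile: dict) -> list:
    """Return the ways a FileVault profile falls short of 'secure by default'."""
    issues = []
    if profile.get("PayloadRemovalDisallowed") is not True:
        issues.append("profile is removable by the user")
    payloads = profile.get("PayloadContent", [])
    by_type = {p["PayloadType"]: p for p in payloads}
    fv = by_type.get(FV_TYPE)
    if fv is None or fv.get("Enable") != "On":
        issues.append("FileVault is not enabled")
    elif not fv.get("UseRecoveryKey"):
        issues.append("no personal recovery key will be generated")
    elif fv.get("ShowRecoveryKey"):
        issues.append("recovery key is shown to the user")
    escrow = by_type.get(ESCROW_TYPE)
    if escrow is None:
        issues.append("recovery key is not escrowed to MDM")
    else:
        cert_uuids = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == CERT_TYPE}
        if escrow.get("EncryptCertPayloadUUID") not in cert_uuids:
            issues.append("escrow payload references a certificate that is not in the profile")
    return issues


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Placeholder DER bytes; a real profile carries the MDM's encryption certificate.
    good = filevault_profile(b"\x30\x03\x02\x01\x01")
    print(profile_issues(good))  # []
    with open("filevault-escrow.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(good))
    weak = filevault_profile(b"\x30\x03\x02\x01\x01", removable=True)
    weak["PayloadContent"][1]["ShowRecoveryKey"] = True
    print(profile_issues(weak))
```

The lint is the useful part: a profile that a user can remove, or one that displays the recovery key in the enablement dialog, still “turns on FileVault” but undoes the point of managing it, and a catalogue of deployed profiles can be checked the same way before it is trusted.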

The Apple T2 Security Chip also contains an SSD controller that encrypts data on the fly, with keys that are held in the Secure Enclave and never exposed to the main processor, and it implements secure boot, verifying that the software loaded at each stage of the boot process has not been tampered with. These are powerful built-in features that protect the machine from its first boot with no extra administration.

Myth #5: Binding Mac to the network is necessary

Many organizations have policies written at a time when Windows clients were the only devices allowed in the workplace. “We have to bind to the directory; it’s required” is all too common. It may be surprising, but binding Macs to a directory service on the corporate network is not a must. Applying Windows concepts to Apple devices rarely gives a seamless user experience and often creates unforeseen problems (a bound Mac that leaves the network, for instance, can end up with a mobile account whose cached password no longer matches the directory).

Apple continues to focus on and promote cloud services, as do many of the organizations that use Apple in the workplace. Cloud identity providers and identity management platforms can be integrated with the Mac to give secure user identity management and auditability from any network. Together, the Mac, a cloud identity provider and an identity management solution let organizations provide remote access to devices and information for a highly mobile workforce, for students using school-issued devices at home, and more.

When choosing the right devices for an organization, IT teams try to reduce risk while preserving the experience end users demand in today’s candidate-driven job market.

Combatting common misconceptions about Apple security in the workplace is a strong step toward letting employees choose the device on which they are most productive, while maintaining company and data security.
