Managed Device Attestation: New security feature for iPads and iPhones

Mobile working is becoming more and more common. iOS 16 and iPadOS 16 therefore add a security feature that is backed by the Secure Enclave.

With the new versions of iOS and iPadOS, Apple is for the first time bringing a dedicated security feature to its devices that is intended to make company networks harder to reach from hardware that the company does not control. Managed Device Attestation (MDA) is aimed in particular at the fast-growing home-office market and is meant to grant access to company resources only to devices that administrators have approved.

Apple presented MDA at WWDC 2022 in June. The basic idea is simple: instead of relying on where a user appears to be, as indicated by a connection coming from the company's local network, in future it will be the device itself that proves to company servers, databases and internal websites that it is a legitimately enrolled and approved device.

In practice, Managed Device Attestation uses the iPhone's or iPad's Secure Enclave to establish the device's identity. The Secure Enclave is isolated from the rest of the system and is already used today for biometric data such as fingerprints (Touch ID) and faces (Face ID), as well as for Apple Pay. Because the attestation is bound to a key that is generated inside the Secure Enclave and cannot be exported from it, a server that checks the attestation can be confident that the device connecting to the network is the one the administrator previously authorized, rather than a copy of its credentials running on some other machine.

Apple will also operate its own attestation server, which issues the attestation that the device presents. The decision to accept a device remains with the company's MDM server, so an administrator can withdraw a device's approval at short notice, for example in the event of theft, and the device's next attestation check will fail. In practical terms, the DeviceInformation MDM command has been extended so that an MDM server can request such an attestation from the device.
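How the pieces described above fit together, shown as an added example that is not Apple's code and not part of the original article: both sides of the attestation exchange, modelled in Go with the standard library. An attestation authority (standing in for Apple's attestation server) issues an X.509 certificate that binds a device key (standing in for the Secure Enclave key) to the device's serial number and to a nonce chosen by the MDM server; the MDM server then checks the chain, the freshness of the nonce and its administrator-maintained allowlist. The self-signed root, the device serial numbers, the use of Subject fields to carry the serial and nonce, and all function names are assumptions made for this example; Apple's real certificate profile, extension OIDs, root certificate and DeviceInformation message format are not reproduced. The `must` helper needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// authority stands in for Apple's attestation server (hypothetical self-signed root, not Apple's).
type authority struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}
func newAuthority() *authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Hypothetical Attestation Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &authority{key: key, cert: must(x509.ParseCertificate(der))}
}

// issue binds pub to the device serial and the server's nonce; Subject.SerialNumber and an OU carry them for illustration only (Apple's real certificate profile differs).
func (a *authority) issue(pub *ecdsa.PublicKey, serial string, nonce []byte) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{SerialNumber: serial, OrganizationalUnit: []string{hex.EncodeToString(nonce)}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, a.cert, pub, a.key))
}

// mdm is the server side: the pinned attestation root, the administrator's allowlist of device
// serials (delete an entry to revoke the device) and the nonces handed out but not yet consumed.
type mdm struct {
	roots    *x509.CertPool
	approved map[string]bool
	pending  map[string]bool
}
func (m *mdm) newNonce() []byte { // freshness value sent with the attestation request
	n := make([]byte, 32)
	must(rand.Read(n))
	m.pending[hex.EncodeToString(n)] = true
	return n
}

// verify checks the chain first, then freshness (single-use nonce), then administrator approval.
func (m *mdm) verify(attDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(attDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: m.roots}); err != nil {
		return "", fmt.Errorf("untrusted attestation chain: %w", err)
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) != 1 || !m.pending[ou[0]] {
		return "", fmt.Errorf("nonce unknown or already used: stale or replayed attestation")
	}
	delete(m.pending, cert.Subject.OrganizationalUnit[0])
	if serial := cert.Subject.SerialNumber; m.approved[serial] {
		return serial, nil
	}
	return "", fmt.Errorf("device %q is not approved by the administrator", cert.Subject.SerialNumber)
}

// scenario runs the exchange and the failure modes the server must handle. The device key stands
// in for a Secure Enclave key: only its public half ever reaches the authority or the server.
func scenario() map[string]bool {
	const serial = "C02HYPOTHETICAL1" // made-up device serial
	apple, out := newAuthority(), map[string]bool{}
	srv := &mdm{roots: x509.NewCertPool(), approved: map[string]bool{serial: true}, pending: map[string]bool{}}
	srv.roots.AddCert(apple.cert)
	device := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	accepted := func(att []byte) bool { _, err := srv.verify(att); return err == nil }
	att := apple.issue(&device.PublicKey, serial, srv.newNonce())
	out["approved device accepted"] = accepted(att)
	out["replay rejected"] = !accepted(att) // the same certificate presented a second time
	rogue := newAuthority()                // attacker-run CA: its chain does not reach the pinned root
	out["forged chain rejected"] = !accepted(rogue.issue(&device.PublicKey, serial, srv.newNonce()))
	delete(srv.approved, serial) // the admin withdraws approval, e.g. after a theft report
	out["revoked device rejected"] = !accepted(apple.issue(&device.PublicKey, serial, srv.newNonce()))
	return out
}
func main() { fmt.Println(scenario()) }
```

Run it with `go run`; all four outcomes print as true. The order of checks in `verify` is deliberate: the chain is validated before the nonce is consumed, so an attacker cannot burn a pending nonce by sending garbage, and the allowlist is consulted last, so a genuine device that an administrator has removed is refused even though its attestation is otherwise valid. A real deployment would pin Apple's attestation root instead of a locally generated one and would read the device identifiers from Apple's certificate extensions rather than from the Subject.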

In addition, Apple has built in support for the new Automatic Certificate Management Environment (ACME) payload, which lets a managed device obtain client certificates from an ACME server and, in the process, prove that the corresponding private key is held in the Secure Enclave. For more details on the implementation of both ACME and MDA, see Apple's WWDC presentation linked above. It also describes how connections from company devices to the MDM server, to VPNs and to Wi-Fi networks are to be secured more strongly via the Secure Enclave in future.