Enterprise Mobility & the Connected Worker Blog

Sour Apple: Vulnerability Issues with Apple’s Device Enrollment Program

by Connor Collier | 10/22/2018


As more companies choose Apple for their corporate devices, bulk ordering and large-scale configuration have pushed the company to build a more fluid method of Mobile Device Management (MDM). In 2014, Apple introduced its Device Enrollment Program (DEP), which lets a purchased device be configured automatically the first time it is switched on. The upside? Automating configuration relieves IT departments of configuring devices in bulk and spares firms the cost of additional third-party management systems. The downside? Apple has yet to get the enrollment process right, and the gap exposes firms to unauthorized enrollment and data exposure. While these issues might suggest that Apple faces a real barrier to entering enterprise MDM at all, the general consensus is that the setback is merely temporary.

While Mobile Device Management has been used in the enterprise since the early 2000s, it is a relatively new venture for Apple. Apple's DEP is unique in that device settings are pre-configured: a device bought from Apple or an authorized reseller is automatically enrolled in the company's MDM during its first setup. Pre-configured devices appeal to companies because they minimize the work of IT departments and prevent users from opting out of MDM or removing management settings from the device. Essentially, Apple supplies firms with out-of-the-box, ready-to-use devices that already match the company's device management preferences.

To use DEP, a company must first be enrolled in Apple's Deployment Programs. Once enrolled, an account at deploy.apple.com is created using a company email address and a nine-digit company ID code. The DEP account is then linked to the company's MDM server, and as administrators are added, devices are assigned to that server by order number or serial number before they are handed to employees. When an employee turns a device on for the first time, it contacts Apple, which looks up its serial number and redirects it to the assigned MDM server. Essentially, any device whose serial number is assigned to the company (a new device, or one that has not yet been set up) is pointed at the company's enrollment server. While serial number identification makes configuration efficient, it has also exposed firms to a dangerous level of risk.

The MDM server can be configured to require a username and password at enrollment, but many firms skip this step in the belief that Apple's serial number check is sufficient. Those that rely on the serial number alone expose themselves to several threats. The issue is two-fold. First, obtaining the serial number of an already-assigned device is not difficult: it is printed on the device and its packaging, and a caller posing as IT could simply ask an unsuspecting employee for it. With a valid serial number in hand, an unauthenticated request to the DEP API returns that device's activation record, which reveals company-held information such as the organization's name and the address of its MDM server. Second, Apple's DEP does not limit how many times a serial number can be submitted, so an attacker can query as many guessed serial numbers as they wish. Because Apple serial numbers follow a predictable structure rather than being random, guessing valid ones is feasible. Combined with an MDM server that does not require user authentication, this lets an attacker enroll a device of their own and receive whatever the MDM pushes to managed devices: company credentials such as Wi-Fi passwords, applications, employee information and so on.

This attack method was reported to Apple by the security researchers at Duo in May 2018. Apple's response has been limited: essentially, Apple has said that businesses wishing to protect their MDM servers further must take the necessary steps themselves. Industry professionals believe Apple will eventually remedy the issue on its end, but in the meantime firms might want to rethink how liberally they deploy DEP. One measure is to require user authentication at device enrollment, in addition to the serial number check. Further, refusing enrollment from devices that attempt their initial setup outside the office or off the corporate network would mitigate the threat from outsiders. As stated, this is a vulnerability that can be avoided. While Apple may initially neglect to recognize the faults on its end, firms can, and should, take matters into their own hands by adding the required layers of authentication.
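As an added illustration (not code from the original post, from Duo, or from Apple), the following Python models the two enrollment policies discussed above on the organization's own MDM enrollment endpoint: a weak policy that hands out the enrollment profile to any request carrying an assigned serial number, and a hardened one that also requires a user login, restricts first-time enrollment to the corporate network, and rate-limits attempts per source so that serial guessing against the server is throttled. All serial numbers, the user directory, the profile contents and the 10.0.0.0/8 corporate range are constructed sample data, and the request and response shapes are simplified assumptions, not Apple's actual DEP or MDM protocol.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple

# ---- Constructed sample data (hypothetical; not real Apple, Duo or customer data) ----
# Serial numbers the organization has assigned to its MDM server in DEP.
DEP_ASSIGNED_SERIALS = {"SERIAL000001", "SERIAL000002", "SERIAL000003"}

# What a successful enrollment hands to the device: the kind of data the post
# warns would land on an attacker-enrolled device.
ENROLLMENT_PROFILE = {
    "mdm_server": "https://mdm.example.com/enroll",  # hypothetical URL
    "org_name": "Example Corp",                       # hypothetical
    "wifi_psk": "constructed-example-psk",            # hypothetical secret
}

CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed office range


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# username -> (salt, digest). Constructed directory with a single account.
USER_DIRECTORY = {"alice": hash_password("correct horse battery staple")}


def verify_user(username: str, password: str) -> bool:
    record = USER_DIRECTORY.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class RateLimiter:
    """Sliding-window limiter keyed by source address. The clock is passed in
    explicitly so behaviour is deterministic."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


@dataclass
class EnrollmentRequest:
    serial: str
    source_ip: str
    username: str = ""
    password: str = ""


def enroll_serial_only(req: EnrollmentRequest):
    """Weak policy: a serial number the org assigned in DEP is all it takes."""
    if req.serial in DEP_ASSIGNED_SERIALS:
        return "ok", ENROLLMENT_PROFILE
    return "denied", None


def enroll_hardened(req: EnrollmentRequest, limiter: RateLimiter, now: float):
    """Serial check plus user login, network restriction and rate limiting.
    The limiter runs first so failed guesses also spend the budget, and the
    credentials are checked before the serial so an anonymous caller cannot
    use this endpoint as an oracle for which serials are assigned."""
    if not limiter.allow(req.source_ip, now):
        return "rate_limited", None
    if ipaddress.ip_address(req.source_ip) not in CORPORATE_NETWORK:
        return "off_network", None
    if not verify_user(req.username, req.password):
        return "bad_credentials", None
    if req.serial not in DEP_ASSIGNED_SERIALS:
        return "unknown_serial", None
    return "ok", ENROLLMENT_PROFILE


def probe_serials(candidates, source_ip: str, limiter: Optional[RateLimiter] = None):
    """Simulate serial guessing against the weak endpoint. Returns
    (attempts answered, assigned serials confirmed); with a limiter in front
    the guessing stops once the per-source budget is spent."""
    answered = confirmed = 0
    for i, serial in enumerate(candidates):
        if limiter is not None and not limiter.allow(source_ip, float(i)):
            break
        answered += 1
        if enroll_serial_only(EnrollmentRequest(serial, source_ip))[0] == "ok":
            confirmed += 1
    return answered, confirmed


if __name__ == "__main__":
    guesses = ["SERIAL%06d" % n for n in range(1, 101)]  # constructed guess list
    print("no limit:", probe_serials(guesses, "203.0.113.5"))                    # (100, 3)
    print("limited: ", probe_serials(guesses, "203.0.113.5", RateLimiter(2, 60)))  # (2, 2)
```

Note that the rate limiter here only protects the organization's own enrollment endpoint; it does nothing about the lack of limits on Apple's DEP API, which only Apple can fix. The credential check deliberately runs before the serial lookup so that a caller without a valid login learns nothing about which serial numbers are assigned to the company.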

View the 2018 Enterprise Mobility & Connected Devices Research Outline to learn more.