Announced at WWDC 2022, Managed Device Attestation protection shows that Apple embraces the need for endpoint security.

Announced at WWDC 2022, Managed Device Attestation protection shows that Apple is adjusting device security protections to adapt to an increasingly distributed age.

Secure the endpoints, not the end times

This adjustment reflects a reality shift. Work doesn’t happen on specific servers or behind defined firewalls today. VPN access can differ across teams. And yet, in a workplace defined by multiple remote devices (endpoints), the security threat is greater than ever. Managed Device Attestation works to create a second boundary of trust around which device management solutions can work to protect against attack.

This is one of a wide and growing range of security enhancements coming to Apple’s platforms, including declarative device management, Rapid Security Response, and Private Access Tokens. All these solutions represent Apple’s work to deliver rock-solid security in such a way as to also improve the user experience.

What is this for?

It’s all about philosophy. Apple understands that security must evolve beyond traditional perimeter protections such as VPNs or firewalls. Protection must be put in place across the edge of the network and needs to become increasingly autonomous. After all, protection can’t be wholly reliant on the data flow between device and server, as even that communication can be undermined.

Managed Device Attestation forms a proof point to help secure the device and confirm its identity. Think of it this way – you as a user may have proved who you are, and you may be in a location that your management systems see as viable – but how do you prove you are using a registered device? That’s what Managed Device Attestation seeks to do. It requires only that you trust the Secure Enclave on your device processor, and that you also trust Apple to attest to the status of the device.
Essentially, the highly secured process shares key identity and other characteristics of the device as evidence with which to reassure the service that the device is one it can support. The Secure Enclave provides evidence to Apple’s attestation servers that the hardware is legitimate, Apple shares this with the service, and because the service trusts Apple the device is seen as legitimate.

The idea is to protect against use of compromised devices, situations in which an attacker is spoofing a service by pretending to be a legitimate device, or attempts to access the network by people who may have the user’s details but are working from an unrecognized device.

How does this work?

While you’ll need to dig deep to get to grips with the technology behind the system, a zoomed-out explanation follows:

Managed Device Attestation uses the Secure Enclave built into Apple products along with cryptographic attestations that together confirm the identity of a managed device. When such a device attempts to connect to MDM, VPN, Wi-Fi, or other services, it must also confirm that the request is a legitimate one from a legitimate device.

The attestation component comes in the form of certificates designed to provide strong assurances that a specific device is legitimate. It relies on multiple technologies, including TLS private keys generated and protected by the Secure Enclave. It also uses Apple’s servers and a (currently) draft standard for an Automated Certificate Management Environment.

At its simplest, when you want your device authorized and request permission to do so, the device sends key information such as user or device identity to the service to confirm it is who it claims to be. This information is secured, of course, and works via an Apple server. The service looks at what it’s been told, compares it to its own records, verifies the message is genuine (as in signed and delivered by Apple’s servers) and approves access.
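The flow described above has three checks a relying service must make before it approves access: the attestation certificate chains to a root it trusts (the stand-in for Apple's attestation servers), the attested device identity is one the service has on record, and the device proves it holds the private key named in that certificate by signing a fresh challenge. The following is an added, simulated example and not Apple's code or the real attestation protocol: the CA, the device "enclave" key, the serial numbers and the nonce are all constructed here, and the certificate fields and the challenge format are assumptions chosen for illustration. It walks the genuine case and the three failure modes the article mentions (an unenrolled device, an attacker-issued certificate, and a copied certificate used without the hardware key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel verdicts returned by the relying service.
var (
	ErrUntrustedIssuer = errors.New("attestation not signed by the trusted attestation CA")
	ErrUnknownDevice   = errors.New("attested device serial is not enrolled")
	ErrBadSignature    = errors.New("challenge signature does not match the attested key")
)

// signer stands in for an attestation service (constructed here, not Apple's real CA):
// it holds a CA key and issues certificates binding a device serial to a device public key.
type signer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newCA(name string) *signer {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &signer{key: key, cert: cert}
}

// issue produces the attestation certificate: the CA vouches that pub belongs to hardware with this serial.
func (ca *signer) issue(serial string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: serial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// device models a managed device; key plays the role of a Secure Enclave key that never leaves the hardware.
type device struct {
	serial string
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate
}

func newDevice(serial string, ca *signer) *device {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &device{serial: serial, key: key, cert: ca.issue(serial, &key.PublicKey)}
}

// answer signs the service's nonce, proving possession of the attested key.
func (d *device) answer(nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.key, h[:])
	return sig
}

// service is the relying party (MDM, VPN, Wi-Fi). It checks chain of trust,
// enrolment of the attested serial, and the challenge signature, in that order.
type service struct {
	roots    *x509.CertPool
	enrolled map[string]bool
}

func (s *service) verify(cert *x509.Certificate, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return ErrUntrustedIssuer
	}
	if !s.enrolled[cert.Subject.CommonName] {
		return ErrUnknownDevice
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// runScenarios exercises the verifier against a genuine device and three failure modes; nil means approved.
func runScenarios() map[string]error {
	apple, rogue := newCA("Simulated Attestation CA"), newCA("Rogue CA")
	svc := &service{roots: x509.NewCertPool(), enrolled: map[string]bool{"SN-ENROLLED-001": true}}
	svc.roots.AddCert(apple.cert)
	nonce := []byte("constructed-service-nonce-42") // a real service draws a fresh random nonce per request

	good := newDevice("SN-ENROLLED-001", apple)            // registered, genuine
	stranger := newDevice("SN-UNKNOWN-999", apple)         // genuine hardware, never enrolled
	forged := newDevice("SN-ENROLLED-001", rogue)          // certificate issued by an untrusted CA
	clone := &device{serial: good.serial, cert: good.cert} // copied certificate, no enclave key
	clone.key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	return map[string]error{
		"genuine enrolled device": svc.verify(good.cert, nonce, good.answer(nonce)),
		"genuine but unenrolled":  svc.verify(stranger.cert, nonce, stranger.answer(nonce)),
		"forged attestation":      svc.verify(forged.cert, nonce, forged.answer(nonce)),
		"stolen cert, wrong key":  svc.verify(clone.cert, nonce, clone.answer(nonce)),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

The order of the checks matters for the defender: trust in the issuer is established before the service consults its own records, so a certificate from an unknown CA is rejected without leaking which serials are enrolled, and the nonce signature is what stops a copied certificate from being replayed by hardware that never held the key.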
Attestation works thanks to MDM servers and the company’s Automated Certificate Management Environment (ACME) protocol, which makes attestation available to services beyond MDM.

When will this be available?

Managed Device Attestation will be available for iOS 16, iPadOS 16 and tvOS 16 as the new operating systems appear over the coming weeks. MDM providers such as Jamf will certainly embrace support for this once it appears.

Find out more about Managed Device Attestation

Apple developers can find out more about Managed Device Attestation at the WWDC 2022 session that explains it and within this extensive Device Management roundup on Apple’s developer site.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.