Securing the workforce with Apple

Every WWDC brings a raft of new features for Apple's platforms, and this year has been no different. Among this year's announcements are several security updates that help protect devices and users in organisations of every size.

In this article we'll dive into the new security features coming in the year ahead across iOS, iPadOS and macOS.

Passkey

Passwords on their own are no longer a strong security control. Remembering numerous passwords across multiple websites becomes tedious without a password manager, which pushes users towards weak or reused passwords. Every site also has to keep a verifier for each password in its own database, so a breach of that database, or a convincing social engineering attack, can expose them.

To address these limitations, Apple has announced arguably the most significant security feature of WWDC: passkeys, its implementation of public-key cryptographic authentication built on the FIDO/WebAuthn standards.

When signing up to a website or app, you are prompted to create a passkey. The device generates a unique key pair: the public key is sent to the site, while the private key is stored in your keychain, protected by Face ID or Touch ID, and synced across your devices through iCloud Keychain. Passkeys can also be shared with nearby devices over AirDrop.

Passkeys address the problems that additional authentication factors are currently bolted on to solve, removing the need for them and giving the end user a simpler experience while improving security. Because there is nothing to type, a passkey cannot be guessed or reused across sites; because each passkey is bound to the site it was created for, a look-alike phishing page cannot obtain a valid sign-in; because the server stores only the public key, a server leak exposes nothing an attacker can use; and because the private key is protected by the device passcode and biometrics, a stolen device does not hand it over. It is a giant leap forward for online security.
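The following is an added example, not Apple's code or anything from the original post, that models the passkey sign-in described above in Go: a device-side authenticator that holds an origin-scoped private key, a relying party that stores only the public key, and a fresh random challenge per login. It then tries a genuine login, a replay of a captured assertion and a phishing relay from a look-alike origin. The origins, the framing of the signed data and the `Scenario` function are assumptions made for illustration; real WebAuthn signs authenticator data plus a hash of client data that carries the origin and challenge, which this simplifies to a single hash.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is all the relying party (the website) stores after registration:
// a credential ID and the PUBLIC key. A breach yields nothing to replay or crack.
type Credential struct {
	ID     []byte
	Origin string
	Public *ecdsa.PublicKey
}

// Authenticator stands in for the device keychain: private keys are created
// here, scoped to the origin they were registered for, and never leave.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh P-256 key pair for one origin and returns the
// public half, which is all the server ever sees.
func (a *Authenticator) Register(origin string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return Credential{}, err
	}
	a.keys[origin] = priv
	return Credential{ID: id, Origin: origin, Public: &priv.PublicKey}, nil
}

// signedData binds the server's challenge to the origin the request came from
// (simplified stand-in for WebAuthn's clientDataJSON, which carries both).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(bytes.Join([][]byte{[]byte(origin), challenge}, []byte{0}))
	return h[:]
}

// Assert is the login step on the device. requestOrigin is the origin the
// browser actually loaded; a look-alike phishing domain has no matching key.
func (a *Authenticator) Assert(requestOrigin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[requestOrigin]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for origin %q", requestOrigin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(requestOrigin, challenge))
}

// Verify is the relying-party check: the signature must cover THIS server's
// origin and THIS fresh challenge, under the stored public key.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(cred.Public, signedData(cred.Origin, challenge), sig)
}

// NewChallenge produces the per-login random value that defeats replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Scenario runs registration and three login attempts and reports which verify:
// the genuine login, a replay of an old assertion, and a phishing relay.
func Scenario() (genuine, replay, phish bool, err error) {
	const site = "https://accounts.example.com"     // constructed sample origin
	const lookalike = "https://accounts-example.com" // constructed phishing origin
	auth := NewAuthenticator()
	cred, err := auth.Register(site)
	if err != nil {
		return
	}

	c1, _ := NewChallenge()
	sig1, err := auth.Assert(site, c1)
	if err != nil {
		return
	}
	genuine = Verify(cred, c1, sig1)

	// An attacker who captured sig1 presents it against the next challenge.
	c2, _ := NewChallenge()
	replay = Verify(cred, c2, sig1)

	// A phishing page relays the real challenge c2 to the victim's device,
	// but the device only holds a key for the genuine origin.
	if sig, e := auth.Assert(lookalike, c2); e == nil {
		phish = Verify(cred, c2, sig)
	}
	return
}

func main() {
	g, r, p, err := Scenario()
	fmt.Println("genuine:", g, "replay:", r, "phish:", p, "err:", err)
}
```

Only the genuine login verifies; the replay fails because the challenge changed, and the relay fails because the authenticator selects keys by origin and has nothing to sign with for the look-alike domain. Note that a `Credential` leaked from the server contains no private material at all.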

Accessory Authorisation

Portable media such as USB sticks are commonly used across businesses, organisations and at home, and they remain one of the more frequent, and most direct, ways for malicious hardware or software to reach a device.

macOS Ventura's accessory authorisation, available on Mac laptops with Apple silicon, is a simple but effective way to reduce that attack surface. It borrows from the equivalent protection already present on iOS and iPadOS.

By default, the Mac must be unlocked and the user must approve a prompt before any new USB or Thunderbolt accessory can communicate with it. Once approved, an accessory keeps working while the Mac is unlocked and can also be connected while the Mac is locked for up to three days after approval; beyond that it must be reconnected to an unlocked Mac. Apple exempts power adapters, displays and accessories attached through an already-approved hub from the prompt.

(Image: iPadOS accessory authorisation challenge)

Managed Device Attestation

Before the shift to hybrid working, IT departments focused on securing the organisation's premises rather than the endpoint: end users were either on site or came in through a VPN tunnel to reach company data. That model has been upended by remote working.

Apple recognises that security has to move beyond the traditional perimeter and, building on the Secure Enclave, is bringing Managed Device Attestation to iOS 16, iPadOS 16 and tvOS 16.

When a device connects to an organisation's infrastructure such as a VPN, Wi-Fi or the MDM itself, it must also prove it is the device it claims to be. This is done by combining key device information with the Automatic Certificate Management Environment (ACME) protocol. The device generates a key pair in the Secure Enclave and obtains an attestation from Apple's attestation service that binds that hardware-bound key to the device's identity, such as its serial number. The organisation's ACME server verifies the attestation, checks that the device matches what the MDM expects, and only then issues the certificate that grants access to the organisation's assets.
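As an added example (not Apple's code, nor code from the original post), the Go program below models the checks an organisation's ACME server makes before issuing a certificate to an attested device. An `Issuer` stands in for Apple's attestation service, signing a statement that binds serial number, UDID and the device's public key to the server's nonce; the `ACMEServer` verifies that signature, enforces single-use nonces, compares the device against a constructed MDM inventory, and checks that the key in the certificate request is the attested hardware key. The attestation structure, the signature scheme and the serial numbers are assumptions for illustration; in production the attestation is an X.509 chain to Apple's attestation root rather than a bare signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Attestation is a simplified stand-in for what the device obtains from Apple's
// attestation service: device identity and its Secure Enclave-backed public key,
// bound to the ACME server's nonce and signed by the issuer.
type Attestation struct {
	Serial, UDID string
	DevicePubDER []byte // PKIX DER encoding of the hardware-bound public key
	Nonce        []byte // nonce the ACME server issued for this challenge
	Sig          []byte // issuer signature over the fields above
}

func (a *Attestation) digest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(a.Serial), []byte(a.UDID), a.DevicePubDER, a.Nonce} {
		h.Write(f)
		h.Write([]byte{0}) // field separator so boundaries cannot be shifted
	}
	return h.Sum(nil)
}

// Issuer plays the role of Apple's attestation service (assumed model; the real
// service issues a certificate chain rather than a bare signature).
type Issuer struct{ key *ecdsa.PrivateKey }

func NewIssuer() (*Issuer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Issuer{key: k}, err
}

// Attest signs an attestation for a device key; only the public half is embedded.
func (i *Issuer) Attest(serial, udid string, devicePub *ecdsa.PublicKey, nonce []byte) (*Attestation, error) {
	der, err := x509.MarshalPKIXPublicKey(devicePub)
	if err != nil {
		return nil, err
	}
	a := &Attestation{Serial: serial, UDID: udid, DevicePubDER: der, Nonce: nonce}
	a.Sig, err = ecdsa.SignASN1(rand.Reader, i.key, a.digest())
	return a, err
}

// ACMEServer is the organisation's ACME server: it trusts one attestation
// issuer and holds the MDM's inventory of managed devices.
type ACMEServer struct {
	issuerPub *ecdsa.PublicKey
	inventory map[string]string // serial -> UDID, as enrolled in MDM
	nonces    map[string]bool   // outstanding nonces, single use
}

func NewACMEServer(issuerPub *ecdsa.PublicKey, inventory map[string]string) *ACMEServer {
	return &ACMEServer{issuerPub: issuerPub, inventory: inventory, nonces: map[string]bool{}}
}

// NewNonce starts a challenge with a fresh single-use nonce.
func (s *ACMEServer) NewNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	s.nonces[string(n)] = true
	return n
}

// Validate runs the checks made before a certificate is issued.
func (s *ACMEServer) Validate(a *Attestation, csrPubDER []byte) error {
	if !ecdsa.VerifyASN1(s.issuerPub, a.digest(), a.Sig) {
		return errors.New("attestation not signed by the trusted attestation service")
	}
	if !s.nonces[string(a.Nonce)] {
		return errors.New("nonce unknown or already used: replay rejected")
	}
	delete(s.nonces, string(a.Nonce))
	if udid, ok := s.inventory[a.Serial]; !ok || udid != a.UDID {
		return fmt.Errorf("device %s is not a managed device", a.Serial)
	}
	if !bytes.Equal(a.DevicePubDER, csrPubDER) {
		return errors.New("CSR key is not the attested hardware-bound key")
	}
	return nil // safe to issue the certificate
}

// Scenario exercises a genuine enrolment, a replay, an unmanaged device and a
// forged (self-issued) attestation, returning the four outcomes.
func Scenario() (genuine, replay, unmanaged, forged error) {
	apple, _ := NewIssuer()
	// Constructed inventory with made-up identifiers for one managed device.
	srv := NewACMEServer(&apple.key.PublicKey, map[string]string{"C02XXXXXXXXX": "UDID-MANAGED-0001"})
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.MarshalPKIXPublicKey(&devKey.PublicKey)

	att, _ := apple.Attest("C02XXXXXXXXX", "UDID-MANAGED-0001", &devKey.PublicKey, srv.NewNonce())
	genuine = srv.Validate(att, csrDER)
	replay = srv.Validate(att, csrDER) // same attestation again: nonce is spent

	att2, _ := apple.Attest("C02YYYYYYYYY", "UDID-UNKNOWN", &devKey.PublicKey, srv.NewNonce())
	unmanaged = srv.Validate(att2, csrDER)

	rogue, _ := NewIssuer() // attacker signing their own "attestation"
	att3, _ := rogue.Attest("C02XXXXXXXXX", "UDID-MANAGED-0001", &devKey.PublicKey, srv.NewNonce())
	forged = srv.Validate(att3, csrDER)
	return
}

func main() {
	g, r, u, f := Scenario()
	fmt.Println("genuine:", g, "\nreplay:", r, "\nunmanaged:", u, "\nforged:", f)
}
```

The order of checks matters: the signature is verified first so that nothing an untrusted party sent is acted on, the nonce is consumed before the inventory lookup so a replay can never get a second look, and the key comparison ensures the certificate ends up bound to the key the Secure Enclave actually holds rather than one the requester chose.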

Rapid Response

With new vulnerabilities disclosed every week and zero-days adding unwelcome stress for security administrators, it is no surprise that Apple is introducing Rapid Security Response for macOS Ventura, iPadOS 16 and iOS 16.

It is a new mechanism within the software update system that lets critical security fixes be delivered to devices running the latest OS version without a full OS or firmware update and, in many cases, without a restart. These responses can also be removed should end users run into problems after they are applied.

Apple has not yet published details of how the system will be implemented, but it is a welcome addition to patch management for all Mac admins.

Declarative Management

To cap it off, Apple has announced that Declarative Management, previously limited to iOS and iPadOS, is being extended to all its platforms, including macOS and tvOS.

The update also adds new status reporting, which lets a device proactively send information about its current state back to the MDM server without the MDM having to poll for it.

The MDM 'subscribes' to the status items it cares about; the device then decides what to send and when, reporting whenever a subscribed item changes. Reports can also cover apps the MDM pushed out and whether they have been installed or removed on the device.
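As an added example, not Apple's code or anything from the original post, the Go program below models the device side of that subscription: it parses a status-subscriptions declaration, records which items the MDM asked for, and on each local state change emits a status report only when a subscribed item's value actually differs from what was last reported. The declaration type and the item names follow Apple's declarative management documentation as I recall it, but the exact names, the sample declaration and the `Update` decision logic are assumptions for illustration and should be checked against Apple's status item reference before use.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// statusSubscriptions is the declaration type an MDM sends to subscribe to
// status items (assumed to match Apple's documented type name).
const statusSubscriptions = "com.apple.management.status-subscriptions"

// Declaration mirrors the JSON shape of a status-subscriptions declaration.
type Declaration struct {
	Type       string `json:"Type"`
	Identifier string `json:"Identifier"`
	Payload    struct {
		StatusItems []struct {
			Name string `json:"Name"`
		} `json:"StatusItems"`
	} `json:"Payload"`
}

// Device is the client side: it tracks which items the MDM subscribed to and
// what it last reported, so it can decide for itself when to push a report.
type Device struct {
	subscribed map[string]bool
	reported   map[string]any
}

func NewDevice() *Device {
	return &Device{subscribed: map[string]bool{}, reported: map[string]any{}}
}

// Subscribe processes a status-subscriptions declaration from the MDM.
func (d *Device) Subscribe(raw []byte) error {
	var decl Declaration
	if err := json.Unmarshal(raw, &decl); err != nil {
		return err
	}
	if decl.Type != statusSubscriptions {
		return fmt.Errorf("not a status-subscriptions declaration: %s", decl.Type)
	}
	if len(decl.Payload.StatusItems) == 0 {
		return errors.New("declaration subscribes to no status items")
	}
	d.subscribed = map[string]bool{}
	for _, it := range decl.Payload.StatusItems {
		d.subscribed[it.Name] = true
	}
	return nil
}

// Update is called when a state item changes on the device. It returns a
// status report only if the MDM subscribed to the item and the value differs
// from what was last reported; otherwise nothing is sent and nothing is polled.
func (d *Device) Update(name string, value any) ([]byte, bool) {
	if !d.subscribed[name] || reflect.DeepEqual(d.reported[name], value) {
		return nil, false
	}
	d.reported[name] = value
	return buildReport(map[string]any{name: value}), true
}

// buildReport nests dotted item names into the report's JSON tree, e.g.
// "device.operating-system.version" -> {"device":{"operating-system":{"version":...}}}.
func buildReport(items map[string]any) []byte {
	tree := map[string]any{}
	for name, v := range items {
		node := tree
		parts := strings.Split(name, ".")
		for _, p := range parts[:len(parts)-1] {
			child, ok := node[p].(map[string]any)
			if !ok {
				child = map[string]any{}
				node[p] = child
			}
			node = child
		}
		node[parts[len(parts)-1]] = v
	}
	out, _ := json.Marshal(map[string]any{"StatusItems": tree})
	return out
}

// sampleDeclaration is a constructed declaration; the item names are assumed
// to match Apple's documented status items.
const sampleDeclaration = `{
  "Type": "com.apple.management.status-subscriptions",
  "Identifier": "com.example.status.basic",
  "ServerToken": "v1",
  "Payload": {"StatusItems": [
    {"Name": "device.operating-system.version"},
    {"Name": "passcode.is-compliant"}
  ]}
}`

func main() {
	d := NewDevice()
	if err := d.Subscribe([]byte(sampleDeclaration)); err != nil {
		panic(err)
	}
	for _, u := range []struct {
		name string
		v    any
	}{
		{"device.operating-system.version", "16.0"}, // subscribed, new value: report
		{"device.operating-system.version", "16.0"}, // unchanged: stay silent
		{"device.model.family", "iPad"},             // not subscribed: stay silent
		{"passcode.is-compliant", false},            // subscribed: report
	} {
		if rep, ok := d.Update(u.name, u.v); ok {
			fmt.Printf("push to MDM: %s\n", rep)
		} else {
			fmt.Printf("no report for %s\n", u.name)
		}
	}
}
```

The point to take from the model is who holds the decision: the server states its interest once, and the device, which is the only party that knows when its state has changed, originates the traffic. Unsubscribed and unchanged items generate nothing, which is what removes the need for the MDM to poll.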


The security benefits covered here are further evidence of how Apple keeps advancing the environment we work in and shaping how we protect the devices we use in the organisation and at home.

Over the coming months, we will be providing more information and in-depth looks on these updates so stay tuned! If you want to learn more about how we can help or want to organise a meeting to discuss your requirements – Contact us today.

Written by: Nick Alafogianis, IT Services Engineer, Mac Centre.

