Proper device management could have prevented the whole FBI-Apple fight

22.02.2016
There’s been a ton of ink spilled over the last several days regarding Apple’s (justified, in my opinion) refusal to create a “one-time” backdoor giving the FBI access to encrypted data stored on an iPhone 5c owned by San Bernardino County. And there are far smarter minds than mine already arguing the whys and wherefores of whether Apple should or should not bow to the demands of the FBI, Justice Department, and Magistrate Court.

If you’re looking to better understand the legal implications of this court order, start here, here, here, and here. That’ll keep you busy for an hour or two.

But there is another, larger question that needs answering. A question regarding this phone in particular and any device owned by or accessing data belonging to every government, business, or educational entity:

How do I know San Bernardino County wasn’t (and likely still isn’t) using any kind of MDM to secure their devices

Because if they were, they would have been able to clear the device’s passcode in a matter of seconds. Take note of rob53’s comments on this Macworld article. Emphasis mine:

That Is 100 percent correct.

Every managed device has a legal back door.

Baked into every managed iOS device, whether you’re using Apple’s Server app’s Profile Manger, JAMF Software’s Casper, or any other MDM service, is the ability to remotely clear the passcode.

Click.

Approve.

Push.

Done.

Forget about the unnamed IT employee who reset the password for the Apple ID used on the phone.

Disregard the assertions that Apple is “letting the terrorists win” if they don’t create a backdoor to this device.

Pay no attention to the likelihood that any conversations Farook may have had in the weeks preceding this attack would have taken place on the personal phone he destroyed and not the phone his employer issued.

The question isn’t why Apple doesn’t want to unlock the device; it’s why wasn’t this device managed. Why wasn’t a device owned by a government entity being managed by that government entity And, to personalize this a bit, what are you doing to take control of your devices

San Bernardino County actually owns MDM software but, according to the AP, they never implemented it. Emphasis mine:

The mistake San Bernardino County made is not unusual. And that mistake is thinking that you have to know all the details of how devices are going to be managed before you begin rolling out a management plan. The mistake is in thinking that having a policy for MDM means you have answers to questions like:

And questions like those lead to questions like:

Which leads to: “There is no policy on this matter and departments make their own decisions.”

If you’re responsible for iOS devices, here’s a simple policy for you:

All devices must be enrolled in the MDM system.

Period. No questions asked.

The simple act of enrolling devices adds the legal backdoor to those devices and allows an administrative user to temporarily wipe a device’s passcode, if necessary.

No legal intervention required.

Once enrolled, you can wrangle over the who, what, how, and why of security policies. You can even let departments make their own decisions! But while the wrangling or lack thereof takes place, you will have control of all your devices.

If you, like San Bernardino County, have purchased an MDM product, start using it now. Turn it on. Enroll your devices.

If you don’t already have something in place, we’ve spent the last three months looking at Apple’s super inexpensive, easy-to-implement MDM service. A few hours and $20 will get you started.

Really. It’s just that simple.

(www.macworld.com)

Jeffery Battersby