Hi, I'm the author (along with several other developers).
MicroMDM is used in some enterprise environments and was recently mentioned in a number of security presentations regarding Apple's MDM and Device Enrollment Program services.
Do you know if a small business can use DEP features?
Could per-app VPNs be used without DEP? If so, could they be used with MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a 3rd-party VPN client like Cisco required for per-app VPN?
Anyone can use DEP; you just need a DUNS number to enroll in the program, and then to purchase devices from Apple directly or from an approved reseller.
Unfortunately you cannot retroactively add devices that were already purchased.
Speaking as a former Apple employee I can say with 100 percent certainty that you can add devices post purchase even before DEP existed. There are a number of ways:
If the device was purchased on or after March 1st 2011 you can do the following:
1. Work with your reseller if they participate in DEP to get the devices enrolled retroactively. Sometimes you have to put the nails on the reseller (they can be pretty bad about this. Looking at you, Verizon), but it absolutely can be done.
2. If your devices are eligible and were a direct purchase from Apple, you should contact Apple's enterprise support and they can start the process of double-checking eligibility and getting those devices enrolled accordingly. This is pretty straightforward.
3. You can enroll eligible devices via Apple Configurator 2 into DEP using the process described here:
Using Apple Configurator 2 will allow you to bypass any reseller to enroll into DEP, so it's your best move if you are having issues getting people to do it fast enough. Any eligible device can be enrolled this way.
Here's a relevant help link with phone numbers, more on eligibility and enrolling, etc.
> purchase devices from apple direct, or from an approved reseller. Unfortunately you cannot retroactively add devices that were already purchased.
So you need to provide a DEP-authorized account number to the salesperson in an Apple store? Is this possible when buying online from apple.com?
Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed? It would deter attempts to resell DEP-managed devices.
> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.
So, the rule is at-most-once enrollment.
And further down:
> some organizations elect not to require user authentication as part of MDM enrollment.
IOW, if you are not enabling authentication, you have only yourself to blame.
Are those the same profiles generated by Apple Configurator 2? I was able to get per-site Safari VPNs added by manually editing XML in the profile, but no success with per-application VPNs.
Commercial MDM providers only whitelist a handful of VPN client apps for per-app VPN profiles. Why are those needed when there is already a native iOS VPN client for IPSEC?
Funnily enough I have been trying to do that today - I don't think you can. You create the per app VPN with a UUID, but the only way to associate an app to a Per-App-VPN definition is through MDM - I think.
I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)
Duo very nicely gave multiple shout-outs in their post, including to zalmoxes (above), as well as to my co-presenter and me. Sadly, the traditional vendors in the space don't have a track record of caring about security engineering. I'm glad that Duo's latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn't a primary focus of our research and we didn't tie it back to the shortcomings of DEP's lack of verification around device identity. Extremely happy to see more focus on this stuff.
^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.
Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).