by zalmoxes
2811 days ago
You must buy your devices through the enterprise store, and then it is automatically linked to DEP. Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed? Because once you know the serial number of a DEP device you can enroll into the MDM. There is virtually no security. See https://duo.com/labs/research/mdm-me-maybe

> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.

So, the rule is at-most-once enrollment.

And further down:

> some organizations elect not to require user authentication as part of MDM enrollment.

IOW, if you are not enabling authentication, you have only yourself to blame.