by jesseendahl 2816 days ago
I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)

Duo very nicely gave multiple shout-outs in their post, including to zalmoxes (above), as well as my co-presenter and me. Sadly, the traditional vendors in the space don’t have a track record of caring about security engineering. I’m glad that Duo’s latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn’t a primary focus of our research and we didn’t tie it back to the shortcomings of DEP’s lack of verification around device identity. Extremely happy to see more focus on this stuff.

^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.

Full transparency: I’m cofounder/CSO of a security-focused product in the MDM space (fleetsmith.com).