[vr46]

I don't think this is quite that simple, because one user's authority could potential trump everyone else's in a company or group, once a vulnerable device infiltrates the system. Having trusted authorities works well when everyone has to rely on the security of the device. Once you can bypass that authority you effectively have a cheap MITM attack.

[okennedy]

You are describing a different class of attacks. If the company owns the device, they should be free to (try to) lock it down all they want. OP is about Apple locking down devices that someone else ostensibly owns.

[LeanderK]

this is still no excuse. You could just disable 3rd party replacement parts by group-wise policy, maybe even enabled as default.

[rickdeckard]

Why? If this is really an attack-vector a company considers, it could streamline hardware-repairs into their internal processes.

If the device is enrolled in a corporate MDM, the confirmation of HW-changes could be delegated from the user to the admin, with the device working in "degraded" mode (i.e. no FaceID) until the admin approves the Repair.

Even more, large companies could contract with specific repair-companies to authorize them for their company devices and their repairs are synced into the corporate processes.

This would create a paradigm-shift in that market as repair-volume suddenly becomes more predictable ("I'll repair phones when they come in" --> "my company is the exclusive repair-center for a footprint of 10k corporate devices"), repair-companies will commit to certain performance, then drive smaller-volume contracts and individual repairs to offset the cost of such guaranteed turnaround-times, and so on...