Seems to me like it was low-hanging fruit that Apple (no pun intended) finally decided to pick. I imagine dropping to a BFU state will help curb possible brute force or physical access attacks. The relative security/ongoing improvements of iPhones/iOS have given LEOs a certain level of unjust paranoia whenever a new security feature is rolled out.
Unless I'm missing something, it also happens to benefit the average user for a random web site not to be able to prevent the phone's screen from locking.
The bug states that it works in the browser, just not in PWAs.
So random websites can actually do this, but not websites the user specifically installs as a PWA, which is kinda the opposite of what you would expect.
“Apple's privacy is just marketing smoke and mirrors” — an HN commenter, probably
For every privacy feature Apple advertises to consumers, there are ten they didn't, that still very much raise the bar.
The quiet improvements are so under-marketed that even technically savvy users aren't aware of most of them.
There was a period before MDM matured that certain three-letter U.S. Gov agencies forbade iPhones. Not because they were insecure, but because the agency's infosec team couldn't surveil the devices or break in to do a data dump if the employee was under investigation.
While Apple may have features to ensure that only you have access to your phone, they still run a very large ad network.
Like Google has a lot of features to prevent other people from logging into your account. That doesn't mean they don't track your activities and centrally log it.
The MDM does not give your employer a way to retroactively unlock the phone. Depending on the MDM solution and the capabilities they allowed, they may be able to install an application though. But for most people who have accepted MDM on their personal device from their employer, the only thing the employer can do is remotely wipe the device.
I don't think this is correct; Jamf has a "Clear Passcode" option that I have used with success, although it does require the device to have an internet connection.
I wonder if the recent retiring of the CEO of Cellebrite has something to do with this. I read that since iOS 17.4 they've been having trouble accessing devices.
If they can't keep them unlocked, they at least don't want them to reboot, since that puts the phone in a less exploitable state.
If they never reboot, then the phone can just be kept powered and isolated for years if need be to find an exploit in the AFU (after first-unlock) decrypted but screenlocked state.