[Xylakant]

My 95% bet is that the attacker just gained access to an account with suitable privileges and then went on to use existing automation. The fact that it’s intune is largely irrelevant - I’m not aware of any safeguards that any provider would implemen.

So the options here are MDM or no MDM and that’s a hard choice. No MDM means that you have to trust all people to get things as basic as FDE or a sane password policy right. No option to wipe or lock lost devices. No option to unlock devices where people forgot their password. Using an MDM means having a privileged attack vector into all machines.

[neo_doom]

No MDM just isn’t an option for most enterprises but ideally the keys to the kingdom are properly secured.

[mulmen]

How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability?

[heraldgeezer]

"Principle of least privilege" as MS calls it.

Do not use global admin or admin account as daily driver for one. Dont save it in browser etc either.

Limit roles, even within the application, here Intune.

Office 365 also has conditional access and many policy leavers to tweak, many cases of people locking themselves OUT of 365. So the gates work but you need to configure them.

"Break glass" global admin accounts now also require MFA. https://learn.microsoft.com/en-us/entra/identity/authenticat...

[pixl97]

At the end of the day someone needs remote wipers privs, and in a large company it's something done pretty often.

[mulmen]

Ok and who has access to the global admin and how resistant are they to Iranian operatives?

[heraldgeezer]

What are you asking?

For Stryker specifically? We don't and probably won't know details.

For companies in general? Background checks, security clearance etc are done if the company determines this necessary and are willing to pay for the process and higher salary.

[mulmen]

I’m asking if it’s possible to secure the MDM process in a way that Iranian operatives can’t simply torture an administrator into pushing the big red MDM button.