

Mobile Device Management (MDM) is a technology commonly used to administer end-user computing devices such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the MDM Protocol. Once enrolled, the device may receive any number of certificates, applications, WiFi passwords, VPN configurations and so on.

The Device Enrollment Program (DEP) is a service provided by Apple for bootstrapping Mobile Device Management (MDM) enrollment of iOS, macOS, and tvOS devices. DEP hosts an internet-facing API at, which - among other things - is used by the cloudconfigurationd daemon on macOS systems to request DEP Activation Records and query whether a given device is registered in DEP. In our research, we found that in order to retrieve the DEP profile for an Apple device, the DEP service only requires the device serial number to be supplied to an undocumented DEP API. Additionally, we developed a method to instrument the cloudconfigurationd daemon to inject Apple device serial numbers of our choosing into the request sent to the DEP API. This allowed us to retrieve data specific to the device associated with the supplied serial number. Obtaining the DEP profile for a given Apple device discloses information about the organization that owns the device, and - if the MDM server doesn't require additional user authentication during enrollment - could be used by an attacker to enroll a device of their choosing into an organization’s MDM server.
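The mitigation the paragraph above points at is an MDM server that does not treat a DEP-assigned serial number as proof of identity. The following is an added illustration, not code from the research or from any MDM product: it models the enrollment decision twice, once as a serial-only gate and once with a required user authentication step. The serial inventory, the key and the request values are all constructed for the example.

```python
"""Model of an MDM enrollment gate for DEP-assigned devices (constructed example).

Compares the weak policy described in the text (a known serial number is enough
to enroll) with one that also requires a user to have authenticated during
enrollment. The user assertion is a hypothetical HMAC token issued by the
organisation's enrollment web flow after the user signed in; real MDM servers
implement this step in their own way.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed DEP inventory: serials the organisation assigned to its MDM server.
DEP_ASSIGNED_SERIALS = {"C02CONSTRUCTED01", "C02CONSTRUCTED02"}

# Constructed secret shared between the sign-in flow and the enrollment endpoint.
ENROLLMENT_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class EnrollmentRequest:
    serial: str                       # serial the device presents during enrollment
    username: Optional[str] = None    # user who signed in, if the flow required it
    assertion: Optional[str] = None   # token proving that sign-in, bound to the serial


def issue_user_assertion(username: str, serial: str) -> str:
    """Token the sign-in flow hands to the device; binds one user to one serial."""
    msg = f"{username}|{serial}".encode()
    return hmac.new(ENROLLMENT_KEY, msg, hashlib.sha256).hexdigest()


def serial_only_policy(req: EnrollmentRequest) -> str:
    """Weak gate: anyone who knows an assigned serial is enrolled."""
    return "allow" if req.serial in DEP_ASSIGNED_SERIALS else "deny: serial not assigned"


def authenticated_policy(req: EnrollmentRequest) -> str:
    """Hardened gate: the serial must be assigned AND a user must have authenticated."""
    if req.serial not in DEP_ASSIGNED_SERIALS:
        return "deny: serial not assigned"
    if not req.username or not req.assertion:
        return "deny: user authentication required"
    expected = issue_user_assertion(req.username, req.serial)
    if not hmac.compare_digest(expected, req.assertion):
        return "deny: invalid user assertion"
    return "allow"
```

The point of the comparison is that a serial number obtained from the DEP profile lookup is enough to pass the first gate, while the second gate rejects the same request unless a user completed sign-in for that exact serial.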
