Proper device management could have prevented the whole FBI-Apple fight

Even without a comprehensive policy, just enrolling the device in an MDM system would have been enough.

There’s been a ton of ink spilled over the last several days regarding Apple’s (justified, in my opinion) refusal to create a “one-time” backdoor giving the FBI access to encrypted data stored on an iPhone 5c owned by San Bernardino County. And there are far smarter minds than mine already arguing the whys and wherefores of whether Apple should or should not bow to the demands of the FBI, Justice Department, and Magistrate Court.

If you’re looking to better understand the legal implications of this court order, start here, here, here, and here. That’ll keep you busy for an hour or two.

But there is another, larger question that needs answering. A question regarding this phone in particular and any device owned by or accessing data belonging to every government, business, or educational entity:

  • How is it that Syed Rizwan Farook’s iPhone, which was issued to him by San Bernardino County, and which was being used for county government purposes, wasn’t secured, managed, and maintained using some type of Mobile Device Management (MDM) service?

  • Why wasn’t San Bernardino County in control of the device?

  • What other devices of theirs are in day-to-day use, containing potentially sensitive data, that they also have no control over?

How do I know San Bernardino County wasn’t (and likely still isn’t) using any kind of MDM to secure their devices?

Because if they were, they would have been able to clear the device’s passcode in a matter of seconds. Take note of rob53’s comments on this Macworld article. Emphasis mine:

This isn’t Apple’s fault, it’s the County’s fault. If the County had done their job, it would be an easy task to open up the iPhone since the MDM software is the equivalent of a legal backdoor. —rob53

That? Is 100 percent correct.

Every managed device has a legal back door.

Baked into every managed iOS device, whether you’re using Apple’s Server app’s Profile Manager, JAMF Software’s Casper, or any other MDM service, is the ability to remotely clear the passcode.





Forget about the unnamed IT employee who reset the password for the Apple ID used on the phone.

Disregard the assertions that Apple is “letting the terrorists win” if they don’t create a backdoor to this device.

Pay no attention to the likelihood that any conversations Farook may have had in the weeks preceding this attack would have taken place on the personal phone he destroyed and not the phone his employer issued.

The question isn’t why Apple doesn’t want to unlock the device; it’s why this device wasn’t managed. Why wasn’t a device owned by a government entity being managed by that government entity? And, to personalize this a bit, what are you doing to take control of your devices?

No policy

San Bernardino County actually owns MDM software but, according to the AP, they never implemented it. Emphasis mine:

San Bernardino had an existing contract with a technology provider, MobileIron Inc., but did not install it on any inspectors’ iPhones, county spokesman David Wert said. There is no countywide policy on the matter and departments make their own decisions, he said.

The mistake San Bernardino County made is not unusual. And that mistake is thinking that you have to know all the details of how devices are going to be managed before you begin rolling out a management plan. The mistake is in thinking that having a policy for MDM means you have answers to questions like:

  • What’s the password policy?
  • Are we filtering Internet?
  • Should we provide VPN?
  • Are we allowing Siri?
  • Is FaceTime cool?

And questions like those lead to questions like:

  • For all departments?
  • For users with personal devices?
  • What if they don’t have company email?
  • Do they have access to company data?
  • Are they working in the R&D department?

Which leads to: “There is no policy on this matter and departments make their own decisions.”

If you’re responsible for iOS devices, here’s a simple policy for you:

All devices must be enrolled in the MDM system.

Period. No questions asked.

The simple act of enrolling devices adds the legal backdoor to those devices and allows an administrative user to temporarily wipe a device’s passcode, if necessary.

No legal intervention required.

Once enrolled, you can wrangle over the who, what, how, and why of security policies. You can even let departments make their own decisions! But while the wrangling or lack thereof takes place, you will have control of all your devices.
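
The enroll-everything policy above can be checked mechanically. This added example (not from the original article or any MDM vendor) compares a constructed asset register with a constructed MDM export and builds the ClearPasscode command from Apple's MDM protocol, which needs the UnlockToken a device hands to the server at enrollment; the serial numbers, token values, and function names are assumptions.

```python
import plistlib
import uuid

# Constructed sample data: organisation-owned phones (serial numbers are made up).
ASSET_REGISTER = ["SAMPLE-0001", "SAMPLE-0002", "SAMPLE-0003"]

# Constructed MDM export: serial -> UnlockToken escrowed at enrollment
# (None means the server never stored one for that device).
MDM_ENROLLED = {
    "SAMPLE-0001": b"constructed-unlock-token",
    "SAMPLE-0002": None,
}


def audit(register, enrolled):
    """Classify each owned device by whether IT could clear its passcode."""
    report = {"ready": [], "no_unlock_token": [], "unenrolled": []}
    for serial in register:
        if serial not in enrolled:
            report["unenrolled"].append(serial)       # no management at all
        elif not enrolled[serial]:
            report["no_unlock_token"].append(serial)  # enrolled, but no token escrowed
        else:
            report["ready"].append(serial)
    return report


def clear_passcode_command(unlock_token, command_uuid=None):
    """Build the XML plist an MDM server queues for an enrolled device."""
    if not unlock_token:
        raise ValueError("ClearPasscode needs the UnlockToken escrowed at enrollment")
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {
            "RequestType": "ClearPasscode",
            "UnlockToken": unlock_token,  # bytes are serialised as <data>
        },
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for status, serials in audit(ASSET_REGISTER, MDM_ENROLLED).items():
        print(f"{status}: {serials}")
    print(clear_passcode_command(MDM_ENROLLED["SAMPLE-0001"]).decode())
```

A device that lands in `unenrolled` or `no_unlock_token` is one the organisation cannot unlock on its own, which is the situation the article describes.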

A brief shill

If you, like San Bernardino County, have purchased an MDM product, start using it now. Turn it on. Enroll your devices.

If you don’t already have something in place, we’ve spent the last three months looking at Apple’s super inexpensive, easy-to-implement MDM service. A few hours and $20 will get you started.

Really. It’s just that simple.
