There’s been a ton of ink spilled over the last several days regarding Apple’s (justified, in my opinion) refusal to create a “one-time” backdoor giving the FBI access to encrypted data stored on an iPhone 5c owned by San Bernardino County. And there are far smarter minds than mine already arguing the whys and wherefores of whether Apple should or should not bow to the demands of the FBI, Justice Department, and Magistrate Court.
But there is another, larger question that needs answering. A question regarding this phone in particular and any device owned by or accessing data belonging to every government, business, or educational entity:
How is it that Syed Rizwan Farook’s iPhone, which was issued to him by San Bernardino County, and which was being used for county government purposes, wasn’t secured, managed, and maintained using some type of Mobile Device Management (MDM) service?
Why wasn’t San Bernardino County in control of the device?
What other of their devices are in day-to-day use, containing potentially sensitive data, that they have no control over as well?
How do I know San Bernardino County wasn’t (and likely still isn’t) using any kind of MDM to secure their devices?
Because if they were, they would have been able to clear the device’s passcode in a matter of seconds. Take note of rob53’s comments on this Macworld article. Emphasis mine:
This isn’t Apple’s fault, it’s the County’s fault. If the County had done their job, it would be an easy task to open up the iPhone since the MDM software is the equivalent of a legal backdoor. —rob53
That? Is 100 percent correct.
Every managed device has a legal back door.
Baked into every managed iOS device, whether you’re using Apple’s Server app’s Profile Manger, JAMF Software’s Casper, or any other MDM service, is the ability to remotely clear the passcode.
Forget about the unnamed IT employee who reset the password for the Apple ID used on the phone.
Disregard the assertions that Apple is “letting the terrorists win” if they don’t create a backdoor to this device.
Pay no attention to the likelihood that any conversations Farook may have had in the weeks preceding this attack would have taken place on the personal phone he destroyed and not the phone his employer issued.
The question isn’t why Apple doesn’t want to unlock the device; it’s why wasn’t this device managed. Why wasn’t a device owned by a government entity being managed by that government entity? And, to personalize this a bit, what are you doing to take control of your devices?
San Bernardino County actually owns MDM software but, according to the AP, they never implemented it. Emphasis mine:
San Bernardino had an existing contract with a technology provider, MobileIron Inc., but did not install it on any inspectors’ iPhones, county spokesman David Wert said. There is no countywide policy on the matter and departments make their own decisions, he said.
The mistake San Bernardino County made is not unusual. And that mistake is thinking that you have to know all the details of how devices are going to be managed before you begin rolling out a management plan. The mistake is in thinking that having a policy for MDM means you have answers to questions like:
- What’s the password policy?
- Are we filtering Internet?
- Should we provide VPN?
- Are we allowing Siri?
- Is FaceTime cool?
And questions like those lead to questions like:
- For all departments?
- For users with personal devices?
- What if they don’t have company email?
- Do they have access to company data?
- Are they working in the R&D department?
Which leads to: “There is no policy on this matter and departments make their own decisions.”
If you’re responsible for iOS devices, here’s a simple policy for you:
All devices must be enrolled in the MDM system.
Period. No questions asked.
The simple act of enrolling devices adds the legal backdoor to those devices and allows an administrative user to temporarily wipe a device’s passcode, if necessary.
No legal intervention required.
Once enrolled, you can wrangle over the who, what, how, and why of security policies. You can even let departments make their own decisions! But while the wrangling or lack thereof takes place, you will have control of all your devices.
A brief shill
If you, like San Bernardino County, have purchased an MDM product, start using it now. Turn it on. Enroll your devices.
If you don’t already have something in place, we’ve spent the last three months looking at Apple’s super inexpensive, easy-to-implement MDM service. A few hours and $20 will get you started.
Really. It’s just that simple.