Open noahtalerman opened 6 months ago
Understand why/how ACME is more secure than SCEP for MDM enrollment and communication.
Hey @nonpunctual, I'm someone who's completely new to the device management/MDM space. How would you explain the above to me?
Moreover, Apple lists several ACME benefits:
If the device is in ABM, don't I already get all of these?
@noahtalerman @marko-lisica @roperzh So, here's my understanding, going down the list:
So, yes, all of these attributes are technically available in MDM today & you could build conditional checks for them, but, the ACME specification creates an encrypted, observable, signed entity that validates all of these attributes per device that is resistant to tampering & spoofing.
I think the "philosophy" behind this (& a good way of explaining why it's an improvement in security) is that as MDM becomes more & more mainstreamed & prevalent, its attack surface also gets bigger. Spoofing fake MDM servers, sending malicious MDM profiles, etc. is already something both MDM vendors & platforms are worried about.
If there is an encrypted cert that is the determinant of enrollment in an MDM service, it's more secure than the current state:
(e.g., for ) even though there must be a trust relationship between APNS & the device & the MDM (the APNS cert) this does not really guarantee anything on the device side other than that it is allowed by the org that owns it to be managed / supervised.
Also, device attestation can be utilized in the opposite direction to satisfy zero-trust requirements, i.e., is the device I am allowing to connect to my stuff from anywhere REALLY the device it claims to be? That is a much higher level of scrutiny than is currently available without a lot of customization (e.g., what customers like Pingali & Ufa are already trying to do...)
@noahtalerman that sounds accurate 👍
@noahtalerman @roperzh pretty good summary with diagram: https://smallstep.com/blog/acme-managed-device-attestation-explained/
@roperzh if we started using ACME instead of SCEP what would be the work involved? How large of an effort is it?
My guess:
- Update Fleet to use the ACME protocol when communicating w/ hosts
- For all new hosts we deliver an ACME cert instead of SCEP
- For all existing hosts we deliver an ACME cert and remove the SCEP cert
- Renew ACME certs before expiration instead of SCEP certs (I'm guessing ACME certs must be renewed every so often)
The certs installed by SCEP or ACME are the same overall (they can appear identical in keychain). The core differences between ACME and SCEP are in how the client identifies itself during the certificate issuance and renewal phases. With Apple's implementation of ACME for the MDM spec, it has two major benefits:
NOTE - ACME itself is a protocol used originally for installing certificates on web servers and does not have the device attestation items that Apple has added to the implementation used for MDM.
@noahtalerman https://www-theregister-com.cdn.ampproject.org/c/s/www.theregister.com/AMP/2024/10/15/apples_security_cert_lifespan/
If Apple does this, it will be highly desirable to implement ACME on a wide scale.
@noahtalerman @dherder Highly recommended on this topic: https://www.youtube.com/watch?v=Wgo_xES3-ts
Joel Rennich on ACME at MacSysAdmin 2024
From Apple: