Welcome to the WEI Tech Exchange Blog

Apple Sets the Security Standard in the Digital Workplace

Written by David Fafel | Sep 10, 2020 12:45:00 PM

Apple has a product to suit all aspects of your life with a platform that supports apps for your hobbies and entertainment, storage for your memorable photos and videos, and everything in between, including work. If you think about it, Apple® is your ‘digital workplace’ and companies large and small recognize the benefits of extending Apple products across their business and making them available to employees. Your employees desire flexibility and the option to work anytime from anywhere from the devices that they prefer. With freedom of choice, employees have more control over their work experience, resulting in higher job satisfaction and increased productivity. Enterprises report that the majority of their staff members prefer Apple devices.

Apple helps companies empower their employees through personalized, optimized work environments. On the tech side, Apple Business Manager enables seamless setup and support of Apple products. It has become easier and more cost-effective than ever to give your employees the freedom to choose. But you also have to secure those devices. With the growing number of devices an employee uses to do their job effectively, security becomes a critical conversation point. As an IT leader trying to support a growing and constantly evolving remote workforce, it becomes even more critical to discuss security.

3 Ways Apple Focuses on Security

A 2019 survey showed that 97 percent of Mac users are more productive after switching from Windows. Because Apple allows users to personalize their devices so extensively, their devices become an extension of who they are. Apple products also help stimulate creativity and encourage collaboration amongst team members. As a result, enterprise users are embracing Apple products everywhere, creating cohesive ecosystems that are increasing levels of productivity for their organizations. 

What about security? In an era in which enterprise users are constantly under attack by malicious forces made up of hackers, cybercriminals, bots and automated malware, imagination and teamwork don’t necessarily correlate with security. Ingenuity and collaboration is paramount, but security is also paramount. In the traditional world, security isn’t supposed to be fun. For CISOs, compliance surpasses personalization.

Security can coexist alongside inspiration and creativity. Apple has found the proper balance between freedom and security, usability, and sanctuary. Apple has managed to assure an enhanced user experience that is secure at the same time. While users love their Mac, they hate passwords, and who doesn’t. The ordeal of juggling multiple elongated passwords that must perpetually be changed is aggravating and in the end compromises security. So, Apple does authentication a better way. Apple’s unique security system called Secure Enclave enables Touch ID and Face ID to provide secure authentication.

1. Security at the Hardware level

In order for security to be effective, it cannot be an afterthought. Apple just didn’t encapsulate layers of security. Security is built into the hardware itself. Its security capabilities are actually designed into silicon, making them secure by design.

Take the example of Secure Enclave used for ID. Secure Enclave utilizes a separate and dedicated hardware processor to handle the biometric information of the user during authentication.[i] Think of it as a separate computer dedicated just for security. It boots separately from the rest of the device and runs its own microkernel in total isolation. It is there in 4 MB of flash storage that the unique keys of that device reside. The OS never even sees the keys. All of this makes it next to impossible for hackers to decrypt sensitive information without having direct physical access to your device. 

Security begins long before the ID process, however. The Secure Enclave Boot ROM is immutable code that establishes a hardware trust process from the moment the device is powered up. A secure boot process, which also runs in isolation to the rest of the device, builds a chain of trust through software, where each step ensures that the next is functioning properly before handing over control. This guarantees that only trusted code and apps run on the device. 

Of course mobile devices demand encryption today and all Apple devices have encryption features to safeguard user data, even when other elements of the infrastructure have been compromised. Current iOS and iPad devices use file encryption methodology called Data Protection, while the data on Mac computers is protected with a volume encryption technology called FileVault. Both leverage a dedicated AES engine that is enabled out of the box in order to support line-speed encryption, ensuring that long-lived encryption keys never need to be provided to the kernel OS or CPU. In the case of device theft or loss, all Apple devices are protected by remote wipe, so all data is safeguarded.

[FEATURED VIDEO]

Real Tech with WEI (Extended Cut)

Apple in the Enterprise

 

2. Security at the Software level

We all know software is the most vulnerable to malicious code. That is why Apple provides multiple layers of protection in order to combat malware. It all starts with the OS, and that means that devices must stay updated in order to garner the most secure code possible. All software updates are authorized to ensure that only software provided by Apple is installed. Not only does the internal software update mechanism ensure that updates are timely, it prevents downgrade attacks so devices cannot be rolled back to an earlier OS version as a method of attack. 

With so many apps available for Apple devices, one may wonder how Apple is able to ensure the integrity of each and every one of them. Well, here’s how:

  • Apple verifies the identity of all developers before they can participate in an Apple Developer Enterprise Program
  • In-house apps must be signed and provisioned with a certificate provided by Apple
  • Apps in the App Store are reviewed by Apple to confirm no significant bugs nor any compromise of privacy
  • All MAC apps must be notarized by Apple in order to launch to confirm the absence of any malware even if downloaded outside of the App Store

As a stopgap measure, Apple integrates internal sandboxing in order to protect user data from unauthorized access by Apps. In fact, data in critical areas of the macOS™ is even sandboxed, ensuring that users remain in control of all facets of the device interface. The end result is that users can download, install and run any app on their Apple device with total confidence that the apps themselves are only accessing their data in authorized ways.

In today’s mobile world, network traffic must be protected on-premises and off. That is why Apple devices support standard network security protocols such as VPN and secure Wi-Fi to ensure that users have a secure connection with the corporate infrastructure regardless of location.

Being locked down doesn’t have to stifle the user experience. Apple has definitely found a way to achieve the utmost security and protection of their devices, without compromising usability. Apple has always been dedicated to the idea that the interaction between users and their devices should be individualized. At the same time however, Apple also ensures that all interactions are uniformly secured as well. That is the balance that Apple has achieved and will continue to maintain.

3. Security Across the Lifecycle

Just as you shouldn’t ask your employees to buy their Apple devices at a mall, you shouldn’t ask them to take their devices to a retail storefront for repair. While convenient for consumers, these walk-in services may not be compliant with enterprise-class security requirements, especially when compliance is at stake. Retired hard drives, SSDs, logic boards or entire devices may, for example, end up in the trash, resold or taken home by employees. And access to the device’s applications and data may not be regulated, monitored or restricted in these environments.

The best way to ensure total compliance and security is to develop and enforce a repair service level agreement that provides you with, at a minimum, the following assurances:

  • A warranty provider of repair services
  • Device lock-down during transport
  • The ability to audit for compliance and enforce custom security measures
  • Secure disposal of components and devices, including wipe clean service
  • Rapid provisioning and delivery for loaner devices during service
  • Stocking replacement devices so they’re ready when needed

Ready to Get Started? Ask us you Apple Security Questions

WEI can help you quickly and efficiently integrate Apple into your enterprise with full lifecycle support, so you can deliver the new digital workplace experience your users have come to expect. We have been an Apple Authorized Reseller In addition to our partnership with Apple, WEI promotes a market-leading ecosystem of complimentary tools and technologies designed to integrate, manage, secure, and support iOS and Mac OS within any organization. If you have questions about introducing Apple into your enterprise environment, let’s talk. Leverage WEI’s extensive knowledge of Apple products and services while WEI engineers collaborate with you and your team to design custom solutions and build best-practices that are affordable and sustainable for years to come.

NEXT STEPS: Learn more about how to prepare for Apple in your enterprise by reading our ebook. Click below to get started.