NoMAD Credential Methodology

I finished listening to the MacAdmins podcast: Episode 78: Nolo Contendere, with Josh Wisenbaker.

Guest Josh Wisenbaker from Orchard & Grove (makers of NoMAD and NoMAD Login) discussed engineering at the Login Window level and modern security.

I've written about NoMAD before. To learn about the products available from Orchard & Grove click the pictures below.

I want to camp out a bit regarding their product NoMAD Login+ that comes with NoMAD Pro. On the podcast, Josh Wisenbaker said they will be changing the naming of their products so NoMAD Login+ may have changed by the time you read this.

For visual learners such as myself, check out the "NoMAD Login+ managed via your Okta dashboard" video.

If you are not familiar with Okta then read "Okta Today and Tomorrow: Going Beyond Internal Access Management".

For an explanation regarding development read "Authentication API".

NoMAD Pro allows users to log in at the Login Window using Okta credentials. If the user does not have a local account on the Mac, NoMAD Pro creates a local account whose username matches the Okta credentials. NoMAD Pro then keeps the credentials synchronized.

From NoMAD Pro’s description: "NoMAD Pro can ensure that your user’s Okta passwords are synchronized down to their local accounts on the Mac. With plugins for Safari, Chrome, and Firefox you are able to catch every time a user signs into Okta and make sure the accounts are synchronized".

If your Mac computers are enrolled in the "Device Enrollment Program" (DEP), then the following workflow occurs:

  • A user unboxes their new Mac and connects to their network, allowing enrollment into DEP and MDM.
  • The first item seen is the NoMAD Login+ window. If the user hasn’t set up their Okta account and activated Multi-Factor Authentication, they can set up these items at the Login Window on their Mac.
  • They would then close the window and log in to the Mac account they have just set up.

NoMAD Pro keeps their credentials in sync.

This allows the inclusion of YubiKey or other third-party Identity Management solutions. Very cool!


If you are unfamiliar with YubiKey by Yubico, then check out this resource.

The episode also included an in-depth discussion of handling authentication and proving one’s identity on the internet without the help of passwords.

WebAuthn and UAF

Diana Birsan refers to the talk given at OURSA

The movement away from depending on Active Directory for authentication and authorization is exciting indeed. However, I've spoken with too many administrators who will continue to refuse any methodology other than AD. I wouldn't get excited too soon.

Apple Deployment Programs Updated

These are my notes from the WWDC 2017 session "What's New in Device Configuration, Deployment, and Management". They can seem quite scattered. I did want to share them and provide a reference for myself other than Evernote.

Enrollment

Apple TV can now be enrolled in the Device Enrollment Program.

Add Personally Owned Devices to DEP

  • Add devices purchased outside of supported channels to DEP
  • Devices with iOS 11 or tvOS 11
  • Apple Configurator 2.5

Supervision is required and MDM is mandatory.

  • When you add a device to DEP, it erases the device
  • 30-day provisional period - provisional period starts when the device is activated
  • User can remove the device from DEP during the Setup Assistant or Settings (within the 30 days)
  • Both during and after the provisional period all DEP features are available

In Apple Configurator 2, when selecting “Prepare”, there is an option to add the device to the Device Enrollment Program.

DEP

  • Unsupervised is deprecated
  • Optional MDM is deprecated

Apple School Manager


Security enhancements for MDM

  • In iOS 10.3, Certificate partial-trust was enabled for manually installed certificates and certificate profiles
  • A certificate has partial-trust for all purposes except for SSL
  • Automatic installation: Full trust
  • Manually installed certificates receive partial trust at first. Users can go to Settings > About > Certificate Trust Settings and enable full trust. This provides an appropriate additional warning.
  • If a certificate is manually installed by a profile and contains an MDM payload then that certificate is given full trust

ATS

In 2018, MDMs will be required to meet “App Transport Security" (ATS), a set of security requirements for secure communication.

  • ATS requires additional security protocols to enhance security communications
  • If ATS is not supported by MDM then the client will refuse to communicate with it

In 2018, APNs service tokens will increase in size. MDMs must support up to 100-byte APNs tokens.

macOS

  • Certificate pinning - checked for the server URL and for the check-in URL
  • Hard revocation checking of pinned certificates - trust evaluation fails if the device cannot get a positive response from the revocation server for any reason

Best practices for Admins

  • Shared iPad - Enable diagnostics submission command
  • Shared iPad - User storage quota on APFS - A user quota sets the maximum amount of space each user can store on the device. This ensures users are not consuming too much space and crowding out other users. With the upgrade to iOS 10.3 the storage quota was disabled, so admins are required to enable the storage quota.

  • User profiles command-line tool for startup profiles - see the man page for the “profiles” command

Troubleshooting Tips

  • Get logs using Console or Apple Configurator 2
  • For iOS, filter the logs by process:
      • Profiles and certificate installation: profiled
      • Restrictions: profiled
      • MDM: mdmd, dmd
      • Apps: mdmd, mdm, appstored (installs and removes apps), itunesstored (if the apps come from iTunes)

macOS - don’t filter results by process but by the subsystem com.apple.ManagedClient

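The troubleshooting tips above come down to two filters: by process name on iOS (profiled, mdmd, dmd, appstored, itunesstored) and by the com.apple.ManagedClient subsystem on macOS. The script below, an added example and not code from Apple or from this post, applies those filters to exported log records. It assumes the record shape produced by `log show --style json` on macOS (fields "timestamp", "processImagePath", "subsystem" and "eventMessage"); the sample records are constructed, and the predicate strings it builds for the `process` and `subsystem` keys of the `log` tool are this example's own choice of wording.

```python
"""Triage exported unified-log records by process (iOS) or subsystem (macOS).

Added example for the troubleshooting tips; not code from Apple or the post.
Assumes the JSON record shape of `log show --style json` (macOS). The sample
records below are constructed for the demonstration.
"""
import json
import os
from collections import Counter

# Process names to filter on for each iOS problem area (from the session notes).
IOS_PROCESS_FILTERS = {
    "profiles": {"profiled"},
    "restrictions": {"profiled"},
    "mdm": {"mdmd", "dmd"},
    "apps": {"mdmd", "mdm", "appstored", "itunesstored"},
}

# On macOS the advice is to filter by subsystem rather than by process.
MACOS_SUBSYSTEM = "com.apple.ManagedClient"

# Constructed sample records. Every subsystem and message string here is made
# up except com.apple.ManagedClient, which the session notes name explicitly.
SAMPLE_RECORDS = [
    {"timestamp": "2017-06-10 09:00:01.000000-0700",
     "processImagePath": "/usr/libexec/profiled",
     "subsystem": "com.example.constructed.profiles",
     "eventMessage": "Installed profile com.example.wifi"},
    {"timestamp": "2017-06-10 09:00:02.000000-0700",
     "processImagePath": "/usr/libexec/mdmd",
     "subsystem": "com.example.constructed.mdm",
     "eventMessage": "Processing command InstallApplication"},
    {"timestamp": "2017-06-10 09:00:03.000000-0700",
     "processImagePath": "/usr/libexec/appstored",
     "subsystem": "com.example.constructed.appstore",
     "eventMessage": "Install succeeded for com.example.app"},
    {"timestamp": "2017-06-10 09:00:04.000000-0700",
     "processImagePath": "/usr/libexec/ManagedClient",
     "subsystem": "com.apple.ManagedClient",
     "eventMessage": "Processing server request: DeviceInformation"},
    {"timestamp": "2017-06-10 09:00:05.000000-0700",
     "processImagePath": "/usr/libexec/timed",
     "subsystem": "com.example.constructed.noise",
     "eventMessage": "unrelated daemon chatter"},
]


def process_name(record):
    """Return the bare process name from the record's processImagePath."""
    return os.path.basename(record.get("processImagePath", ""))


def filter_ios(records, area):
    """Keep records whose process belongs to the given iOS problem area."""
    wanted = IOS_PROCESS_FILTERS[area]
    return [r for r in records if process_name(r) in wanted]


def filter_macos(records):
    """Keep records from the com.apple.ManagedClient subsystem (the macOS advice)."""
    return [r for r in records if r.get("subsystem") == MACOS_SUBSYSTEM]


def build_log_predicate(area):
    """Build a `log show --predicate` string for an area ("macos" uses the subsystem).

    `process` and `subsystem` are predicate keys the macOS `log` tool accepts;
    joining the iOS process names with OR is this example's own construction.
    """
    if area == "macos":
        return f'subsystem == "{MACOS_SUBSYSTEM}"'
    names = sorted(IOS_PROCESS_FILTERS[area])
    return " OR ".join(f'process == "{name}"' for name in names)


def process_counts(records):
    """Count records per process, a quick way to see which daemon is noisy."""
    return dict(Counter(process_name(r) for r in records))


def load_records(path):
    """Load a JSON array written with `log show --style json > file.json`."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for area in IOS_PROCESS_FILTERS:
        hits = filter_ios(SAMPLE_RECORDS, area)
        print(f"iOS {area:<12} {len(hits)} record(s)  predicate: {build_log_predicate(area)}")
        for r in hits:
            print(f"    {r['timestamp']}  {process_name(r):<12} {r['eventMessage']}")
    mac_hits = filter_macos(SAMPLE_RECORDS)
    print(f"macOS subsystem filter: {len(mac_hits)} record(s)  predicate: {build_log_predicate('macos')}")
    print("per-process counts:", process_counts(SAMPLE_RECORDS))
```

To use it on a real export, run `log show --style json --last 1h > mdm.json` on the Mac and pass the file to `load_records`; the generated predicate strings can be handed straight to `log show --predicate` or typed into Console's search field instead of post-filtering in Python.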
Distribution

Apple School Manager

VPP integrated in Apple School Manager

  • Integrated, updated UI
  • Easier management of purchases
  • License transfer between locations. Content managers will no longer need to share credentials

VPP in Apple School Manager - purchases associated with location

  • Content Managers buy for location
  • Single token needed for each location
  • Content Managers manage all licenses at location

Licenses can be transferred from one location to another

  • Apple School Manager now shows number of available licenses
  • Only licenses that are currently available and not assigned can be transferred - licenses already assigned cannot be transferred and must be revoked first

Release of new VPP features later this summer

tvOS

  • Enterprise apps can be installed
  • Managed app configuration
Management

iOS

The enrollment and app profiles take a significant amount of Wi-Fi resources

  • To solve this, there is a new option for all MDM commands that lets the admin specify that the device may use a wired connection (Internet Sharing over USB, or an Ethernet connection) to perform the command
  • Combined with “Content Caching” in macOS should improve the setup experience for iOS

MDM already has the ability to install software updates on DEP devices without a passcode. Added support:

  • Passcode locked Supervised devices
  • Non-DEP Supervised devices
  • Preserve data plan when erasing devices
  • Removal of system apps

Data Protection

  • Join only Wi-Fi networks configured by policies
  • Exemption of carrier profiles (Supervise)
  • Disable users from creating their own VPN (Supervise)
  • Exchange and mail - Control S/MIME signing and encryption independently

Classroom Manager for Supervised devices

  • Unprompted screen observation
  • Unprompted app and device lock
  • Automatic joining of classes

AirPrint

  • Custom port
  • Require TLS
  • Disable iBeacon discovery for printers (Supervise)
  • Disable AirPrint credentials being stored in Keychain
  • Disable AirPrint

Networking

  • DNS proxy extension (Bundle ID) (Supervise)
  • Internet Protocol version(s) for cellular connections
macOS

Setup

  • System Migration Payload can be configured to select custom migration paths from Windows to Mac
  • Smart card configuration
  • Ability to provide a default configuration for any 802.1x Ethernet config for ports that do not have an explicit configuration
  • Software update delay for up to 90 days (Supervise)
  • Deferred updates query info (Supervise)

Firmware

  • Firmware passwords are analogous to Activation Lock on iOS
  • The Firmware password can be completely managed using an MDM server
  • Admin can set password
  • Query password status
  • Verify password
  • A restart is required when the firmware password is changed

Account Management

  • Querying List of Users
  • Delete user accounts
  • Unlock user accounts

Data Protection

  • New Extensions payload can be used to configure whitelists and blacklists of extensions
  • Disable all extensions
  • Query active extensions for a user
  • Escrow FileVault personal recovery keys to a custom server
  • Recover recovery key using MDM server
  • Disable iCloud desktop and documents

tvOS

  • Erase device (using Configurator or MDM)
  • Enroll Apple TV into DEP
  • Specify TV name
  • Modifying TV Name
  • Show/Hide apps
  • Home Screen Layout

Conference Room (Supervise)

  • Display custom message on screen
  • Restrict users to only access Apple TV to share their displays
  • AirPlay Security - 1 time passcode, passcode each time, a custom passcode

Kiosks and Dashboard

  • Single App Mode
  • Disable remote app pairing
  • Disable AirPlay

iOS, macOS, tvOS - Shared

  • VPN IKEv2 and Wi-Fi: min/max TLS versions
  • Installed app list consistent
  • Restart (Supervise)

Assessments

  • Activity continuation
  • Universal Clipboard
  • Dictation
  • Smart punctuation
  • Classroom screen observation

Restrictions that, starting in 2018, will only be enabled for Supervised devices:

  • App installation
  • App removal
  • FaceTime
  • Safari
  • iTunes
  • Explicit content
  • iCloud documents and data
  • Multiplayer gaming
  • Add GameCenter friends
Tools Update

  • Apple Configurator 2.5
  • Profile Manager in Server 5.4
  • Classroom
  • Content caching
  • Roster Simulator

Classroom 2

  • Teacher created classes
  • Document transfer between teacher and student
  • Mute devices

Classroom 2.1

  • Managed class behavior for teacher-created classes on supervised devices
  • Student activity view

Caching Service is no longer relegated to the macOS Server

  • “Content Caching” is built-in to macOS 10.13 High Sierra

Tethered caching UI

  • Introduced in Spring 2017 with macOS 10.12.4
  • Consists of three main pieces:
  • It provides a wired internet connection to all connected iOS USB devices
  • Provides “Content Caching” service on the Mac
  • Funnels all network traffic from the tethered devices through the “Content Caching” service when downloading cacheable Apple content

To enable this feature:

In System Preferences click “Sharing”.

Click “Content Caching” (currently only available on the macOS 10.13 beta).

Select “Share Internet Connection” which states: Share this computer’s Internet connection and cached content with iOS devices connected using USB.

Clicking "Options" provides a UI that is similar to what is found in macOS Server.

iOS devices can be plugged in at any time during the process.

When an enrolled MDM iOS device becomes tethered, it automatically checks in to the MDM server to see if there are any commands to process. If a command requires the network, it will use the USB interface instead of Wi-Fi. USB and Wi-Fi connections are required to process the download command: the asset needs to download from the internet and is then pushed to the device via USB.

Questions I had regarding "Content Caching": once the content is cached, is Wi-Fi no longer used? Is Wi-Fi required for the first download of the app to begin? What about subsequent downloads?