The FBI’s 2016 Privacy Red Herring – Despite What You Read in the Media, Corporations Can Unlock the iPhones They Own

I often find myself laughing at the overreactions we make in today’s world, where every opinion can be so easily spread – especially if there is any type of political current. As of late though, my laughing has subsided and I find myself much more concerned. Unfortunately for the majority of us whose opinions fall in the middle of the extremes, our voices are typically too quiet and often drowned out.

I write this blog today knowing it’ll probably be read by 10 people, if I’m lucky. But I do it anyway to speak on behalf of the group I feel I fall into and that is the silent majority.

And, because my blog is about Apple in the Enterprise, I want to do my part to inform the businesses that may be unaware, or wrongly informed by the media, that they can indeed get access to the data on the corporate devices they own and assign to employees.

Now, first off, before I get into the method of how to unlock an iPhone, let me express my opinion on this political side of the issue.

I personally believe the FBI’s request to un-encrypt the encrypted iPhone used by Syed Farook, the San Bernardino terrorist, is a red herring. Yes, having access to Syed’s corporate device may prove helpful, but at what cost? The FBI is using this terrorist act as a catalyst to find a way around the iPhone’s encryption for much more than just this single incident. Just look at this article in The New York Times, Justice Department Wants Apple to Unlock Nine More iPhones.

Apple is losing the PR battle on this and they shouldn’t be. This isn’t just about one phone, this is about you and your privacy. Apple is arguing its First Amendment rights regarding this, and we should all be standing behind them.

Think of all of the common individuals, like you and me, that will be put at risk if a backdoor to our personal data were made available by Apple. The FBI will not be the only entity that will eventually have access to such a tool. Even with Apple’s best and brightest working on a solution, nefarious individuals, companies and governments will find a way to use such a backdoor.

Do you remember the LA hospital that was paralyzed by hackers that made the news last week? A backdoor to our phones will only make it that much easier for all of us to have our personal information put at risk and potentially held hostage.

Donald Trump and possibly even Bill Gates disagree with me on this, depending on which report you believe. As for me, I’m against it. In the lexicon of Donald Trump himself, it is such a bad, bad, bad idea.

I place a lot of value on respect – especially regarding my privacy. And I extend that wish for privacy and respect for me, for my family, for my neighbor, for those who also live in the great state of Texas and every other individual that believes in our basic unalienable rights.

The FBI’s use of fear to override our basic rights is not a viable option – especially when the cost is the privacy of millions of individuals. Stewart Brown in his article in The Washington Post titled Has Apple made iPhones illegal in the financial industry? has it wrong, or missed a major piece of the picture. The collateral damage isn’t just a corporation (which can somewhat protect itself), it’s primarily you and me.

The argument here is that the iPhone was issued by the San Bernardino County Department of Public Health and, even though they’re not a financial institution, the law states that all financial institutions “have policies and procedures in place to monitor all electronic communication used by the firm and its associated persons.”

Seriously? We have a law to monitor all electronic communication? Good luck trying to enforce that.

With that, I don’t know the history of the law, nor do I have the full context of the law. It may have good intentions, but it compromises our privacy and puts us at a security risk. Data in motion is encrypted for our own security. We already have enough issues with our data being stolen and misused to think that we should un-encrypt all data so it can be monitored.

Really, this whole thing is crazy and worrisome. We have laws that make us vulnerable and governments that ask companies to remove what protections we do have. We need to stand up now, before we don’t have the freedoms to protect ourselves any longer.

Luckily for us “commoners,” there are plenty of others that feel the same way we do, both public and private figures.

Now it’s time to discuss how corporations can unlock the phones they own. Apple and Google have put protections in place for corporations, giving them the ability to remotely “unlock a phone.” The caveat is simply that it must be a managed device. Any MDM (Mobile Device Management) vendor can unlock a managed device in seconds.

That’s right, in seconds. My Dad always taught me that with the right knowledge and tools any job can be easy.

Unlocking an iPhone managed by LANDESK Management Suite is literally a two-click process. All you have to do is find the phone in network view, right click on it and select Unlock. And just like that, the phone’s password and, if applicable, fingerprint protection will be removed.

MDM Unlock

I understand that not every terrorist is going to use a company phone that should be managed prior to a terrorizing event. However, had the San Bernardino County Department of Public Health not neglected its duty to protect itself by managing the devices it assigns out to its employees, we wouldn’t even be having this conversation. The county would have been able to unlock the phone for the FBI, and the FBI would still be trying to come up with some other excuse to tear down our privacy protections.

As a people, both as public and private individuals, we shouldn’t be attacking Apple for having put in place privacy protections for all of us. We should be focusing on the negligence that is putting us in the tough spot to begin with, in which the proposed solutions steal away your own rights to privacy.


Deploying Your OS X Image with LANDESK Mac Provisioning

Image deployment, finally!

Hopefully, if you’ve arrived at this point, you’ve already built out the necessary preferred package server, built your NBI file, configured the LANDESK Core server with the NBI details, deployed the service to capture the NetBoot request, blessed your El Capitan clients, and created and captured your gold image, and it’s finally time to reap the benefits.

Watch the how-to video.

Creating an OS X Image Deploy Template

  1. From the LANDESK Console, open Tools > Provisioning > OS Provisioning
  2. From the menu tree, highlight All My Templates from the My Templates folder or the All Public Templates from the Public folder
  3. Click the New Template dropdown button from the Operating System provisioning toolbar and select the Mac Deploy Template
  4. Provide a name and description
  5. Specify the path to save your Mac and Windows image files. The path should be smb://fqdn/share/filename.dmg for an OS X image or smb://fqdn/share/filename.image for a Windows image. Just make sure your preferred server credentials have access to the shares.
      • Alternatively, you can also use the AFP protocol if you want to host it from an OS X server
  6. Add the path to store the profile, leveraging the same format in the previous step
  7. Push the Create button

Edit the Deploy Template

  1. Right click on the template created and select Edit
  2. Ensure the Netboot action has the Server variable set to your PXE rep or OS X server unless you’re using the USB NetBoot environment. The server URL format should be bsdp://ipaddress to ensure compatibility with El Capitan’s SIP.
  3. If deploying a Mac and Windows image, adjust the partition sizes in the Create Partitions actions under Pre-OS Installation. You can set the sizes in percentages so the template can work on any HD size.
  4. Set the correct partition identifier on the Deploy image action(s) under OS installation inside the Command-line parameters box. Make sure you do this for all Deploy Image actions.
      • For convenience, the action can be renamed in the properties panel if you have multiple images being deployed.
  5. Add any System Configuration actions desired, such as deploy software

Deploying a Provisioning Template

  1. Right click on the template created previously and select Schedule Template
  2. Drag the desired machine(s) to image onto the task created in Scheduled tasks
    • If deploying to an unmanaged machine(s), create a record for the new device(s) in the Network View > Configuration > Bare Metal Server tool. See the help file for more info.
  3. Right click on the scheduled task created and select Start Now > All

Creating a LANDESK Preferred Package Server

Overview

In order to deploy an image with LANDESK Management Suite, at least one preferred package server must be created. The Provisioning process within LDMS uses the user account and password supplied for the preferred server to access the share and to write the image files to the shares specified in your capture and deploy templates.

Watch the how-to video.

Create Web Share for Preferred Package Server

Note: This must be done on a server running web sharing services (such as IIS)

  1. Create a folder on the target preferred server that will host your images
  2. For our example we will create the following directory structure:
    C:\Distribution\Imaging
  3. Open IIS Manager, expand the navigation tree, right-click on Default Web Site and select “Add virtual directory”
  4. Enter “Imaging” for the share alias, and navigate to the C:\Distribution\Imaging directory created in Step 1.
  5. After creating the directory, right-click Imaging in the navigation tree and select “Edit Permissions”

    Permissions should be configured as follows:

    Everyone: List Folder Contents, Read
    IUSR: Read & Execute, List Folder Contents, Read
    NETWORK SERVICE: Full Control
    Administrators: Full Control

  6. Enable directory browsing by selecting the ExampleShare folder in the navigation frame and then clicking the “Directory Browsing” icon and clicking “Enable” in the right-hand pane.

Create UNC Share Distribution

  1. Navigate to the C:\Distribution\Imaging directory and right-click on the Imaging share.
  2. Right-click and go to “Advanced Sharing”
  3. Click “Share this folder”.
  4. Click “Permissions” and give a domain account Full Control access to the share. This will be the account used when the provisioning process needs to access or write to the share.
  5. Ensure that the same account is also given Full Control on the Security tab.

Configure the Preferred Server in LANDesk Management Suite

  1. Within the LANDesk Management Suite Console click Configure > Preferred Server
  2. Right-click “Preferred Servers” and select “New Preferred Server”
  3. Enter Server Name and Credentials to the newly created Imaging share on the Preferred Server. This needs to be the same account supplied in Step 4 in the UNC Share area.
  4. Enter the IP address ranges for the clients subnet(s) that this preferred server will serve.

Capturing Your Gold OS X Image for LANDESK Mac Provisioning

Imaging a device has changed dramatically over the years. In the early 2000s one would load everything possible onto the image in an effort to reduce the number of software requests the HelpDesk would receive post deployment.

The term bloated is often used for such corporate images. Not only did it take forever to deploy the gargantuan images, but conflicts between unnecessary and unused software applications were extremely prevalent.

LANDESK recommends the complete opposite approach in 2016. When creating your corporate gold image, leave it as plain and as vanilla as possible. Build all customizations into your provisioning templates and inject those customizations during the post-provisioning process.

Doing so will allow you to easily update and tweak your applications and customizations in real time, ensuring each device configured contains the latest and greatest.

Watch the how-to video.

Prepare Your Machine for Capture

  1. Obtain the latest and greatest machine you have
  2. Create as small of a partition as possible that’ll contain your OS and apps
  3. Install the desired operating system
  4. Install any desired apps
    • Again, best practice will be to keep the image as thin as possible. Ideally, applications should be deployed
  5. Install the latest LANDESK agent (9.6 SP2 or greater). Unlike the Windows process, a LANDESK agent is required to be on the gold image.
  6. Make note of the disk identifier for the partition you want to capture, as you’ll need it when creating the capture template. Do this by launching Terminal and running the command below:
diskutil list
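As an added example (not from the original post or from LANDESK), here is a small POSIX shell helper that pulls the partition identifier for a named volume out of diskutil list output, so the /dev/diskXsY value you paste into the capture template is read from the table rather than by eye. The sample output it runs against is constructed to match the El Capitan-era diskutil format; on the capture machine you would pipe the real diskutil list into it.

```shell
# Return the /dev identifier of the partition whose NAME column matches $1,
# reading `diskutil list` output from stdin. Volume names may contain spaces
# ("Macintosh HD"), so NAME is taken as every field between the TYPE column
# and the two SIZE tokens ("120.5 GB"). Exit status 1 if no row matches.
# Note: returns the first match. On a CoreStorage (FileVault) layout both the
# physical and the logical volume can carry the same name, so check that the
# identifier returned is the volume you actually intend to capture.
disk_id_for_volume() {
  awk -v want="$1" '
    # Partition rows look like "   2:   Apple_HFS Macintosh HD   120.5 GB   disk0s2"
    /^ *[0-9]+:/ {
      id = $NF                          # last column is the IDENTIFIER
      name = ""
      for (i = 3; i <= NF - 3; i++) {   # fields 3..NF-3 form the NAME
        if (name != "") name = name " "
        name = name $i
      }
      if (name == want) { print "/dev/" id; found = 1; exit }
    }
    END { if (!found) exit 1 }'
}

# Constructed sample in the El Capitan-era `diskutil list` format (not from a real machine).
SAMPLE_DISKUTIL='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Look a volume up in the constructed sample above.
sample_disk_id() {
  printf '%s\n' "$SAMPLE_DISKUTIL" | disk_id_for_volume "$1"
}

# On the capture machine itself:  diskutil list | disk_id_for_volume "Macintosh HD"
```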

Create the LANDESK Provisioning Capture Template

  1. Within the LANDESK Console, open Tools > Provisioning > OS Provisioning
  2. Expand My Templates from the menu tree and highlight All My Templates
  3. Click the New Template dropdown button from the Operating System Provisioning toolbar and then select the Empty Template
  4. Provide a template name
  5. Select Netboot from the Boot Environment dropdown list
  6. The target OS should automatically change to Mac OS X, if not, select it from the list
  7. Provide a description if desired
  8. Push the OK button to create
  9. Right click on the template created and select Edit
  10. Now, right click on System Migration and select Add Action
  11. Select the Reboot/shutdown action and select OK
  12. Highlight the Reboot/shutdown action generated and change the Action Properties option to NetBoot
  13. Set the Server option to your PXE representative using the format bsdp://ipaddress. For convenience when NetBooting manually, you’ll likely want to deselect the checkbox for “Stop processing the template if this action fails.”
  14. Right click on the OS installation and select Add Action
  15. Select the Capture an Image action and select OK
  16. Provide the smb:// or afp:// URL to where you would like to save the image. It should be something similar to smb://servername/share/filename.dmg
  17. Hit the Validate button so the command line parameters are generated, then replace /dev/disk0s2 with the identifier discovered on your capture machine; it may be /dev/disk1 or something else entirely
  18. Right click on Post-OS installation and select Add Action
  19. Select the Reboot/shutdown action and select OK.
  20. Select the Shut down radio button. As before, you’ll likely want to deselect the checkbox for “Stop processing the template if this action fails”, then hit OK to save the template

Schedule the Image Capture

  1. Right click on the template created and select Schedule Template
  2. From the Network View, find your machine from the Devices menu tree and drag it to the scheduled task created under your My Tasks folder
    • Remember, when capturing an OS X image, the machine must be a managed node with LANDESK Mac agent installed on it, so make sure you pull the machine from the inventory tree list
  3. Right click on the scheduled task and select Start Now > All

Blessing an El Capitan Device for NetBooting

In OS X 10.11 El Capitan, Apple has introduced their new System Integrity Protection feature which affects how you are able to NetBoot devices. If you think you’ll have the need to NetBoot a device anytime in the future, after it leaves your hands, you’re going to need to “bless” it with your sanctioned NetBoot servers prior to it going out the door.

Blessing a device with a NetBoot server is easy and only takes a couple of minutes per device, however, it is very hands on and will be extremely time consuming if you have a ton of devices – especially if they’re already in the field so plan accordingly prior to upgrading to El Capitan.

Watch the how-to video here

  1. Turn on or restart the device to be “blessed”
  2. Press and hold the keys Command (⌘)-R immediately after you turn on your Mac and hear the startup sound. Keep holding until you see the progress bar.
  3. When the device boots into Recovery Mode, you should see a Mac OS X Utilities toolbar. If you end up back at your typical login screen, reboot and try hitting the Command (⌘)-R keys again.
  4. Navigate to the Utilities menu bar item and select Terminal
  5. Type the following command in Terminal to add a trusted server. Change address to the IP address of your NetBoot server (PXE representatives, preferred servers, core servers)
csrutil netboot add address
  6. Repeat step 5 for any additional NetBoot servers (PXE representatives, preferred servers, core servers)
  7. To verify your NetBoot servers have been added, type the following command in Terminal, either in the Recovery Mode session or after having booted back into the OS
csrutil netboot list
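As an added example (not from the original post or from LANDESK), the POSIX shell functions below keep the sanctioned NetBoot server list in one place, print the csrutil netboot add lines for it, and audit csrutil netboot list output against it so a device that is missing a server, or that was blessed with one you never approved, gets flagged before it goes out the door. The addresses are constructed placeholders, and the assumed output format of csrutil netboot list is one allowed address per line under a header line.

```shell
# Sanctioned NetBoot servers for this site. Constructed placeholder addresses from
# the 192.0.2.0/24 documentation range; replace with your PXE reps, preferred
# servers and core server.
SANCTIONED_NETBOOT="192.0.2.10 192.0.2.20"

# True (exit 0) if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Print one `csrutil netboot add` line per sanctioned server. These are meant to
# be pasted into the Recovery Mode Terminal (step 5); nothing is executed here.
bless_commands() {
  for s in $SANCTIONED_NETBOOT; do
    is_ipv4 "$s" || { echo "bad address in SANCTIONED_NETBOOT: $s" >&2; return 1; }
    printf 'csrutil netboot add %s\n' "$s"
  done
}

# Audit `csrutil netboot list` output (read from stdin) against the sanctioned set.
# Assumption: the output lists each allowed server as a plain address on its own
# line below a header. Prints MISSING:/UNEXPECTED: lines and returns 1 unless the
# device is blessed with exactly the sanctioned servers.
check_netboot_allowlist() {
  listed=$(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' || true)
  rc=0
  for s in $SANCTIONED_NETBOOT; do
    printf '%s\n' "$listed" | grep -qxF "$s" || { echo "MISSING: $s"; rc=1; }
  done
  for l in $listed; do
    case " $SANCTIONED_NETBOOT " in
      *" $l "*) ;;
      *) echo "UNEXPECTED: $l"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample of `csrutil netboot list` output from a correctly blessed device.
SAMPLE_LIST_OK='Allowed NetBoot sources:
192.0.2.10
192.0.2.20'

# On a real device (Recovery Mode or booted OS):  csrutil netboot list | check_netboot_allowlist
```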

How to Configure a LANDESK Environment for NetBoot

When a Mac begins the NetBoot process, it sends out a request on the network asking for the details as to the location of the NetBoot Image file.  Somewhere on the subnet, a service needs to respond to this request and provide the path to the NBI.

LANDESK has augmented the PXE Representative service already in use for Windows device provisioning so that it can also respond to this request for all Macs on the subnet.

This PXE representative service is currently a Windows service and will require at least one Windows device with the LANDESK agent to be utilized. If you’re a LANDESK customer and don’t have any Windows devices on your imaging subnet, you can configure an OS X server to be the NetBoot request representative. Details around configuring an OS X NetBoot server can be found at https://community.landesk.com/support/docs/DOC-33695

Deploying a LANDESK PXE representative is very straightforward. LANDESK has bundled with the product a PXE Representative package ready for deployment. All you need to do is decide what device is going to host the service per subnet.*

Watch the how-to video here.

  1. From the LANDESK Console, open Tools > Distribution > Distribution Packages
  2. From the Distribution packages menu tree, highlight All Packages
  3. Search or scroll to find the PXE Representative Deployment, right click on it and select Create Scheduled Task
  4. Select your specific task properties, such as the targets, task settings, portal settings and when to start the task

*IMPORTANT NOTE: In OS X 10.11 El Capitan, Apple has introduced their new System Integrity Protection feature which affects how you are able to NetBoot devices. If you have need to NetBoot across subnets, you’re going to need to customize the NBI and add in your approved NetBoot server’s IP addresses. For more information see http://appleintheenterprise.com/2015/11/30/how-to-build-an-nbi-with-os-x-10-11-el-capitan/


How to Configure a LANDESK Core Server with a Mac NBI File

In order to image a Mac device, you need to boot it into a pre-boot environment that is capable of making system level changes to the hard drive.  To make these types of changes, the primary operating system cannot be mounted and therefore an alternative boot environment is required for the device.

The alternative boot environment for OS X is called NetBoot.  While you can take a NetBoot Image file, put it on a USB stick and plug that stick directly into a Mac, such a method requires physical access to the device and is therefore not as desirable.

Alternatively, to forgo the need to have physical access to a device, you can create a service on the network that will listen for a Mac client to make a NetBoot request and then tell the client where to download the NetBoot Image file.

LANDESK has built this service into its PXE Representative technology that is also used for booting Windows devices into its equivalent pre-boot environment WinPE.

The steps below will walk you through configuring your core server with the information regarding the location of the NBI file so when the PXE representative service is established, it will be able to appropriately respond with the information the Mac will need to boot the NetBoot Image file.

Watch the how-to video here

  1. Log on to the device from which you created the LANDESK NBI file outlined previously.
  2. Connect to the server hosting your HTTP share. For information on how to create an appropriate HTTP share, see https://community.landesk.com/support/docs/DOC-6986
  3. Transfer the LANDESK NBI file to the HTTP share
  4. From the LANDESK Console, open Tools > Provisioning > OS Provisioning
  5. On the Operating System Provisioning toolbar, select the Preboot dropdown button and click on the Manage Netboot Image Mappings
  6. Supply the HTTP path to your Netboot image files and then click Browse to select your appropriate NBI.
    • Ensure your HTTP share has been properly enabled to support files with no extensions as outlined in the link in step 2.
  7. Configure any unique device models that will need an NBI file different from the default.  The list of device models will be automatically populated from the LANDESK inventory
  8. Click OK

Hard Drive Encryption for Your Macs is Free From Apple – Why Aren’t You Leveraging its Protection?

2014 and 2015 have been monumental years when it comes to data breaches and the costs incurred by the business entity for those breaches. According to a study released by IBM and the Ponemon Institute, the average total cost of a data breach increased to $3.79 million in 2015.

While Sony Pictures Entertainment, JPMorgan Chase, Target, Ashley Madison, and the U.S. government are the high-profile examples, it only takes one forgotten laptop in the back of a taxi cab or left in an airplane seat-back pocket to put you in the sights of a possible attack.

Now, data breaches have many causes. Hacking incidents, whether by brute force or social engineering (think skimming or phishing attacks), are by far the most popular means of getting to your personal or corporate data. However, in second place, accounting for 15% of all data breaches, is the category of employee negligence, which includes lost/stolen devices.

What’s crazy is that while you can’t prevent people from being forgetful, or prevent humans from stealing from one another, you can prevent your data from being accessible if one of your devices ends up in this situation.

So how is that done? It’s done by encrypting the hard drive so its contents cannot be read without the decryption key, which is your logon password, so it’s not like your end users have to remember anything unique. And, conveniently for you, built directly into OS X, for free, is FileVault – the premier hard drive encryption tool for your Mac. All you have to do is enable it and reap the benefits of its protection.

Without an encrypted drive, all one would need to read all of the data from a stolen/lost laptop is a screwdriver, a $20 hard drive enclosure, a computer and about 30 minutes of free time. Do you know of anyone that might have all four of those ingredients?

We all do, right? Retrieving data from a device is not rocket science.

Okay, knowledge of why you need to encrypt your hard drives is only going to take you so far. How to encrypt every Mac you have is just as important, if not more so. Built into LANDESK Security Suite 2016, released on Friday, February 5th, is the capability to not only enable FileVault remotely, but to capture the backup encryption key just in case your users forget their logon password—and we all know that for some people, remembering their password is as complicated as rocket science.

Follow the brief steps below or watch this walk-through video to learn how to leverage LANDESK to encrypt your Macs and manage your FileVault keys. Then, sit back and rest a bit easier knowing that when the next laptop from your corporation is lost or stolen, the data is encrypted and safe from prying eyes.

  1. Launch the LANDESK Console
  2. If not yet done, upgrade the Mac agent to the 2016 LANDESK agent
  3. Select Security and Compliance and then open the Patch and Compliance Window
  4. For convenience, change the ‘All Types’ dropdown button to Security Threats
  5. Find the security threat ‘FileVaultActivation-10 ID’, right click on it and create a Repair task
    • Note: Ensure you’re downloading Apple Mac Security Threats in the “Download Updates” portion of the patch manager tool if you don’t see the FileVaultActivation-10 ID.
  6. Apply your desired task settings, decide if you’re going to make it required or make available via LANDESK Workspaces, add your targets and schedule the task.
  7. Once the client devices receive the task, a prompt will display letting the user know encryption has been enabled and asking the user to restart so that the process can commence at the next login event.
  8. At the next login event, the active user will be enabled for FileVault. The machine will then restart.
  9. Log in to the pre-boot screen with the authorized account.
  10. The authorized user can now use the machine, however it may be a bit slow while the encryption process finishes. Status can be seen by going to Settings > Security & Privacy and clicking on the FileVault tab.
  11. If additional users on the device need to be enabled, the first FileVault authorized user will need to enable the accounts by clicking on the Enable Users button on the FileVault tab in Security and Privacy. The account passwords for the additional accounts will need to be entered to complete this step.
  12. If desired, run an inventory scan to see the updated FileVault status in inventory. This step is optional as the regular inventory scanner schedule will send the updated status change automatically.
  13. Return to the LANDESK Console and go to Configuration > Client Data Storage to view the key stored for the client.