Ntiva Live: Apple for Business

Apple MDM Enrollment, M1 Macs, and XcodeSpy Malware
March 23, 2021

Episode Overview

In this episode, we discuss Apple Device Enrollment, M1 Macs, and XcodeSpy:

  • Apple Device Enrollment, and how MDM affects your privacy
  • M1 Macs and the ongoing issues with VMware
  • XcodeSpy, the latest malware affecting Apple devices


Episode Transcript

Ben:

Let's officially get started. Today is Tuesday, March 23rd. This is the Apple Business livestream here at Ntiva. I'm Ben Greiner, your host. I'm director of Apple technology at Ntiva. I've been focused on the Apple platform since 1998. With me today is Chad Calease, our cyber resilience lead. And Chad spans all platforms, but he helps us a lot on the Apple platform, and he's our co-host.

Ben:

Today, we're going to talk about this phase two of our methodology for supporting Apple devices, that's the enrollment phase, we'll talk about what that means. Now we're going to talk a little bit more about M1 Macs, some of the pros and cons of the M1 Mac. You've heard us talk about it before, but everyone's interested in what we're learning as we learn more about M1, we're going to talk a little bit about relevant news, including a recent security headline from a few days ago, and we're going to talk about Big Sur.

Ben:

So we're going to try to get through all of that and very quickly. While we're talking, if you have any questions at all, please put them in the chat, we'll try to get to those questions, and if we don't, I apologize, we'll get to them next week. I want to share my screen and mention, because I switch platforms so often... Okay, share screen. I got to find my share screen button. So I just want to remind everyone, those of you who are here obviously know how you got here.

Ben:

But if you go to ntiva.com resources, there's Apple livestream, and we have a page. I want to show this to you because if you missed any previous live streams, if you scroll down to the bottom, you'll see the past ones here, you'll view even more here, and if you know of anyone who wants to sign up, sign up here, you can get the recording after the show if you miss it. I think we have that working now; if we don't, let us know. If something isn't working with the signup or the reminders, either pre-reminder or post-reminder, please let us know.

Ben:

Last week I mentioned I wanted to, over the next several live streams, talk briefly about this methodology, because this methodology is the foundation upon which all of our service runs off of. And it's really important that clients have this foundation so that we can build upon it. And we talked about setup last week, we talked about what you needed for set up. And if you don't have that, reach out to us, you need to know where you're purchasing, you need an Apple business manager account and you need to be enrolled in our system. Enrollment, that's phase two. What does that really mean? Can you still see my screen, Chad, I had to move this over.

Chad:

Yeah. I was waiting for a moment to see if you were going to say, I still see the landing page for Apple, for business live streams, and that's still the-

Ben:

You do?

Chad:

Yeah. I'm not seeing the framework yet.

Ben:

This is one of our frustrations that I've had recently. I don't know if it's a Big Sur issue, it appears to only happen in Zoom where my screen is not catch-up. And Chad-

Chad:

Just refresh. Yeah, we were just talking about stuff like this.

Ben:

We were talking about network issues and what we believe to be macOS 11 Big Sur. I don't know if anyone out there has run into this, couldn't tell you for sure why I'm running into it. I've been sharing my screen in Teams and Zoom, sometimes it works, sometimes it doesn't. So you're not seeing it. I'm going to stop sharing and just go back into it though. That would probably get me back to the screen.

Chad:

Cool. Good idea.

Ben:

And share.

Chad:

I have better luck sometimes sharing an actual display. Everybody's setup is different.

Ben:

The full display.

Chad:

Yeah, not the main one, but a secondary one. And then I put all the schwag I want to share on that display, but there's no one silver bullet for this. No matter how much experience we have with the stuff, it tries our patience.

Ben:

Do you see my full screen?

Chad:

I just see a blank screen right now, that's what I see. It's just a-

Ben:

Well, I'm going to stop sharing. Let me just go back to the single window again and see if that works. Share. Okay. Tell me if you see anything.

Chad:

It says you have started, but I don't actually see anything.

Ben:

I'm going... Chad, why don't you try sharing your screen? I'd be curious.

Chad:

Well, let me pull that up. Let me... Oh, there it is.

Ben:

There it is.

Chad:

It just popped up.

Ben:

Yeah. Just super slow. I don't know why, we'll have to troubleshoot that.

Chad:

And you're plugged in too, you're not using wireless, Wi-Fi or anything.

Ben:

Yeah, I'm plugged into ethernet, everything's been working. But this happened last time we did this, two weeks ago, in Zoom. And I know I've been sharing my screen in Zoom, unless no one's told me, everyone's been so polite as I rattled on.

Chad:

It's possible. I don't think so, not last time.

Ben:

They couldn't see my screen as I gave an hour-long presentation.

Chad:

Please, if no one's seeing anything, let us know, because sometimes that's helpful.

Ben:

Raise your hand, say something in the Q&A screen. So I want to talk about enrollment because there are a lot of questions around this, what does that mean? First of all, what does enrollment mean? Enrollment means we want to enroll a device, whether it's iPhone, iPad, Apple TV, Mac, Notebook, desktop, we want to enroll that into the mobile device management system, the MDM system. That's the tool that we as a team use to support our clients.

Ben:

And what does that involve? Oftentimes, when I say that, to be honest with you, some people, they freak out a little bit. They're like, "Are you going to start spying on me?" No, we're not going to start spying on you. This is a fleet management software, it's a way for an organization to always know the status of their devices from a security and privacy standpoint. Apple very much errs on the side of the individual, meaning Apple does not allow security and privacy issues, does not allow IT access to that, meaning when your device is enrolled, do we know the websites that you visit? No, we do not. Do we know-

Chad:

We don't have that time.

Ben:

No, we don't have that time.

Chad:

Even if we did, we wouldn't have that time. So there's a lot of layers protecting you from that kind of stuff.

Ben:

Yeah. But I do want to mention that, because a lot of people, that is a concern, and rightfully so. You don't want someone spying on you unless you've given them explicit permission to do so. So really, this is device management. This is, I want the device to check in to the server, tell me what it looks like and tell me if it needs to do anything. And what would it do? It might run software updates, there might be a security patch that's super critical, and we want to make sure that patch gets applied. There might be a security policy that says upon enrollment, "Oh, I see that you don't have a passcode or you have a passcode that's four digits long and could easily be hacked." And we need that to be-

Chad:

Especially if you have compliance requirements, things like that. There are certain things that need to be in place and it makes that easy for everyone. You don't have to worry about it or click this, or how do I do that? It all takes care of it for you behind the scenes.

Ben:

Yeah. So there are two ways to enroll. There's the zero touch enrollment, which I'm big on. Which is you buy something from Apple or an Apple reseller out of the box, it gets enrolled. That's easy, that's zero touch. But a lot of us have devices that are already out in the field that have to be enrolled. And that typically is as easy as sending an email link to ask your employees, to click the link and enroll the device. That being said, how many times Chad, if we ask our employees to not click links?

Chad:

We don't say that. We do say trust, but verify, but it's our job to click on them. It's everybody's job to click on links. That's a touchy one for another episode, maybe.

Ben:

Yeah. So, there are ways to send links out. Ask your team to click on it, ask them to enroll the device. But what's super important in all of this is communication. Communicating about why the tool is important, what the tool will do, what the tool will not do and why we need you to click on the link to authorize the enrollment of the device. And that's why Apple builds zero touch because they know it's a challenge to click on the link. They know we can't as IT professionals in a national, global, or even during the pandemic, go to every single computer and do that for people.

Ben:

So we want to make it easy for the organization. We want to make it easy for the individual. And that's really what phase two is all about, getting the devices enrolled. And actually when we encounter a new client, we enroll in what we call inventory only. So the main goal of the tool is to enroll, to get those instructions that I mentioned, like security policies, patching, block software, install software, give teams the tools they need to do their job, protect them from the tools that they don't need or not sanctioned. But the point of that was ... What was my point of that, Chad?

Chad:

Just the inventory only. We start with [crosstalk 00:10:32].

Ben:

Inventory. Thank you, yes. But in the beginning, because we don't often know the repercussions of doing any of that, even though we can pretty much guess based on experience what will happen, we want to do inventory only. And inventory only is just like it sounds, I just want to know what the inventory status of the machine is. What is the age of the machine? What is the operating system? What are the applications that are installed? And then from that information, we can determine what to do next. Maybe we need to patch. Maybe we need to upgrade. Maybe we need to replace maybe.

Chad:

Yeah, in some cases.

Ben:

Maybe we see failed batteries, failed RAM, full hard drives, all that information. So enrollment is, "Let's start with something we know, so we can make informed business decisions." Super important. If you don't have a system right now that gives you information on your fleet of devices, I recommend it. Especially as you grow. For us, typically 10 users and above is where it starts to get hard to wrangle those devices. If it's just you or you and a partner, you can probably manage it without anything fancy like this.

Ben:

Okay. So, that's phase two, enrollments. And I don't see any questions about that. We'll keep going. I wanted to touch on Apple's M1 Macs, Chad. We talked about this before. Apple has a two year plan to get all their Macs running M1 chips, that's Apple's processor. Apple started the processor in the iPhones. They moved it to the iPads. I think they use the Apple TV too. It may not always be called an M1 chip, but M1 is Apple's name for their chip as opposed to Intel. Back in the day, Apple ran PowerPC, they made the move to Intel and they did so using an application called Rosetta, which emulated the PowerPC chip on an Intel chip. They now have Rosetta 2, which emulates an Intel chip on an M1 chip. And there are a couple of new things that we've discovered in working with M1s that maybe I personally wasn't aware of and I wanted to share with all of you to make sure you're aware of it.

Ben:

Because it's very tempting to say, "I want the latest and greatest. I'm going to get the M1 chip." But you have to be prepared that it's still early days. We're about a half year into Apple's two year plan of migrating everyone to an M1 chip. Not all applications work. We showed you, I think, during the last live stream. You can go to the website. We'll show you what apps are optimized for M1. But we've also learned for anyone who relies on virtual machines, you cannot run a virtual machine on an M1 Mac. Chad, could you explain what a virtual machine is and why we can't run one on an M1 Mac?

Chad:

Sure. Virtual machines are very important to a lot of us. We'll call them VMs for short, virtual machines. They're important because they help us simulate the behavior of some of our tools. So before we make any changes to a client's device, for example, we'll test those tools or those scripts or whatever the case may be on a virtual machine that emulates maybe Catalina or maybe Mojave different kinds of hardware profiles, for example. And right now, it's tricky. With some hacking, we can run VMs and ARM architecture. So the M1 chip uses a new architecture called ARM. And that's a very power friendly architecture. There's a lot of real awesome pros to it. But right now, it's really challenging.

Chad:

We can't spin up Intel-based virtual machines or VMs for our work. I use it in my security work like sandbox malware samples, for example, and a lot of other things that won't affect my real system. So that kind of abstracts them or keeps them separate. So VMs are really important for a lot of that work. A lot of security researchers use VMs all the time. There's just a lot of practical use for them. And right now, it's not very practical to have an M1 machine because it just doesn't support all the tools that we use every day.

Ben:

So I hope eventually we'll get the ability to have virtual machines on an M1 chip. It's just early days right now.

Chad:

Yeah, it's everyone. It's not just VMware, it's not just Parallels, it's everyone. So we're waiting patiently and that'll come in time. But to your point, Ben, that's what comes along with living on the bleeding edge of technology.

Ben:

Yeah. Yeah. And by the way, I changed my web browser to show Apple's M1 page. Do you see that?

Chad:

I see that. Yep.

Ben:

Okay, that's good. And I would like you to test, Chad before we leave, maybe we can have your test or maybe offline, we'll do some testing. That might be better. The other thing with the M1 chip, at least with the current iteration, and I try to remind people all the time that Apple introduced the M1 chip in their entry level machines. Entry-level machines typically targeted towards students and home users, not business professionals. And yeah, these Macs today can technically only support one external display. So if you have two external displays, you cannot connect two displays at once to an M1 Mac. Now I have seen some talk of hacks out there where people have been able to overcome that limitation, so maybe it's not completely a hardware limitation, but-

Chad:

Again, it's how much time you want to invest and is it stable? Like I said, we can also run ARM-based VMs, but it's not stable and so it's a risk because you may lose some productivity. That's the challenge. Is it worth it? It's a personal choice.

Ben:

I mean, we had a client who did buy an M1 chip and I can't... Maybe, you know this Chad.

Chad:

And they returned them. Are you going to tell that story?

Ben:

Yeah. Yeah. Yeah. Apple does have a return policy. I don't know. Is it 15 days or?

Chad:

It's short, but it's decent. I mean, it's like you have a week and in a week you can't really do what you need to do. That's a tough choice, but we did have a client who returned them, said, "Nah, it's not for us," so keep an open mind.

Ben:

Do you remember what it was that stopped them from proceeding with the M1? Do you know if-

Chad:

It was an app. I mean, I'll be discreet. It was an app that wouldn't play nicely. Mm-hmm (affirmative).

Ben:

Okay. They returned it. Got an Intel chip and they're back in business. So be prepared for that. Also, wanted to touch on some recent news. Chad, we mentioned there was a Xcode malware.

Chad:

XcodeSpy. Yeah. It's just something to be aware of. I mean, there's nothing new in the rest of the world, certainly the Windows world and the GitHub world. Any time we share code repositories, a lot of folks are amazing with the tools that they share with the larger community and GitHub has come under this because if you build an application that uses open source tools or something that's maintained by a third party somewhere, it's important to inventory those things and keep track of all of those repositories. And over time, some of them may stop being developed or... there's a number of reasons why and this week or last week, it's important in the Mac community, the Apple community because this is the first time that we've seen Xcode projects shared, Xcode projects be weaponized in that way. And so we just need to not think that we're special as Apple users anymore. We're vulnerable to all the same things, viruses, malware, and certainly now shared code repositories. Yeah.

Ben:

Yeah. I think the real takeaway here is as the Apple install base grows, we're going to see more of these types of threats, right? I mean, these bad actors are opportunistic and of course they've focused on the Windows world for a long time because that's the dominant number of devices out there. But-

Chad:

But the good news is... Well, I'm sorry to interrupt you. I didn't want to leave out the best part. The good news is if you don't know if you use shared code repositories or not, it doesn't make any sense, then you're probably okay. You probably don't have to worry about this. It's really for folks who are actively developing applications and tools and code and kind of that more geeky nerd out on some of that stuff. And if you're like, "What is that," you're cool. You don't have to worry about it.

Ben:

Yeah. But it is important to be aware that just because you're on an Apple device, you're not immune to this stuff. So building security awareness within your teams so that they know not to click on something or install something that they don't know the full details of, they have to be aware of that. And you need some layers of protection. Chad and I often talk about defense in depth, having layers of protection in your network, on your computer, in your entire IT infrastructure, similar to how cars have multiple layers to protect us, the analogy of seatbelts, airbags, anti-lock brakes. Those have all been built over time to make driving safer.

Chad:

Yeah. And we don't rely on just one of them, right? When we walk out to our car, we don't think about just the seatbelt protecting us or the airbag or the sensors. We know that there's an entire symphony of things there minimizing our risks and the same analogy applies in technology and we don't want to do just this one thing or rely on just anti-malware antivirus, we want a very rich fabric of layers that keep us all safer.

Ben:

So Chad, I went to the Ntiva blog. Can you see this? Do you see the blog page?

Chad:

Yes. It's refreshing. [inaudible 00:21:01].

Ben:

And Chad, you wrote a small article about macOS malware, XcodeSpy last week. You posted that here. We just yesterday released this piece about upgrading to macOS 11 Big Sur. And so I want to talk a little bit about Big Sur. Feel free to read the article. We imply here that we're still cautious, but it may be time to consider upgrading to Big Sur. We're now at 11... just checking 2.3. Yes. Oh, it even says here, it's the latest. Once again, I would say cautious is the key word because prior to getting on this presentation, Chad and I were just talking about a few frustrations we've had that as far as I can tell, have introduced themselves since upgrading to Big Sur. For me, it's an issue with my Bluetooth mouse. This is an Apple mouse. I have tried resetting it, repairing it, trashing preferences, charging it all the way.

Ben:

I tried all the simple things, including... What is it? NVRAM reset. There are a couple of things you can do on a Mac to restart and kind of refresh it without destroying data. I tried all of that and I've seen people online talking about it. I have not been able to put my finger on why it's having a problem, but occasionally my mouse will just feel like I'm pushing it through sand, sluggish like not quite there and it'll speed back to life. It's just annoying enough to make me think that what is going on here and then of course it springs back to life and I get back to work and I never take time to actually figure out what it is. If this were a client having this issue, I'm sure we would figure it out much more so than me, but it is frustrating and that's the type of thing that Chad and I were saying with the previous iteration of the operating system, Catalina 10.15, like we knew that really well. It was really solid. And yeah, we're excited about the changes in Big Sur, but it's still a little rough around the edges. The other piece, Chad, that you were experiencing though is just some network issues, which might be also related to what I'm seeing with my screen sharing.

Chad:

Yeah. It's a bummer because I'm wired, right? I don't use Wi-Fi on this particular machine. It's plugged in and for reliability reasons, right? It's plugged into ethernet. And even last week, Monday, I was presenting early in the morning to a couple of middle schools for the PTA and about security and stuff and my connectivity dropped out in the middle of it. And that's very frustrating. That's something that's new, but we're almost there. We're at .2, .3 which is great. When we get to .3, so 11.3, things usually improve big time from then, right Ben?

Ben:

Yeah. 11.3, I would start to feel even more confident in most of the bugs being squashed. But right now proceed cautiously and know that if you do buy a new machine, it is going to come with Big Sur. If you buy an M1 machine, which we're not really recommending, it will definitely come with Big Sur. If you buy anything else, depending on where you buy, you might get lucky and get an older operating system. Especially if you buy from like a CDW who had a bunch on the shelf. I would guess if you buy directly from Apple, you're not going to see anything but Big Sur. And it's nearly... I won't say it is impossible to downgrade. Well, it's impossible to downgrade an M1 Mac. An Intel Mac, you might be able to downgrade it. But Apple is making it harder and harder to do so. And it's not something we recommend anymore.

Ben:

There used to be a time where we had a window of opportunity where we could buy a computer and no matter what operating system it shipped with, we could wipe it and put an older one on. And that's really not something I would recommend these days. So if you do have to get a new computer, be prepared for Big Sur. Try to do a beta test, pilot program or something with a Mac in your environment. Definitely reach out to us for support on that. Both on buying a product, making recommendations. I still see a lot of people buy computers and they don't upgrade the RAM. And it used to be that they would upgrade the RAM later. But Apple is doing more and more RAM installs that cannot be upgraded later. Because it's tied to the chip. So you need to upgrade the RAM at time of purchase. That's the one and only time you can do that.

Chad:

And that's another limitation of the M1 is, they tap out at 16 gigs, I think right now for RAM.

Ben:

I think so.

Chad:

So that'll change as time goes on. So if you don't absolutely need a new computer and you can wait, there might be some value in that too, depending on what your situation is.

Ben:

Yeah. It really depends. I mean, if Apple is going to stick to their two year cycle it may be difficult to wait. It's a case by case situation.

Chad:

It's a timing-

Ben:

Reach out to us. Yeah, we can help you evaluate your needs and if you should wait or not. But I do find, I think what happens Chad is the Apple computers, Apple does a good job of presenting a relatively simplified view of devices. Especially compared to the Windows world where you have so many options.

Chad:

True.

Ben:

But even Apple, when you choose a model, they have different tiers and different levels. You can upgrade the RAM, you can upgrade the graphics card, you can upgrade the hard drive. So they have all these different components. And especially once again, coming from the Windows world where you can even build your own, at least you used to be able to build your own. You really only have that one opportunity to build it at Apple or to buy it from a reseller with the exact specs you want. Because later it's going to be very difficult. It's not user swappable, even authorized service providers can't just sell you a better graphics card-

Chad:

No, they're shipping them back to Apple. They're shipping them back to the depot, they call it, they'll ship it to the depot and sometimes it's a couple of weeks. So it's worthwhile to buy the best machine that you can at that time. Because it's really challenging to make changes to it later.

Ben:

Yeah it'll last longer. It'll have higher resale value when you are done with it. Which is also a great thing with the Apple's devices. They do tend to resell at a higher price. But I am talking mostly about notebooks. iMacs have, in some models, I think only the higher end bigger 27 inch models, have some user replaceable or upgradable parts.

Chad:

That's true.

Ben:

And then of course Apple does have, I think they still have the higher end. Let's go here, make sure. Can you see my screen changing?

Chad:

Yeah it's zippy.

Ben:

Yeah. They still-

Chad:

I'm liking the browser.

Ben:

Yeah. The Mac Pro is the most user exchangeable, but it is also the most expensive-

Chad:

A nice car. A good used car.

Ben:

Yeah, starting at $6,000. So if you're a video user or somebody with high-end needs, that's a great machine. But most of us are not living on a Mac Pro these days. A few more minutes or a couple more minutes, and I see there's one question that came up earlier that I missed is, "Can you explain if the MDM solution that we use or any MDM solution really works for both corporate-owned devices and BYOD devices?" And BYOD is bring your own device. And Apple actually does have a really nice page. And yes, the answer is yes. Business... Let's go here, if my page refreshes. This is the network issue I was talking about Chad, where in certain browsers it'll just stall and then I'll just have to-

Chad:

Refresh?

Ben:

Refresh it and-

Chad:

No it's not the browser.

Ben:

It's not wanting to come up. There we go. Apple Business, IT, do you see this page Chad?

Chad:

Yep. Working great now.

Ben:

Says Ready. Set. Done. Okay, so this is apple.com/business/it. And there's a really great graphic here that summarizes corporate owned devices, corporate owned devices where IT has control over the device and personal owned devices for bring your own device where there are limited functionality for IT. And the one I like to call out is, IT can no longer, with this type of enrollment, can no longer remotely wipe the entire device. People always get a little freaked out with the old BYOD format where IT had the ability to do that. Granted, we never wanted to do that without explicit instructions and authorization to do so. But it was also, I personally, as an IT provider, didn't like the responsibility of knowing that, if the client asked me to do something and there was some even small misunderstanding and we did the wrong thing, what the repercussions were. So I like the fact that we don't have the ability to do that. We can't even goof that up. So that's a great thing about BYOD. That brings us to the half hour. Any other questions or comments Chad that you have?

Chad:

Like others, they probably have a thousand, but we're out of time.

Ben:

Well I forgot, our next in two weeks, we're going to have a special guest.

Chad:

Yes, that's right, Thomas Reed.

Ben:

Thomas Reed from Malwarebytes. So we're going to start to introduce guests to the series. And the first one is Thomas Reed from Malwarebytes. And Malwarebytes is the endpoint protection, the modern day antivirus that we use and recommend on our own computers and in many of our client organizations. And yeah, we're going to see what he has to say. So I'm looking forward to that and I hope everyone can join us in two weeks, we'll see you soon.

Chad:

Yes please, it'll be good.

Ben:

Thanks.

Chad:

Yeah.

Ben:

Bye.

Chad:

Yeah. Thanks for listening, bye.

About the Ntiva Apple for Business Livestream

Ntiva’s Ben Greiner and Chad Calease host the Ntiva Apple for Business livestream every other Tuesday from 12:00 to 12:30pm CT. These live events, presented by the Ntiva team of Apple experts, are sharply focused, easily digestible, and cover topics including the latest Apple/macOS/iOS technology updates, cybersecurity, data privacy, MDM and BYOD policies, and more! We take questions from the audience and share what's working—and not working—for us and others in the industry.
