To learn about macOS MDMs check:
Mobile Device Management (MDM) is utilized for overseeing various end-user devices like smartphones, laptops, and tablets. Particularly for Apple's platforms (iOS, macOS, tvOS), it involves a set of specialized features, APIs, and practices. The operation of MDM hinges on a compatible MDM server, which is either commercially available or open-source, and must support the MDM Protocol. Key points include:
The Device Enrollment Program (DEP) offered by Apple streamlines the integration of Mobile Device Management (MDM) by facilitating zero-touch configuration for iOS, macOS, and tvOS devices. DEP automates the enrollment process, allowing devices to be operational right out of the box, with minimal user or administrative intervention. Essential aspects include:
It's crucial to note that the ease of enrollment provided by DEP, while beneficial, can also pose security risks. If protective measures are not adequately enforced for MDM enrollment, attackers might exploit this streamlined process to register their device on the organization's MDM server, masquerading as a corporate device.
Security Alert: Simplified DEP enrollment could potentially allow unauthorized device registration on the organization's MDM server if proper safeguards are not in place.
The cloudconfigurationd binary is responsible for communicating over this API.

DEP "cloud service" API
Apple devices manufactured after 2010 generally have 12-character alphanumeric serial numbers, with the first three digits representing the manufacturing location, the following two indicating the year and week of manufacture, the next three digits providing a unique identifier, and the last four digits representing the model number.
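As an added example (not code from the HackTricks page), the following Python splits a serial number into the four fields described above and makes the practical consequence explicit: within one manufacturing location, week and model, only the three-character unit identifier varies, so a serial is an identifier with a small sibling space, not a secret. Any enrollment flow that accepts a bare serial therefore needs an additional authentication step. The sample serials are constructed and do not belong to any real device.

```python
import re
from dataclasses import dataclass

# Layout stated for Apple serial numbers issued after 2010:
# 12 alphanumeric characters = location (3) + year/week (2) + unit id (3) + model (4).
SERIAL_RE = re.compile(r"[A-Z0-9]{12}")
ALPHABET_SIZE = 36  # digits plus uppercase letters


@dataclass(frozen=True)
class SerialFields:
    location: str   # characters 1-3: manufacturing location
    year_week: str  # characters 4-5: year and week of manufacture
    unit_id: str    # characters 6-8: unique identifier within the batch
    model: str      # characters 9-12: model number


def is_valid_serial(serial: str) -> bool:
    """Accept exactly 12 alphanumeric characters, case-insensitively."""
    return SERIAL_RE.fullmatch(serial.strip().upper()) is not None


def parse_serial(serial: str) -> SerialFields:
    """Split a serial into the fields described on the page; reject anything else."""
    s = serial.strip().upper()
    if not SERIAL_RE.fullmatch(s):
        raise ValueError(f"not a 12-character alphanumeric serial: {serial!r}")
    return SerialFields(s[0:3], s[3:5], s[5:8], s[8:12])


def same_batch(a: str, b: str) -> bool:
    """True when two serials share location, year/week and model, i.e. differ
    only in the 3-character unit identifier."""
    fa, fb = parse_serial(a), parse_serial(b)
    return (fa.location, fa.year_week, fa.model) == (fb.location, fb.year_week, fb.model)


def batch_size_upper_bound() -> int:
    """Upper bound on distinct serials in one batch: only the unit id varies,
    so at most 36**3 values. Knowing one corporate serial narrows the space of
    plausible siblings to this bound, which is why a serial alone should not be
    treated as an enrollment credential."""
    return ALPHABET_SIZE ** 3


if __name__ == "__main__":
    # Constructed sample serial, not a real device.
    fields = parse_serial("C02XY1AZJ1WK")
    print(fields)
    print("siblings in batch <=", batch_size_upper_bound())
```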
The file /Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd exports functions that can be considered high-level "steps" of the enrolment process.
This part of the process occurs when a user boots a Mac for the first time (or after a complete wipe), or when executing sudo profiles show -type enrollment.

Retrieval of the Activation Record is driven by CPFetchActivationRecord and implemented by cloudconfigurationd via XPC. The "Setup Assistant" (when the device is first booted) or the profiles command will contact this daemon to retrieve the activation record. It follows a few steps to get the Activation Record, performed by MCTeslaConfigurationFetcher. This process uses an encryption called Absinthe:
- Initialize state (NACInit), using device-specific data such as the Serial Number obtained via IOKit
- Establish the session (NACKeyEstablishment)
- Make the request, sending the data { "action": "RequestProfileConfiguration", "sn": "" }
- The JSON payload is protected with Absinthe (NACSign)

The response is a JSON dictionary with some important data like:
Profile installation is driven by CPInstallActivationProfile.

Typically, the activation profile provided by an MDM vendor will include the following payloads:
- com.apple.mdm: to enroll the device in MDM
- com.apple.security.scep: to securely provide a client certificate to the device
- com.apple.security.pem: to install trusted CA certificates to the device's System Keychain

The MDM payload contains key properties:
- the MDM check-in URL (CheckInURL)
- the MDM command polling URL (ServerURL) + the APNs topic to trigger it

To install the MDM payload, a request is sent to CheckInURL; this is implemented in mdmclient. The payload allows requests to be pinned to specific certificates via the properties CheckInURLPinningCertificateUUIDs and ServerURLPinningCertificateUUIDs.

When polling for MDM commands, mdmclient sends the request to ServerURL and makes use of the previously installed MDM payload:
- ServerURLPinningCertificateUUIDs for pinning the request
- IdentityCertificateUUID for the TLS client certificate

As previously commented, in order to try to enrol a device into an organization only a Serial Number belonging to that Organization is needed. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations and so on.
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
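Because the MDM payload only pins CheckInURL and ServerURL when the pinning properties above are present and point at a PEM payload in the same profile, a defender reviewing a vendor's activation profile can check for that mechanically. The following Python is an added example, not code from the HackTricks page or from any MDM vendor: it builds a constructed configuration profile (the PayloadContent / PayloadType / PayloadUUID layout is the standard profile structure; all UUIDs, URLs and the APNs topic are placeholders) and audits its com.apple.mdm payload for the properties named above. The Topic key is assumed to be the APNs topic key of the MDM payload.

```python
import plistlib

# Payload types named in the page's description of an activation profile.
MDM_TYPE = "com.apple.mdm"
SCEP_TYPE = "com.apple.security.scep"
PEM_TYPE = "com.apple.security.pem"


def build_profile(pinned: bool = True) -> bytes:
    """Constructed sample profile (placeholders only, not a real vendor profile).
    With pinned=False the MDM payload omits both *PinningCertificateUUIDs keys,
    which is the weak configuration the audit should flag."""
    pem_uuid = "11111111-1111-1111-1111-111111111111"
    scep_uuid = "22222222-2222-2222-2222-222222222222"
    mdm = {
        "PayloadType": MDM_TYPE,
        "PayloadUUID": "33333333-3333-3333-3333-333333333333",
        "CheckInURL": "https://mdm.example.invalid/checkin",
        "ServerURL": "https://mdm.example.invalid/server",
        "Topic": "com.apple.mgmt.External.placeholder",  # assumed APNs topic key
        "IdentityCertificateUUID": scep_uuid,             # TLS client cert from SCEP
    }
    if pinned:
        mdm["CheckInURLPinningCertificateUUIDs"] = [pem_uuid]
        mdm["ServerURLPinningCertificateUUIDs"] = [pem_uuid]
    profile = {
        "PayloadType": "Configuration",
        "PayloadUUID": "44444444-4444-4444-4444-444444444444",
        "PayloadContent": [
            # PEM payload carrying the trust anchor used for pinning (placeholder DER bytes).
            {"PayloadType": PEM_TYPE, "PayloadUUID": pem_uuid, "PayloadContent": b"\x30\x82placeholder"},
            {"PayloadType": SCEP_TYPE, "PayloadUUID": scep_uuid},
            mdm,
        ],
    }
    return plistlib.dumps(profile)


def audit_mdm_profile(data: bytes) -> list[str]:
    """Return findings for the com.apple.mdm payload; an empty list means both
    URLs are https and pinned to a PEM payload, and the identity certificate is
    sourced from a SCEP payload in the same profile."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    mdm_payloads = [p for p in payloads if p.get("PayloadType") == MDM_TYPE]
    if len(mdm_payloads) != 1:
        return [f"expected exactly one {MDM_TYPE} payload, found {len(mdm_payloads)}"]
    mdm = mdm_payloads[0]
    findings = []
    for url_key, pin_key in (("CheckInURL", "CheckInURLPinningCertificateUUIDs"),
                             ("ServerURL", "ServerURLPinningCertificateUUIDs")):
        url = mdm.get(url_key, "")
        if not url.startswith("https://"):
            findings.append(f"{url_key} is not https: {url!r}")
        pins = mdm.get(pin_key) or []
        if not pins:
            findings.append(f"{pin_key} missing or empty: {url_key} requests are not pinned")
        for uuid in pins:
            if by_uuid.get(uuid, {}).get("PayloadType") != PEM_TYPE:
                findings.append(f"{pin_key} entry {uuid} does not reference a {PEM_TYPE} payload")
    ident = mdm.get("IdentityCertificateUUID")
    if ident is None:
        findings.append("IdentityCertificateUUID missing: no TLS client certificate for ServerURL")
    elif by_uuid.get(ident, {}).get("PayloadType") != SCEP_TYPE:
        findings.append(f"IdentityCertificateUUID {ident} does not reference a {SCEP_TYPE} payload")
    return findings


if __name__ == "__main__":
    print("pinned profile:", audit_mdm_profile(build_profile()))
    print("unpinned profile:", audit_mdm_profile(build_profile(pinned=False)))
```

Run against a real exported profile with audit_mdm_profile(open(path, "rb").read()); profiles that are CMS-signed must be unwrapped first, since plistlib only reads the plain plist.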