Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Macs in Enterprise Can Be Hacked on First Boot

Hacking Macs in the enterprise via MDM

Hacking Macs in the enterprise via MDM

Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.

MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.

When a device is enrolled in MDM, it receives a Configuration Profile, which can either be installed manually or ​automatically using the Device Enrollment Program (DEP). If DEP is used on macOS, the device automatically checks in with the MDM server during the initial setup process or after the system has been reset to factory settings and the operating system has been reinstalled.

The DEP profile received by a device during this process is delivered by Apple but populated by the MDM server. The profile includes information such as the MDM server’s URL, pinned certificates, and which screens should be skipped during the setup process.

One of the most popular MDM commands used during the initial setup process is InstallApplication, which allows administrators to install a specified application package. The command relies on a manifest URL that returns an XML file containing all the information needed to install the app.

Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, showed this week at the Black Hat security conference how a threat actor could compromise the retrieval of the manifest and install a different application than the one intended by the victim.

Exploitation involves a man-in-the-middle (MitM) attack, which makes it difficult for unsophisticated cybercrime groups. However, a sophisticated state-sponsored actor or a malicious ISP may be able to carry out such an attack and infiltrate devices in a targeted organization.

According to Bélanger and Endahl, an attacker could use this method to take full control of Mac computers right after they are unboxed, as soon as they connect to the organization’s Wi-Fi network.

The researchers disclosed their findings to Apple in late April and the tech giant acknowledged their findings on May 2. The company implemented a fix on July 9 with the release of macOS 10.13.6.

Apple addressed the issue by implementing a new MDM command named InstallEnterpriseApplication​. This command allows MDM vendors to provide specific certificates to pin the request to the manifest URL.

“It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem,” the researchers wrote in a paper.

Related: Attackers Target iPhones Using Open Source MDM Solution

Related: Apple Boosts Security in iOS 12, macOS Mojave

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.