2FA for Apple ID is available, do it now! (or don’t, see within)

On March 21st, Apple made two-factor authentication available for certain devices running iOS 9.3 or MacOS X El Capitan.

Now, let me save you some time.

If you are following the instructions, but not seeing 2FA available in your iCloud security settings, you probably have two-step verification already enabled.

In order to configure 2FA, you will have to disable two-step verification from one of your devices. This will require you to provide some inane ‘security question’ answers, but don’t worry – you won’t use them a single time.

One other note – if you’re signing into a MacOS X device with your iCloud credential, that goes away as well. You will be required to set a new local password that will be used to gain access if you cannot access your 2FA device(s). This may be a challenge for centrally managed environments, and could violate one or more of your internal policies. So please ask your IT department before doing this on a company-owned or managed device.

Once you’ve disabled two-step verification, you can follow the instructions linked above to configure 2FA. It’s pretty slick!

Here’s the notification I received on my Mac when changing a setting on my iPhone that required iCloud authentication:

[Screenshot: iCloud authentication notification on the Mac]

An introduction to conditional access in ConfigMgr (current branch)

Do you want to keep non-compliant devices from accessing critical company data and prevent otherwise authenticated end users from opening their Exchange store from a non-compliant device, whether it is hosted or on-premises?

Oh snap, y’all.

Something relatively (but not, really) new in ConfigMgr is conditional access for managed devices. Now, this is not your father’s NAC solution, but rather a way for Microsoft to leverage the integration among its services to give you some push-button protection. I’ll do my best to explain how it all works, but you can read this TechNet article for a primer.

First component to this magic is Office 365. You may already be leveraging the mobile device management features that are built in. They look like this:

[Screenshot: Office 365 protection center, mobile device management settings]

While that is some really nice functionality, if you have ConfigMgr deployed and are feeling froggy – you can go waaaaaaaaaaaay beyond MDM.

Here’s where the conditional access chickens come home to roost, and your investment in Office 365 gets weaponized.

You see, when your Exchange and Sharepoint services are already in the cloud (remember, the magic IT thing?) and you have a management conduit to those services (a la ConfigMgr service connection points), you can do unicorn-level rocket ship engineering with just a few clicks.

Hint: If you need some background on integrations available with ConfigMgr read this article on TechNet.

Let’s dig a little deeper and see how this works. The following diagram is taken from this TechNet article covering ConfigMgr 2012 R2 and shows the basic workflow for conditional access:

The first thing you’ll notice is that two things are checked before conditional access policy is evaluated:

  1. Am I targeted by a policy?
  2. Am I exempted from the targeted policy?

If you are not targeted or are exempted from that policy, then the device is permitted to connect to the service.

If the device is non-compliant in any way, whether that compliance policy comes from Intune or ConfigMgr, or the device is not joined to an authorized domain, it will be denied access to the protected service.
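To make the order of those checks concrete, here is a small model of the evaluation flow as an added example (it is not code from ConfigMgr, Intune or the TechNet article); the Device and ConditionalAccessPolicy structures and the sample inventory are constructed for illustration. Note what falls out of step 1: a device that is not targeted by any policy is never evaluated at all, so the untargeted list is the gap to review.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    groups: set              # groups the device/user is a member of (assumed model)
    domain_joined: bool
    # compliance verdict per management source, e.g. {"Intune": True, "ConfigMgr": False}
    compliance: dict = field(default_factory=dict)

@dataclass
class ConditionalAccessPolicy:
    service: str             # protected service, e.g. "Exchange Online"
    targeted: set            # groups the policy applies to
    exempt: set              # groups excluded from the policy
    require_domain_join: bool = True

def evaluate(policy: ConditionalAccessPolicy, dev: Device) -> tuple:
    """Return (decision, reason), checking in the order the workflow diagram shows."""
    # 1. Am I targeted by a policy?  Not targeted -> permitted (policy fails open)
    if not (dev.groups & policy.targeted):
        return ("allow", "not targeted by policy")
    # 2. Am I exempted from the targeted policy?  Exempt -> permitted
    if dev.groups & policy.exempt:
        return ("allow", "exempted from policy")
    # 3. Non-compliant according to ANY source (Intune or ConfigMgr) -> denied
    failing = sorted(src for src, ok in dev.compliance.items() if not ok)
    if failing:
        return ("deny", "non-compliant per " + ", ".join(failing))
    # 4. Not joined to an authorized domain -> denied
    if policy.require_domain_join and not dev.domain_joined:
        return ("deny", "not joined to an authorized domain")
    return ("allow", "compliant")

def untargeted(policy: ConditionalAccessPolicy, inventory: list) -> list:
    """Devices the policy never evaluates: the coverage gap a reviewer should look for."""
    return [d.name for d in inventory if evaluate(policy, d)[1] == "not targeted by policy"]

# Constructed sample policy and inventory (not real devices or groups)
POLICY = ConditionalAccessPolicy("Exchange Online", targeted={"All Staff"}, exempt={"CA-Exempt"})
INVENTORY = [
    Device("laptop-01", {"All Staff"}, True, {"ConfigMgr": True}),
    Device("phone-02", {"All Staff"}, False, {"Intune": False}),           # flagged non-compliant
    Device("exec-03", {"All Staff", "CA-Exempt"}, False, {"Intune": False}),  # exempt, so allowed
    Device("contractor-04", {"Contractors"}, False, {}),                   # never targeted
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.name, *evaluate(POLICY, d))
    print("untargeted:", untargeted(POLICY, INVENTORY))
```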

Why is this important?

It’s pretty simple – by combining ConfigMgr with Intune (and EMS!) and leveraging the conditional access feature set you are able to limit or deny access to services and data that properly authenticated end users would otherwise be able to obtain and potentially exfiltrate – with no additional systems or software.

Of course, there are some limitations and gotchas here – depending on the device operating system, whether the device is managed by standalone ConfigMgr or a hybrid implementation with Intune… and the specifics of your Office 365 subscription.

Interested? Make sure you check here ‘before you start’ any implementation design.

What you don’t know about systems management may kill you

I have seen a lot of endpoint trends come and go over my fifteen-plus years in enterprise technology. From the very first ‘mobile’ devices from Palm and HP (iPaq… the first iDevice!) to VDI and now the wave of constantly iterating MDM and mobile security platforms…

I ask myself, what’s a thoughtful CIO to do here?

In the interest of clarity, I should say that I have really only worked with two technologies throughout my IT career: Symantec’s Altiris technology and Microsoft System Center (the artist formerly known as Systems Management Server). There have been a few other brief flirtations (JAMF Casper, LANDesk, etc) but for the purposes of this article assume the commentary is relevant to what I know best.

Now, back to the question I posed. If you are leading a technology organization, or even running a growing business…do you know:

  • All of the form factors in the hands of your end users?
  • The number of solutions deployed to manage those devices?
  • Your patch compliance across the entire ecosystem?
  • What to do in case of emergency?

My experience tells me that you probably don’t know the answer to any of those questions, let alone all of them. The good news is there’s probably someone that can identify the gaps and assess your risk (hint: it’s me, or another grizzled veteran of the Windows Vista wars).

But before you invest any time in the answers… let me give you a few hard truths:

  1. It’s impossible to manage risk without asset intelligence
  2. There are too many complex tools doing too many things
  3. You cannot secure devices you can’t manage
  4. Operational maturity is measured by how your team reacts to an advanced/persistent threat

With respect to asset intelligence, this is not an argument that your ITAM program is broken (but if you think it is, go look at this). The simple fact is you must know who is using what, where they are, and if they are using those tools for approved purposes. This is the difference between merely having information and having intelligence.

I am also willing to bet that you have separate MDM, MAM and endpoint management tools. This used to be a necessity, but with the rise of the hybrid architecture (watch out for the Azure Shark!) we can stitch the right tool with the right team to accomplish your systems management mission.

Do you have a single systems management platform?

Finally, when the fudge hits the ceiling fan you’ll find out whether you have asset intelligence that is actionable, enabling you to touch those devices and support your remediation mission. If you are a CISO/CSO reading this and want to have some fun – go ask your desktop guys for a live dashboard showing the manufacturer, model and operating system of every device with access to company IP. Keep in mind that is only a surface-level reading of your exposure.

Did they run away, or just pass out?