The release of Apple’s iPadOS presents a security risk for any organisation managing their devices with Azure AD Conditional Access policies.
On 24 September 2019, Apple will be introducing a significant upgrade to their iPad devices.
Previously, the iPad has shared the same operating software with the iPhone (iOS) but following the release of iOS 13 (released on 19 September 2019), Apple are also set to launch a variant of iOS that is specifically designed to take advantage of the larger display of the iPad and add powerful new capabilities. This will be called iPadOS.
iPadOS brings many improvements to the iPad and from an enterprise perspective, some of these will make the iPad a compelling device for mobile workers looking to access company resources.
Productivity enhancements include better text editing (new gestures for cut/copy/paste, undo/redo and for text selection; more precise cursor navigation; faster document navigation), multitasking (multiple windows from the same app; improved slide over and split view control) and enhanced file management (zip and unzip capability; new downloads folder; file server connection).
One of the other changes being introduced with iPadOS centres around how some key applications present themselves when accessing a website.
For example, the dominant iPad app for surfing and accessing online services is Safari. On an iPadOS device, Safari will automatically present the desktop version of a website instead of the mobile version. To achieve this, Safari will present itself as macOS instead of iOS.
And that can be a problem for secure access to online resources.
Many organisations already use Microsoft’s Office 365 and Azure to provide productivity services to their users, whether they are office-based or mobile workers.
In order to provide secure, controlled access to these online services, these organisations also use Azure AD Conditional Access (CA) policies to require a second factor of authentication beyond the username and password – such as invoking a multi-factor authentication (MFA) challenge or enforcing device compliance. This is based on the attributes of the user’s device.
If your organisation currently uses conditional access to control access from iOS devices, the introduction of iPadOS opens a loophole that could allow an upgraded iPad to gain access without the requirement for a second factor of authentication.
This greatly increases the risk of unauthorised access if a user has unwittingly had their login credentials compromised (e.g. through a phishing attack).
If your organisation uses Azure AD Conditional Access policies to secure your online services and some of those policies have been configured to apply when an iOS device is detected, you will be affected by this issue.
A conditional access policy that currently applies to an iOS device will not apply to the iPadOS device if the application being used reports itself as being “macOS” instead of “iOS”.
The current scenarios where this iPadOS change could cause the CA policies to be bypassed are:
It is recommended to enrol your iPad and Mac devices into a Mobile Device Management solution, such as Microsoft Intune or JAMF Pro, and to use a ‘require a compliant device’ policy action, since this is the most secure option when coupled with a managed device compliance policy. If that is not possible, ensure ‘require MFA’ is applied.
iPadOS is released on 24 September 2019, so you should review and update your conditional access policies before then, or as soon as possible afterwards, to ensure your online resources remain secured.
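One way to run that review over an exported policy list, as an added example that is not from the original article or from Microsoft: it assumes the policies are available as JSON in the shape of Microsoft Graph conditionalAccessPolicy objects, and it flags enforced iOS policies whose applications have no enforced MFA or compliant-device policy for macOS. The policy names and the app id in the sample are constructed, and the comparison looks at application scope only.

```python
import json

STRONG = {"mfa", "compliantDevice"}  # the two controls the article recommends

# Constructed sample, shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE = json.loads("""[
 {"displayName": "iOS: MFA for Office 365", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]},
                 "platforms": {"includePlatforms": ["iOS"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "macOS: compliant device", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "platforms": {"includePlatforms": ["macOS"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "Any platform: MFA for one app", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["constructed-app-id"]},
                 "platforms": null},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")

def applies_to(policy, platform):
    """True if the policy's device-platform condition matches `platform`."""
    plat = policy["conditions"].get("platforms")
    if not plat:  # no platform condition means every platform is in scope
        return True
    inc = plat.get("includePlatforms") or []
    exc = plat.get("excludePlatforms") or []
    return (platform in inc or "all" in inc) and platform not in exc

def enforced_strong(policy):
    """Enabled (not report-only) and requiring MFA or a compliant device."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy["state"] == "enabled" and bool(STRONG & set(controls))

def apps(policy):
    return set(policy["conditions"]["applications"]["includeApplications"])

def find_ipados_gaps(policies):
    """Names of iOS-scoped policies whose apps have no enforced macOS policy.
    Simplification: compares application scope only, not users or locations."""
    mac = [p for p in policies if enforced_strong(p) and applies_to(p, "macOS")]
    return [p["displayName"] for p in policies
            if enforced_strong(p) and applies_to(p, "iOS")
            and not any("All" in apps(m) or apps(p) <= apps(m) for m in mac)]

if __name__ == "__main__":
    print(find_ipados_gaps(SAMPLE))
```

In the sample, the macOS policy is report-only, so it does not count as coverage and the iOS policy is reported as a gap.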
Without wishing to go all “Project Fear”, if you have iOS policies for secure access but don’t have macOS policies, the upgrade to iPadOS could result in open access to your organisation’s resources.
Valid login credentials would still be required but you would no longer have a mechanism in place to challenge for extra authentication and ensure the identity of your iPad users.
Imagine that your Chief Financial Officer has had her shiny new iPad Pro delivered to her office. Whenever she uses it to access her Office 365 email and SharePoint Online documents from home, she gets asked to complete an MFA challenge to confirm that it is really her.
So far, so good. But after her iPad receives the latest upgrade on or soon after the launch date, she no longer gets the challenge.
Neither does the malicious attacker who managed to fool the CFO into supplying her user credentials via a website linked from a phishing email, and is now able to access the same email account without verification to learn more about your organisation and gain access to some highly sensitive information.
For more information about the impact of this change, visit the Microsoft website.
If you’re concerned that the iPadOS change might leave you vulnerable, our experts are on hand to advise and assist with any worries you may have about the upgrade to iPadOS and the impact this could have on your current security posture.
Simply get in touch with us and we’ll work with you to ensure your devices remain secure.
As head of our Mobility & Security practice, Mat’s responsibilities include ensuring that our technical knowledge and delivery capability are fully up to speed and current, as well as creating a...