A Deep Dive into macOS MDM (and How it can be Compromised)

Conference: BlackHat USA 2018



The presentation discusses vulnerabilities in the MDM and DEP systems on macOS and provides recommendations for improving security.
  • The MDM and DEP systems on macOS have vulnerabilities at the intersections, or borders, between different threat models
  • Recommendations for improving security include documenting the entire security model for DEP and MDM, providing more granular control over MDM settings, and improving the security of configuration profiles
  • An anecdote demonstrates how a malicious package can be installed on a device through a man-in-the-middle attack
  • Tags: Cybersecurity, DevOps, macOS, MDM, DEP

The presenters demonstrate how a malicious package can be installed on a device through a man-in-the-middle attack. They show how a package can be installed into the system-wide launch agents folder, which means that any user who logs in will have Calculator launched. It is important to note that even though the payload was launched in a user context, the device is fully rooted at first boot.


On macOS, DEP (Device Enrollment Program) and MDM (Mobile Device Management) are the recommended methods for automating the initial setup and configuration of new devices. MDM can offer sophisticated system configuration options, including privileged operations such as adding new trusted root CA certificates to the System Keychain. Apple's MDM implementation has recently gained popularity in the enterprise world due to its richer feature set. The recent introduction of User Approved MDM and the continued enhancements to security technologies such as SIP, Gatekeeper and others are evidence of Apple's ongoing commitment to MDM. Some operations, such as whitelisting of allowed kernel extensions, are now only supported if the device is enrolled in a trusted MDM.

Under the hood, the DEP and MDM implementation involves many moving parts. Within macOS, several daemons are involved in the process of bootstrapping the trust necessary to bring a new device up to a fully provisioned state. If an attacker can identify vulnerabilities within the bootstrapping process and effectively exploit them, they may be able to make use of this trusted process to compromise a device as it first boots.

Our talk walks through the various stages of bootstrapping, showing which binaries are involved and the IPC flows on the device, and evaluates the network (TLS) security of key client/server communications. We will follow with a live demo showing how a nation-state actor could exploit this vulnerability such that a user could unwrap a brand new Mac, and the attacker could root it out of the box the first time it connects to WiFi.