Using Ivanti Neurons and MobileIron UEM to Handle the Latest iOS, iPadOS, and tvOS Vulnerabilities Proactively
On Tuesday, January 26, 2021, Apple released version 14.4 of its iOS, iPadOS, and tvOS products that included patches for three security vulnerabilities that affect iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation, as well as Apple TV. According to this Apple support document, an anonymous security researcher reported the vulnerabilities and reserved the following Common Vulnerabilities and Exposure numbers CVE-2021-1782, described as a race condition in the OS kernel that could be exploited by a malicious application and can lead to a privilege escalation. The researcher also filed CVE-2021-1870 and CVE-2021-1871 concerning WebKit browser engine flaws that can permit a threat actor to perform an arbitrary code execution on the Safari browser. Users are encouraged to update to this latest version as soon as possible.
How do Ivanti Neurons, MobileIron Unified Endpoint Management (UEM), and threat defense (MTD) help? Many companies allow bring-your-own device (BYOD) work policies, especially so in today’s pandemic environment. For employees that own their iPhone or iPad and work from home, Ivanti Neurons™ for Discovery provides complete visibility of all devices connected to the corporate network—along with the OS version they are using—so it’s easy to identify the users that need to update.
Within MobileIron UEM, a custom-tiered compliance policy can be enforced by setting a time limit for the user to update to the prescribed OS version. First, a user alert can be sent via push notification and email, then we can allow a specific wait time period for the user to download and install the update. If the user ignores these alerts, more restrictive compliance actions like blocking access to work resources can be applied after specified time periods have elapsed. If the user continues to ignore the alerts, an additional quarantine action can then be enforced on the device by removing or hiding managed work apps and content, as well as corporate VPN connection settings. A final action of selectively wiping all UEM-provisioned corporate management settings, as well as managed apps along with associated enterprise data, can be applied by retiring the device completely from UEM.
For corporate-owned devices, Ivanti Neurons for Patch Intelligence and MobileIron UEM can install critical security updates to managed devices automatically without user interaction. MobileIron Threat Defense (MTD) acts as an additional insurance policy if the user inadvertently downloads malware that seeks to exploit vulnerabilities on both patched and unpatched devices. Sophisticated chained exploits can escape the application sandbox and then potentially elevate permissions to a remote-privilege escalation attack that completely takes over the device without the user ever knowing. As the exploit evolves up the mobile cyber kill chain, a lateral movement onto the connected network can occur as the threat actor seeks out other connected devices for high-value credentials, critical work or personal data, or ever increasingly, to launch ransomware.
MTD provides multiple layers of protection with an on-device and cloud-based threat detection and remediation engine. The solution detects increasingly sophisticated phishing and pharming attacks, malicious and leaky applications, and exploit kits that may lead to compromised devices. MTD is also adept at detecting elevation of privileges, file-system changes, and application tampering.
In an age where the enterprise seldom has little control over the network accessing company data, the solution excels at detecting Man-in-The-Middle attacks (MiTM), IP/TCP/UDP reconnaissance, risky and malicious Wi-Fi, and lateral-movement artifacts like network handoff, internal network access, and gateway changes at the network level.
For current MobileIron Cloud customers that wish to encourage their users to update to iOS or iPadOS 14.4, here are some examples of actions you can take from our MobileIron Cloud platform that can help speed up your deployments. For company-owned devices, you also have the option to specify an update as part of a “Software Updates” Configuration. Similar options are available for MobileIron Core.
Also, we can prevent older versions from enrolling:
Specify an update window to a specific version for supervised (institutionally-owned) devices: