I'm neither an employee nor a customer, just someone who was following the project on twitter because it looked very intriguing. I just want to say that the comments on this thread are absolutely ridiculous and I expected better. Does anyone actually think the customers would find out at the last minute? That the company would leave its users without any support? It's baseless speculation and my guess is it's totally wrong.
- The company is founded by Blake Mizerany https://twitter.com/bmizerany?lang=en an engineer known for Sinatra and a bunch of other well respected projects.
- The users adopting an early stage startup's product are likely friends/former colleagues who are putting personal trust into the team. Does anyone really think nobody got a heads up, or possible support deals while they migrate?
I think zalmoxes' point was that they may have found out through direct contact from the founders, or a customer-only email 2 weeks ago - rather than just by loading up the homepage today.
Well, no, it's literally not. It's actually a reasonably long lead time for “going out of business”, which basically no one ever announces before essentially all hope of finding a way to keep the business running is exhausted, which intrinsically means there is little runway left.
Yep, it literally is last minute for a platform product used by others during a time of the year when the developers responsible for finding/building a replacement would otherwise have gone on vacation.
If this were a tangible product, a week notice would be fine since it gives customers time to stock up.
> I just want to say that the comments on this thread are absolutely ridiculous and I expected better. Does anyone actually think the customers would find out at the last minute? That the company would leave its users without any support? It's baseless speculation and my guess is it's totally wrong.
Well, it's their baseless speculation and your guess, so a level playing field. You can make the same point without baiting other commenters—in fact you just make your point without baiting other commenters, that's how.
Hi, I'm the author (along with several other developers).
MicroMDM is used in some enterprise environments and was recently mentioned in a number of security presentations regarding Apple's MDM and Device Enrollment Program services.
Do you know if a small business can use DEP features?
Could per-app VPNs be used without DEP? If so, could they be used with MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a 3rd-party VPN client like Cisco required for per-app VPN?
Anyone can use DEP, just need a DUNS number to enroll into the program, and then to purchase devices from Apple direct, or from an approved reseller.
Unfortunately you cannot retroactively add devices that were already purchased.
Speaking as a former Apple employee I can say with 100 percent certainty that you can add devices post purchase even before DEP existed. There are a number of ways:
If the device was purchased on or after March 1st 2011 you can do the following:
1. Work with your reseller if they participate in DEP to get the devices enrolled retroactively. Sometimes you have to put the nails on the reseller (they can be pretty bad about this. Looking at you Verizon) but it absolutely can be done.
2. If your devices are eligible and were a direct purchase from Apple you should contact Apple's enterprise support and they can start the process of double checking eligibility and getting those devices enrolled accordingly. This is pretty straightforward.
3. You can enroll eligible devices via Apple Configurator 2 into DEP using the process described here:
Using Apple Configurator 2 will allow you to bypass any reseller to enroll into DEP so it’s your best move if you are having issues getting people to do it fast enough. Any eligible device can be enrolled this way.
Here’s a relevant help link with phone numbers and more on eligibility and enrolling etc.
> purchase devices from apple direct, or from an approved reseller. Unfortunately you cannot retroactively add devices that were already purchased.
So you need to provide a DEP-authorized account number to the salesperson in an Apple store? Is this possible when buying online from apple.com?
Any idea why Apple does not provide a service to test whether a device serial number is DEP-managed? It would deter attempts to resell DEP-managed devices.
> an attacker that obtains such a serial number ... will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server.
So, the rule is at-most-once enrollment.
And further down:
> some organizations elect not to require user authentication as part of MDM enrollment.
IOW, if you are not enabling authentication, you have only yourself to blame.
Are those the same profiles generated by Apple Configurator 2? I was able to get per-site Safari VPNs added by manually editing XML in the profile, but no success with per-application VPNs.
Commercial MDM providers only whitelist a handful of VPN client apps for per-app VPN profiles. Why are those needed when there is already a native iOS VPN client for IPSEC?
Funnily enough I have been trying to do that today - I don't think you can. You create the per app VPN with a UUID, but the only way to associate an app to a Per-App-VPN definition is through MDM - I think.
I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)
Duo very nicely gave multiple shout-outs in their post, including to zalmoxes (above), as well as my co-presenter and me. Sadly the traditional vendors in the space don’t have a track record of caring about security engineering. I’m glad that Duo’s latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn’t a primary focus of our research and we didn’t tie it back to the shortcomings of DEP’s lack of verification around device identity. Extremely happy to see more focus on this stuff.
^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.
Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).
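The checklist item mentioned above (an HMAC inside the SCEP payload) is about binding the SCEP challenge password in an enrollment profile to the specific, already-authenticated device it was generated for, so that a challenge lifted from one profile cannot be redeemed by another device. The following is an added illustration written for this thread; it is not MicroMDM's, Fleetsmith's or Duo's code, and the challenge format (hex nonce, expiry, hex HMAC-SHA256 tag), the `ChallengeIssuer` type and the in-memory used-nonce set are all constructed for the example. It also enforces the at-most-once redemption that the thread's earlier comment describes, which a real server would persist rather than keep in memory.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	ErrMalformed = errors.New("scep challenge: malformed")
	ErrExpired   = errors.New("scep challenge: expired")
	ErrBadMAC    = errors.New("scep challenge: HMAC mismatch (different device or tampered)")
	ErrReplayed  = errors.New("scep challenge: already redeemed")
)

// ChallengeIssuer mints and checks device-bound SCEP challenge passwords.
// (Constructed type for this example, not an MDM product's API.)
type ChallengeIssuer struct {
	secret []byte          // server-side key; never sent to devices
	ttl    time.Duration   // how long an issued challenge stays valid
	now    func() time.Time // injectable clock so tests are deterministic
	used   map[string]bool // nonces already redeemed (in-memory stand-in for a persistent store)
}

func NewChallengeIssuer(secret []byte, ttl time.Duration) *ChallengeIssuer {
	return &ChallengeIssuer{secret: secret, ttl: ttl, now: time.Now, used: map[string]bool{}}
}

// mac computes HMAC-SHA256 over nonce || udid || expiry with separators, so
// changing any one field invalidates the tag.
func (c *ChallengeIssuer) mac(nonce []byte, udid string, expiry int64) []byte {
	h := hmac.New(sha256.New, c.secret)
	h.Write(nonce)
	h.Write([]byte{0})
	h.Write([]byte(udid))
	h.Write([]byte{0})
	h.Write([]byte(strconv.FormatInt(expiry, 10)))
	return h.Sum(nil)
}

// Issue returns the challenge to embed in the SCEP payload of the enrollment
// profile generated for one specific device identity (udid).
func (c *ChallengeIssuer) Issue(udid string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	expiry := c.now().Add(c.ttl).Unix()
	tag := c.mac(nonce, udid, expiry)
	return fmt.Sprintf("%s.%d.%s", hex.EncodeToString(nonce), expiry, hex.EncodeToString(tag)), nil
}

// Verify is what the SCEP server calls when a certificate request arrives with
// a challengePassword; udid is the identity the request claims.
func (c *ChallengeIssuer) Verify(udid, challenge string) error {
	parts := strings.Split(challenge, ".")
	if len(parts) != 3 {
		return ErrMalformed
	}
	nonce, err := hex.DecodeString(parts[0])
	if err != nil || len(nonce) != 16 {
		return ErrMalformed
	}
	expiry, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return ErrMalformed
	}
	tag, err := hex.DecodeString(parts[2])
	if err != nil {
		return ErrMalformed
	}
	// Check the tag first (constant time) so a forged challenge reveals
	// nothing about expiry or redemption state.
	if !hmac.Equal(tag, c.mac(nonce, udid, expiry)) {
		return ErrBadMAC
	}
	if c.now().Unix() > expiry {
		return ErrExpired
	}
	if c.used[parts[0]] {
		return ErrReplayed
	}
	c.used[parts[0]] = true // at-most-once redemption
	return nil
}

func main() {
	issuer := NewChallengeIssuer([]byte("constructed-demo-secret"), 10*time.Minute)
	ch, _ := issuer.Issue("UDID-DEVICE-A")
	fmt.Println("device A:", issuer.Verify("UDID-DEVICE-A", ch)) // nil: accepted
	fmt.Println("device B:", issuer.Verify("UDID-DEVICE-B", ch)) // HMAC mismatch
	fmt.Println("replay A:", issuer.Verify("UDID-DEVICE-A", ch)) // already redeemed
}
```

The server secret never leaves the MDM; the device only ever sees the challenge string, and the SCEP server recomputes the tag from the identity the request claims, so a challenge copied out of one profile is useless for any other device identity and, once redeemed, for the original device too.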
The server is only meant for enterprise deployments. It would be pretty hard to do this on a personal level because you need to apply for an enterprise account with Apple, and request a very specific push certificate option.
You can't even sign up for the Enterprise program if your Apple ID is associated with the Apple Developer Program. You'll get the following error when signing up:
> Your Apple ID is already associated with a Team Agent enrolled in this program
Setting up Mobile Device Management itself is not particularly onerous, it's definitely best practice to create a new Apple ID for that purpose, however. A technical individual can already do this easily enough with the freely-available Meraki MDM. The Device Enrollment Program I believe is more complicated and inaccessible to individuals (haven't dealt with this personally), and is quickly becoming a prerequisite for many of the more invasive and useful capabilities, like the kext signing and deployment mentioned on the MicroMDM homepage.
Hm, guess I missed that...and their offering has a long way to go before I'd consider it worth paying for. An alternative then might be Jamf, they recently started offering a free tier with a handful of devices for their hosted 'Jamf Now' MDM (or at least it's free via their promotions on sites like Daring Fireball).
The code from go kit and [oklog](https://github.com/oklog/oklog) are great examples of idiomatic Go.
Unfortunately the community at large doesn't really follow the "no init"/"no package global vars" conventions, which can sometimes lead to bad experiences importing open-source Go libs.
I feel like go-kit is quite antithetical to the Go mindset...it presents a lossy abstraction as a means of future-proofing against eventualities that will almost certainly never be encountered.
To be honest it strikes me as the sort of library that excites intermediate developers who tend to over-architect.
Your "almost certainly never" is another organization's "certainly inevitable" or "already happened". Go kit's scope and applicability is pretty clearly enumerated in the documentation. And there's nothing lossy about its abstractions.
> the sort of library that excites intermediate developers
I find this true about nearly all microservices in Go. Microservices are much more useful in something like Node that can only take advantage of 1 OS thread per instance. Without containerization and load balancing in Node you wouldn't be able to scale.
Go on the other hand can efficiently utilize a nearly unlimited amount of threads as necessary with its scheduler. You're much more likely to over-architect if you don't keep this capacity in mind.
xenolf/lego arguably has the widest support in the sense of ACME verification methods, but autocert might get other methods too: https://github.com/golang/go/issues/21890
Yeah, I think I will try the simpler approach. I generally just have stuff like
tool [-debug] [-store sqlite] cmd [-opt] [arg]
So, main needs to bootstrap logger and store and then delegate to downstream commands that almost always will consume the store and logger.
I'm currently using PersistentPreRunE to bootstrap the logging and store... but I'm not really happy with the end result and some things are awkward. Maybe it would be less awkward if cobra had a 'Context' I could stick things in. The last issue was I added a version subcommand, which kept creating the store. I ended up having to do
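One way to get the shape described in that comment (global flags parsed once, logger bootstrapped in main, store shared with every subcommand, but a `version` subcommand that never opens it) is to hand each subcommand a small application struct whose store is opened lazily on first use. The following is an added example written for this thread using only the standard library's `flag` package in place of cobra; it is not the commenter's code, and the `App`, `Store` and `Run` names, the in-memory stand-in store and the `OpenCount` counter are constructed for the illustration.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"log"
	"os"
	"sync"
)

// Store is whatever backend the commands need (sqlite etc.); stubbed here.
type Store interface{ Name() string }

type memStore struct{ name string }

func (m memStore) Name() string { return m.name }

// App is the "context" handed to every subcommand: logger plus a lazily
// opened store. (Constructed for this example.)
type App struct {
	Logger    *log.Logger
	storeName string
	once      sync.Once
	store     Store
	storeErr  error
	OpenCount int // how many times the store was actually opened
}

// Store opens the backing store on first use only, so a command that never
// asks for it (such as "version") never pays for it.
func (a *App) Store() (Store, error) {
	a.once.Do(func() {
		a.OpenCount++
		a.Logger.Printf("opening %s store", a.storeName)
		switch a.storeName {
		case "sqlite", "mem": // stand-ins; a real tool would open the database here
			a.store = memStore{name: a.storeName}
		default:
			a.storeErr = fmt.Errorf("unknown store %q", a.storeName)
		}
	})
	return a.store, a.storeErr
}

// Command is a subcommand: it receives the App and its own remaining args.
type Command func(app *App, args []string) error

var commands = map[string]Command{
	"version": func(app *App, _ []string) error {
		app.Logger.Println("version 0.0.0-example") // never touches the store
		return nil
	},
	"list": func(app *App, args []string) error {
		fs := flag.NewFlagSet("list", flag.ContinueOnError)
		limit := fs.Int("limit", 10, "max rows")
		if err := fs.Parse(args); err != nil {
			return err
		}
		st, err := app.Store()
		if err != nil {
			return err
		}
		app.Logger.Printf("listing up to %d rows from %s", *limit, st.Name())
		return nil
	},
}

// Run parses the global flags (tool [-debug] [-store sqlite] cmd [-opt] [arg]),
// bootstraps the logger, then delegates to the named subcommand.
func Run(argv []string, out io.Writer) (*App, error) {
	fs := flag.NewFlagSet("tool", flag.ContinueOnError)
	fs.SetOutput(out)
	debug := fs.Bool("debug", false, "verbose logging")
	storeName := fs.String("store", "sqlite", "store backend")
	if err := fs.Parse(argv); err != nil {
		return nil, err
	}
	if fs.NArg() == 0 {
		return nil, errors.New("usage: tool [-debug] [-store sqlite] cmd [-opt] [arg]")
	}
	logger := log.New(out, "tool: ", 0)
	if *debug {
		logger.SetFlags(log.Ltime | log.Lshortfile)
	}
	app := &App{Logger: logger, storeName: *storeName}
	cmd, ok := commands[fs.Arg(0)]
	if !ok {
		return app, fmt.Errorf("unknown command %q", fs.Arg(0))
	}
	return app, cmd(app, fs.Args()[1:])
}

func main() {
	if _, err := Run(os.Args[1:], os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
}
```

Because the store is behind a `sync.Once`, the subcommands keep the simple "just call `app.Store()`" ergonomics, while commands that don't need it carry no special-casing in the bootstrap code.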
If you haven't already, join the MacAdmins Slack. https://macadmins.herokuapp.com
It's an open-invite slack team with over 12000 users - sysadmins, MDM developers, security researchers and so on.
We have various ongoing efforts to document and improve the macOS experience for users. If you have a macOS question, you'll likely find the answer there.
Well, I hope the Google Bot (plus whichever one DDG uses) also has an invite to that proprietary, closed, messaging system, or that the "macadmins" owner has set up a channel mirroring system à la IRC web logs, otherwise the system you described isn't contributing to the open body of knowledge.
Related, although mildly off topic, :fu: slack search
Second, Backplane really looked like great tech https://www.youtube.com/watch?v=43wFJBRTHG0