Skip to main content
Question

iOS Security Update

  • April 22, 2020
  • 3 replies
  • 24 views
A
Forum|alt.badge.img+10

Hi Jamf Nation,

Today a security research firm published a report about a potential vulnerability with Apple Mail for iOS. Apple confirmed that the vulnerability is patched in iOS 13.4.5 beta 2 (released April 15, 2020) and will be patched in an upcoming public release. The date for the public release has not been announced.

Every organizationā€™s risk tolerance is unique. If you are concerned about iOS devices in your environment - regardless of whether you manage them with Jamf - the following actions may help mitigate potential risk outlined in this report:

Ensure iOS devices are updated
Running the latest operating system is a best practice to keep devices protected.
- Use mobile device management (MDM) to remotely manage operating system updates as soon as new versions are available from Apple.
- For instructions on how to update iOS devices, see our OS Upgrade Guide.

Temporarily use an alternate iOS email application
Because this vulnerability appears to impact only the Apple Mail client on iOS, using an alternate email app may be a way to mitigate risk.
- To see how Jamf and Microsoft make it easy to deploy Outlook for iOS, check out our blog post.
- Leverage Jamf Self Service notifications or deploy a web clip to guide end users through account setup.

Temporarily turn off Apple Mail
If you are especially concerned about the risk this vulnerability poses, turning off Apple Mail is one more way to help mitigate the risk of this vulnerability.
- End users can turn off mail accounts on their own iOS devices by going to: iOS Settings ā†’ Passwords & Accounts ā†’ Email Account ā†’ Toggle Mail Off
- If a Mail setting is deployed via MDM, IT can remove it to delete the managed email account from end user devices.

If you have questions about how to take the steps outlined above, contact your Jamf representative or post a comment here.

We will update this post with information as it becomes available.

    3 replies

    dan-snelson
    Forum|alt.badge.img+30
    • dan-snelson
    • Honored Contributor
    • April 23, 2020

    Officially confirmed by Apple today: Flaw in iPhone, iPads may have allowed hackers to steal data for years

    "An Apple spokesman acknowledged that a vulnerability exists in Appleā€™s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally."

    Thanks to Microsoft Technical Support for the following information.

    The following may help block the native iOS mail client at the Microsoft Exchange server. (Note: These will block any ActiveSync clients, including Android native mail client. This would not affect Outlook for iOS/Android app.)

    New-ClientAccessRule -Name "Block ActiveSync" -Action DenyAccess -AnyOfProtocols ExchangeActiveSync -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24

    Another option within Exchange online is the New-ActiveSyncDeviceAccessRule to block just iOS but not Android ActiveSync client:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPod" -AccessLevel Block
      bpavlov
      Forum|alt.badge.img+18
      • bpavlov
      • Esteemed Contributor
      • April 24, 2020

      @Aaron.Kiemele Do you have any comment on this security issue given it's about the Jamf Pro product itself? https://www.jamf.com/jamf-nation/discussions/35488/jamfing-for-joy-attacking-macos-in-enterprise

      By the way, here's what Apple has to say on this iOS issue: https://www.bloomberg.com/news/articles/2020-04-24/apple-finds-no-evidence-hackers-exploited-iphone-ipad-mail-flaw

      E
      Forum|alt.badge.img+21
      • Emmert
      • Valued Contributor
      • April 24, 2020

      I'm pushing out an iOS update today via command, which I should probably just make a monthly to-do item for myself.

      If a device doesn't do it because it's low on space or less than 50% battery/not plugged in, will it try to force install it later, or just do the download and give up?

      I'll probably just clear all pending commands later and send out the command again to cover my bases, but I'm curious what exactly the command attempts. I really just have the wording of how JAMF describes it as my understanding of what many of these MDM things really do specifically.

      Terms & ConditionsCookie settingsAccessibility statement