Then the attacker would need to trick the users of those devices to install a malicious configuration profile. This wouldn’t be hard to do either, because most enterprise users are used to installing such profiles. They are typically used to deploy VPN, Wi-Fi, email, calendar and other settings.
The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device’s Internet connection. This would route the device’s traffic through a server under the attacker’s control and would enable the man-in-the-middle attack.
Security can't address social engineering 100%. If people do things they shouldn't, what can one do? Education is the best thing you can do. Similar to how one would train people to avoid scams other forms of social engineering whether through email, phone calls, in person, etc.
