Posted by rtrouton (latest reply on Jun 6, 2019 4:00 PM by rtrouton)

Question: Is there a way to mitigate the Hyper-Threading vulnerability via MDM versus only NVRAM arguments passed in Recovery?

Answer: No, because if it's available via MDM, it's also available to a potential remote attacker.

Question: When a macOS MDM device upgrades to Catalina, what requirements does the device need to have in order to be considered Supervised? Is User Approved MDM enough to be considered supervised?

Answer: Ask at the Device Management lab on Friday.

Question: Does User-Approved MDM provide the ability to run MDM commands available only to supervised Macs?

Answer: Ask at the Device Management lab on Friday.

Question: One of the bootstrap token criteria states: "The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager."

Does this mean that this is for ONLY ABM-based MDM enrollments, or does a UAMDM-enrolled system whose MDM is also configured in DEP meet this requirement?

Answer: Ask at the Device Management lab on Friday.

Question: What is the "member:UUID" certificate in the login keychain?

Answer: Yes, it's an Apple-generated certificate. It is harmless and it can be deleted, but it may be regenerated at a future time. I'm looking further into this and will get back to you with more details later.

Note: I went through multiple Apple Security engineers on this question. The first three had no idea and hadn't seen this before, but the ones that checked also saw it on their own Macs. The fourth engineer talked to someone else not at WWDC and gave me the answer below, while the fifth engineer is the one investigating.

Question: Is it possible to force-enable FileVault encryption via MDM on login without user dialogs? If so, what needs to be set?

Answer: Ask at the Device Management lab on Friday.