There's been a ton of ink spilled over the last several days regarding Apple's (justified, in my opinion) refusal to create a 'one-time' backdoor giving the FBI access to encrypted data stored on an iPhone 5c owned by San Bernardino County. And there are far smarter minds than mine already arguing the whys and wherefores of whether Apple should or should not bow to the demands of the FBI, Justice Department and Magistrate Court.
But there is another, larger question that needs answering. A question regarding this phone in particular and any device owned by or accessing data belonging to every government, business or educational entity:
- How is it that Syed Rizwan Farook's iPhone, which was issued to him by San Bernardino County, and which was being used for county government purposes, wasn't secured, managed and maintained using some type of Mobile Device Management (MDM) service?
- Why wasn't San Bernardino County in control of the device?
- What other of its devices are in day-to-day use, containing potentially sensitive data, that it has no control over as well?
How do I know San Bernardino County wasn't (and likely still isn't) using any kind of MDM to secure their devices?
Because if it was, it would have been able to clear the device's passcode in a matter of seconds. Take note of rob53's comments on this Macworld article. Emphasis mine:
This isn't Apple's fault, it's the County's fault. If the County had done their job, it would be an easy task to open up the iPhone since the MDM software is the equivalent of a legal backdoor. -rob53
That? Is 100 percent correct.
Every managed device has a legal back door.
Baked into every managed iOS device - whether you're using Apple's Server app's Profile Manger, JAMF Software's Casper or any other MDM service - is the ability to remotely clear the passcode.
Forget about the unnamed IT employee who reset the password for the Apple ID used on the phone.
Disregard the assertions that Apple is 'letting the terrorists win' if it doesn't create a backdoor to this device.
Pay no attention to the likelihood that any conversations Farook may have had in the weeks preceding this attack would have taken place on the personal phone he destroyed and not the phone his employer issued.
Why wasn't a device owned by a government entity being managed by that government entity?
The question isn't why Apple doesn't want to unlock the device; it's why wasn't this device managed? Why wasn't a device owned by a government entity being managed by that government entity? And, to personalise this a bit, what are you doing to take control of your devices?
Sign up for MIS Asia eNewsletters.