Warning: tying domain macOS devices and CVE-2021-42287

Vulnerability Details:

In autumn 2021, Microsoft discovered a security issue in Active Directory Domain Services (ADDS) called CVE-2021-42287.This vulnerability could allow a potential attacker to emulate a domain controller. The issue is a security bypass vulnerability that affects Kerberos Privileged Attribute Certificates (PACs).

While Microsoft provided more detailed information about the issue, as well as remediation instructions on its support site, administrators immediately noticed a subsequent problem as a result of taking corrective action: the fixed server no longer allowed macOS to bind to Active Directory.

Immediate steps to take:

  • Assess your environment: if your organisation does not require its macOS to bind to Active Directory domain controllers, no further action is required. However, many organisations with shared devices make them bind to AD for centralised user account management.
  • Take steps to protect Active Directory: In Microsoft’s remediation steps above, set the registry entry for PacRequestorEnforcement to “1” and test that the macOS device is able to communicate with the domain controller.
  • Submit feedback to Apple: If your workflow requires devices to bind to AD, submit feedback to Apple clearly identifying the number of affected devices, use cases, and impact on your organisation.
  • Future plans: Microsoft will begin implementing domain controller validation on 12 July 2022. During this time, domain controllers will enter the implementation phase, which may result in inaccessibility to macOS devices that rely on ADDS authentication, depending on your organisation’s infrastructure. Organisations are advised to find alternative solutions for ongoing business operations.
  • A non-binding future: whatever actions Microsoft may take, changes to binding implementations may make it more difficult to get support for workflows. At the same time, the adoption of remote and hybrid work environments is clear, with many organisations moving to cloud-based device management, applications and services, access and identity services. Migrating organisations, resources and infrastructure to the cloud makes tying into domain-provided functionality increasingly unnecessary.

Learn how cloud identity is changing Mac security and discover the important role Jamf Connect plays in facilitating the process.

JamfConnect enables Apple computers running macOS to provide user accounts with cloud identity credentials, secure account access by centrally managing permissions, and keep credentials in sync both on and off-premises without the need to bind to an AD.

When working remotely, users can log in to the Mac using their organisational credentials-the same familiar username and password they use locally. the IT administrator decides who gets local account administrator privileges through the power of the Identity Provider’s (IdP) cloud-based directory service. Because single sign-on (SSO) requires users to remember only one password for all hosted devices and services, the help desk receives fewer calls about forgotten passwords.

If working in the office, Jamf Connect uses the same credentials to obtain Kerberos certificates without having to bind to Active Directory. the Kerberos ticket then allows seamless, secure access to internal shared resources.

Restrictions:

Managed users or MDM-enabled users

Removing bindings requires planning. Administrators should consider that all users who authenticate to a Mac with an AD account have access to the user channel profile. Without bindings, only the first local account created during automatic device enrolment or a user who enrolled a device in MDM during a user-initiated enrolment process will be able to take advantage of user-level profiles.

To determine which profiles are scoped to the user level, view the full list of profiles that apply to your organisation in the MDM server.

Evaluate how these profiles are used in your organisation. If the device assignments are 1:1, then there should be little concern if the profiles are applied at the computer level. In other words, if you are the only one with car keys and your driver’s licence is in your car or purse, does it make a difference? No, as long as you meet the criteria for having one.

802.1x RADIUS network

With Jamf Connect, the login screen requires a network connection in order to authenticate against the cloud-based IDP. In this case, user-based 802.1x RADIUS access, either with a username and password or a certificate, is not possible.

The login screen is owned by the root user. For security reasons, root has no storage space and no macOS keychain to securely store credentials or certificates, so user-level credentials cannot be used.

Hosted devices should use hosted credentials to access the hosted network. In this case, administrators should configure a computer-level application profile and use machine-based SCEP certificates to access the RADIUS network. This allows for an added layer of security, ensuring that administrators and MDM commands always have access to the device, even if no user is currently logged in.

Not sure of your next step? We can help!

Contact us to discuss the best plan for getting your Mac army migrated to cloud authentication.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>