Don’t you need to be signed in to the same iCloud account on both your laptop and phone to use this feature? That would mean that in order to encounter this issue you already need to be using a work account on a personal device, or vice versa.
Since that's the case I fail to see how this is a large vulnerability. The article doesn’t seem to address this point (possible I just missed this).
A shocking number of people log in to their personal Apple IDs (and email accounts and banks and etc. etc. etc.) on their work computer. I personally do not, but lots of people do.
I’d say generally for most people, at least anecdotally, their work laptop is their only laptop because they’re expensive and have good specs. Especially for Apple products (which is the majority of the share of hardware in this anecdote), it’s natural to want and expect the continuity between devices.
Employers usually allow this or don’t explicitly forbid it, and most employees aren’t exactly security conscious or willing to sacrifice convenience. So it’s not that shocking to me, but it is weird that there isn’t more education or rules around it.
This is true for me. I have a personal desktop, but for mobility (laptop) my work-issued MacBook M1 Pro is the only thing I have. There's no reason at all to purchase a personal laptop since my company is fully remote and they purchased the laptop from Apple and had it directly sent to me, and have never required me to install any kind of monitoring software or control software on it at all.
Good luck when your laptop gets scooped up in discovery/litigation. After having been through lawsuits at work there is ZERO chance of me ever putting anything personal on work equipment.
Duplication and backups are a requirement of life IMO.
"Directly from Apple" does not preclude monitoring and control, but it would've notified you on first boot if it were MDM enrolled.
Most tech companies (except some really big ones or those with compliance requirements) are quite flexible around this issue.
I would qualify that "tech companies that don't know what they're doing wrt IT". Apple does have some features to allow a bit of flexibility, but unless you do all of your work via VDI or similar, I'd consider non-MDM devices to be a huge red flag.
It's called trusting your employees, especially if they are engineers. Maybe that's why "nobody wants to work anymore".
MDM does not imply surveillance. I wouldn't use it if it did. It does mean I can enforce full disk encryption and remotely wipe a machine if it is stolen, though.
Found the system admin
I'll use my work computer to check personal email and do other personal stuff from time to time. I use a separate browser profile that clears its cache and cookies when I'm done. I don't recommend it necessarily, but I don't have any endpoint monitoring on my machine so I feel reasonably OK doing it.
People got really angry at IT not allowing them personal Apple ID logins in several large companies I've been at :/
IT in companies using Apple devices must be an absolutely miserable position.
Depends on what you mean by "IT". If you're thinking like fleet management for thousands of desktops, then it's probably not a bunch of people having a good time. On the other hand, trying to do fleet management for Windows desktops isn't much fun either.
I've worked IT for Mac-only shops my entire career; I wouldn't say any of it has been miserable.
Why, because there’s not as much work to do debugging installers and malware as there is with Windows?
As a consultant, I work with Linux, macOS and Windows. Depends on the client and the project.
I can't remember the last time I even heard about malware on someone else's Windows machine, let alone my Windows machine. I don't know what you mean by debugging installers.
Sounds like an outdated opinion. Just like those "lol PHP bad" regurgitations and linking outdated articles about it.
The sysadmins at my job frequently find malware artifacts on our servers, because we exclusively use Windows Server. And the expectation is you RDP in to get stuff done, which means there's a big potential for human failure.
Also most Windows software is just taken off the web and installed with administrator privileges. Sure, there are package managers. In practice, they're rarely used on Windows.
From a technical standpoint, Windows isn't "that bad" at allowing malware. From a culture standpoint, almost nothing has changed since the 90s. Linux and Mac have a different culture.
macOS used to have a decent security story until some QoL started requiring disabling SIP.
They gutted the OS so much that users started disabling security features.
And don't get me started with the atrocious window manager from macOS. Took a decade to improve it slightly. Still far away from some Linux DEs and Windows. I don't enjoy having to buy apps to fix macOS. There are some open source tools for some things but for others it's cost effective to just buy.
From here: https://support.apple.com/en-us/120421
> If your Mac asks whether to require Mac login to access your iPhone, choose Ask Every Time or Authenticate Automatically. You can change this later in iPhone Mirroring settings on your Mac.
Seems it's an app setting to have this protected or not?
> iPhone Mirroring system requirements
> Your iPhone and Mac are signed in to the same Apple Account using two-factor authentication.
This setting is to establish a new mirroring session, but presumably that iOS app install metadata is collected at the very first connection and then cached on macOS.
This is a nice feature of the Apple ecosystem to be fair, but I do think the issue is with connecting work and personal accounts/devices.
It goes both ways.
You must be signed in to the same iCloud account on a personal device and a work device in order to use a feature? Operational security isn't worth the hassle: most people will just do whatever it takes to do the thing. And when they are finished, it's not as if they are likely to sign back out on either device.
Duh, don't mix work and private devices/data.
I was just discussing this with a friend. The one place where I’m willing to fudge things (corporate policies permitting) is putting my personal calendar on a work machine, work calendar on my personal systems, mostly because it makes dealing with the interface between the two simpler (plus then I get meetings showing up on my watch).
Depending on your calendaring system(s), you can subscribe to your work calendar on your personal account, and vice versa. Although you should be careful about the latter!
My life is simple enough that I just dupe the occasional MTWTF personal events as "reserved blocks" onto my work calendar, and maintain my off-hours and SS personal calendar separately.
You can share the free/busy information only.
Right. I don't even let my work laptop onto my home LAN. It's hardwired into its own /30 VLAN and can only see the gateway and internet.
So it is on your home LAN, just on a different VLAN than your infra. (which makes sense)
Right, shares the same PHY/layer 1, but logically separated at layer 2. :)
Unless you believe your employer to be malicious, I doubt this brings any real-world benefit.
Two phones all the way. For most knowledge workers the cost of a mid-tier iPhone is inconsequential anyway.
The PSA should just be don't mix your personal and work devices.
Not that easy. I use my personal device for work - and if I didn't I would wish I did, when travelling...
I always take both devices when I need both. The M3 is annoyingly heavy, and I have to treat it better than I do my personal device, but it's not a major hassle.
There also seems to be a bug in the VPN that requires sending all traffic when the VPN address is on a different subnet. It should be possible to manually specify subnet mask, but it seems to be ignored. I’m not sure if the VPN is advertising this incorrectly, but it worked fine before upgrading.
I miss out on a lot of nice macOS features because I refuse to sign into my personal iCloud account on my work Mac, even though we are allowed to do so.
Oh well. Gotta draw the line somewhere I guess.
So the threshold of concern by a "security" company is "they might audit your apps and find out you're gay!"
Yet not a single concern about tethering an iPhone (with an external connection) to a PC on the company's internal network, bypassing all firewalls, proxies, and other protections. That is grounds for immediate dismissal at some places.
I expect security people to think more like network engineers and less like teenagers gossiping in the canteen.
What do you mean by "tethering an iPhone to a PC"? iPhone Mirroring does not grant the iPhone any privileges to data on the Mac, as far as I know.
Also, there are two orthogonal concerns at play here: Companies generally don't want personal devices (at least those not covered by MDM) to hold company data, but companies also might not want to inadvertently hold personal data of their employees.
This isn't about tethering. It's about mirroring, which requires the iPhone and Mac to be on the same Wi-Fi. And you can't route data from the Mac through the phone via mirroring.
I don't think iPhone Mirroring requires both devices being on the same (or in fact any) Wi-Fi network. It does however require them to be signed in to the same iCloud account.
Pairing requires Bluetooth, streaming requires Wi-Fi.
https://support.apple.com/en-us/120421
Under iPhone Mirroring system requirements:
> Your iPhone and Mac are signed in to the same Apple Account using two-factor authentication.
> Your iPhone and Mac have Bluetooth and Wi-Fi turned on.
> Your iPhone is not sharing its cellular connection (Personal Hotspot is not in use).
> Your Mac is not sharing its internet connection or using AirPlay or Sidecar.
Wi-Fi needs to be turned on, but the connected network is irrelevant, similar to AirDrop.
Interesting that it works no matter the WiFi. But it’s still not tethering.
Lots of people who are entitled to a corporate smartphone also have a single phone with two sims for work/personal, because of the same reasons: cheaper, more convenient, large data plans on corporate device. These devices are MDM enrolled and the company will at least check what apps are installed.
I’ve noticed this as well, but actually not sure how the feature works if not over the LAN. Is it Bluetooth? Or synced over iCloud?
It's direct peer-to-peer Wi-Fi.
Speaking of iPhone Mirroring: Doesn't this effectively downgrade two-factor authentication to a single factor for flows like "tap 'yes' on your phone to login"?
I've been wondering if there is a way for iOS authenticator apps to opt out of mirroring, but haven't found anything so far.
Don’t think so. Push notification flows like this fall into the “something you have” category (which you still do when using mirroring) and additionally when done properly, they require biometrics verification to respond to the “tap yes”.
Anyone who uses their personal iPhone and/or iCloud account for work is a moron.
It's incredible to me how many people log into personal accounts on work devices. People should really research the amount of data security tools harvest.
I sometimes see my coworkers with banking tabs open when they screen share. The level of trust is astounding.
It certainly sounds foolish at first, but what's the real risk? Is your employer really going to transfer your balance to themselves or snoop on your utility bills?
Now if you loaded a crypto wallet on your work device, that would be another story.
I know there are bad actors trying to get into my company's network. They are a high visibility target and have fallen victim to ransomware attacks before. Even if I trusted my employer, I don't trust what else may be lurking there.
You will probably find that your corporate TLS MitM proxy excludes financial institutions so that employees can do their banking without any doubt that their own company would respect the confidentiality of their finances. If not, your cybersecurity team needs some help.
Yes, when I was in charge of security at previous places we did not MITM a whole category of websites including banking, health, etc.
If your employer isn't requiring you to log in with a personal account on a work device (and they're not), and your personal data doesn't have anything you'd mind your employer seeing, then why not?
Because then there's no slippery slope and you're making a conscious choice. A lot of people lead really boring lives and just want the convenience of using their personal e-mail on the work device. Their employer knowing that the kids need to be picked up from soccer at 6 is a non-issue.
Obviously, if you do have things it's important that your employer/police/government/etc. not know, then don't, a million times.
But if you don't care, then let people make that choice.
> Their employer knowing that the kids need to be picked up from soccer at 6 is a non-issue.
That's great and fine, until anything non-trivial in your life happens. Illness, relationship drama, recruiter conversation, off-hand low-context remarks to/from friends...
The corporate suckware hoovers up the data, and a) exposes you professionally to the company's whims of self-protection, and b) exposes the company legally to your personal imperfections.
Don't cross the streams. It would be bad.
Don't forget you don't own your work device and could lose access to it with zero notice. It's a personal pet peeve of mine that macOS has no way to install with a "forget everything about iCloud" option. I love it for my personal devices but on a work device you quickly notice how it's got its little hooks all over the OS.
There is an MDM option to disable iCloud, but I'm not sure if it's possible to toggle without enrolling macOS into a managed system.
One reason is that if your employer is sued your personal data/devices can get tied up in the discovery process.
How often does that really happen, though? I’ve heard this argument so many times, but not really the real impact it has from a real incident.
I worked with someone who uploaded private git repositories to his email before quitting. People are not very smart.
It's best to completely remove that avenue/temptation anyway, IMO. You can handle personal stuff on your phone. Logging in on your work PC is asking for trouble.
HN readers seem to be very concerned about spies and perverts that might get caught because they naively used X tech.
Where is a good place to start this research?
We have CrowdStrike Falcon at work, and I would love to know what they are monitoring.
It's been quite a few years since I did anything in this space, but back in the day you could get quite a lot of information simply by wrapping things in sandbox-exec [0] and progressively adding allow rules as the application inevitably blew up. It's a fair bit of manual effort, and I wouldn't be surprised if someone has written a wrapper around it that automatically figures it out, but last I checked this was the most reliable way to explicitly see what a rogue application does.
[0] https://www.karltarvas.com/macos-app-sandboxing-via-sandbox-...
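The loop described in that comment (start from a deny-by-default sandbox-exec profile, add allow rules each time the app breaks) needs bookkeeping. As an added example, not code from this thread or from the linked write-up, here is a Python helper that turns sandbox denial log lines into the narrowest matching allow rules and holds back denials on sensitive paths as findings instead of allowing them. The denial-line format, the app path and the sample log lines are constructed assumptions.

```python
"""Bookkeeping for a sandbox-exec audit loop (added example, not from the thread).

Collect the "Sandbox: ... deny" lines an untrusted app produces under a deny-by-default
profile, and turn each distinct denial into the narrowest allow rule. Denials against
sensitive resources are NOT auto-allowed: they are returned as findings for a human.
The log-line format and every sample value below are assumptions made for this example.
"""
import re

# Deny-by-default starting profile; the app path is a constructed placeholder.
BASE_PROFILE = """(version 1)
(deny default)
(allow process-exec (literal "/Applications/Suspicious.app/Contents/MacOS/Suspicious"))
"""

# Assumed shape of a denial line as shown in Console: "Sandbox: proc(pid) deny(1) op resource"
DENIAL_RE = re.compile(
    r"Sandbox:\s+(?P<proc>\S+)\((?P<pid>\d+)\)\s+deny\(\d+\)\s+"
    r"(?P<op>[a-z*-]+)(?:\s+(?P<resource>\S.*))?$"
)
IP_PORT_RE = re.compile(r"[\d.a-fA-F:\[\]*]+:\d+")

# Substrings that mark a resource as a finding rather than something to allow.
SENSITIVE_MARKERS = ("/Library/Keychains/", "/.ssh/", "/Library/Cookies/")


def parse_denial(line):
    """Return (operation, resource-or-None) for a denial line, else None."""
    m = DENIAL_RE.search(line.strip())
    return (m.group("op"), m.group("resource")) if m else None


def _quote(s):
    # Escape backslashes and quotes so a strange path cannot break out of the literal.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def rule_for(op, resource):
    """Narrowest SBPL allow rule for one denial; unknown shapes become a review comment."""
    if resource is None:
        return f"(allow {op})"
    if op == "network-outbound":
        if IP_PORT_RE.fullmatch(resource):
            return f'(allow network-outbound (remote ip "{resource}"))'
        return f'(allow network-outbound (literal "{_quote(resource)}"))'  # unix socket
    if op == "mach-lookup":
        return f'(allow mach-lookup (global-name "{_quote(resource)}"))'
    if op.startswith("file-"):
        return f'(allow {op} (literal "{_quote(resource)}"))'
    return f";; REVIEW: {op} denied on {_quote(resource)}"  # never widen silently


def extend_profile(profile, log_lines):
    """Return (new_profile, rules_added, findings); findings are never added."""
    rules, findings = [], []
    for line in log_lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue
        op, resource = parsed
        if resource and any(m in resource for m in SENSITIVE_MARKERS):
            if parsed not in findings:
                findings.append(parsed)
            continue
        rule = rule_for(op, resource)
        if rule not in rules and rule not in profile:
            rules.append(rule)
    return profile + "".join(r + "\n" for r in rules), rules, findings


# Constructed denial lines standing in for what Console would show during one run.
SAMPLE_DENIALS = [
    "Sandbox: Suspicious(4242) deny(1) file-read-data /Users/alice/Library/Keychains/login.keychain-db",
    "Sandbox: Suspicious(4242) deny(1) network-outbound 192.0.2.10:443",
    "Sandbox: Suspicious(4242) deny(1) mach-lookup com.apple.pasteboard.1",
    "Sandbox: Suspicious(4242) deny(1) sysctl-read",
    "Sandbox: Suspicious(4242) deny(1) file-read-data /Users/alice/Library/Keychains/login.keychain-db",
    "unrelated log noise",
]

if __name__ == "__main__":
    new_profile, added, findings = extend_profile(BASE_PROFILE, SAMPLE_DENIALS)
    print(new_profile)
    for op, res in findings:
        print(f"FINDING: {op} on {res}")
```

Each iteration's output profile is the audit record: every allow rule is a capability the app demonstrably asked for, and every finding is a request you chose not to grant.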
It's not just data security tools - let your company get involved in litigation and now all your personal stuff is exposed to discovery too.
Just dumb to mix personal and work - computers are no longer exotic.
In my case I "lend" my personal device for work (Git, Slack, Figma, Miro... use one Chrome for work and Chrome Beta for personal). So I suppose there's no software running behind the scenes. Should I still worry in this case?