On macOS, DEP (Device Enrollment Program) and MDM (Mobile Device Management) are the recommended methods for automating the initial setup & configuration of new devices. MDM can offer sophisticated system configuration options, including privileged operations such as adding new trusted root CA certificates to the System Keychain. Apple's MDM implementation has gained popularity in the enterprise world recently due to their richer feature set.
The recent introduction of User Approved MDM and the continued enhancements to security technologies such SIP, Gatekeeper and others is evidence of Apple's ongoing commitment to MDM. Some operations, such as whitelisting of allowed kernel extensions, are now only supported if the device is enrolled in a trusted MDM. Under the hood, the DEP & MDM implementation involves many moving parts. Within macOS, several daemons are involved in the process of bootstrapping the trust necessary to bring a new up device to a fully provisioned state. If an attacker can identify vulnerabilities within the bootstrapping process and effectively exploit them, they may be able to make use of this trusted process to compromise a device as it first boots.
Our talk walks through the various stages of bootstrapping, showing which binaries are involved, the IPC flows on the device, and evaluates the network (TLS) security of key client/server communications. We will follow with a live demo showing how a nation-state actor could exploit this vulnerability such that a user could unwrap a brand new Mac, and the attacker could root it out of the box the first time it connects to WiFi.