MacTech is a conference for the Mac engineer and developer. And at JAMF Software, whether you prefer the Casper Suite or Bushel, we love to hang out with engineers and developers. So we’ll be at MacTech this week, in Southern California, hanging out to meet you, answer any questions you might have, and maybe have people from product management ask you lots of questions. If you’ll be there, come find us. For more on MacTech, check it out at:
A common question we get from the media is whether an employer can read the email on an employee's device. The answer is that an employer cannot use Bushel to see mail or any other content on a device. Your Exchange, Office 365, or Google Apps administrative accounts may give you a view into mailboxes, but that is a function of the mail service, not of Bushel.
Apple designs its devices with a strong sense of user privacy. A device should let you reach your data (email, app content, and so on) without any worry about who else can see it. You cannot watch what someone is doing on a device unless that user deliberately AirPlays their display to another device. You cannot see data as it is transferred to a device. You cannot even see which Apple ID is signed in on a device.
What you can do is protect the data. You can silo your organization's data using Managed Open-In. This flags everything that arrives through the mail accounts and apps your organization deployed to the device, so that those files cannot be opened in or copied to mail accounts and apps your organization did not deploy. It does not let you see or access those files; it only controls how they move between apps on the device.
Overall, the privacy controls on iPads and iPhones are among the most carefully thought out and well orchestrated security controls in the industry. A user can be confident that their personal data is only viewable by them, without worrying about prying eyes on their device. And an employer can be confident that its data can be removed from both company-owned and BYOD devices when an employee leaves or a device falls outside of its control.
There are a number of tools you can use to encrypt a Mac. Many of them cost around $100 per year, per system. These days most of them simply drive the options built into OS X, which rely on a technology called FileVault. Those options amount to starting the encryption process, choosing where to escrow the recovery key that can unlock the drive if you ever need it, and configuring a few basic settings for that key.
Did you know Bushel can do much of this for you? The way Bushel does it is straightforward. You simply enable the Disk Encryption toggle on the Device Security tab of the Settings page.
From then on, any device that has not already been encrypted starts the encryption process and saves its recovery key back to your Bushel account. That key is shown on the device page of any device whose encryption was enabled by Bushel. If a device already had FileVault enabled before it was added to your Bushel account, and you want its key escrowed in Bushel, you will need to disable FileVault on that device (a decryption pass of an hour or two that does not keep the user from working) and then re-enable FileVault through Bushel. Once that completes, you will see the key for the device.
Overall, encryption is a very easy feature to use, and we recommend enabling it pretty much universally. Even if this were the only Bushel feature you used, you would still be saving around $75 per computer over the industry standard tools. We recommend those tools only when your business requirements call for tasks that Bushel cannot perform.
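The procedure above boils down to a small decision per Mac: is FileVault off, on, or mid-transition, and do we hold a recovery key for it? The script below is an added example (not Bushel's code) that makes that decision from the text `fdesetup status` prints and from whatever key has been escrowed. The sample status outputs and the escrowed key are constructed for the example; the assumptions that `fdesetup status` prints lines of the form shown, and that a personal recovery key is six hyphen-separated groups of four characters from A-Z and 0-9, are mine, not stated in the post.

```python
"""Added example: triage FileVault state and decide the next escrow step.

Not Bushel's code. Assumes (my assumption) that `fdesetup status` prints
'FileVault is On.' / 'FileVault is Off.' plus an optional
'Encryption in progress: ...' / 'Decryption in progress: ...' line.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional

# Personal recovery key format as assumed here: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
RECOVERY_KEY_RE = re.compile(r"^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$")


def classify_fv_status(status_text: str) -> str:
    """Map `fdesetup status` output to one word.

    In-progress lines are checked first because they appear together with
    the 'FileVault is On/Off' line, which would otherwise match too early.
    """
    if "Encryption in progress" in status_text:
        return "encrypting"
    if "Decryption in progress" in status_text:
        return "decrypting"
    if "FileVault is On." in status_text:
        return "enabled"
    if "FileVault is Off." in status_text:
        return "disabled"
    return "unknown"


def looks_like_recovery_key(key: str) -> bool:
    """Cheap format check before trusting an escrowed key record."""
    return bool(RECOVERY_KEY_RE.match(key.strip().upper()))


def escrow_action(state: str, escrowed_key: Optional[str]) -> str:
    """Next step for the workflow the post describes."""
    if state == "disabled":
        return "enable-filevault-and-escrow-key"
    if state in ("encrypting", "decrypting"):
        return "wait-for-completion"
    if state == "enabled":
        if escrowed_key and looks_like_recovery_key(escrowed_key):
            return "ok"
        # FileVault was turned on outside the MDM: per the post, turn it
        # off, let it decrypt, then re-enable it through Bushel.
        return "key-not-escrowed-disable-then-re-enable-via-mdm"
    return "inspect-manually"


def current_status() -> Optional[str]:
    """Run fdesetup when it exists (macOS only); otherwise return None."""
    if shutil.which("fdesetup") is None:
        return None
    proc = subprocess.run(["fdesetup", "status"], capture_output=True,
                          text=True, check=False)
    return proc.stdout


# Constructed sample outputs and escrow records, not captured from real Macs.
SAMPLES: Dict[str, str] = {
    "laptop-a": "FileVault is On.\n",
    "laptop-b": "FileVault is Off.\n",
    "laptop-c": "FileVault is On.\nEncryption in progress: Percent completed = 37.\n",
    "laptop-d": "FileVault is Off.\nDecryption in progress: Percent completed = 12.\n",
    "laptop-e": "FileVault is On.\n",
}
ESCROWED: Dict[str, str] = {"laptop-a": "ABCD-EFGH-JKLM-NPQR-STUV-WXYZ"}


def triage(samples: Dict[str, str] = SAMPLES,
           escrowed: Dict[str, str] = ESCROWED) -> Dict[str, str]:
    """Return the action to take for every device in the inventory."""
    return {name: escrow_action(classify_fv_status(out), escrowed.get(name))
            for name, out in samples.items()}


if __name__ == "__main__":
    live = current_status()
    if live is not None:
        print("this Mac:", classify_fv_status(live))
    for name, action in triage().items():
        print(f"{name}: {action}")
```

Run it on a Mac and the first line reports the local machine; the remaining lines show the constructed inventory, where `laptop-e` is the case the post calls out (encrypted before enrollment, so no key escrowed).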
How secure is your data on Bushel? Your data on any service is only ever as secure as your password. At Bushel we take a lot of precautions to protect your data, including from ourselves. We time out your session, we encrypt your session on a per-transaction basis, and we encrypt your data at rest on our servers. Think of the at-rest encryption the way you would think of the secure enclave in iOS: the fields that need it, such as FileVault keys and Activation Lock bypass codes, are the ones that get encrypted. These basic precautions keep your communication with Bushel confidential and prevent someone from, for example, hijacking your session.
Our communications with your devices are secured in a similar fashion. All communication with devices is encrypted. Each device has a key held on our servers, so that when a device talks to us we can verify the integrity of that communication, and each device holds a key of its own for verifying the integrity of communications we send back to it.
And we protect you from us. We are working toward SOC 2 compliance at JAMF, so there are also a number of separation-of-duties controls in place at the business-process level. For example, I cannot interact directly with your data, because I have access to the source code. The reverse holds as well: someone with access to the data on the servers does not have access to the source code, and so cannot act on the encrypted data sitting there. All access by anyone in the organization is also logged and tracked.
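The post describes the device channel only in outline: a per-device key on the server, and a key on the device, used to preserve the integrity of messages in each direction. The code below is an added illustration of that property and is not Bushel's protocol, which the post does not show. It uses HMAC-SHA256 over a canonical JSON message (my choice of primitive), a timestamp and a nonce (my additions) so that a tampered, stale, or replayed message is rejected; the device key, device identifier, and command names are constructed for the example. Only the device-to-server direction is shown; the server-to-device direction is the same check with the device's own key, and all of this rides inside the encrypted transport the post mentions rather than replacing it.

```python
"""Added example, not Bushel's code: per-device HMAC keys for message integrity.

Assumptions (mine): HMAC-SHA256 over canonical JSON; each message carries
a timestamp and a nonce; the server keeps the nonces it has accepted.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Dict, Tuple

MAX_SKEW_SECONDS = 300  # reject messages whose timestamp is off by more than this

# Constructed per-device key registry (server side). A real deployment would
# generate these at enrollment and store them encrypted at rest.
DEVICE_KEYS: Dict[str, bytes] = {
    "dev-0001": hashlib.sha256(b"constructed demo key for dev-0001").digest(),
}


def canonical(message: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(device_id: str, key: bytes, body: dict,
         now: float = None, nonce: str = None) -> dict:
    """Device side: wrap a body in an envelope and tag it with the device key."""
    message = {
        "device_id": device_id,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or os.urandom(12).hex(),
        "body": body,
    }
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"msg": message, "tag": tag}


class Server:
    """Server side: verify tag, freshness, and replay state per device."""

    def __init__(self, keys: Dict[str, bytes], now: Callable[[], float] = time.time):
        self.keys = keys
        self.now = now
        self.seen = set()  # (device_id, nonce) pairs already accepted

    def verify(self, envelope: dict) -> Tuple[bool, str]:
        message = envelope.get("msg", {})
        key = self.keys.get(message.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
        # Constant-time comparison: the tag is checked before anything else so
        # a forger learns nothing from the later checks.
        if not hmac.compare_digest(expected, envelope.get("tag", "")):
            return False, "bad tag"
        if abs(self.now() - message["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale"
        replay_id = (message["device_id"], message["nonce"])
        if replay_id in self.seen:
            return False, "replay"
        self.seen.add(replay_id)
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the four outcomes with a fixed clock and constructed messages."""
    clock = lambda: 1_700_000_000
    server = Server(DEVICE_KEYS, now=clock)
    key = DEVICE_KEYS["dev-0001"]

    good = sign("dev-0001", key, {"cmd": "DeviceInformation",
                                  "udid": "CONSTRUCTED-UDID-0001"},
                now=clock(), nonce="a1b2c3")
    results = {"good": server.verify(good)}

    # An attacker on the path rewrites the command but cannot re-tag it.
    forged = json.loads(json.dumps(good))
    forged["msg"]["body"]["cmd"] = "EraseDevice"
    results["tampered"] = server.verify(forged)

    # Replaying the genuine message is caught by the nonce record.
    results["replay"] = server.verify(good)

    # A correctly tagged but hour-old message fails the freshness window.
    old = sign("dev-0001", key, {"cmd": "DeviceInformation"},
               now=clock() - 3600, nonce="d4e5f6")
    results["stale"] = server.verify(old)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce set grows without bound here; a production server would bound it to the freshness window, since anything older than `MAX_SKEW_SECONDS` is rejected by the timestamp check before the nonce is consulted.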
This isn't a formal security FAQ, but it does outline some of what we do today to secure and protect your data. Over time we will add to these measures to keep up with modern and emerging threats.
That said, we are a SaaS solution. So, to repeat the point this post started with, your data (and by extension the actions that can be taken on your devices) is only as secure as your password. In some ways we are more secure than a publicly reachable on-premises server doing the same kind of work. In other ways we are, by design, publicly reachable, and so we will always be looking for ways to better protect your data while staying as easy to use as we can be.
Thanks, and feel free to comment on this article with more specific questions and we will be happy to answer them. After all, we believe that transparency is the cornerstone of any security plan!