Oh I fully agree. In my case, it's their device, so it's not like I'm worried about privacy concerns about my data in particular. I'll be fine, I have another MacBook. It's more like... is this a useful policy and I'm missing something? Or is this a bureaucracy-imposed policy?
It's both. Is the Mac a common target? No. But are they part of the resources that need securing in a mixed-compute environment? Yes. Keep in mind XProtect only really helps you with Mac malware trying to run on that Mac.
At the end of the day, the folks higher up in my experience want:
- The ability to protect business data through as many attack vectors as possible.
- The ability to measure compliance.
XProtect provides neither, despite it being just fine for a personal device.
And if you are in a mixed-compute environment, which is very likely these days, then the Mac users won't get a pass on compliance.
One thing to keep in mind is that a lot of these sorts of policies are not aimed at the technically savvy. While engineering has to put up with them, it's not about you. Yes, it does involve some security theater, but at the same time, the damage a single failure presents is generally enough to make companies paranoid.
Your post reminded me that there are people who bring their own device. I wonder what'll happen to them.
It depends. Apple supports two different types of MDM on Mac and iOS, company owned and personal owned. Company owned allows a lot more control, but personal owned still allows for a lot of "well, if you don't comply with policy, we just cut you off from business data", while still giving the owner control of the machine. Up until recently, all our Mac engineering devices were treated as BYOD.
This is the only thing that sounded like a legitimate reason to have this software installed. Ironically, this wasn't mentioned at all! Even though (if the software ends up being not too intrusive) it's the one thing I could find that was (maybe) worth the hassle. Still not sure how useful this will be in practice.
Ensuring compliance is considered an axiom when it comes to IT. Has been for decades. If you've been in the Mac side of things for a while, then it's not too surprising that you haven't hit this yet, but when I started my career it was no different on Windows XP/Vista/7. Switching to an Apple-facing team got me out of that world for a bit, but now that there's more MDM stuff happening on Mac, it feels a lot like those years again.
With the level of security threats out there, and how companies that pour massive budgets into security get pwned anyways, I'm not surprised to be honest.
What does one do once a system reports a hit? How many false positives will there be? Idk, I have the feeling that it's going to be mostly noise, unless there's a real breach of company data, in which case I doubt that it's going to provide anywhere near enough information. I wish Apple provided this kind of information from XProtect though, maybe that'd be enough to avoid the need to install this software.
Again, it depends. These policies are supposed to be set by IT, enforced by the software. For malware, it's generally sufficient to quarantine things and move on. If there's a real risk, or a history of non-compliance/risk, IT will reach out.
In my case, there apparently was a recent case of certain platforms hosting malware being risky enough that they got added to the block list for a period of time. Because I don't have ad blockers installed on my corporate machine, I got a good day or so of "We blocked XXXXX" from Defender as push notifications on my Mac. The funny thing is, nothing I actually wanted to see got blocked, and I had to go see what was going on to realize it was ad networks being used for pushing malware again.
Was this malware aimed at Macs? Not likely, but in a mixed environment, I get that block lists and the like will be the superset of threats to the platforms in use.
This software in particular features "Cloud AI detection" heavily, so I'm not holding my breath for a mostly on-device detection. It states that it works offline as well though, so who knows. I'll set up a proxy to see what data is being sent exactly, out of curiosity.
Again, depends. For stuff like this, you can still do things like: quarantine on local possible detection (heuristics, which have been common for a while), send up a copy of the file to the cloud, and then decide what to do with the quarantined file based on the server-side analysis of the file. So it's not like your machine must wait on a remote server in order to decide what to do with a file.
Is this what Microsoft calls Conditional Access? God I find Microsoft's naming scheme for their products so confusing.
It's one aspect of it. Individual services and apps can provide some rather fine-grained control on top of more broad conditions like this.
Microsoft's penchant for naming things has never been terribly good.