Blowing holes in your security scheme just because isn't much of a reason since only their signed software could be loaded in the first place and they already know where the vulnerability would be.
It's a vulnerability you're already aware of since you engineered it, so why wouldn't you want to test it out to verify? If they truly wanted these to be secure they would have put preboot authentication on them and made it so every update had to be approved by a user, but they didn't.
I'm not all that familiar with Apple devices, but does it force the user to encrypt the phone? If not, it's the owner's responsibility to ensure that their devices are being used in accordance with their standards. Do iPhones automatically update the OS or is it like my Android where I have to agree to download and install the update? If it doesn't automatically update, the government was perfectly free to institute a policy that told their employees not to upgrade government owned iPhones. Again, the burden is on the owner to ensure that they retain access to both the device and the data unless they entered into some sort of specific contract with Apple to do otherwise.
I guess one could argue that when the phone was originally purchased, tools to circumvent the security existed and therefore were expected, but I would need to see some sort of evidence that the .gov expected this to remain the case as a condition of purchasing and using iPhones. From everything that I have read, though, the .gov is treating this like any other seized phone and not necessarily as their property. It would be kind of ironic to see the government argue that Apple sold them a device that was too secure against hackers.
With iOS 8 they enforced encryption on the user data partition. It seems similar to Microsoft's BitLocker in that part of the encryption is handled by hardware and that the OS is not encrypted, which is why Apple would be able to update it if they wanted to.
As for OS updates, Apple used to push updates in the past but now is moving more towards a user acceptance model. The caveat is that if you buy new hardware you have to get the latest OS, which is how Apple has rolled for like ever and is brutal for those of us who try to manage a standards-based environment when it comes to their laptops and desktops.
And while a company can introduce such a policy, there is virtually no way to enforce it, much like Apple Desktop OS, users on iOS need full access and can remove all company enabled controls on their device (if the company is using an MDM solution).
So it would be a verbal policy at best, and once a phone is upgraded there is no way to roll back to an earlier supported release, so it's rather futile for companies to attempt to block updating of iPhones... we tell folks all the time to hold off on updating when an iOS change negatively impacts our MDM solution, but most users disregard that notification and just update because they see the notice on their phone.
The big difference between Apple and other companies in the tech sector when it comes to corporate device management is that the former basically doesn't care about enterprise customers when it comes to device management/control and tells them to go to some third party vendor which has limited ability other than to manipulate settings which already exist within the device...whereas others will develop tools for enterprise management that are far more difficult for users to circumvent when implemented properly.
Even if the govt was using a solid MDM platform the user in this case could have removed device control and done whatever he wanted with the phone (barring getting corporate email) and the govt would be in the same position they are in now.