Blog

  • Apple slaps hard against ‘mercenary’ surveillance-as-a-service industry

    Apple has struck a big blow against the mercenary “surveillance-as-a-service” industry, introducing a new, highly secure Lockdown Mode to protect individuals at the greatest risk of targeted attacks. The company is also offering millions of dollars to support research to expose such threats.

    Starting in iOS 16, iPadOS 16 and macOS Ventura, and available now in the latest developer-only betas, Lockdown Mode hardens security defenses and limits the functionalities sometimes abused by state-sponsored surveillance hackers. Apple describes this protection as “sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”

    In recent years, a series of targeted spyware attacks against journalists, activists, and others have been exposed. Names including Pegasus, DevilsTongue, Predator, Hermit, and NSO Group have undermined trust in digital devices and exposed the risk posed by semi-private entities and the threat they represent to civil society. Apple has made no secret that it is opposed to such practices, filing suit against the NSO Group in November and promising to oppose such practices where it can.

    “Apple’s newly released Lockdown Mode will reduce the attack surface, increase costs for spyware firms, and thus make it much harder for repressive governments to hack high-risk users,” said John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy.

    “We congratulate [Apple] for providing protection to human rights defenders, heads of state, lawyers, activists, journalists, and more,” tweeted the EFF, a privacy advocacy group.

    What does Lockdown Mode do?

    At present, Apple says Lockdown Mode provides the following protections:

    • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
    • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
    • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
    • Wired connections with a computer or accessory are blocked when an iPhone is locked.
    • Configuration profiles cannot be installed and the device cannot enroll into mobile device management (MDM) while Lockdown Mode is turned on.

    Ivan Krstić, Apple’s head of Security Engineering and Architecture, notes that Lockdown Mode can be applied to devices that are already enrolled in an MDM service. “Pre-existing MDM enrollment is preserved when you enable Lockdown Mode,” he tweeted.

    The company says it intends to extend the protection provided by Lockdown Mode over time and has invested millions in security research to help identify weaknesses and increase the integrity of this protection.

    How to enable Lockdown Mode

    • Lockdown Mode is enabled in Settings on iPhones and iPads and in System Settings on macOS.
    • You’ll find it as an option in Privacy & Security, listed at the bottom of the page.
    • Tap Lockdown Mode and you’ll be told that this provides “Extreme, optional protection that should only be used if you believe you may be personally targeted by a highly sophisticated cyberattack. Most people are never targeted by attacks of this kind.”
    • The prompts also warn users that certain features will no longer work as you are used to. Shared albums will be removed from Photos, and invitations will also be blocked.

    What is the scale of this threat?

    These attacks don’t come cheap, which means most people are unlikely to be targeted in this way. Apple began sending threat notifications to potential victims of Pegasus soon after it was revealed and says the number of people targeted in such campaigns is relatively small.

    All the same, the scale is international, and the company has warned people in around 150 nations since November 2021. A BBC report confirms hundreds of targets and tens of thousands of phone numbers leaked as a result of NSO’s Pegasus alone. Victims have included journalists, politicians, civil society advocates, activists, and diplomats, so while the numbers are small, the chilling impact of such surveillance is vast.

    I believe that such technologies will become cheaper and more available over time, so it’s only a matter of time before they leak into wider use. Ultimately the very existence of such attacks — state-sponsored or not — makes the entire world less safe, not safer.

    “There is now undeniable evidence from the research of the Citizen Lab and other organizations that the mercenary surveillance industry is facilitating the spread of authoritarian practices and massive human rights abuses worldwide,” said Citizen Lab Director Ron Deibert in a statement. Deibert told CNET he thinks Lockdown Mode will deal a “major blow” to spyware companies and the governments that use their products.

    “While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are,” said Apple’s Krstić in a statement. “That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks.”

    There’s little doubt Microsoft and Google will also move to provide similar protection to users. Google and Meta already offer tools to secure the accounts of those who are at an “elevated risk of targeted online attacks,” but these tools don’t go nearly as far as Lockdown Mode.

    Apple’s investments in security

    Apple already makes vast investments in security. For example, the company is working with others in the industry to support password-free authentication, has built tools to mask IP addresses and continues to focus on user privacy.

    The company will introduce a Rapid Security Response feature for its devices this fall, which will make it possible to deploy security fixes outside of full security updates and much more. Apple is even investing in improving the security of programming languages, further eroding potential attack surfaces.

    The company has now announced further investment in the security community:

    • Apple has also established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections. Bounties are doubled for qualifying findings in Lockdown Mode, up to a maximum of $2,000,000 — the highest maximum bounty payout in the industry.
    • Apple is also making a $10 million grant, plus any damages awarded from the lawsuit it is pursuing against NSO Group, to support organizations that investigate, expose, and prevent highly targeted cyberattacks, including those created by private companies developing state-sponsored mercenary spyware. It is giving this money to the Ford Foundation’s Dignity and Justice Fund.

    What will the Dignity and Justice Fund do?

    The fund will make its first grants later this year, focusing initially on initiatives to expose the use of mercenary spyware. In the press release announcing the initiative, Apple tells us these grants will focus on:

    • Building organizational capacity and increasing field coordination of new and existing civil society cybersecurity research and advocacy groups.
    • Supporting the development of standardized forensic methods to detect and confirm spyware infiltration that meet evidentiary standards.
    • Enabling civil society to more effectively partner with device manufacturers, software developers, commercial security firms, and other relevant companies to identify and address vulnerabilities.
    • Increasing awareness among investors, journalists, and policymakers about the global mercenary spyware industry.
    • Building the capacity of human rights defenders to identify and respond to spyware attacks, including security audits for organizations that face heightened threats to their network

    The fund’s grant-making strategy will be advised by a global Technical Advisory Committee. Initial members include Daniel Bedoya Arroyo, digital security service platform analyst at Access Now; Citizen Lab Director Ron Deibert; Paola Mosso, co-deputy director of The Engine Room; Rasha Abdul Rahim, director of Amnesty Tech at Amnesty International; and Apple’s Krstić.

    Ford Foundation Tech and Society Program director Lori McGlinchey said:

    “The global spyware trade targets human rights defenders, journalists, and dissidents; it facilitates violence, reinforces authoritarianism, and supports political repression. The Ford Foundation is proud to support this extraordinary initiative to bolster civil society research and advocacy to resist mercenary spyware. We must build on Apple’s commitment, and we invite companies and donors to join the Dignity and Justice Fund and bring additional resources to this collective fight.”

    What else can you do?

    Following revelations about NSO Group last year, Apple published a set of recommendations to help users mitigate such risks. These guidelines do not even approach the kind of robust protection you can expect from Lockdown Mode, but it makes sense for anyone to follow such practices:

    • Update devices to the latest software, which includes the latest security fixes.
    • Protect devices with a passcode.
    • Use two-factor authentication and a strong password for Apple ID.
    • Install apps from the App Store.
    • Use strong and unique passwords online.
    • Don’t click on links or attachments from unknown senders.

    Furthermore, Amnesty Tech is gathering signatures to demand an end to this kind of targeted surveillance of human rights defenders. I’d urge readers to add their signature to my own.

    Copyright © 2022 IDG Communications, Inc.

  • 10 Tools to Generate and Have Fun With ASCII Art in Linux

    The Linux terminal is not as scary as you think.

    Of course, it could be intimidating in the beginning but once you know the terminal better, you start loving it.

    You are likely to use the terminal for serious work. But there is plenty of fun stuff you can do in the terminal as well.

    One of them is experimenting with ASCII art. You can display predefined or random messages, play games, or run some animation in ASCII format in the Linux terminal using various command line tools.

    My teammate Sreenath likes to explore such unusual CLI tools and share his findings with me. I am sharing those findings with you.

    Most of these programs should be available in the repositories of your Linux distribution. You can use your system’s package manager to install them. To keep the article concise, I have only included the installation instructions for Ubuntu.

    1. lolcat: Add colors to your terminal

    Alright! lolcat doesn’t have anything to do with ASCII art. At least not directly.

    Still, I included it at the beginning of this article because you can combine other ASCII tools with lolcat.

    So, what does it do? It is similar to the cat command but it adds random gradient colors to its output.

    It may not look useful at the moment but you’ll see its impact when the outputs of other ASCII tools are piped through lolcat.

    Install lolcat with the apt command:

    sudo apt install lolcat

    2. Aewan: Display ASCII text beautifully

    Aewan is a multi-layered ASCII graphics/animation editor. It produces stand-alone cat-able ASCII art files and an easy-to-parse format for integration into terminal applications.

    It has two tools: aewan, an ASCII editor, and aecat, for viewing the created file.

    I am not going to discuss the editor part here.

    To display any text in pretty ASCII format, you need the aecat command. Notice the use of letters in the screenshot below.

    To install aewan use the following command:

    sudo apt install aewan

    And then use it like this:

    aecat hello

    3. Cowsay: Make an ASCII cow say whatever you want

    What does the cow say? Whatever you want it to say.

    cowsay is already a popular tool among seasoned Linux users. It shows an ASCII cow that repeats the text you provide it.

    But you are not restricted to cows only. You can change it to several other characters as well. Like a dragon (burning King’s landing):

    Did you notice the colored output in the above screenshot? That’s the magic of the lolcat command I mentioned earlier.

    To install cowsay, use:

    sudo apt install cowsay

    Once installed, you can use it like this:

    cowsay hello

    You can refer to its man page for additional configuration and options.

    4. jp2a: Convert images into ASCII art

    jp2a is a command-line tool that converts images to ASCII art in the Linux terminal. It works with JPEG and PNG files. It also supports colored output and lets you choose the character set used to draw the ASCII image.

    You can install it using the following command:

    sudo apt install jp2a

    You can get the colorful output and save the ASCII text like this:

    jp2a --output=ascii.txt --colors input.png

    It’s not the only program of this kind. There is ascii-image-converter and several other tools that could be used for the same purpose. I won’t discuss all of them in this list.

    5. linuxlogo: Display the ASCII logo of your Linux distro

    The name says it all. It displays the Linux logo in ASCII format.

    No, not our beloved Linux logo, Tux, but the logo of your Linux distribution. It also shows some additional information such as the Linux kernel version, CPU, RAM, hostname, etc.

    You can install it using the apt command:

    sudo apt install linuxlogo

    Just enter linuxlogo to use the command.

    6. Neofetch: Display the Linux logo along with system info

    The above linuxlogo command is too simplistic. You can amp it up by using Neofetch.

    It displays the distribution logo in a prettier way, along with system information such as the kernel, uptime, desktop environment, theme, icons, etc.

    You can also pipe it through lolcat to get rainbow-colored output.

    Install Neofetch using this command:

    sudo apt install neofetch

    And then just enter neofetch to run the command.

    There is also screenfetch, a similar tool to Neofetch. You can use either of them.

    7. fortune: Get your fortune told

    Just kidding! There’s no such thing.

    However, fortune cookies are still fashionable and apparently, people like to read random predictions or teachings.

    You can get a similar feature in the Linux terminal with the fortune command:

    You can install it using the following command:

    sudo apt install fortune

    Once installed, just enter fortune in the terminal to get a random message.

    8. pv: Make things animated

    This is a classic example of the unintended use of a Linux command. The pv command is used to monitor the progress of data through a pipe.

    But you can use it to animate the output of any command. Combine it with some of the above-mentioned commands and you can see the ASCII art appearing on your screen as if it is being typed.

    Install it using the following command:

    sudo apt install pv

    And then use it in the following manner:

    neofetch | pv -qL 200 | lolcat

    The number after -L is the rate limit in bytes per second, so the higher the number, the faster the text appears.

    9. cmatrix: Matrix-like animation in ASCII

    Remember the cult geek movie Matrix? The green falling code is synonymous with Matrix and hacking.

    You can run an ASCII simulation of the falling code in the Linux terminal with the cmatrix command.

    I am sharing a screenshot instead of animation here.

    You can install it with the apt command:

    sudo apt install cmatrix

    Once installed, you can run it with:

    cmatrix

    It starts the animation immediately and it keeps on generating random green text falling and disappearing from the screen. The command keeps on running. To stop the running application, use the Ctrl+C keys.

    10. cbonsai: Grow a bonsai in your terminal

    Got a green thumb? How about growing an ASCII bonsai tree in the terminal?

    cbonsai is a fun Linux command that lets you run a bonsai-tree-growing animation in ASCII format.

    I shared a YouTube Short of the cbonsai command a few days ago.

    You can install cbonsai using:

    sudo apt install cbonsai

    And then to run the animation, use this command:

    cbonsai -l

    Try some more

    There are many more such fun CLI tools. Heck, there are ASCII games as well. It’s fun to use them at times to amuse people around you.

    Can you put these commands to some good use? Not certain about the usability, but you can add some of them in your .bashrc file so that the command is run as soon as you open a terminal session.

    Many sys-admins do that on shared Linux systems. A program like cowsay or figlet can be used to display a message or system info in a pretty way.

    You may also use some of these programs in your bash scripts, especially if you have to highlight something.

    There could be other uses of ASCII art in Linux. I’ll let you share them with the rest of us here.

  • Apple (almost) says, ‘If you want to collaborate, stay apart’

    Apple has made a decision that should show most enterprises that, when it comes to COVID-19, it’s not over till it’s over. The company has reportedly deferred plans to get staff back in the office three days a week because of increasing infection rates.

    Living with COVID means taking it seriously

    A weekend Bloomberg report tells us the full implementation of Apple’s originally mandated three-days-a-week-in-person plan is probably “not imminent.” The report suggests the company is experiencing rising infection rates across its workforce. If Apple is experiencing this, then it is not alone.

    Way back at the beginning of the pandemic, Apple’s retail stores became seen as guides to local infection rates. The company’s planetary network of stores gave Apple’s HR teams global insight into disease outbreaks. Reporters followed Apple store closures as a guide to the disease clusters.

    Apple still has access to those insights today, which means its decision to suspend its return-to-the-office diktat should be seen for what it is: a signal that the sickness has not abated.

    Of course, we must identify some way to live with COVID, but doing so also means taking it seriously. Magical thinking will not make the disease go away, but smart working practices, staggered commuting patterns, and investment in air filtration systems might help blunt its impact.

    Apple’s decision to suspend progress on the return to the office shows the company is coming to terms with that reality. At least, I think it does.

    A warning you should heed

    Apple had chosen to adopt a hybrid work pattern in which employees attend the office three days a week and work remotely for two. It began requesting workers return to the office for one day a week on April 11, two days from May 4, and had intended attendance to rise to three days by May 23. Employees are currently expected to be present for two days a week, but the move to three has been delayed.

    In common with everyone else, not every Apple employee has been able to work remotely during the pandemic. Some of its teams have continued working in person across most of the last couple of years.

    But the decision to delay the company-wide return must surely be taken seriously by businesses hoping to get employees back to the office, as it suggests Apple’s data shows the risk of doing so remains high. As colleague Steven J. Vaughan-Nichols points out, that’s broadly in line with what health professionals are telling us, from epidemiologist Michael Osterholm’s warning to the Washington Post to this observation from Independent SAGE, a group of scientists in the UK: “Closing our eyes and pretending it’s not there, that’s the most dangerous strategy of all.”

    If you value collaboration, stay apart

    Given that the risks of COVID-19 can include months of mental and physical debilitation that leave sufferers unable to work effectively for months, a company that values collaboration and creative intelligence cannot logically insist its teams expose themselves to such risk.

    The last thing Apple, or anyone else, needs is for key personnel to be out of action for months — particularly when the consequences of a forced return are so evident and any company with commitment to corporate social responsibility also has a duty to protect staff’s psychological and physical health.

    Think about it. What is to be gained in mythical ‘water cooler conversations’ if there’s no one around to put those ideas into motion? Just ask the Society of Academic Emergency Medicine. It means that if your workplace values collaboration, it’s way past time to figure out how to collaborate effectively when apart.

  • Cookie conundrum: The loss of third-party trackers could diminish your privacy

    Third-party cookies may be going away in 18 months, but will that achieve Google’s stated intentions of creating a “more privacy-first web?”

    Chris Matty doesn’t think so.

    In fact, he believes the death of the invasive little trackers could paradoxically make our online identities less secure.

    And he believes Apple and Google, which have advocated for an end to this form of passive surveillance, are motivated by goals that are less altruistic than they may seem.

    Matty is the founder and chief revenue officer of Versium, a business-to-business omnichannel marketing firm that profiles online visitors without using cookies. Instead, it harvests data from various third-party sources in a process that complies with the California Consumer Privacy Act and then uses deterministic algorithms to make what is essentially an educated guess about the identity of visitors.

    Matty believes the end of third-party cookies will be a windfall for technology giants whose reach spans multiple properties.

    The losers will be everyone else.

    On their own

    With third-party cookies out of the picture, marketers will be forced to double down on the data they collect on their own web properties through first-party cookies, which will still be with us.

    Those are the trackers you permit to install on your computer when you arrive at a website and are presented with one of those “this site uses cookies” messages.

    The thousands of small website owners that now rely on third-party cookies to identify visitors will have to start collecting more data for themselves.

    That means more registration pages, paywalls, and prompts to give up information about yourself.

    The result will be that “the loss of cookies will actually diminish privacy,” Matty says. “Publishers are going to have to start using gated logins, so they capture an email address.”

    This isn’t a problem for the few giants with a vast web footprint.

    Think about this: How often do you sign in to Google or Facebook? Almost never.

    Once you log in to Google, the company can follow you across its search engines, email service, office productivity applications, media sites, and other outposts in its empire.

    Theoretically, it can track you on other properties as well, as long as you’re signed in.

    However, independent ad networks won’t have access to this information soon, so Google and Facebook will become even more powerful online advertising brokers.

    Meanwhile, independent sites will be pressured to lock down their content more tightly to encourage registration.

    The result will be less free information, more walled gardens, and a greater need for people to keep track of usernames and passwords for all the places they visit.

    “It will cost marketers more because [the cost per thousand visitors] will grow,” Matty says. “The cost of marketing will go up because information will be controlled by fewer companies.”

    An unpopular alternative

    Google has proposed an alternative called Federated Learning of Cohorts that replaces third-party cookies with anonymized information about groups of people stored in the browser.

    Not everyone thinks that’s such a good idea.

    “That approach would put the browser at the center of the advertising equation, and Google, not coincidentally, makes Chrome, the world’s most popular browser,” wrote Adam Tanner, an author of two books about online privacy, in a recent article in Consumer Reports.

    Versium and many other identity technology firms are finding ways to reverse engineer identities without using cookies or compromising privacy.

    The firm gathers data from multiple sources about people who have given their permission to share it and then uses predictive algorithms to infer identities.

    Matty calls this technique “match logic.” “There are literally hundreds of match codes we can assign with high confidence,” he said. “We can increase match rates from 10% to 90%.”

    In a B2B context, that’s valuable in harmonizing personal and business email addresses. About 70% of LinkedIn profiles are tied to personal email addresses; matching them to a list of business addresses can be a shot in the dark.

    Matty says that adding third-party, opt-in data can resolve most of those mysteries.

    If a marketer has a personal email address, it can be matched to a business address by factoring in other data points like a home address and the nearby population of people with similar names.

    “We can look for a physical address and deduce how far they are from a business and so infer that the person works at that business,” Matty says. “There are literally hundreds of match codes we can assign with high confidence.”

    This means the end of cookies could trigger an explosion in big data analytics. And guess who owns the most popular suite of analytics tools in the cloud?

    Yup, it’s Google.

  • Reviewing the latest Apple rumors

    Audio

    On Today in Tech, join Michael Simon and Ken Mingis as they separate the facts from fiction about the new 13-inch MacBook Pro, the M2 chip, the M2 MacBook Air, and the latest rumors.

  • Q&A: Two coding-bootcamp graduates tell their stories

    Technology bootcamps are relatively short-term full- or part-time intensive training programs offering skill sets that in many cases can quickly catapult a previously non-technical person into a high-paying tech career. 

    The schools teach students in-demand skills in areas such as coding, cybersecurity and fintech, and in recent years, the one-and-a-half- to six-month-long bootcamps have become talent pools for organizations looking for skills-based job seekers. And with the Great Resignation in full swing, more workers are choosing to move into tech for flexible working conditions and high pay.

    Graduates from coding bootcamps report quickly finding full-time jobs, a fast ROI, higher salaries, and STEM career opportunities, according to a recent survey of 3,800 US graduates of university coding bootcamps by US tech education platform company 2U and Gallup. Along with new careers, the programs can help existing tech workers gain new skills to grow in their current roles.

    Globally, there are more than 500 tech bootcamps, according to Source Report, a coding school tracker. While the average bootcamp costs about $14,000, a Source report survey found the average salary increase for coding bootcamp graduates was 56%, or $25,000. And, in 2021, the average starting salary of a bootcamp grad was $69,000.

    Some of the more popular tech bootcamps include CareerFoundry, Fullstack Academy, Flatiron School, Wild Code School, Coding Dojo, WBS Coding School, General Assembly online bootcamp, Springboard, and Udacity.

    2U offers a tech bootcamp platform that’s been adopted by more than 50 universities. The bootcamp offers instruction across eight disciplines, including coding, data analytics, cybersecurity, and fintech.

    Since 2U launched its platform in 2016, 48,000 students have graduated from its programs, and more than 6,000 companies have hired them, including Fortune 500 companies such as Amazon, Autodesk, Capital One, Cognizant, Deloitte, Google, Liberty Mutual, SkillStorm, and State Farm.

    Two graduates from 2U’s six-month tech bootcamp are Stephen Powell and Danielle Bowman, neither of whom had any previous experience with technology or coding as part of their careers.

    Powell, 35, grew up in Washington DC and dropped out of high school before getting a job in retail sales at Verizon at 20. A year later, he got his GED and advanced into a corporate role. To further boost his career, Powell decided he needed more technical training — but didn’t want to spend four years getting a degree. At age 32 – recently married, working full time and raising a 10-year-old child – he enrolled in the George Washington University Data Analytics Boot Camp and landed a new role in data engineering at Koverse, an SAIC subsidiary.

    Based in Atlanta, Bowman spent more than 13 years as a Walgreens store manager before deciding to change careers. After graduating from a University of Central Florida coding bootcamp with a certificate in full stack web development, she now works as a software engineering manager at CodeMettle.

    The following are excerpts from interviews with both bootcamp graduates:

    Stephen Powell

    What were doing after getting your GED? “I started working for Verizon in the retail channel at 19. I did that for about four years and then went on to do government telesales. Then I was a federal account manager for a couple of years. Then I became a B2B trainer of B2B reps and managers and then a national client partner of enterprise accounts at Verizon. I was there for 11 years. I was able to move up…, mainly through sales and training. At the end of 2018, I decided to leave Verizon on my own volition and go work at a start-up as a sales engineer [at KryptoWire]. So, from a company of 66,000 to a company of 16, it was quite a culture shock. And, that’s kind of where I knew I needed to get a lot smarter around technology.

    “It was actually my job at KryptoWire that prompted me to think, ‘I’m going to peak here at some point.’ It was a mobile appliction security testing firm. That’s why I decided to go to boot camp in 2019.”

    What was it about your job at KryptoWire that gave you the idea to go to a coding bootcamp? “The first couple of meetings I had at KryptoWire — the internal meetings with the engineering team — they were saying things I had no clue about. To be candid, I felt kind of stupid. So, I went home and I started researching programs on tech, and coding specifically. I knew at 32 years old, I didn’t have four years to give; not only that, I didn’t have debt to accrue. So, I literally Googled programs around Python and data analytics, and that’s how I found the bootcamp, and then I took the pretest and applied for it. It was literally researching programs on a Saturday.”

    What was it about the program that you liked, or didn’t like? “What I liked was the instruction.

    “Now, one thing I had over cohorts is that I spent such a long time in corporate America. I knew what it was like to generate and maintain relationships. That’s one thing I’m good at. I knew that developing relationships with instructors and teaching assistants was going to make me most successful in my career path. And, so that’s what I really enjoyed about it. I can’t say I had any dislikes only because I went into the program knowing whatever happened would be based upon my effort. I was in sales, so I’m used to eating what I kill. So, I applied that same principle to the bootcamp.

    “It was hard at first, from a work standpoint — but that’s because I hadn’t done Python before. …But after the first few weeks of me getting repetitious about it and doing some self-study, I was able to catch on.”

    What was it like seeing code for the first time? “I remember the first night we did Python, I went home and told my wife I’m probably going to drop out. The first night we did Python, they were very simple tasks, but I simply couldn’t catch on.

    “My wife has been a backbone for me. She told me to stick with it. It was scary. It was foreign. It looked like a foreign language. I know some Spanish and this looked a lot worse.”

    Along with your wife’s support, what kept you from quitting? “I have an acute fear of failure. And also, I knew at KryptoWire, because I worked with such a smart group of people, my skillsets — even my ability to build relationships — wouldn’t carry me into tech. So, if I didn’t get any formal training, whether it be boot camp or a four-year degree, I was going to be left out of that pool of people smart enough to maintain a career in technology.

    “So, that fear of missing out — that FOMO – and the fear of failing really drove me. I actually developed a personal interest in learning more about code and data science.”

    Was it very expensive? “So, the whole program was $10K. Again, I think I was lucky in the sense that I had a good paying job, so it wasn’t a massive financial undertaking for me. I know some of my other cohorts emptied their savings, they got personal loans. But for me, it wasn’t a heavy lift financially. I always say, I’ve spent more on less.”

    What was the course like? “It was six months long. It was all in person. We did Tuesdays and Thursdays for three hours — 6:30 p.m. to 9:30 p.m. And on Saturday from 10 a.m. to 2 p.m.”

    Was the workload manageable, considering you were working a full-time job? “There were adjustments that had to be made, for sure. Because you have a full life, including your personal life, you do have to carve out time outside of regular coursework in order to maintain and upskill in the program. So, for the first couple of weeks there was a time I really had to adjust myself — not only my work schedule, but also my sleep schedule; some of these nights went a little longer than they would have if I weren’t in the program. It was a tough couple of weeks…just trying to get ramped up and really understand what being in a program like this takes….”

    What was the most difficult part of the course? “The speed of the course work. They really try to squeeze in about four years of materials into six months. So, keeping up initially was really tough for me. That’s why I had to put in the extra time, not just in the classroom, but also at home. So, there were some personal sacrifices, albeit mostly social, I had to make in order to be successful. But the speed was it; one week we’re talking about one thing and the next week we’re onto another topic, and the next topic might incorporate that thing you learned four weeks ago. So, it was a lot to keep up with….”

    What did you like best about it? “The teachers. I loved the instruction. It was careful and thoughtful. When you asked a question, you didn’t feel stupid. I really appreciated that. In fact, I still keep in touch with my instructors today. That’s how I know I valued them so much. They were always encouraging me, always.”

    What was your first job out of bootcamp? “I was a data analyst. The boot camp was a data science program. Normally, the path is to start off as a data analyst and then you end up a data scientist. So, I went in thinking that would be my path. But in the program you start to understand the skillset you’re investing in can fit a wide range of roles. So, once I was in the program, I stopped narrowing my view of what I could do.

    “Number one, I could keep the job I had and be better at it. I could be a data analyst or data scientist. That was a very buzz-worthy title three or four years ago. But after a while, I realized I could do anything with those skills. I actually got the data analyst job a month before completing the bootcamp program.

    “Because I had a lot of federal experience, dealing with federal integrators and customers, I got a job as a data analyst with the Department of Justice — and I got that right before COVID started. I wasn’t comfortable with my coding prowess at that point to be a full-fledged engineer. That’s why I went that route.

    “Now, I’m on my third job since the program. I was a data analyst for a year, and actually got the opportunity to become a data engineer at Koverse, an SAIC company.”

    How has your career change affected your life? “I had a pretty good job before. Job security is a term I stay away from, but now I have skill security. What the program did was give me a sense of always wanting to learn more. I’m a heavy reader. I read at least two books a month around what I do. And I wouldn’t have gotten that fervor to learn — that fire — had I not attended that bootcamp.

    “Engineering to me is a trade that if you’re able to learn and upscale it, you’ll be able to maintain [a career] for a very long time.”

    In terms of income, has this allowed you to earn more? “Yes. Specifically, when I was at Verizon, I earned well, but it was commission-based. So, now I’m earning that kind of money at a salary level. And, now I work at a company — I started a new job last week — that afforded me the ability to actually have equity in the company….

    “To be honest, you don’t know these companies like Facebook give you equity in the company until you get into that realm. It’s made a difference in how I view money, certainly in how I spend it and also how I invest it. It’s made a hell of a difference.”

    What advice would you give others considering careers in technology and attending a bootcamp? “Consistency over fear. If you’re consistent with it, no matter what you’re afraid of, you’ll get it eventually. I still have imposter syndrome to this day. But, if I’m consistent with my work ethic and my ability to program and build things, I can put that fear on the back burner. Because all I have to do is get in front of my computer and say, ‘I’m just going to do it regardless of what the outcome is.’ Consistency will trump everything.

    “I now work for Gretel. It’s an AI and machine learning company. I’m super excited.”

    What do you like about your current job? “I like the fact that I’m part of a company that’s defining a new space in technology. We specialize around synthetic data. We are at the forefront of defining this space, to the point where we’re going to have to be educating folks in the next few years about what it is, which I absolutely love…. I can look back and say Gretel was the one who introduced me to this amazing new topic of AI and machine learning.”

    Danielle Bowman


    What was your career prior to attending the coding bootcamp? “I got my business management degree and started at Walgreens literally the week after as assistant manager. I had my own store within three or four years. Then I managed a bunch of stores. I started in Cleveland, Ohio before Orlando. Then I was managing stores in Orlando.

    “It was fine. It was a good career. It was well paying. But, I knew it wasn’t my long-term career. I just happened to be good at it. But I also knew I didn’t want to work holidays, I was tired of working on weekends and dealing with stuff non-stop.”

    How did you learn about the coding bootcamp? “A friend of mine — we used to be assistant managers together in Ohio — asked me if I’d ever thought about coding, and I told him, no. He’d become a [software] engineer. No one had ever suggested it as a career path to me. I was naïve to all of it. He told me there’s a demand for it and your salary could transition and you wouldn’t have to take a huge [loss].


  • Cisco announces plan to exit Russia and Belarus


    Cisco has announced plans to formally exit Russia, winding down its business operations in Russia and Belarus in response to the invasion of Ukraine earlier this year.

    The networking company first made a statement on March 3, declaring that it would be halting all business operations in Russia and Belarus “for the foreseeable future.” On Thursday the company released another statement, noting that it had continued to “closely monitor” the war in Ukraine and as a result, a decision had been made to “begin an orderly wind-down of our business in Russia and Belarus.”

    “Cisco remains committed to using all its resources to help our employees, the institutions and people of Ukraine, and our customers and partners during this challenging time,” the statement said.

    On an earnings call in April, Cisco’s CFO Scott Herren told analysts that historically, Russia, Belarus and Ukraine collectively have represented approximately 1% of the company’s total revenue.

    However, he noted that the decision to stop business operations in both Russia and Belarus did have a negative impact on revenue, costing the company “approximately $200 million or two percentage points of growth.”

    What are other companies doing?

    In the days after Russia’s initial invasion, a long list of Western technology companies suspending operations in Russia began to grow.

    SAP and Oracle were two of the first tech organizations to publicly pull out of the country after Ukrainian vice prime minister Mykhailo Fedorov publicly posted letters to appeal to both companies on Twitter.

    In early March, Microsoft also announced it would suspend new sales of Microsoft products in Russia, “in compliance with governmental sanctions decisions.”

    However, at the time, the statement was criticized by Ukrainian vice prime minister Mykhailo Fedorov, who said that simply suspending sales in Russia did not go far enough and that the company should block access to its products.

    This week, Russian news agency TASS reported that attempts to install Windows 10 and Windows 11 in Russia had been blocked. Microsoft has yet to make any comment as to whether this is a technical error or part of the company’s plan to further withdraw from Russia.


    Copyright © 2022 IDG Communications, Inc.




  • Zoom unveils its latest platform evolution with the launch of Zoom One


    Zoom has unveiled Zoom One, a new offering that brings together chat, phone, meetings, and whiteboarding capabilities in a single, purpose-built environment.

    Users of Zoom One will be able to access Zoom’s collaboration and communication tools and perform actions such as starting phone or video calls from a chat message or collaborating on a whiteboard from a Zoom desktop or Zoom room.

    In a press release announcing the launch, company President Greg Tomb said that as Zoom evolved from a meeting app to a comprehensive communications platform, it was clear that introducing new packaging like Zoom One was the next step in the company’s evolution.

    “By bringing together chat, phone, meetings, whiteboard, and more in a single offering, we are able to offer our customers solutions that are simple to manage, so they can focus on business issues that matter most,” he said.

    Zoom One has six tiered plans available to customers, including Basic, Pro, Business and Enterprise versions.

    • Zoom One Basic provides free 40-minute Zoom Meetings for up to 100 attendees, persistent Zoom Chat for team messaging, limited Zoom Whiteboard for synchronous and asynchronous work, and real-time transcription.
    • Zoom One Pro provides everything Zoom One Basic offers without meeting time limits, plus cloud-based recording.
    • Zoom One Business provides everything Zoom One Pro offers, plus Zoom meetings for up to 300 attendees and unlimited Zoom Whiteboards.
    • Zoom One Business Plus provides everything Zoom One Business offers, plus Zoom Phone Pro with unlimited regional calling and Zoom’s all-new translation feature.
    • Zoom One Enterprise and Zoom One Enterprise Plus provide everything Zoom One Business offers with larger meeting capacity and additional features, like Zoom Webinars, to help modern businesses scale. Zoom One Enterprise Plus also includes Zoom Phone Pro with unlimited regional calling.

    Zoom One Basic, Pro, Business and Business Plus plans are available for purchase today, priced at $149 per year/user; $199 per year/user; and $250 per year/user respectively.

    Translated and multilanguage captions

    Users of Zoom’s new Zoom One Business Plus and Zoom One Enterprise Plus packages will have access to bidirectional translated captions. The captions will be able to translate between Chinese (simplified), Dutch, English, French, German, Italian, Japanese, Korean, Russian, Spanish, and Ukrainian upon launch.

    Zoom has also extended its automated captioning—the ability to caption in real-time what a speaker is saying in the same language as the one spoken—to include 10 additional languages. Automated captions previously were supported in English, but now can be displayed in the same 10 languages available for live translation.  

    Multilanguage automated captions are available in Business Plus, Enterprise, and Enterprise Plus packages with additional support for other plans coming soon.

    Zoom Apps software development kit

    Zoom also announced this week that the company has opened its Zoom Apps developer programme to all developers via Zoom Apps SDK (software development kit).

    The Zoom Apps JavaScript software development kit (SDK) is designed to provide developers with the resources and supporting infrastructure needed to build Zoom Apps within the Zoom platform. By using the Zoom Apps SDK, developers can reach Zoom customers via the Zoom App marketplace, where users can simultaneously discover and add new apps, according to the company.

    Zoom says that to date, over 100 apps have been published by developer partners in its app marketplace.

    “With the launch of the Zoom Apps SDK, the Zoom Developer Platform continues to expand and offer developers new ways to incorporate video communications and collaboration into their creations, transforming business workflows forever,” said Zoom CTO Brendan Ittelson, in a statement.


  • How Apple is updating mobile device management


    As expected, Apple at WWDC announced a series of significant changes to how Macs, iPads, iPhones, and Apple TVs are managed in business and education environments. These changes largely break into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management Apple introduced last year in iOS 15).

    It’s important to look at each group separately to best understand the changes.

    How did Apple change overall device management?

    Apple Configurator

    Apple Configurator for iPhone got a significant expansion. It’s long been a manual method of enrolling iPhones and iPads in management rather than using automated or self-enrollment tools. The tool originally shipped as a Mac app that could configure devices, but it had one major downside: devices had to be connected via USB to the Mac running the app. This had obvious implications in terms of the time and manpower in anything other than a small environment.

    Last year, Apple introduced a version of Configurator for iPhone that reversed the workflow of the original, meaning an iPhone version of the app could be used wirelessly to enroll Macs into management. It was primarily used to enroll Macs that had been purchased outside of Apple’s enterprise/education channel into Apple Business Manager (Apple products purchased through the channel can be auto-enrolled with zero-touch configuration).

    The iPhone incarnation is incredibly simple. During the setup process, you point an iPhone camera at an animation on the Mac’s screen (much like pairing an Apple Watch) and that triggers the enrollment process.

    The big change this year is that Apple expanded the use of Apple Configurator for iPhone to support iPad and iPhone enrollment using the same process — removing the requirement that devices be attached to a Mac. This greatly reduces the time and effort needed to enroll these devices. There’s one caveat: devices that require cellular activation or have been activation locked will need that activation to be completed manually before Configurator can be used.

    Identity management

    Apple has made useful changes for identity management in enterprise environments. The most significant: it now offers support for additional identity providers including Google Workspace and OAuth 2, which allows an expansive set of providers. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.

    The company also announced that support for single sign-on enrollment across its platforms will be implemented after macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal here is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, an effort to expand and streamline access to enterprise apps and websites each time users log in to their device(s).

    Managed per-app networking

    Apple has long had per-app VPN capabilities, which allow only specific enterprise or work-related apps to use an active VPN connection. This applies VPN security, but limits VPN load by only sending specific app traffic over a VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. This helps secure traffic for specific apps and functions the same as per-app VPN. And this requires no changes to the apps themselves. DNS proxy supports system-wide or per-app options while content filtering supports system-wide or up to seven per-app instances.

    eSIM provisioning

    For iPhones that support eSIMs, Apple is making it possible for mobile device management software (MDM) to configure and provision an eSIM. This can include provisioning a new device, migrating carriers, use of multiple carriers, or configuration for travel and roaming.

    Managing Accessibility settings

    Apple is well known for its expansive set of Accessibility features for people with special needs. In fact, many people without special needs also use several of these features. In iOS/iPadOS 16, Apple is allowing MDM to enable and configure a handful of the most common features automatically, including: text size, VoiceOver, Zoom, Touch Accommodations, Bold Text, Reduce Motion, Increase Contrast, and Reduce Transparency. This will be a welcome tool in such areas as special education or hospital and healthcare situations where devices may be shared among users with special needs.

    What’s new in Apple’s Declarative Management process?

    Apple unveiled Declarative Management last year as an improvement over its original MDM protocol. Its big advantage is that it moves much of the business logic, compliance, and management from the MDM service to each device. As a result, devices can proactively monitor their state. That eliminates the need for the MDM service to constantly poll for their device state and then issue commands in response. Instead, devices make those changes based on their current state and on the declarations sent to them and report them back to the service.

    Declarative management relies on declarations that contain things like activations and configurations. One advantage is that a declaration can include multiple configurations as well as the activations that indicate when or if the configuration should be activated. This means a single declaration can include all the configurations for all users, paired with activations that indicate to which users they should apply. This reduces the need for large sets of different configurations as the device itself can determine which ones should be enabled for the device because of its user. 

    This year, Apple has expanded where Declarative Management can be used. Initially, it was available only on iOS/iPadOS 15 devices that leveraged user enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of their enrollment type. That means device enrollment (including Supervised devices) is supported across the board, as is shared iPad (an enrollment type that allows multiple users to share the same iPad, each with his or her own configuration and files.)

    The company has made it crystal clear that Declarative Management is the future of Apple device management and that any new management features will be rolled out only to the declarative model. Although traditional MDM will be available for some unspecified time, it has been deprecated and will eventually be retired.

    This has major implications for devices already in use. Devices that can’t run macOS Ventura or iOS/iPadOS 16 will eventually be dropped and any that remain in service will need to be replaced. Given the swath of devices losing support, this could make for a costly transition for some organizations. Although it isn’t immediate, you should begin to determine the size and cost of the transition and how you will manage it (particularly since it will likely require a transition to Apple Silicon, which doesn’t support the ability to run Windows or Windows apps, in the process).

    Beyond expanding what products can use declarative management, Apple also extended its functionality, including support for passcode configuration, enterprise accounts, and MDM-governed app installation.

    The passcode option is more complex than simply requiring a passcode of a certain type. Passcode compliance is traditionally required for certain security-related configurations, such as sending the corporate Wi-Fi configuration to a device. In the declarative model, those configurations can be sent to the device before a passcode is set. They are sent along with the passcode requirement and include an activation that will enable them only once the user creates a passcode that complies with that policy. Once the user sets a passcode, the device will detect the change and enable the Wi-Fi configuration without multiple connections to the MDM service, enabling Wi-Fi immediately and notifying the service it’s been activated.

    Accounts — which can include things such as mail, notes, calendar, and subscribed calendars — function similarly. A declaration can specify all the types of accounts supported within the organization as well as all the subscribed calendars. The device will then determine — based on the user’s account and role(s) within the organization — which ones to activate and enable.

    MDM app installation is the most significant addition to declarative management, since app installation is one of the tasks that puts the most load on an MDM and the biggest bottleneck during mass device activations (such as a large onboarding of new employees, new device rollouts, or the first day of school). A declaration can specify all the potential apps to be installed and sent to a device at activation, even before it has been handed to its user. Again, the device will determine which app installation configurations to activate and make available, based on the user. This avoids each device having to repeatedly query the service and download apps and their configurations. It also simplifies and speeds up the process of enabling (or disabling) apps if a user’s role changes.
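
    The passcode-gated Wi-Fi and role-based app activation described above, as an added example that is not Apple's code or wire format: a simplified Python model in which the device receives every configuration and activation once and then decides locally what to enable. All identifiers, payload keys and predicates are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Simplified model: identifiers, payload keys and predicates are illustrative
# assumptions, not Apple's declaration schema or wire format.


@dataclass(frozen=True)
class Configuration:
    identifier: str
    kind: str      # "passcode", "wifi" or "app" in this model
    payload: dict


@dataclass(frozen=True)
class Activation:
    identifier: str
    configurations: tuple              # configuration identifiers it turns on
    predicate: Callable[[dict], bool]  # evaluated on-device against local state


class Device:
    def __init__(self, role: str):
        self.state = {"role": role, "passcode_compliant": False}
        self.passcode: Optional[str] = None
        self.configs: dict = {}
        self.activations: list = []
        self.active: set = set()
        self.server_fetches = 0         # downloads of declarations from the service
        self.status_reports: list = []  # changes the device reports back

    def sync(self, configs, activations) -> None:
        """Receive the full declaration set once, then evaluate it locally."""
        self.server_fetches += 1
        self.configs = {c.identifier: c for c in configs}
        self.activations = list(activations)
        self._reevaluate()

    def set_passcode(self, passcode: str) -> None:
        self.passcode = passcode
        self._reevaluate()

    def set_role(self, role: str) -> None:
        self.state["role"] = role
        self._reevaluate()

    def _passcode_ok(self, active_ids) -> bool:
        """Check the current passcode against every active passcode policy."""
        policies = [self.configs[i].payload for i in active_ids
                    if self.configs[i].kind == "passcode"]
        if self.passcode is None or not policies:
            return False
        pc = self.passcode
        has_mix = any(ch.isalpha() for ch in pc) and any(ch.isdigit() for ch in pc)
        return all(len(pc) >= p["min_length"]
                   and (has_mix or not p["require_alphanumeric"])
                   for p in policies)

    def _wanted(self) -> set:
        ids = set()
        for act in self.activations:
            if act.predicate(self.state):
                ids.update(c for c in act.configurations if c in self.configs)
        return ids

    def _reevaluate(self) -> None:
        # Two passes: the active passcode policy decides compliance, and
        # compliance can in turn satisfy (or revoke) another activation.
        self.state["passcode_compliant"] = self._passcode_ok(self._wanted())
        wanted = self._wanted()
        if wanted != self.active:
            self.status_reports.append({
                "activated": sorted(wanted - self.active),
                "deactivated": sorted(self.active - wanted),
            })
            self.active = wanted


def build_declarations():
    """Constructed sample: one declaration set covering every user role."""
    configs = [
        Configuration("cfg.passcode", "passcode",
                      {"min_length": 8, "require_alphanumeric": True}),
        Configuration("cfg.wifi.corp", "wifi", {"ssid": "CORP-EXAMPLE"}),
        Configuration("cfg.app.ehr", "app", {"bundle": "com.example.ehr"}),
        Configuration("cfg.app.pos", "app", {"bundle": "com.example.pos"}),
    ]
    activations = [
        Activation("act.baseline", ("cfg.passcode",), lambda s: True),
        Activation("act.wifi", ("cfg.wifi.corp",), lambda s: s["passcode_compliant"]),
        Activation("act.clinical", ("cfg.app.ehr",), lambda s: s["role"] == "clinician"),
        Activation("act.retail", ("cfg.app.pos",), lambda s: s["role"] == "cashier"),
    ]
    return configs, activations


def demo():
    dev = Device(role="clinician")
    dev.sync(*build_declarations())
    before = set(dev.active)
    dev.set_passcode("1234")           # too short: Wi-Fi stays off
    weak = set(dev.active)
    dev.set_passcode("c0rrect-horse")  # compliant: Wi-Fi activates locally
    strong = set(dev.active)
    dev.set_role("cashier")            # apps swap without a new download
    return dev, before, weak, strong
```

    In this model the Wi-Fi payload is already on the device before it is active, so the activation predicate is the only thing keeping the credential out of use on a non-compliant device.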

    These are significant improvements and it’s easy to see why they are the first additions to Declarative Management after its initial rollout. There are still MDM capabilities that have not made the leap to declarative use, but it is obvious that eventually – perhaps as soon as next year – they will.

    This is one of the most significant WWDC announcements for enterprise and it’s good to see that Apple has been thoughtful in deciding which features to add or update since most of them tackle areas that were difficult, time consuming, resource intensive, or tedious. Apple is not just addressing enterprise customer needs, but demonstrating that it understands those needs.


  • Microsoft delivers solid Windows-focused updates for June’s Patch Tuesday


    June’s Patch Tuesday updates, released on June 14, address 55 vulnerabilities in Windows, SQL Server, Microsoft Office, and Visual Studio (though there are no Microsoft Exchange Server or Adobe updates this month). And a zero-day vulnerability in a key Windows component, CVE-2022-30190, led to a “Patch Now” recommendation for Windows, while the .NET, Office and SQL Server updates can be included in a standard release schedule.

    You can find more information on the risk of deploying these Patch Tuesday updates in this infographic.

    Key testing scenarios

    Given the large number of changes included in this June patch cycle I have broken out the testing scenarios for high risk and standard risk groups.

    These high-risk changes are likely to include functionality changes, may deprecate existing functions, and will likely require new testing plans. Test your signed drivers using physical and virtual machines (BIOS and UEFI) and across all platforms (x86, 64-bit):

    • Run applications that have binaries (.EXE and .DLL) that are signed and unsigned.
    • Run drivers that are signed and unsigned. Unsigned drivers should not load. Signed drivers should load.
    • Use SHA-1 signed versus SHA-2 signed drivers.

    Each of these high-risk test cycles must include a manual shut-down, reboot, and restart. The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:

    • Test remote Credential Guard scenarios. (These tests will require Kerberos authentication, and may only be used with the RDP protocol.)
    • Test your Hyper-V servers and start/stop/resume your Virtual Machines (VM).
    • Perform shadow copy operations using VSS-aware backup applications in a remote VSS deployment over SMB.
    • Test deploy sample applications using AADJ and Intune. Ensure that you deploy and revoke access as part of your test cycle.

    In addition to these standard testing guidelines, we recommend that all core applications undergo a testing regime that includes self-repair, uninstall, and update. This is due to the changes to Windows Installer (MSI) this month. Not enough IT departments test the update, repair, and uninstall functions of their application portfolio. It’s good to challenge each application package as part of the Quality Assurance (QA) process that includes the key application lifecycle stages of installation, activation, update, repair, and then uninstall.

    Not testing these stages could leave IT systems in an undesirable state — at the very least, it will be an unknown state.

    Known issues

    Each month, Microsoft includes a list of known issues that relate to the operating system and platforms affected this cycle. This month, there are some complex changes to consider, including:

    • After installing this June update, Windows devices that use certain GPUs might cause applications to close unexpectedly or cause intermittent issues. Microsoft has published KB articles for Windows 11 (KB5013943) and Windows 10, version 21H2, all editions (KB5013942). There are no resolutions for these reported issues yet.
    • After installing this month’s update, some .NET Framework 3.5 apps might have issues or fail to open. Microsoft said you can mitigate this issue by re-enabling .NET Framework 3.5 and the Windows Communication Foundation in Windows Features.

    As you may be aware, Microsoft published an out-of-band update (OOB) last month (on May 19). This update affected the following core Windows Server based networking features:

    The security vulnerabilities addressed by this OOB update only affect servers operating as domain controllers and application servers that authenticate to domain controller servers. Desktop platforms are not affected. Due to this earlier patch, Microsoft has recommended that this June’s update be installed first on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC). Then install this update on all DC role computers. Alternatively, pre-populate CertificateMappingMethods to 0x1F as documented in the registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14 update has been installed on all intermediate or application servers and all DCs.

    Did you get that? I must note with a certain sense of irony, that the most detailed, order-specific set of instructions that Microsoft has ever published (ever), are buried deep, mid-way through a very long technical article. I hope everyone is paying attention.
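
    The installation order in that guidance can be checked mechanically before a change window. The following is an added example, not Microsoft's tooling: a Python validator for a rollout plan, based on one reading of the paragraph above (DCs are patched only after every intermediate or application server, unless every DC already has CertificateMappingMethods set to 0x1F). Host names and the step vocabulary are constructed for illustration.

```python
# Added example: validates a rollout plan against the ordering quoted above.
# Host names and the step vocabulary are constructed for illustration.
PREPOPULATED = 0x1F  # CertificateMappingMethods value named in the guidance


def validate_plan(hosts, steps):
    """Return a list of ordering violations for a planned rollout.

    hosts: {name: "app" | "dc"}, where "app" means an intermediate or
           application server that passes client certificates to a DC.
    steps: tuples in execution order, one of
           ("install", host), ("set_mapping", dc, value), ("delete_mapping", dc).
    """
    apps = {h for h, role in hosts.items() if role == "app"}
    dcs = {h for h, role in hosts.items() if role == "dc"}
    installed = set()   # hosts that have the June 14 update at this point
    mapping = {}        # dc -> CertificateMappingMethods value currently set
    violations = []

    for n, step in enumerate(steps, 1):
        action, host = step[0], step[1]
        if host not in hosts:
            violations.append(f"step {n}: unknown host {host}")
            continue

        if action == "install":
            if host in dcs:
                apps_done = apps <= installed
                prepopulated = all(mapping.get(d) == PREPOPULATED for d in dcs)
                if not (apps_done or prepopulated):
                    pending = ", ".join(sorted(apps - installed))
                    violations.append(
                        f"step {n}: {host} is a DC, but {pending} lack the update "
                        f"and not every DC has CertificateMappingMethods=0x1F")
            installed.add(host)

        elif action == "set_mapping":
            if host not in dcs:
                violations.append(f"step {n}: {host} is not a DC")
            else:
                mapping[host] = step[2]

        elif action == "delete_mapping":
            missing = (apps | dcs) - installed
            if missing:
                violations.append(
                    f"step {n}: CertificateMappingMethods deleted on {host} "
                    f"before the update is on {', '.join(sorted(missing))}")
            mapping.pop(host, None)

        else:
            violations.append(f"step {n}: unknown action {action}")

    return violations


# Constructed inventory used by the checks that accompany this example.
SAMPLE_HOSTS = {"app1": "app", "app2": "app", "dc1": "dc", "dc2": "dc"}
```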

    Major revisions

    Though we have fewer “new” patches released this month, there are a lot of updated and newly released patches from previous months, including:

    • CVE-2021-26414: Windows DCOM Server Security Feature Bypass. After this month’s updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers will be enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft has published KB5004442 to help with the configuration changes required.
    • CVE-2022-23267: .NET and Visual Studio Denial of Service Vulnerability. This is a minor update to affected applications (now affecting the Mac platform). No further action required.
    • CVE-2022-24513: Visual Studio Elevation of Privilege Vulnerability. This is a minor update to the list of affected applications (now affecting the Mac platform). No further action required.
    • CVE-2022-24527: Microsoft Endpoint Configuration Manager Elevation of Privilege. This major update to this patch is a bit of a mess. This patch was mistakenly allocated to the Windows security update group. Microsoft has removed this Endpoint manager from the Windows group and has provided the following options to access and install this hot-fix:
    1. Upgrade to Configuration Manager current branch, version 2203 (Build 5.00.9078), which is available as an in-console update. See Checklist for installing update 2203 for Configuration Manager for more information.
    2. Apply the hotfix. Customers running Microsoft Endpoint Configuration Manager, versions 1910 through versions 2111 who are not able to install Configuration Manager Update 2203 (Build 5.00.9078) can download and install hot-fix KB12819689.
    • CVE-2022-26832: .NET Framework Denial of Service Vulnerability. This update now includes coverage for the following affected platforms: Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation). No further action required.
    • CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This patch is personal — we were affected by this issue with massive server performance spikes. If you are having problems with MSDT, you need to read the MSRC blog post, which includes detailed instructions on updates and mitigations. To solve our issues, we had to disable the MSDT URL protocol, which has its own problems.

    I think that we can safely work through the Visual Studio updates, and the Endpoint Configuration Manager changes will take some time to implement, but neither change has a significant testing profile. DCOM changes are different — they are tough to test and generally require a business owner to validate not just the installation/instantiation of the DCOM objects, but the business logic and the desired outcomes. Ensure that you have a full list of all applications that have DCOM dependencies and run through a business logic test, or you may have some unpleasant surprises — with very difficult-to-debug troubleshooting scenarios.
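
    One way to start the DCOM dependency list described above: an added example (not from the article or KB5004442) that reads the locally registered DCOM applications through the Win32_DCOMApplicationSetting WMI class. Treating an explicit per-application level below packet integrity as the first thing to test is a heuristic assumed here, and the output file name is arbitrary.

    ```powershell
    # Win32_DCOMApplicationSetting.AuthenticationLevel values and their meaning.
    $levelName = @{
        1 = 'None'; 2 = 'Connect'; 3 = 'Call'
        4 = 'Packet'; 5 = 'PacketIntegrity'; 6 = 'PacketPrivacy'
    }

    function Get-DcomInventory {
        # Read-only query of the DCOM applications registered on this machine.
        Get-CimInstance -ClassName Win32_DCOMApplicationSetting | ForEach-Object {
            $level = $_.AuthenticationLevel
            [pscustomobject]@{
                AppID          = $_.AppID
                Name           = $_.Caption
                LocalService   = $_.LocalService      # Windows service hosting the object, if any
                RemoteServer   = $_.RemoteServerName  # set when activation is redirected to another host
                RunAs          = $_.RunAsUser
                # No per-application value means the machine-wide default applies.
                AuthLevel      = if ($null -eq $level) { 'MachineDefault' } else { $levelName[[int]$level] }
                # Assumed heuristic: explicit level below packet integrity (5) goes to the top of the test list.
                BelowIntegrity = ($null -ne $level -and $level -lt 5)
            }
        }
    }

    # Flagged entries first, then alphabetical, written out for the application owners.
    Get-DcomInventory |
        Sort-Object -Property @{ Expression = 'BelowIntegrity'; Descending = $true }, Name |
        Export-Csv -Path .\dcom-inventory.csv -NoTypeInformation
    ```

    The CSV only covers what is registered on the machine where it runs, so collect it from each server in scope and have the owners add the client applications that call these objects.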

    Mitigations and workarounds

    For this Patch Tuesday, Microsoft published one key mitigation for a serious Windows vulnerability:

    • CVE-2022-30136: Windows Network File System Remote Code Execution Vulnerability. This is the first time I have seen this, but for this mitigation, Microsoft strongly recommends you install the May 2022 update first. Once done, you can reduce your attack surface area by disabling NFSV4.1 with the following PowerShell command: “PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false”

    Making this change will require a restart of the target server.
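
    A guarded way to apply this mitigation, as an added example rather than Microsoft's own script: it changes nothing until one of the KB IDs you pass in is found on the server, then disables NFSv4 and reads the setting back. The function name is hypothetical and the KB ID in the usage comment is a placeholder; take the real IDs for your OS build from the advisory.

    ```powershell
    function Disable-NfsV4WithChecks {
        param(
            # KB IDs that count as "May 2022 update or later" for this OS build (caller supplies them).
            [Parameter(Mandatory)][string[]]$AcceptedKb
        )

        # A later cumulative update may be listed instead of the May one, so accept any ID in the set.
        $patch = Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $AcceptedKb -contains $_.HotFixID } |
            Select-Object -First 1
        if (-not $patch) {
            Write-Warning "No accepted update found ($($AcceptedKb -join ', ')). Patch first, then mitigate."
            return
        }

        # Only touch the setting if NFSv4 is currently enabled.
        $before = (Get-NfsServerConfiguration).EnableNFSV4
        if ($before) {
            Set-NfsServerConfiguration -EnableNFSV4 $false
        }
        $after = (Get-NfsServerConfiguration).EnableNFSV4

        # Record for the change ticket: what was found and what was changed.
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            PatchFound     = $patch.HotFixID
            NfsV4Before    = $before
            NfsV4After     = $after
            RestartPending = ($before -and -not $after)   # a restart is needed after the change
        }
    }

    # Usage (placeholder ID, replace with the real KB numbers for your build):
    # Disable-NfsV4WithChecks -AcceptedKb 'KB0000000'
    ```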

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

    • Browsers (Microsoft IE and Edge);
    • Microsoft Windows (both desktop and server);
    • Microsoft Office;
    • Microsoft Exchange;
    • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
    • Adobe (retired???, maybe next year).

    Browsers

    We are seeing a welcome trend of fewer and fewer critical updates to the entire Microsoft browser portfolio. For this cycle, Microsoft has released five updates to the Chromium version of Edge. They are all low risk to deploy and resolve the following reported vulnerabilities:

    A key factor in this downward trend of browser-related security issues is the decline and now retirement of Internet Explorer (IE). IE is officially no longer supported as of this July. The future of Microsoft’s browsers is Edge, according to Microsoft. Microsoft has provided us with a video overview of Internet Explorer’s retirement. Add these Chromium/Edge browser updates to your standard application release schedule.

    Windows

    With 33 of this month’s 55 Patch Tuesday updates, the Windows platform is the primary focus — especially given the low-risk, low-profile updates to Microsoft browsers, Office, and development platforms (.NET). The Windows updates cover a broad base of functionality, including NTFS, Windows networking, the codecs (media) libraries, and the Hyper-V and Docker components. As mentioned earlier, the most difficult to test and troubleshoot will be the kernel updates and the local security sub-system (LSASS). Microsoft recommends a ring-based deployment approach, which will work well for this month’s updates, primarily due to the number of core infrastructural changes that should be picked up in early testing. (Microsoft has published another video about the changes this month to the Windows 11 platform, found here.)

    Microsoft has fixed the widely exploited Windows Follina MSDT zero-day vulnerability reported as CVE-2022-30190, which, given the other three critical updates (CVE-2022-30136, CVE-2022-3063 and CVE-2020-30139), leads to a “Patch Now” recommendation.

    Microsoft Office

    Microsoft released seven updates to the Microsoft Office platform (SharePoint, Excel, and the Office Core foundation library), all of them rated important. The SharePoint server updates are relatively low risk, but will require a server reboot. We were initially worried about the RCE vulnerability in Excel, but on review it appears that the “remote” in Remote Code Execution refers to the attacker location. This Excel vulnerability is more of an Arbitrary Code Execution vulnerability; given that it requires user interaction and access to a local target system, it is a much-reduced risk. Add these low-profile Office updates to your standard patch deployment schedule.

    Microsoft Exchange Server

    We have a SQL server update this month, but no Microsoft Exchange Server updates for June. This is good news.

    Microsoft development platforms

    Microsoft has released a single, relatively low-risk (CVE-2022-30184) update to the .NET and Visual Studio platform. If you are using a Mac (I love the Mac version of Code), Microsoft recommends that you update to Mac Visual Studio 2022 (still in preview) as soon as possible. As of July (yes, next month) the Mac version of Visual Studio 2019 will no longer be supported. And yes, losing patch support in the same month as the next version is released is tight. Add this single .NET update to your standard development patch release schedule.

    Adobe (really, just Reader)

    There are no Adobe Reader or Acrobat updates for this cycle. Adobe has released a security bulletin for their other (non-Acrobat or PDF related) applications — all of which are rated at the lowest level 3 by Adobe. There will be plenty of work with printers in the coming weeks, so this is a welcome relief.

    Copyright © 2022 IDG Communications, Inc.
