During the induction week of university, a first-year student is told that to access her university email and course materials, she must open “access work or school” settings on her laptop and click “connect”. In a moment, her laptop – and phone, if she chooses – is enrolled in the university’s mobile device management (MDM) system and is centrally managed by the university. This allows the university to keep security updates current on students’ devices and supports enforcement of credential policies by verifying device compliance.
However, this also gives IT administrators the ability to change settings and install software, and – depending on the type and configuration of a vuser’s device – can also include the abilities to run commands and issue a remote lock or wipe. Precautions like role-based access and logging help, but they do not, by themselves, prevent a privileged identity (e.g., an administrator or an attacker using an administrator account) from issuing high-impact actions at scale.
Even some of the stronger precautions like multi-admin approval can sometimes be undermined if the same administrator can create new approvers or disable the…
