The iPhone Mirroring feature of macOS Sequoia and iOS 18 is a privacy risk for corporate users: the apps installed on a personal iPhone can become visible to the company's IT department.
iPhone Mirroring in macOS Sequoia lets users see and interact with their iPhone's screen from their Mac. While this makes it easier to use the iPhone without having to pick it up, it becomes a problem when a personal iPhone is mirrored to a corporate Mac.
According to Sevco Security, a bug can expose details of an employee's personal iPhone to the corporate IT department: specifically, IT can learn which apps are installed on the employee's private phone.
Sevco found that personal iOS apps were being reported as installed on Mac devices. The consequence is that an IT department may see apps that are banned from corporate devices listed as "installed" on a company-managed Mac or MacBook, even though they are really only installed on the user's own iPhone.
Beyond games and other leisure apps, this could also reveal apps that are sensitive in themselves: for example, a VPN client in a country that heavily restricts Internet access, or a dating app that discloses the user's sexual orientation in a repressive jurisdiction.
Considering this a privacy risk, and a potential violation of privacy laws in some jurisdictions, Sevco has notified Apple of the issue and of possible fixes. Sevco has also informed a number of enterprise software vendors with which it shares customers, confirming that the issue is not a one-off.
Based on its conversations with Apple, Sevco expects a patch to become available in the future.
Until the fix ships, employees should avoid using iPhone Mirroring with a personal iPhone on a work computer. Companies should likewise warn employees against using iPhone Mirroring for the moment, and should identify any IT systems that collect software inventory from Macs, since those are the systems that may be affected.
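For the inventory check recommended above, here is an added triage script (not Sevco's or Apple's code, nor part of the original article). It reads the JSON that the real macOS `system_profiler SPApplicationsDataType -json` command emits and flags app bundles that live outside the machine-wide install locations. The heuristic that mirrored iPhone apps surface as per-user bundles (for example under a user's home directory) is an assumption made for this example and must be verified on an affected Mac; the sample inventory embedded below is constructed, not captured from a real machine.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of `system_profiler SPApplicationsDataType -json`.
# The third entry is what a mirrored iPhone app is ASSUMED to look like in inventory
# (a per-user bundle); this is an assumption, not data from the article.
SAMPLE_INVENTORY = json.dumps({
    "SPApplicationsDataType": [
        {"_name": "Safari", "path": "/Applications/Safari.app",
         "version": "18.0", "obtained_from": "apple"},
        {"_name": "Slack", "path": "/Applications/Slack.app",
         "version": "4.39", "obtained_from": "identified_developer"},
        {"_name": "Example Dating App",
         "path": "/Users/alice/Applications/Example Dating App.app",
         "version": "3.2", "obtained_from": "unknown"},
    ]
})

# Locations where a fleet-managed Mac normally keeps its software; anything
# outside these is worth a second look before it is treated as "installed on the Mac".
MACHINE_WIDE_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/", "/opt/")


def load_inventory(raw_json: str) -> list:
    """Parse system_profiler JSON into the list of application records."""
    return json.loads(raw_json).get("SPApplicationsDataType", [])


def suspicious_entries(apps: list) -> list:
    """Return apps whose bundle path is not under a machine-wide location.

    Heuristic (assumption): per-user app bundles are the ones most likely to be
    something other than software IT deployed, so they are the candidates for a
    human to check against the iPhone Mirroring symptom the article describes.
    """
    flagged = []
    for app in apps:
        path = app.get("path", "")
        if not path.startswith(MACHINE_WIDE_PREFIXES):
            flagged.append({
                "name": app.get("_name", "<unnamed>"),
                "path": path,
                "obtained_from": app.get("obtained_from", "unknown"),
            })
    return flagged


def collect_live_inventory() -> str:
    """Run system_profiler on a real Mac and return its JSON output as text."""
    result = subprocess.run(
        ["system_profiler", "SPApplicationsDataType", "-json"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Pass --live on a Mac to inspect the real inventory; otherwise use the sample.
    raw = collect_live_inventory() if "--live" in sys.argv[1:] else SAMPLE_INVENTORY
    for entry in suspicious_entries(load_inventory(raw)):
        print(f"REVIEW: {entry['name']!r} at {entry['path']} "
              f"(obtained_from={entry['obtained_from']})")
```

Run it without arguments to see the sample flagged, or with `--live` on a Mac to list the candidates on that machine. Anything it prints is a lead for a person to confirm, not proof that the app came from a mirrored iPhone; the same filter can be applied to the exports of whatever inventory agent the company uses, as long as the agent records the bundle path.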
Today on obvious.com
I know for many people this is easier said than done (potentially even being impossible), but you should never, never use a personal phone, computer, tablet, or any other personal device for work for an employer. And it follows that you should never set up a personal device to have any type of connection to or visibility of any of your employer's network or data. Doing so can bring about a ton of problems from a legal standpoint. In the situation described in this article, a company could argue that being able to tell what is on the personal phone is not a bug but a feature, because they have to be able to protect their systems and network from potentially malicious devices. And that follows any time you use a personal device for your employer's benefit. They can argue that they need full access to the device (i.e. they need to search it) to protect the company, and that you as the employee, by using the device in this manner, have tacitly agreed to such a search. And then there is the whole issue of what happens if someone sues or criminally charges your employer. Your personal device then becomes just another piece of evidence they may be able to get full legal access to, regardless of the device's status as "personal." FYI, not a lawyer, but there is a ton of information out there about this type of thing; I'm surprised people are still doing it. BYOD is a huge red flag for anyone looking for a position with a company.
A few years ago when the corporate IT department really started locking down and monitoring devices, I made a hard line in the sand between work and personal computing.
- I have two phones, one for work, one for home.
- I have separate Apple IDs for the work/home computers and iPhones
- My work MacBook doesn’t know my main home wi-fi password at my home; it’s relegated to the guest network
- My home iPhone doesn’t even know the guest wi-fi password at the office, strictly using cellular at work
“Forcing” the company to purchase any computing devices you need is easier to do at a large corporation than a small company, but I do agree that even in those situations, the company should provide you the tools you need to do your job.
Any corporate IT department worth their salt would block the use of iPhone mirroring from corporate Macs for the time being (I’m guessing there’s a profile setting for that). It’s in effect mounting an unknown device which despite it being an iPhone should be treated with deep suspicion.
I guess I did forget to mention the issue of companies allowing employees to access company network systems with personal devices. But then when you have major corporations allowing random HVAC contractors full access to the corporate network (including retail and credit card systems) just to monitor the temperature in some stockroom somewhere, why be worried about what some unhappy employee might steal from you or do to your company network.