Mac Shops: Is Your Company Data Ending up in Personal iCloud Accounts?

Are you a Mac shop? Do you have Macs in your corporate environment? Is iCloud a corporate-sanctioned cloud repository for your company? If you answered Yes, Yes, No, then read on, because you may have a data exfiltration problem that you are not aware of.

There are so many great things about Macs and Apple products, and best of all, they work seamlessly together. I love Apple products and can't imagine myself without them; they have become part of my life and my daily routines. I use a MacBook Pro, an iPhone 11 and an Apple Watch, and I have a personal iCloud account. I use Apple's products for everything from listening to music and podcasts, streaming movies and TV shows, checking email and organizing my day, tracking my workouts and fitness routine, trading stocks and keeping up on the news of the day, taking pictures and sharing them with family and friends... and, oh yeah, I also make phone calls and send text messages.

One thing Apple is known for, aside from its great products, is its belief that it knows what functionality you want better than you do, and it delivers on that belief through its products and features. And you know what? They are usually right. Notice that I said usually: sometimes they make unilateral decisions about functionality that on its face is convenient, but that can be problematic, or beneficial to Apple rather than to the customer, or at least not to every customer. This is especially true when it comes to Macs in a corporate environment.

Incydr Discovery: Accidental Data Leak to iCloud 
So, what am I talking about? What we discovered through our use of Code42 Incydr was large volumes of data being synced to iCloud. iCloud is not a sanctioned cloud repository for Code42, so right away we knew there was a problem.

When we reached out to the individuals involved, we immediately saw a trend in the responses: "I didn't know that this was happening" and "What do you mean? I didn't set that up or move data to iCloud." And not only was Code42 data syncing to their personal iCloud Drive; their personal iCloud Drive data was syncing to their Code42 device. This is a double whammy: not only do we want to protect against data exfiltration, we also do not want personally identifiable information that we are unaware of sitting on our corporate devices, from an employee privacy standpoint. Additionally, with a recent new hire, we noticed that customer lists from their prior employer were also being synced to the new employee's Code42 device. This is definitely data we weren't expecting, nor did we want to have it in our possession!

The Cause: OS Upgrades Apply New Setting Defaults
So, we did a bit more digging and learned a couple of things about why we saw this sudden spike affecting both new and existing employees. First, when Apple pushes a new OS upgrade, it resets the default iCloud sync settings, which include the Desktop and Documents folders. So when the user signs into their personal iCloud account, if the default settings are not changed, any documents residing in those folders are automatically synced to iCloud. In other words, users who leverage iCloud for personal use are automatically set up to sync every document on their corporate endpoint to their personal iCloud account the moment they sign into iCloud. Believe it or not, Apple does not make a distinction between personal documents and corporate documents; they just sync away!

Our Remediation Steps
Thanks to Incydr, we had immediate insight into this activity and were able to take quick action to address the issue from both a short-term and a long-term perspective. The immediate steps included giving affected users a simple step-by-step guide for disabling the sync functionality, which included deleting corporate documents from their personal iCloud. For the long-term fix, we set baseline configuration parameters that override Apple's default settings. Had we not been using Incydr, we would not have had insight into this sync activity.
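Two of the steps above lend themselves to a concrete illustration: spotting file activity that lands in the local iCloud Drive folder (the discovery described under "Incydr Discovery"), and setting a baseline configuration that overrides Apple's default so Desktop and Documents sync cannot be turned on (the long-term fix under "Our Remediation Steps"). The script below is an added example, not Code42's guide or any Apple-supplied tooling. It assumes the macOS Restrictions payload type `com.apple.applicationaccess` with its boolean key `allowCloudDesktopAndDocuments` (false blocks the sync), and that iCloud Drive mirrors content under `~/Library/Mobile Documents/com~apple~CloudDocs/`; the organization identifier and the sample file paths are constructed placeholders.

```python
"""Added example: audit file paths for the local iCloud Drive mirror and build/verify a
macOS configuration profile that blocks iCloud Desktop & Documents sync.
Assumptions: Restrictions payload `com.apple.applicationaccess` with the boolean key
`allowCloudDesktopAndDocuments`; iCloud Drive's local folder is
`Library/Mobile Documents/com~apple~CloudDocs`. Identifiers below are placeholders."""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
DESKTOP_DOCS_KEY = "allowCloudDesktopAndDocuments"
ICLOUD_DRIVE_MARKER = "Library/Mobile Documents/com~apple~CloudDocs"


def is_icloud_drive_path(path: str) -> bool:
    """True when a file path sits inside the user's local iCloud Drive mirror.
    Anything written here is synced to whichever Apple ID is signed in on the Mac."""
    return ICLOUD_DRIVE_MARKER in path


def icloud_bound_paths(paths):
    """Filter a list of observed file paths down to those that will sync to iCloud."""
    return [p for p in paths if is_icloud_drive_path(p)]


def build_profile(org_id: str = "com.example.corp", block_sync: bool = True) -> bytes:
    """Return a .mobileconfig (XML plist). With block_sync=True the Restrictions payload
    sets allowCloudDesktopAndDocuments to False; with False the key is omitted, which
    leaves Apple's default (sync offered at sign-in) in place. System scope applies it
    to every user on the Mac."""
    restriction = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadIdentifier": f"{org_id}.restrictions.icloud",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Block iCloud Desktop & Documents sync",
    }
    if block_sync:
        restriction[DESKTOP_DOCS_KEY] = False
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.icloud-baseline",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "iCloud baseline for corporate Macs",
        "PayloadContent": [restriction],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def enforces_desktop_docs_block(mobileconfig: bytes) -> bool:
    """True only if some Restrictions payload explicitly sets the key to False.
    A profile that merely omits the key does not override Apple's default."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD:
            continue
        if payload.get(DESKTOP_DOCS_KEY) is False:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample of file paths as an endpoint agent might report them.
    observed = [
        "/Users/jdoe/Library/Mobile Documents/com~apple~CloudDocs/Documents/Q3-customer-list.xlsx",
        "/Users/jdoe/Downloads/installer.pkg",
        "/Users/jdoe/Library/Mobile Documents/com~apple~CloudDocs/Desktop/roadmap.key",
    ]
    for p in icloud_bound_paths(observed):
        print("syncing to iCloud:", p)

    data = build_profile()
    with open("block-icloud-desktop-docs.mobileconfig", "wb") as fh:
        fh.write(data)
    print("profile enforces block:", enforces_desktop_docs_block(data))
```

Run it to write `block-icloud-desktop-docs.mobileconfig`, which you would then deploy through your MDM as a system-scoped profile; `enforces_desktop_docs_block` is the check to run against any baseline profile you already ship, because a profile that simply never mentions the key is exactly the situation in which an OS upgrade re-offers the sync.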