The White House recently unveiled a new app to give the public “unfiltered” access to “key priorities,” “historic moments” and “policy breakthroughs.” Now, it’s directing agencies to help install it on the government phones of federal employees.

The Trump administration launched the app, which promises to “[keep] you connected to President Donald J. Trump and his administration like never before,” in March.

The push to install the app on the devices of millions of government employees drew surprise from current and former federal officials, who called the move highly unusual and even dangerous.

  • foggy@lemmy.world · +8 / −1 · edited · 17 hours ago

    Lmao.

    Org-managed iOS/Android is not “install whatever some agency stapled to a PDF.” The app gets denied by identity, not a fucking sysadmin clicking through a GUI on orders from above.

    iOS bundle ID + Apple Team ID + signing identity; Android package name + signing cert digest + Managed Play state. If it shows up anyway, the device will be dropped out of compliance and Conditional Access cuts it off from mail, Teams, VPN, SSO, managed browser, org data. I essentially turn the phone into a kid's toy until I get my eyes on the situation.

    This ain’t a checkbox in the MDM console. The console is downstream. The source of truth is a repo. A service principal polls the live MDM tenant over API, diffs app approvals, assignments, compliance rules, and app-protection policies against the signed config, then PATCHes the deny back if some genius removes it. The audit log fires, SIEM ingests it, the pipeline reverts it, and the diff names the admin. You are not sneaking spyware into my mobile fleet. 😊

    This is literally what I would tell an attacker to their face. I would not publicly even hint at the lengths I go or would go to keep our infrastructure frustratingly safe from shit exactly like this.
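The reconcile loop the comment sketches (signed config in a repo as source of truth, poll the live tenant, diff, patch the deny back, name the admin from the audit log, drop offending devices out of compliance) is shown below as an added example; it is not code from the thread, and it is not any MDM vendor's API. Everything in it is a constructed stand-in: the app identifiers are hypothetical, the "signed config" is an HMAC over the policy body where a real pipeline would verify commit signatures, the live tenant state and audit log are in-memory dicts, and the patches are returned rather than sent. What it does show is the part that matters: apps are matched on identity (bundle ID plus Team ID, package name plus signing-cert digest), a same-name app with a different signer is flagged for review rather than silently allowed, and a config whose signature does not verify is refused outright.

```python
"""Added example: identity-pinned deny list + GitOps-style reconcile loop.
Not the original poster's code or any real MDM API; all data is constructed."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Stand-in for the policy repo's signing. A real pipeline verifies the commit
# signatures on the repo; a shared secret is used here only so the check runs offline.
SIGNING_KEY = b"demo-only-signing-key"


@dataclass(frozen=True, order=True)
class AppIdentity:
    """An app pinned by identity, not by display name or store listing."""
    platform: str   # "ios" or "android"
    name: str       # iOS bundle ID or Android package name
    publisher: str  # Apple Team ID or Android signing-cert SHA-256 digest (hex)


def sign_config(config: dict) -> dict:
    body = json.dumps(config, sort_keys=True).encode()
    return {"body": config, "sig": hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()}


def load_signed_config(signed: dict) -> dict:
    """Refuse to reconcile from a config whose signature does not verify."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("policy signature invalid; refusing to reconcile")
    return signed["body"]


def classify(app: AppIdentity, deny: set) -> str:
    if app in deny:
        return "denied"   # exact identity match: name AND publisher
    if any(d.platform == app.platform and d.name == app.name for d in deny):
        return "review"   # same name, different signer: re-signed copy, never silently allowed
    return "allowed"


def reconcile(signed_config: dict, live: dict, audit_log: list) -> dict:
    deny = {AppIdentity(**e) for e in load_signed_config(signed_config)["deny"]}
    live_deny = {AppIdentity(**e) for e in live["deny"]}

    # 1. Drift: deny entries someone removed from the tenant are PATCHed back.
    missing = sorted(deny - live_deny)
    patches = [{"op": "add", "path": "/deny", "value": asdict(d)} for d in missing]

    # 2. Attribution: the audit entry that removed each missing entry names the admin.
    drift_by = {}
    for d in missing:
        for entry in audit_log:
            if entry["action"] == "removeDeny" and AppIdentity(**entry["target"]) == d:
                drift_by[d.name] = entry["actor"]

    # 3. Compliance: any device reporting a denied or suspicious app is cut off.
    noncompliant = {}
    for device in live["devices"]:
        hits = [(a["name"], classify(AppIdentity(**a), deny)) for a in device["apps"]]
        hits = [h for h in hits if h[1] != "allowed"]
        if hits:
            noncompliant[device["id"]] = hits
    return {"patches": patches, "drift_by": drift_by, "noncompliant": noncompliant}


# Constructed sample data; every identifier here is hypothetical.
ANDROID_DIGEST = "a1b2c3" * 10 + "a1b2"   # 64 hex chars, shape of a cert SHA-256
DESIRED = sign_config({"deny": [
    {"platform": "ios", "name": "gov.example.unwanted", "publisher": "TEAMID0000"},
    {"platform": "android", "name": "gov.example.unwanted", "publisher": ANDROID_DIGEST},
]})
LIVE = {   # the android deny entry has been removed from the tenant by someone
    "deny": [{"platform": "ios", "name": "gov.example.unwanted", "publisher": "TEAMID0000"}],
    "devices": [
        {"id": "dev-clean", "apps": [
            {"platform": "android", "name": "com.example.mail", "publisher": "ff" * 32}]},
        {"id": "dev-sideloaded", "apps": [
            {"platform": "android", "name": "gov.example.unwanted", "publisher": ANDROID_DIGEST}]},
        {"id": "dev-resigned", "apps": [
            {"platform": "android", "name": "gov.example.unwanted", "publisher": "00" * 32}]},
    ],
}
AUDIT = [{"actor": "admin.one@agency.example", "action": "removeDeny",
          "target": {"platform": "android", "name": "gov.example.unwanted",
                     "publisher": ANDROID_DIGEST}}]

if __name__ == "__main__":
    print(json.dumps(reconcile(DESIRED, LIVE, AUDIT), indent=2))
```

Run as-is and the output shows one patch restoring the removed Android deny entry, the audit actor it is attributed to, the sideloaded device marked denied, and the re-signed copy marked for review while the clean device stays compliant. The deny set is keyed on the frozen dataclass, so an app only counts as "denied" when both the name and the publisher match; that is what "denied by identity" buys you over a display-name blocklist.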