Apple needs to fix admin authentication in ABM
Apple’s platforms are secure by design, but when it comes to authentication, the company seems to protect its own employees better than it protects IT admins. It’s an attack vector just waiting to be exploited, if it hasn’t been already. As first noted by Six Colors, the problem is that Administrator and People Manager accounts in Apple Business Manager (ABM) can’t sign in using federated authentication, even though those are the very accounts that configure federation for everyone else.

What are the implications?

In practice, this means that admins must sign in with a non-federated Apple Account protected only by Apple’s own two-factor authentication, which delivers the verification code to a trusted device or, as a fallback, to a trusted phone number by SMS or voice call. That is odd: the key accounts that manage protection for sometimes thousands of devices cannot be placed behind the organization’s identity provider at all, and in the fallback case are guarded by nothing more than a six-digit code sent by SMS to a specified phone number. We know that SMS authentication is risky, with three well-