Updated · Computerworld · May 11
Apple Leaves ABM Admin Accounts Exposed to 6-Digit SMS Codes
  • Apple Business Manager administrator and People Manager accounts cannot use federated sign-in, so the accounts that control an organisation's entire Apple device fleet fall back on Apple's standard two-factor authentication, which in practice often means a six-digit code delivered by SMS or voice call.
  • That setup leaves ABM admins exposed to SIM swapping, phishing and message interception; of these, a SIM-swap attack is considered the most practical route for a determined attacker targeting business accounts, because it needs no access to the victim's devices.
  • An attacker holding a compromised ABM account could reassign devices to a rogue MDM server, remotely wipe hardware, or push malicious apps, profiles and configurations across every managed device.
  • The risk is concentrated because each ABM deployment has only a handful of admin accounts: an attacker may need to identify only about five people to reach an organisation with tens of thousands of users.
  • Recommended mitigations include dedicated phone numbers with carrier-side SIM-swap (port-out) protection and reducing the number of active admins; Apple is being urged to add passkeys, authenticator apps, FIDO2 security keys and conditional access for these accounts.
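The difference between the SMS code Apple currently requires and the passkey or FIDO2 option the article asks for is not the number of digits but whether the proof is bound to the site the user is actually talking to. The toy model below, added here as an illustration and not code from Apple or from the article, shows both cases against an adversary-in-the-middle phishing page: the relying-party origin, the phishing origin, the user name and the use of an HMAC in place of a real authenticator signature are all assumptions made for the example.

```python
"""Toy model: a relayed 6-digit code is accepted, an origin-bound assertion is not.

Constructed example, not Apple's code and not a real ABM login flow. The two
origins below are assumed for illustration; HMAC with a per-user secret stands
in for the private-key signature a real passkey/FIDO2 authenticator produces.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://business.apple.com"          # assumed legitimate origin
PHISH_ORIGIN = "https://business-apple.example"   # constructed phishing origin


class SmsOtpVerifier:
    """Server side of a plain 6-digit code: whoever holds the code wins."""

    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code  # in reality delivered over SMS/voice, hence interceptable

    def verify(self, user, code):
        return hmac.compare_digest(self.pending.get(user, ""), code)


class OriginBoundVerifier:
    """Passkey-style check: the signed client data names the origin the user's
    device was talking to, and the relying party only accepts its own origin."""

    def __init__(self):
        self.keys = {}
        self.challenges = {}

    def register(self, user):
        self.keys[user] = secrets.token_bytes(32)  # stands in for the credential key
        return self.keys[user]

    def challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify(self, user, assertion):
        client_data = assertion["client_data"]
        expected = hmac.new(self.keys[user], client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False  # tampered client data or wrong key
        data = json.loads(client_data)
        return data["origin"] == RP_ORIGIN and data["challenge"] == self.challenges.get(user)


def authenticator_sign(key, challenge, origin):
    """What the user's device does: it signs the challenge *and* the origin it sees."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def phish_sms_otp():
    """Phishing page relays the code the victim typed into it."""
    rp = SmsOtpVerifier()
    code = rp.send_code("abm-admin")        # victim receives the code by SMS
    relayed = code                          # victim types it into the fake page
    return rp.verify("abm-admin", relayed)  # the RP cannot tell it was relayed


def phish_origin_bound():
    """Phishing page forwards the real challenge, but the device signs the fake origin."""
    rp = OriginBoundVerifier()
    key = rp.register("abm-admin")
    chal = rp.challenge("abm-admin")
    assertion = authenticator_sign(key, chal, PHISH_ORIGIN)
    return rp.verify("abm-admin", assertion)


def legit_origin_bound():
    """Same flow from the genuine origin succeeds."""
    rp = OriginBoundVerifier()
    key = rp.register("abm-admin")
    chal = rp.challenge("abm-admin")
    return rp.verify("abm-admin", authenticator_sign(key, chal, RP_ORIGIN))


def replayed_origin_bound():
    """An assertion for a stale challenge is rejected even from the right origin."""
    rp = OriginBoundVerifier()
    key = rp.register("abm-admin")
    old = rp.challenge("abm-admin")
    rp.challenge("abm-admin")  # server issues a fresh challenge; the old one is dead
    return rp.verify("abm-admin", authenticator_sign(key, old, RP_ORIGIN))


if __name__ == "__main__":
    print("SMS code relayed by phisher accepted:", phish_sms_otp())
    print("Origin-bound assertion from phishing site accepted:", phish_origin_bound())
    print("Origin-bound assertion from real site accepted:", legit_origin_bound())
```

The SMS path has nothing the server can check beyond the code itself, which is exactly what a SIM swap or a relaying phishing page gives the attacker. The origin-bound path fails for the phisher because the origin string is inside the signed data, so the attacker can neither forward the victim's assertion unchanged (wrong origin) nor rewrite it (signature breaks). Real WebAuthn adds a counter, RP ID hashing and user-presence flags on top of this, but origin binding is the part that matters for the threat the article describes.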
Why does Apple's business platform force its most privileged admins to rely on an authentication method it treats as insufficient elsewhere?
Since the businesses, not Apple, carry the liability for a compromised fleet, is this gap creating an unacceptable risk for Apple's most valuable enterprise customers?