Outdated iOS on MDM phones concern
Posted by Northtacx@reddit | sysadmin | 19 comments
Hello
I work as an IT technician in the public sector and just stumbled upon a Google article regarding an exploit called
We have access to check information on the MDM phones via Workspace ONE UEM and found out we have at least 1000 phones just in my area that are vulnerable to this, and we have iOS all the way down to version 14 in daily use. These phones have sensitive apps and email, Teams, etc.
When I mention that our phones are out of date and can be exploited by zero-day and older vulnerabilities, they just say "it's fine".
I recently had a meeting with the top manager in cybersecurity regarding something else, and he told me to contact him if I notice any security vulnerabilities.
So should I make a small report regarding this, or am I overthinking it and this should be left to the actual security team for these phones?
Thanks for reading, and sorry if my English wording is off, as English is my second language.
Elensea@reddit
Crazy that they are in MDM but not updating iOS.
bruhgubgub@reddit
Old phones that still work but cannot be updated; pretty obvious that's what they're talking about.
Elensea@reddit
iOS 14? We get new phones for free through Verizon every 2 years. $35 a line.
bruhgubgub@reddit
Damn, that's actually pretty good. Now I get it, I was being a dick, my bad. Also, quite jealous of that; I wish my clients would get deals like that, because I've got some clients in the same situation as OP. "Hey, can you assign this old ass phone I found behind a cupboard?" and somehow Apple allows it to register into ABM and be business managed.
reserved_seating@reddit
I agree with others here but am really posting to say that I had ZERO clue English was your second language, and you speak it better than a lot of natives.
Northtacx@reddit (OP)
Growing up without AI/LLMs helped, and so did playing games and browsing the web in the 2000s. Thanks for the compliment 🫰
jimmothyhendrix@reddit
We block access to internal stuff after they don't update the phone to X version for a month
jnievele@reddit
As the others say, send a report in writing, get an answer back IN WRITING, preferably one that includes the magic phrase "We accept the risk"
anonymousITCoward@reddit
Send email outlining the issue
receive walk up stating that "it's fine"
send another email thanking them for the visit
receive another walk up saying "the emails aren't needed"
send another email agreeing that the emails aren't needed but you're sending them just in case "someone forgets"
receive another walk up... -ad nauseam-
Recent_Carpenter8644@reddit
If they give me a verbal reply, I just Reply All to my original email, saying "Just confirming the points discussed in our conversation just now ..."
anonymousITCoward@reddit
I had a friend do that to her manager because it gave him a stress rash... I do it because I've been hit by that hammer before.
jnievele@reddit
Just say "I need to document this for our legal department, new business requirement" ;-)
anonymousITCoward@reddit
Then I wouldn't be helping a coworker get their steps in for the day =D
Frothyleet@reddit
The issue is so bad that Apple is backporting the fix to iOS 18 (because it turned out a lot of Apple users were willing to accept a critical vulnerability before accepting a UI change in iOS 26).
It's absolutely worth mentioning. DarkSword is easy to exploit, it's in the wild, and it's a critical vulnerability.
No_Dog9530@reddit
We have a thing with our internal tools: if your corporate iPhone is not updated to the latest iOS after Intune sends out a notification, then access to Office services is restricted until iOS is updated, with a penalty of the device being kept in quarantine for 12 hours.
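As an added example (not code from anyone in this thread), the script below turns a constructed MDM inventory export into the kind of count the OP pulled from Workspace ONE UEM and applies the "update within a month or lose access" rule the two commenters above describe. The column names, serials and dates are assumed sample data, not Workspace ONE's or Intune's real export format.

```python
"""Added example: classify MDM-enrolled iPhones against a minimum iOS
version and a patch grace period. Sample data and columns are constructed."""
import csv
import io
from datetime import date

# Constructed sample of an MDM inventory export (placeholder serials, not real devices).
INVENTORY_CSV = """serial,os_version,last_seen,notified_on
PLACEHOLDER01,18.3.1,2025-03-20,2025-03-01
PLACEHOLDER02,18.2,2025-03-19,2025-03-01
PLACEHOLDER03,17.6.1,2025-03-20,2025-02-01
PLACEHOLDER04,14.8.1,2025-03-18,2025-01-15
PLACEHOLDER05,16.7.10,2025-03-20,2025-03-15
"""

def parse_version(text: str) -> tuple[int, ...]:
    """'14.8.1' -> (14, 8, 1); zero-padded so '18.2' sorts below '18.3.1' numerically,
    which a plain string comparison would get wrong for e.g. '16.7.10' vs '16.7.9'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def compliance_report(csv_text: str, minimum: str, grace_days: int, today: str) -> dict:
    """Bucket each device as compliant, in_grace, or restrict, and count devices per major iOS.

    A device below `minimum` is non-compliant; it only lands in 'restrict' once
    `grace_days` have passed since the user was notified (the 'one month' rule)."""
    min_v = parse_version(minimum)
    today_d = date.fromisoformat(today)
    report = {"compliant": [], "in_grace": [], "restrict": [], "by_major": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["os_version"])
        major = version[0]
        report["by_major"][major] = report["by_major"].get(major, 0) + 1
        if version >= min_v:
            report["compliant"].append(row["serial"])
            continue
        age = (today_d - date.fromisoformat(row["notified_on"])).days
        bucket = "restrict" if age >= grace_days else "in_grace"
        report[bucket].append(row["serial"])
    return report

if __name__ == "__main__":
    r = compliance_report(INVENTORY_CSV, "18.3", 30, "2025-03-20")
    print(f"compliant={len(r['compliant'])} in_grace={len(r['in_grace'])} restrict={len(r['restrict'])}")
    print("devices per major iOS version:", dict(sorted(r["by_major"].items())))
```

The `by_major` counts are the numbers to put in a written report; the `restrict` list is what a conditional-access rule would act on.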
Creddahornis@reddit
The actual risk of this causing issues is fairly low, at least compared to other much more common problems like reusing passwords or social engineering. Your cybersec needs to weigh up the cost of this versus other risks and make a decision for you.
parthgupta_5@reddit
You’re not overthinking it at all—this is exactly the kind of thing security teams need visibility on.
A short, factual report with numbers and risk impact is the right move here.
Advanced_Day8657@reddit
Give the cyber team and management a basic report in email, if cyber and management don't want to upgrade then it's their problem, not yours. When someone gets hacked, show them the email when they try to blame you.
Cultural_Computer729@reddit
Send the report to the cybersecurity expert. He should decide what happens next, because that's what he's paid for.