We also know, that they followed the MDM protocol that allowed the county to have access to the AppleID, because they changed the password in order to get access to the iCloud account backup.
Once Apple helped the FBI with the extraction of the data from the last backup which was in October, the FBI contends that Farook disabled the iCloud back-up, as well as disabling mail, notes and photos.
Why was this handset not properly distributed to Farooq? It is the property of San Berbadino county. The iCloud account also belonged to San Bernadino County. The iCloud backup could not have been turned off without disabling FindMyiPhone first.
But why was Farooq even allowed to disable the component that is used to maintain positive control of a State Government information system asset? The iCloud module in settings should have been configured and locked down using the restrictions payload and deployed with a provisioning profile generated by Configurator. The profile should have been deployed denying the user access to any portion of the Mobile Device Management schmeatic that would prevent the government from having control of their asset.
The gravity of it is this: It stopped being a San Bernadino County iPhone when Farooq gained access to the component that allows the owner to decide if the handset should be tracked through FindMyiPhone.
San Bernadino County FAILED to notice their iPhone was missing for 2 months.
2 months without knowing where the hell their iPhone was. Do you know anyone or can you even think of anyone who could lose their cellphone and not know or care for 2 hours let alone 2 months?
If the iPhone is the hinge upon which discourse on strong encryption revolves, why wasn’t it deployed according to a simple policy outlined by Apple Mobile Device Management guidelines that would prevent state government assets to be used in crimes…or worse, terrorist activity, without their knowledge? Why isn’t the Federal Government working with State Government agencies to mandate enforcing an MDM policy that requires deployed assets be maintained in a posture where they are responsible to know where tax-payer bought information system devices are at all times?
If the government doesn’t have a basic understanding of how to prevent their devices from being used by terrorists, then they have no business deploying them. And if the Government doesn’t care that $800 tax payer funded mobile devices go missing for 2 months, then the tax payer should let the government know they aren’t interested in paying that tax.
Also published on Medium.