Apple Watch and macOS Auto Unlock in enterprise environments

The topic of whether or not to allow an employee to use their personal Apple Watch to unlock their work Mac is a discussion that has come up a couple of times over the years in the MacAdmins Slack #security channel.

When I first saw the subject brought up I hadn’t used the feature myself. At the time I was still maintaining separate personal and work iCloud accounts to keep everything segregated. But since I could imagine receiving a request from users to enable the feature, I decided I had better start testing it out so a policy could be formed in advance.

Apple calls the feature Auto Unlock. I’ve been using it for a while now and don’t see any reason to block it for employee use. Here’s why:

In the discussions I’ve read, MacAdmins have suggested various reasons for why allowing the feature could be risky.

  • “The possibility for unlocking by someone else when you’re around the corner, but still within range of your Mac.”
  • “Just walking by the computer would unlock it (if you walk slow enough).”
  • The necessity of logging into the company computer with a personal iCloud account.

It all boils down to the primary concern that simply having the feature enabled would make it easier for an unauthorized person to gain access to the corporate computer (and the data it contains).

I’ve been using the feature for a year now with my personal Apple Watch Series 2 and company 2017 MacBook Pro (15″) w/ TouchBar, and in my experience I don’t see these concerns as being issues in day-to-day usage.

First, even in ideal environments, the watch needs to be pretty close, within just a couple feet, to succeed with an unlock. There have been numerous times where if I’m oriented the wrong direction, such as putting my left wrist completely on the other side of my body from the computer, that unlocking doesn’t work.

To the second concern, simply being near the computer doesn’t trigger an unlock. The keyboard must be touched to begin the unlock sequence. So while a bad actor could hide near the computer and time a keypress for when the user walks by, it isn’t like passing your computer will automatically unlock it leaving it vulnerable until the screensaver kicks in again several minutes later.

We already allow the use of personal iCloud accounts, with the exception of iCloud Drive (blocked via configuration profile), so that point isn’t a concern for us.

In noisy RF environments the performance of the Auto Unlock feature is understandably worse. For instance when covering Houston Astros games on assignment I more often than not have to use Touch ID to unlock my Mac. Even holding my Apple Watch within inches of the computer doesn’t result in a successful unlock. The more crowded your office environment is the more closely in proximity the watch will need to be for the feature to function, reducing the chances of unintended unlocks.

We got a lot of pushback when we began requiring computers to automatically lock after a certain period of time. Before the policy most users never had their screens lock and only had to enter their passwords upon reboot. Allowing employees with an Apple Watch to use the Auto Unlock feature can be a big win in the balance between security and ease of use.

I’m comfortable allowing use of Apple’s Auto Unlock feature here and would be interested to hear if you are allowing or blocking the feature in your workplace.

1 comment on “Apple Watch and macOS Auto Unlock in enterprise environments”

  1. Pingback: Weekly News Summary for Admins — 2019-02-22 – Scripting OS X
