This is a corporate device management facility. It exists for both Windows and Macs.
With Macs, it’s more closely tied to the hardware because of course they’re integrated.
With PCs, Intune and Autopilot are Windows features that depend on hardware, but hardware alone isn’t sufficient. You can install and run Linux or DOS all you want on an Autopilot enrolled device, but every time you boot Windows it will want to phone home.
It’s fairly carefully controlled. With a PC, serial number is not sufficient. You need a device-specific hash that is not generated, and that you can’t get, until you turn on the computer at least once, so you need physical possession at some point in the workflow.
With Macs, Apple more completely manages those first stages of enrollment. Devices are enrolled when sold through a B2B channel, or when manually enrolled through Business Manager.
Either way, it would be difficult for an adversary to assume control of a device without authorization. Not impossible, surely, but it’s definitely a scenario these vendors have anticipated and worked to prevent.
The good news for device owners is that it adds complexity to resale of a stolen device.
Physical possession is a good enough high bar. But remotely enabling this feature with just a serial number sounds incredibly invasive, and a very serious breach of trust.
Even if Apple are "the good guys" (now), we know they can be compelled by governments to do things quietly (see the push notifications thing that came up recently). So simply having the ability to remotely push software or configuration changes to any machine targeted by just a serial number is a big security hole.
Second one. It’s also not secret - you are greeted with a prompt, which you must accept, to complete enrolment (although granted you can’t use the device without accepting).
Essentially, the device phones home during setup, and asks Apple whether it’s in Apple Business/School Manager. If it is, and it’s assigned to an MDM, Apple will let it know the host name of that server to try and prompt the user to enroll into.
Yes. That significantly raises the barrier, and reduces the risk of accidental enrollment.
And once that's burned into the UEFI, I'd like it plastered all over; maybe as part of the boot logo "This device belongs to Expedia"; there will be no risk of someone buying the device (perhaps on the used market) and not realizing they don't own it.
Of course, there should also be an un-enrollment option for when companies decommission devices so they can be reused instead of just trashed, but that's an environmental concern not a security one.
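One way a buyer or admin can check whether a Mac is still assigned to an MDM through Business/School Manager (the phone-home case described above) before relying on it, as an added example that is not from this thread; it assumes the two-line output format of macOS's `profiles status -type enrollment`:

```shell
#!/usr/bin/env bash
# Added example: classify a Mac's management state from the output of
#   profiles status -type enrollment
# Assumed output format (two lines):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved)|Yes|No

# Reads that output on stdin and prints one word:
#   automated - device is in ABM/ASM and assigned to an MDM; a wipe does not
#               clear this, the device will prompt to enroll on every setup
#   manual    - enrolled in an MDM, but not via ABM/ASM; a wipe removes it
#   none      - no management visible
classify_enrollment() {
    local dep="No" mdm="No" line
    while IFS= read -r line; do
        line="${line%$'\r'}"               # tolerate CRLF captures
        case "$line" in
            "Enrolled via DEP:"*) dep="${line#*: }" ;;
            "MDM enrollment:"*)   mdm="${line#*: }" ;;
        esac
    done
    if [ "${dep%% *}" = "Yes" ]; then
        echo automated
    elif [ "${mdm%% *}" = "Yes" ]; then
        echo manual
    else
        echo none
    fi
}

# On the Mac itself: run the real command (root is typically required) and classify it.
check_this_mac() {
    sudo profiles status -type enrollment | classify_enrollment
}

# Constructed sample (not captured from a real device) so the script runs anywhere:
if [ "${1:-}" = "--demo" ]; then
    printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n' | classify_enrollment
fi
```

A result of `automated` on a second-hand machine means the previous owner's organization still controls it in ABM and must release it there; no local wipe changes that.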
The bad news is things like OP’s situation occur.