DEV Community

jhot


Dear Companies, Stop Mucking With Our Computers

This post is partially a rant, partially a cautionary tale, and probably a PSA.

This morning I was just getting into my work day when I lost connection to the work VPN for some reason. This happens on occasion and I didn't think much of it, but when I tried to reconnect I got an error reaching the VPN server. I reached out to a coworker on Slack (whatever websocket or pub/sub it uses was still connected); they weren't having any issues and my other devices were fine, so I decided to reboot and see if that fixed things.

The company I work for uses a service called Mosyle for mobile device management, and it enforces two-factor auth on our MacBooks by blocking the entire screen after login and forcing us to log in (again) to our SSO provider and complete two-factor auth before the UI is usable. The unfortunate part is that if you have no internet, or some sort of internet issue, you lose UI access to your machine and there's nothing you can do about it (there's probably a way to dig in and disable all this, and I've tried some things, but I don't want to fully brick my work laptop).

So PSA #1: if your company uses this software or something similar, don't shut down if you think you won't have internet. Just put it to sleep unless you absolutely have to turn it off. This also defeats most of the purpose of the two-factor software, since it doesn't run when you log back in from the lock screen or from sleep.

Luckily for me, I had taken a crucial step that allowed me to still do things on my machine, even with this full-screen prompt in the way. You may have noticed that I kept mentioning UI access being blocked; that's because SSH access is unrestricted. You see, by the time you see the UI blocker you've already logged in and the OS is running in the background, you just can't see it. I had previously enabled SSH access on the MacBook (Settings > General > Sharing > Remote Login; the same switch can be flipped from a terminal with sudo systemsetup -setremotelogin on), and without this important step I would have been up a creek. So PSA #2 is to enable SSH access on your computer (if it's Windows...someone will have to chime in with a solution) and get familiar with some terminal basics if you aren't already. You will also need the machine's address on the local network and a second device to connect from, so note the address (or give the machine a known hostname) before you need it.

Once I was in I had a pretty good idea what had happened. Since I was connected to WiFi and could reach things on the local network, just not most things on the internet (and Slack was still working before the reboot), I figured it was a DNS issue. So I did a quick cat /etc/resolv.conf and saw that my DNS servers had been hijacked by the work VPN: they were set to non-public servers and not restored when I lost the connection. So I just had to run networksetup -setdnsservers Wi-Fi dns-ip-1 dns-ip-2 and I was back in business. (On macOS, networksetup -getdnsservers Wi-Fi shows what is currently set for that service, scutil --dns shows what the system resolver is actually using, and networksetup -setdnsservers Wi-Fi Empty clears the override so the DHCP-supplied servers come back.) If you're on Linux there are a number of ways to change your DNS and it will depend on your distro, version, and other factors, so just look it up.
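As an added example (not code from the original post), here is a small POSIX shell script that automates the check described above and is the sort of thing you would run over the SSH session from PSA #2: it pulls the nameservers out of resolv.conf-style text, flags the configuration as stale when every nameserver sits in non-public address space (RFC 1918, link-local or CGNAT ranges, which is what a VPN typically pushes), and prints the networksetup command that restores DNS. It runs on a constructed resolv.conf sample embedded in the script; the live_nameservers helper, the Wi-Fi service name and the choice of "Empty" (fall back to DHCP-supplied servers rather than hard-code public resolvers) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: spot DNS servers left behind
# by a VPN and build the macOS command that fixes them.

# Constructed resolv.conf content for this example (not a real capture).
SAMPLE_RESOLV_CONF='#
# macOS Notice
# This file is not consulted for DNS hostname resolution by most apps.
#
search corp.example
nameserver 10.8.0.1
nameserver 10.8.0.2
'

# Print the nameserver addresses from resolv.conf-style text, one per line.
resolv_nameservers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Classify an address: "nonpublic" for RFC 1918, link-local (169.254/16) and
# CGNAT (100.64/10) space, "public" for any other dotted IPv4, "unknown"
# otherwise (IPv6 is deliberately not classified here).
classify_ipv4() {
  case "$1" in
    10.*|192.168.*|169.254.*) echo nonpublic ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo nonpublic ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) echo nonpublic ;;
    *[0-9].*[0-9].*[0-9].*[0-9]) echo public ;;
    *) echo unknown ;;
  esac
}

# Verdict on a resolver config: "stale" when every nameserver is non-public
# (the typical leftover of a VPN push), "none" when there are no nameserver
# lines, "ok" otherwise (an IPv6 or unparseable entry is not treated as stale).
resolv_verdict() {
  servers=$(resolv_nameservers "$1")
  [ -n "$servers" ] || { echo none; return 0; }
  for s in $servers; do
    [ "$(classify_ipv4 "$s")" = nonpublic ] || { echo ok; return 0; }
  done
  echo stale
}

# Build the networksetup command for a network service. With no server
# arguments it emits "Empty", which clears the override so the DHCP-supplied
# servers return. Must be run as an admin user on the Mac.
fix_command() {
  service=$1
  shift
  [ $# -gt 0 ] || set -- Empty
  printf 'networksetup -setdnsservers %s' "$service"
  for s in "$@"; do printf ' %s' "$s"; done
  printf '\n'
}

# Live view (assumed helper): on macOS, scutil --dns reports what the system
# resolver really uses, as lines like "  nameserver[0] : 10.8.0.1"; elsewhere
# fall back to /etc/resolv.conf.
live_nameservers() {
  if command -v scutil >/dev/null 2>&1; then
    scutil --dns | awk '$1 ~ /^nameserver\[/ { print $3 }' | sort -u
  else
    awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf 2>/dev/null
  fi
}

# Demo on the constructed sample; run with --live to inspect the real
# configuration instead (the service name Wi-Fi is assumed).
if [ "${1:-}" = --live ]; then
  live=$(live_nameservers | sed 's/^/nameserver /')
  verdict=$(resolv_verdict "$live")
else
  verdict=$(resolv_verdict "$SAMPLE_RESOLV_CONF")
fi
echo "verdict: $verdict"
if [ "$verdict" = stale ]; then
  echo "suggested fix: $(fix_command Wi-Fi)"
fi
```

Run it over SSH as sh dnscheck.sh --live when the screen is blocked; a "stale" verdict with a suggested networksetup line is the situation described above. Treating any public server as "ok" is a conservative choice: a mixed list usually means the VPN's split-DNS entries are still present but resolution still works.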

Rant

So what if I were someone who didn't know about all these acronyms I've used in this post? I would have to find a way to contact my IT staff, who may or may not be able to remote access my machine, and otherwise just send my laptop in to HQ for them to troubleshoot and fix. What if I had deadlines? Company policy would also prevent me from using another one of my computers for work things, so I would be out of luck for something like a week.

I totally get protecting company data, but putting extra barriers in front of people with physical access to our machines doesn't do much and mostly just harms the employees. Yes, enforce device encryption. Yes, enforce strong passwords. Yes, mess with people who don't lock their computers when not in use. Yes, enforce two-factor auth on company websites/services. BUT an attacker using physical access to laptops is one of the least likely attack vectors, and if they have physical access, using something like a screen blocker isn't going to stop them.
