An MDM administrator, managing a computer or device owned by an organization, cannot grant those permissions to anything without user consent. For good reason!
So why the *fuck* does Apple think they're entitled to?
Because they manufactured the device, and you bought it?
And honestly, I support them. Because starting QuickTime is a user action, and it only records when I want it to. QuickTime is an app I trust.
I don't trust an organization admin not to record me without my consent. We've all heard the horror stories of schools spying on students with school laptops while they're in their own homes, their own bedrooms.
I trust Apple a whole lot more than I trust an org admin.
Do you trust QuickTime Player to be free of exploitable bugs or behaviors?
I trust they aren't there intentionally, and that they'll be patched in a security update as soon as Apple discovers them. In this regard, QuickTime is just part of the entire OS. No software is perfect. Bugs might be anywhere. But the permission dialogs are meant to protect the OS from third-party threats, not to protect the OS from Apple software.
First it was denied, then it was a bug, then it was a "temporary workaround" while ... something ... was updated.
And that was just ... accepted as an answer. I could never fathom why TextEdit might need a kernel extension in the first place, let alone unfettered/unmonitored network access. I don't even think it was necessarily nefarious, just "we know best, shut up and buy".
Now, replace ‘Apple’ with ‘malware author’. What’s the difference? Well, for one, a hacker has nothing to lose and everything to gain from snooping on your webcam. Meanwhile, if Apple mishandles this permission or uses it to beam video data to HQ, there’s a high likelihood hundreds of millions of dollars of iPhone or Mac customers are lost, resulting in billions of dollars in stock value loss.
So "just replace x with y" does not really work in this context, MDM is vastly more effort than you think and OP's point still stands.
QuickTime Player is already on your Mac and you already know what it does when you launch it.
I'm not saying it's not anti-competitive, but it's fine from a security standpoint. Apple knows exactly how QuickTime behaves, that it doesn't act maliciously, and can't be updated to do so.
Yes, it's physically impossible for an Apple developer to accidentally or maliciously introduce an exploit into QT and for it to elude security or code review...
I've never heard a security posture that is "well, we know what your tool does, so it doesn't need any security controls".
> well, we know what your tool does, so it doesn't need any security controls
This really isn't that weird. The camera app doesn't need to ask for permission to use the camera/mic. And the reason is that the thing you're worried about is some random third-party app capturing audio/video without the user's knowledge or intent. You know the built-in camera app doesn't do that because you wrote it, so it's fine to give it an entitlement to bypass the usual prompts. It can also access your photos without prompts because the threat model is malicious exfiltration and again, you know it doesn't do that.
No, it’s not. For example, even if you know every device on your network you STILL need network segmentation.
Running your card readers and corporate computers on the same subnet is asking for trouble, regardless of whether you control both.
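To make the segmentation point concrete, here is an added example that is not part of the thread: a short Python check over a constructed host inventory (the hostnames, addresses and zone labels are hypothetical) that flags every subnet on which a high-trust zone such as payment devices shares a broadcast domain with hosts from any other zone. It goes slightly beyond the card-reader case by letting the caller choose which zones count as high-trust.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts, not taken from the thread).
# Each entry: hostname, address with prefix length as configured on the
# interface, and the trust zone the asset belongs to.
INVENTORY = [
    ("pos-reader-01", "10.0.1.21/24", "payment"),
    ("pos-reader-02", "10.0.1.22/24", "payment"),
    ("alice-laptop",  "10.0.1.57/24", "corporate"),
    ("bob-laptop",    "10.0.2.14/24", "corporate"),
    ("printer-3f",    "10.0.2.99/24", "iot"),
    ("db-cardvault",  "10.0.9.5/28",  "payment"),
]


def subnets_by_zone(inventory):
    """Group hosts by the subnet their interface sits on.

    Returns {subnet: {zone: [hostnames]}}. The prefix length matters: a host
    on 10.0.9.5/28 is on 10.0.9.0/28, not on a /24, so two assets with
    similar-looking addresses may still be on different segments.
    """
    table = defaultdict(lambda: defaultdict(list))
    for host, cidr, zone in inventory:
        net = ipaddress.ip_interface(cidr).network
        table[net][zone].append(host)
    return table


def mixed_zone_subnets(inventory, high_trust_zones=("payment",)):
    """Return (subnet, zones) for every subnet where a high-trust zone
    shares the segment with at least one other zone.

    A subnet containing only high-trust hosts, or only low-trust hosts,
    is not reported: the finding is the mix, not the presence.
    """
    findings = []
    for net, zones in subnets_by_zone(inventory).items():
        present = set(zones)
        if present & set(high_trust_zones) and len(present) > 1:
            findings.append((str(net), sorted(present)))
    return sorted(findings)


if __name__ == "__main__":
    for subnet, zones in mixed_zone_subnets(INVENTORY):
        print(f"{subnet}: mixed zones {', '.join(zones)}")
```

With the sample inventory only 10.0.1.0/24 is reported, because it carries both card readers and a corporate laptop; 10.0.2.0/24 mixes corporate and IoT hosts but contains nothing from the payment zone, and the card vault sits alone on its own /28. Passing `high_trust_zones=("payment", "iot")` would additionally flag 10.0.2.0/24. In a real audit the inventory would come from an IPAM or switch export, and the same grouping can be extended to VLAN IDs rather than IP prefixes where the two differ.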