Mosyle launches AI-driven zero trust for macOS

Apple’s macOS has long had a reputation of being more secure than its rival Microsoft Windows, but that doesn’t mean that hackers aren’t going after macOS computers.

Among the many ways that organizations aim to secure systems today is with a zero trust approach, which is now coming in a limited way to Apple macOS users, thanks to Mosyle. With zero trust, the basic idea is that there is no implicit trust for operations or applications and everything that runs needs to be validated in some way. 

Over the last several years Mosyle has been building out a mobile device management (MDM) platform known as the Apple Unified Platform. In 2023, the company expanded its capabilities with generative AI to help improve MDM operations. The new Mosyle Automated Zero Trust solution announced today extends the company’s capabilities to help secure macOS devices and is powered by the company’s proprietary LeeryAI artificial intelligence (AI) engine.

“The concept with zero trust is really trying to flip the game in terms of endpoint security, by not just looking for bad guys, but to just work with who we know is the good guy,” Alcyr Araujo, founder and CEO at Mosyle told VentureBeat in an exclusive interview.

How the Mosyle zero trust approach uses AI to secure macOS

Araujo explained that the new zero trust technology has taken his company over three years to develop.

The technology takes all the information from Mosyle’s MDM as a foundation. With MDM, organizations have information about device configuration, usage and management. On top of that, Mosyle has developed its own AI engine that it calls LeeryAI, that has been trained on and learns from the MDM data.

Araujo explained that Mosyle monitors every single event on a device and combines that with information it has about the devices in the same organization. LeeryAI makes use of a number of different predictive AI techniques to build an AI model for each specific device of what should be running or what should not be running and what’s the context around all code binaries to better understand what should be trusted.

Zero trust is more than just Apple Gatekeeper

The idea of only allowing trusted code to run is not a new one for Apple. In fact, for the last decade Apple has incorporated a technology known as Gatekeeper into macOS.

The basic idea with Gatekeeper is that it will only allow code to run that has been cryptographically signed. While Gatekeeper can be helpful, according to Araujo, it’s not nearly enough to deal with the modern threat landscape.

“Our lives would be way better if we could assume that malware will never be signed,” Araujo said.

Araujo noted that malware is increasingly being signed, as threat actors obtain legitimate developer credentials through supply chain attacks or leaked passwords. This allows signed malware to bypass Gatekeeper. 

He added that unsigned application code binaries can still be run on devices if Gatekeeper is not properly configured by the user. In recent years there has also been an uptick in supply chain attacks which can result in malware being inserted into legitimate apps after they have been signed.

Gatekeeper only verifies signatures, not the behavior or context of running binaries. Mosyle’s approach using LeeryAI aims to provide deeper behavioral analysis beyond just signatures.

“I believe we should look to the main concept of zero trust in terms of really working with a list of things that we know we should be running and ignore everything else, and doing that in an automated manner,” he said.