Security

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

AirPlay discovery and sharing occurs over AWDL, Apple's peer-to-peer protocol that runs on 802.11, so disabling bluetooth doesn't stop it, and AirGroup won't help either. What you need to do is set a configuration profile on the Apple TV, AirPlay Security/Access to only let devices on the same wifi network connect. I think this can be done in the settings menu on the device directly as well. Then you could use AirGroup on top to restrict visibility. 

https://support.apple.com/en-au/guide/deployment/dep09c789dce/1/web/1.0

Original Message:
Sent: Mar 21, 2023 07:13 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Hello, thank you for the response. The devices cannot be managed by MDM. But I suspected all along Apple's verification code process exists precisely because AirGroup or any wireless management platform can't really stop Apple devices from seeing each other. With the whole AirTag thing I suspected Apple has done two things: One -  is make every Apple device visible to other devices, 2nd - the verification code is the solution to solve the security problem thanks to first "feature"

Original Message:
Sent: Mar 22, 2023 02:13 AM
From: TRS-80
Subject: AirGroup Apple Screen Mirror Restrictions

AirPlay discovery and sharing occurs over AWDL, Apple's peer-to-peer protocol that runs on 802.11, so disabling bluetooth doesn't stop it, and AirGroup won't help either. What you need to do is set a configuration profile on the Apple TV, AirPlay Security/Access to only let devices on the same wifi network connect. I think this can be done in the settings menu on the device directly as well. Then you could use AirGroup on top to restrict visibility. 

https://support.apple.com/en-au/guide/deployment/dep09c789dce/1/web/1.0

Original Message:
Sent: Mar 21, 2023 07:13 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Hello, thank you for the response. The devices cannot be managed by MDM. But I suspected all along Apple's verification code process exists precisely because AirGroup or any wireless management platform can't really stop Apple devices from seeing each other. With the whole AirTag thing I suspected Apple has done two things: One -  is make every Apple device visible to other devices, 2nd - the verification code is the solution to solve the security problem thanks to first "feature"

Original Message:
Sent: Mar 22, 2023 02:13 AM
From: TRS-80
Subject: AirGroup Apple Screen Mirror Restrictions

AirPlay discovery and sharing occurs over AWDL, Apple's peer-to-peer protocol that runs on 802.11, so disabling bluetooth doesn't stop it, and AirGroup won't help either. What you need to do is set a configuration profile on the Apple TV, AirPlay Security/Access to only let devices on the same wifi network connect. I think this can be done in the settings menu on the device directly as well. Then you could use AirGroup on top to restrict visibility. 

https://support.apple.com/en-au/guide/deployment/dep09c789dce/1/web/1.0

Original Message:
Sent: Mar 21, 2023 07:13 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Quick question, what version of ArubaOS are you running?

Hello, thank you for the response. The devices cannot be managed by MDM. But I suspected all along Apple's verification code process exists precisely because AirGroup or any wireless management platform can't really stop Apple devices from seeing each other. With the whole AirTag thing I suspected Apple has done two things: One -  is make every Apple device visible to other devices, 2nd - the verification code is the solution to solve the security problem thanks to first "feature"

Original Message:
Sent: Mar 22, 2023 02:13 AM
From: TRS-80
Subject: AirGroup Apple Screen Mirror Restrictions

AirPlay discovery and sharing occurs over AWDL, Apple's peer-to-peer protocol that runs on 802.11, so disabling bluetooth doesn't stop it, and AirGroup won't help either. What you need to do is set a configuration profile on the Apple TV, AirPlay Security/Access to only let devices on the same wifi network connect. I think this can be done in the settings menu on the device directly as well. Then you could use AirGroup on top to restrict visibility. 

https://support.apple.com/en-au/guide/deployment/dep09c789dce/1/web/1.0

Original Message:
Sent: Mar 21, 2023 07:13 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Hello, AOS 8

Thank you

Quick question, what version of ArubaOS are you running?

Hello, thank you for the response. The devices cannot be managed by MDM. But I suspected all along Apple's verification code process exists precisely because AirGroup or any wireless management platform can't really stop Apple devices from seeing each other. With the whole AirTag thing I suspected Apple has done two things: One -  is make every Apple device visible to other devices, 2nd - the verification code is the solution to solve the security problem thanks to first "feature"

Original Message:
Sent: Mar 22, 2023 02:13 AM
From: TRS-80
Subject: AirGroup Apple Screen Mirror Restrictions

AirPlay discovery and sharing occurs over AWDL, Apple's peer-to-peer protocol that runs on 802.11, so disabling bluetooth doesn't stop it, and AirGroup won't help either. What you need to do is set a configuration profile on the Apple TV, AirPlay Security/Access to only let devices on the same wifi network connect. I think this can be done in the settings menu on the device directly as well. Then you could use AirGroup on top to restrict visibility. 

https://support.apple.com/en-au/guide/deployment/dep09c789dce/1/web/1.0

Original Message:
Sent: Mar 21, 2023 07:13 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.

Would that be 8.9 or 8.10? AirGroup Version 2 was introduced as optional in 8.9 [have to enable it via CLI - can check active version by logging into MM/MC and running

show airgroup status

AirGroup version: ver2

and then made full on production in 8.10 There was some behavioral changes with Version 2 - such as association by "AP-NAME" being default - but learned personal devices would now show up to clients that were neighbors of the AP - unless the shared list was set specifically to the device owner. We worked with TAC/product team [they reproduced the changed behavior and were very helpful during our discussions) - and the behavior is being corrected in 8.10.0.7 to reflect that of AirGroup Version 1.

Hello, AOS 8

Thank you

Quick question, what version of ArubaOS are you running?

Hello, thank you for the response. The devices cannot be managed by MDM. But I suspected all along Apple's verification code process exists precisely because AirGroup or any wireless management platform can't really stop Apple devices from seeing each other. With the whole AirTag thing I suspected Apple has done two things: One -  is make every Apple device visible to other devices, 2nd - the verification code is the solution to solve the security problem thanks to first "feature"

Original Message:
Sent: Mar 22, 2023 02:13 AM
From: TRS-80
Subject: AirGroup Apple Screen Mirror Restrictions

AirPlay discovery and sharing occurs over AWDL, Apple's peer-to-peer protocol that runs on 802.11, so disabling bluetooth doesn't stop it, and AirGroup won't help either. What you need to do is set a configuration profile on the Apple TV, AirPlay Security/Access to only let devices on the same wifi network connect. I think this can be done in the settings menu on the device directly as well. Then you could use AirGroup on top to restrict visibility. 

https://support.apple.com/en-au/guide/deployment/dep09c789dce/1/web/1.0

Original Message:
Sent: Mar 21, 2023 07:13 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, thank you. I have disabled bluetooth on the surrounding iOS devices but the tvOS is still an option on their screen mirror menu. We have several SSIDs with different VLANs. Apple devices on one SSID are able to see the tvOS which is connected to a different SSID on a different VLAN.

Person # 1 has at  tvOS and a iOS device. Other Users in the same building or surrounding office who have iOS devices  are able to view the tvOS in the screen mirror menu but of course can't join without the verification code. 

People in my organization are convinced AirGroup is supposed to be able to hide a Screen Mirror capable device from all users except the owner's own iOS device, provided the user is signed into both devices with their Apple ID and has registered the devices under their own name in ClearPass device registration with the AirGroup "Personal or Shared" options 

Thank you

Original Message:
Sent: Mar 21, 2023 06:40 PM
From: su_A_ve
Subject: AirGroup Apple Screen Mirror Restrictions

Original Message:
Sent: 3/21/2023 3:27:00 PM
From: vvajpeyi
Subject: AirGroup Apple Screen Mirror Restrictions

Hello, we have Aruba Mobility and ClearPass deployed on a campus. We use Mobility for Wireless Management and ClearPass for all our authentication services. I have security concern in regards to the Screen mirror function on Apple devices. The concern is Apple devices will be visible to other Apple devices which would in turn create a situation where Apple devices try to attempt unauthorized connections to other Apple devices through screen mirror function. AirGroup is enabled on ClearPass Guest device registration and I have the option to choose personal or shared. I have logged into two Apple devices with an Apple ID and I registered both through my guest device registration portal. The problem is everyone with an Apple iOS is able to see a screen mirror capable Apple device such as tvOS. I have tried disabling Bluetooth, but the screen mirror still is visible. I work with other people who are on different SSID's and VLAN but the Apple devices are still able to see the tvOS in the screen mirror menu. Is it actually possible with AirGroup and Mobility or ClearPass to restrict visibility of two Apple devices to a registered user? 

Thank you

Best.