# Security

# Securing Network Connections

All network connections established by Alectrona Patch require the use of Apple's App Transport Security (ATS) feature. ATS requires that network connections are secured using Transport Layer Security (TLS) version 1.2, perfect forward secrecy, and strong cryptography. ATS blocks connections that don’t meet the minimum security requirements:

  • The server certificate must be signed with either a Rivest-Shamir-Adleman (RSA) key of at least 2048 bits, or an Elliptic-Curve Cryptography (ECC) key of at least 256 bits.
  • The certificate must use the Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a fingerprint, of at least 256 bits (that is, SHA-256 or greater).
  • The connection must use Transport Layer Security (TLS) protocol version 1.2 or later.
  • Data must be exchanged using either the AES-128 or the AES-256 symmetric cipher.
  • The link must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.

More information about ATS can be found below:

Apple Developer - Preventing Insecure Network Connections (opens new window)

# Validating Install Media

Alectrona Patch is designed to obtain install media directly from the vendor. This means that when installing/updating a software title, the publicly available install media is cached on a client directly from the vendor.

Prior to installation, Alectrona Patch will perform security validations to ensure the software being installed is what you expect.

  • When installing a package file (.pkg/.mpkg) Alectrona Patch will check the signature/certificates used when signing the package to ensure it matches what we expect.
  • When installing an application (.app) inside a compressed container (.dmg/.zip etc.) Alectrona Patch will extract the application from its original container, then validate the Code Signing Requirement (opens new window) of the application. This is the same requirement that you'd use when creating a PPPC profile using your MDM.

If the security validations fail for any reason, the software is not installed.

# Client-Side Data Security

Alectrona Patch does not capture/record/track any sensitive information about your Macs. The client-side data leveraged during the installation of software is as follows:

  • The UDID (opens new window) (Unique Device Identifier), which is like the Social Security Number of a Mac, is sent in a request to our Patch API along with your Alectrona Patch license key in order to grant your Mac access to our Patch Catalog. The UDID is securely stored and only used to determine the number of unique Macs using the same license key for billing purposes.
  • The architecture type of a Mac (Intel/Apple silicon) is also sent in the request (but not stored) in order to provide builds of software that match the architecture of the Mac making the request.

Have more questions?

Additional details covering Alectrona Patch's security are available upon request.