iOS Hardening Configuration Guide for iPod Touch, iPhone and iPad devices running iOS 8.3 or higher

Download ACSC iOS Hardening Configuration Guide for iPod Touch, iPhone and iPad devices running iOS 8.3 or higher (5Mb PDF), April 2015

About this guide

The iOS Hardening Configuration Guide for iPod Touch, iPhone and iPad devices running iOS 8.3 or higher (5Mb PDF) provides instructions and techniques for Australian government agencies to harden the security of iOS 8 devices.

Implementing the techniques and settings found in this document can affect system functionality, and may not be appropriate for every user or environment.

In these cases, agencies should seek approval for non-compliance from their accreditation authority to allow for the formal acceptance of the risks involved. Refer to the System Accreditation and Product Selection chapters of the Australian Government Information Security Manual (ISM) for more information.

Evaluation status

At the time of publication, the latest version of Apple iOS on iPhone, iPad, and iPod Touch has commenced but not completed an ASD-recognised evaluation.

Apple iOS 8 was launched on 17 September 2014. As per Apple’s usual practice, the previous version, iOS 7, is no longer available for download.

For agencies with existing or planned iOS deployments, ASD advises the following:

Agencies should be made aware that, since April 2014, the ASD has endorsed the Mobile Device Fundamentals Protection Profile (MDF PP) as a key component in all new mobile device evaluations. The MDF PP, as defined by the United States’ National Information Assurance Partnership (NIAP), outlines the security requirements for a mobile device for use in an enterprise.

As in any case where significant updates of a previously-evaluated product are issued by a vendor, agencies should investigate the changes as part of their risk management process. Agencies must refer to the Product Security section of the Australian Government Information Security Manual to ensure compliance when planning to use an unevaluated product.

Apple provides detail of the content of security updates. This information may help agencies quantify the risk posed by not updating.

iOS and the Australian Government Information Security Manual

This guide reflects policy specified in the Australian Government Information Security Manual (ISM). Currently, not all ISM requirements can be implemented on iOS 8 devices. In these cases, risk mitigation measures are provided in the Risk Management Guide at Chapter 11.

Chapter 6 provides recommended passcode settings for iOS devices. This advice has been developed based on an assessment of security risks related specifically to iOS 8, and takes precedence over the non-platform-specific advice in the ISM.

About the Australian Signals Directorate

As the Commonwealth authority on the security of information, ASD provides guidance and other assistance to Australian federal and state agencies on matters relating to the security and integrity of information.

Audience

This guide is for users and administrators of iOS 8 or later devices. These devices include the iPod Touch, iPhone and iPad.

To use this guide, readers should be:

Parts of this guide refer to features that require the engagement of the technical resources of agency telecommunications carriers, firewall vendors or Mobile Device Management (MDM) vendors. While every effort has been made to ensure content involving these third-party products is correct at the time of writing, agencies should always check with these vendors when planning an implementation.

Mention of third-party products is not a specific endorsement of that vendor over another; they are mentioned as illustrative examples only.

Some instructions in this guide are complex and, if implemented incorrectly, could reduce the security of the device, the network and the agency’s security posture. These instructions should only be used by experienced administrators, and should be used in conjunction with thorough testing.

For further clarification or assistance, Australian government IT security advisors can contact ASD.

What’s changed

iOS 8 has brought with it many important new features and improvements. Apple has opened the platform further to app developers with 'app extensions' while simultaneously reinforcing platform security. Enterprise administrators are given more control with new configuration profile payloads and restrictions. Users are also given a number of new features, many of which will challenge administrators of business-only iOS fleets.

Continuity

Continuity is the name given to a group of new features which enable a user to transition an activity from one device to another. This includes:

Refer to Security Features and Capabilities for updated advice on the risks and benefits associated with Continuity.

App extensions

Third-party apps with app extensions can now make available content and functions to other apps in iOS. For example:

Refer to Security Features and Capabilities for updated advice on the risks and benefits associated with App Extensions.

New configuration profile controls

New management and supervisory controls have been made available to iOS enterprise fleet administrators. Refer to Recommended Device Profile Settings for our updated advice.

Improved VPN guidance

iOS 8 contains several under-the-hood changes to VPN behaviour. Refer to the VPN section for detail.

Feedback

Advice has been updated throughout the guide based on the experiences of Australian Government agencies and industry. If you have feedback, please contact ASD.

Table of contents

  1. Introduction to mobile device security architecture
  2. Security features and capabilities
  3. Encryption in iOS
  4. Deploying iOS devices
  5. Managing apps and data
  6. Suggested policies
  7. Recommended device profile settings
  8. Mobile device management
  9. Security checklist
  10. Example scenarios
  11. Risk management guide
  12. Firewall rules

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.