iOS Hardening Configuration Guide for iPod Touch, iPhone and iPad devices running iOS 8.3 or higher
Download ACSC iOS Hardening Configuration Guide for iPod Touch, iPhone and iPad devices running iOS 8.3 or higher (5Mb PDF), April 2015
About this guide
The iOS Hardening Configuration Guide for iPod Touch, iPhone and iPad devices running iOS 8.3 or higher (5Mb PDF) provides instructions and techniques for Australian government agencies to harden the security of iOS 8 devices.
Implementing the techniques and settings found in this document can affect system functionality, and may not be appropriate for every user or environment.
In these cases, agencies should seek approval for non-compliance from their accreditation authority to allow for the formal acceptance of the risks involved. Refer to System Accreditation and Product Selection chapters of the Australian Government Information Security Manual (ISM) for more information.
At the time of publication, the latest version of Apple iOS on iPhone, iPad, and iPod Touch has commenced but not completed an ASD-recognised evaluation.
Apple iOS 8 was launched on 17 September 2014. As per Apple’s usual practice, the previous version, iOS 7, is no longer available for download.
For agencies with existing or planned iOS deployments, ASD advises the following:
- Upgrade to iOS 8.3 or later. Even though iOS 8 has not completed an evaluation, this version does provide security enhancements and addresses a number of software vulnerabilities. This is consistent with ASD’s advice to install the latest versions of software and patch operating system vulnerabilities as communicated in the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions.
- Implement the interim advice contained in this guide. In particular, agencies should take note of advice relating to new features and changed functionality introduced by Apple in iOS 8. This advice is the result of in-house technical testing by ASD, experiences shared by other agencies, and consultation with the vendor.
Agencies should be made aware that, since April 2014, the ASD has endorsed the Mobile Device Fundamentals Protection Profile (MDF PP) as a key component in all new mobile device evaluations. The MDF PP, as defined by the United States’ National Information Assurance Partnership (NIAP), outlines the security requirements for a mobile device for use in an enterprise.
As in any case where significant updates of a previously-evaluated product are issued by a vendor, agencies should investigate the changes as part of their risk management process. Agencies must refer to the Product Security section of the Australian Government Information Security Manual to ensure compliance when planning to use an unevaluated product.
Apple provides details of the content of its security updates. This information may help agencies quantify the risk posed by not updating.
iOS and the Australian Government Information Security Manual
This guide reflects policy specified in the Australian Government Information Security Manual (ISM). Currently, not all ISM requirements can be implemented on iOS 8 devices. In these cases, risk mitigation measures are provided in the Risk Management Guide at Chapter 11.
Chapter 6 provides recommended passcode settings for iOS devices. This advice has been developed based on an assessment of security risks related specifically to iOS 8, and takes precedence over the non-platform specific advice in the ISM.
About the Australian Signals Directorate
As the Commonwealth authority on the security of information, ASD provides guidance and other assistance to Australian federal and state agencies on matters relating to the security and integrity of information.
This guide is for users and administrators of iOS 8 or later devices. These devices include the iPod Touch, iPhone and iPad.
To use this guide, readers should be:
- familiar with basic networking concepts
- an experienced systems administrator.
Parts of this guide refer to features that require the engagement of the technical resources of agency telecommunications carriers, firewall vendors or Mobile Device Management (MDM) vendors. While every effort has been made to ensure content involving these third-party products is correct at the time of writing, agencies should always check with these vendors when planning an implementation.
Mention of third-party products is not a specific endorsement of that vendor over another; they are mentioned as illustrative examples only.
Some instructions in this guide are complex and, if implemented incorrectly, could reduce the security of the device, the network and the agency’s security posture. These instructions should only be used by experienced administrators, and should be used in conjunction with thorough testing.
For further clarification or assistance, Australian government IT security advisors can contact ASD.
iOS 8 has brought with it many important new features and improvements. Apple has opened the platform further to app developers with 'app extensions' while simultaneously reinforcing platform security. Enterprise administrators are given more control with new configuration profile payloads and restrictions. Users are given a number of new features, many of which will challenge administrators of business-only iOS fleets.
Continuity
Continuity is the name given to a group of new features which enable a user to transition an activity from one device to another. This includes:
- Allowing a user to move from one device to another, and have their internet browsing state preserved.
- Allowing a user to take advantage of their iPhone’s cellular network from another associated device for phone calls, messaging and network connectivity.
Refer to Security Features and Capabilities for updated advice on the risks and benefits associated with Continuity.
App extensions
Third-party apps with app extensions can now make content and functions available to other apps in iOS. For example:
- An app may install a custom keyboard that replaces the default iOS keyboard.
- Custom Actions allow a third-party app to provide a service, such as document translation, to content in another app.
Refer to Security Features and Capabilities for updated advice on the risks and benefits associated with App Extensions.
New configuration profile controls
New management and supervisory controls have been made available to iOS enterprise fleet administrators. Refer to Recommended Device Profile Settings for our updated advice.
Improved VPN guidance
iOS 8 contains several under-the-hood changes to VPN behaviour. Refer to the VPN section for detail.
Advice has been updated throughout the guide based upon the experiences of Australian Government agencies and from industry. If you have feedback, please contact ASD.
Table of contents
- Introduction to mobile device security architecture
- Security features and capabilities
- Encryption in iOS
- Deploying iOS devices
- Managing apps and data
- Suggested policies
- Recommended device profile settings
- Mobile device management
- Security checklist
- Example scenarios
- Risk management guide
- Firewall rules
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.