iOS Hardening Configuration Guide - DSD
Chapter Two
Installing iOS 4
This chapter is provided to help agencies ensure that their iOS 4 devices are configured in a way that enables the full set of data protection capabilities in iOS.
Data Protection
iOS 4 introduces a new system for data protection at rest that takes advantage of the hardware cryptographic module in recent iOS devices. This minimises the impact of encryption on CPU load and battery life. Data protection is enabled by setting a passcode on the device; without a passcode the hardware capability is present but the protection is not in effect.
If a device is new and shipped from the factory with iOS 4 pre-installed, then no action other than setting a passcode needs to be taken from this chapter.
If there is no requirement for data to be retained on a device, then simply performing a restore of iOS 4, and then setting it up as a new device with a passcode, will enable data protection.
If there is data on a device that must be retained, then the procedure in the Apple Knowledge Base article http://support.apple.com/kb/HT4175 should be followed in order to ensure that data protection is enabled. A device upgraded in place from an earlier iOS version keeps its old file system layout, which is why a restore is required.
Note: iPhone 3G and iPod Touch (Second Generation) are capable of running iOS 4, but do not have the hardware cryptographic module, so setting a passcode on them does not enable data protection. These older devices should be used in less sensitive roles, or with third party solutions that put an encrypted container on the device independent of iOS features, such as Good Enterprise or Sybase Afaria.
Verifying Data Protection is Enabled
There are two main methods of verifying that the file system of a device has been configured to support data protection. A Mobile Device Management (MDM) console can query each enrolled device and report centrally on whether data protection is enabled. The user of a device can also check it locally by going to Settings -> General -> Passcode Lock and scrolling to the bottom of the screen. If data protection is enabled, "Data protection is enabled" will be displayed at the bottom of the screen.
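The central MDM check described above, as an added example that is not part of the DSD guide: a small Python audit that parses the response to an MDM SecurityInfo query and applies the rule this chapter states, namely that data protection is in effect only when the device has file-level hardware encryption and a passcode is set. The key names (HardwareEncryptionCaps, PasscodePresent, PasscodeCompliant) follow Apple's MDM protocol SecurityInfo response; the three device responses, their UDIDs and the MDM console workflow around them are constructed for illustration and are not taken from the guide.

```python
import plistlib

# Bit flags of the HardwareEncryptionCaps integer in an MDM SecurityInfo
# response: 1 = block-level encryption, 2 = file-level (data protection).
BLOCK_LEVEL = 1
FILE_LEVEL = 2


def data_protection_status(response: bytes) -> dict:
    """Parse one MDM SecurityInfo response plist and decide whether iOS
    data protection is in effect.

    Rule from the guide: the device needs the hardware cryptographic
    module (file-level capability bit) AND a passcode set.
    """
    plist = plistlib.loads(response)
    info = plist.get("SecurityInfo", {})
    caps = int(info.get("HardwareEncryptionCaps", 0))
    passcode = bool(info.get("PasscodePresent", False))

    hardware_ok = bool(caps & FILE_LEVEL)
    enabled = hardware_ok and passcode

    if enabled:
        reason = "data protection enabled"
    elif not hardware_ok:
        # iPhone 3G / iPod touch 2G class device: passcode alone is not enough
        reason = ("no file-level hardware encryption; use an encrypted "
                  "container product or a less sensitive role")
    else:
        reason = "hardware capable but no passcode set; data protection off"

    return {
        "udid": plist.get("UDID"),
        "hardware_capable": hardware_ok,
        "passcode_present": passcode,
        "data_protection": enabled,
        "reason": reason,
    }


def make_response(udid: str, caps: int, passcode: bool) -> bytes:
    """Build a constructed SecurityInfo response of the shape an MDM server
    receives after issuing a SecurityInfo command (sample data, not a capture)."""
    return plistlib.dumps({
        "UDID": udid,
        "Status": "Acknowledged",
        "CommandUUID": "00000000-0000-0000-0000-000000000001",
        "SecurityInfo": {
            "HardwareEncryptionCaps": caps,
            "PasscodePresent": passcode,
            "PasscodeCompliant": passcode,
        },
    })


# Constructed fleet: a capable device with a passcode, an older device
# without the hardware module, and a capable device with no passcode.
SAMPLE_RESPONSES = [
    make_response("constructed-udid-a", BLOCK_LEVEL | FILE_LEVEL, True),
    make_response("constructed-udid-b", 0, True),
    make_response("constructed-udid-c", BLOCK_LEVEL | FILE_LEVEL, False),
]


def audit(responses):
    """Evaluate every device response and return one status row each."""
    return [data_protection_status(r) for r in responses]


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES):
        state = "OK  " if row["data_protection"] else "FAIL"
        print(f"{state} {row['udid']}: {row['reason']}")
```

Devices reported as FAIL for the hardware reason cannot be fixed by policy; they are the older models the note above assigns to less sensitive roles or to a third party encrypted container. Devices failing only on the passcode can be brought into line with a passcode policy profile.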
14 | Defence Signals Directorate