iOS Hardening Configuration Guide - DSD

More documents

Recommendations

Info

Question Comments/Selection How does an agency develop applications that are customised to its environment and needs to make the users more productive and better informed when they are mobile, away from their desks? Does access to my agency information need to be pervasive? Do I need to be able to locate devices remotely? Do I need to digitally sign email (e.g. S/MIME or PGP ) ? In-house application development needs to be done in either HTML5/CSS3/Javascript, or native applications code signed with an Enterprise Developer Agreement. Native apps, and Web Clips to web applications can be pushed OTA to devices that are under the control of an MDM server. If access to agency data is primarily appropriate on a site or campus, then potentially, focus on Wi-fi security, and limit agency data access, such as EAS PIM, or limited web site access via a reverse SSL proxy. Use of Mobile Me or an MDM that provides this in its on-device App. In iOS 4.3.3 Mail app does not support PGP or S/MIME, however third party solutions that support S/MIME are available as Apps e.g. Good for Enterprise. 13 | D efence Signals Directorate
Chapter Two Installing iOS 4 This chapter is provided to help agencies ensure that their iOS 4 devices are configured in a way that enables the full set of data protection capabilities in iOS. Data Protection iOS 4 introduces a new system for data protection at rest, that takes advantage of the hardware cryptographic module in recent iOS devices. This minimises the impact of encryption on CPU load and battery life. Data protection is enabled by setting a passcode on the device. If a device is new and shipped from the factory with iOS 4 pre-installed, then no action other than setting a passcode needs to be taken from this chapter. If there is no requirement for data to be retained on a device, then simply performing a restore of iOS 4, and then setting it up as a new device with a passcode will enable data protection. If there is data on a device, then the procedure in the Apple Knowledge Base articlehttp://support.apple.com/kb/HT4175 should be followed in order to ensure that data protection is enabled. Note: iPhone 3, and iPod Touch (Second Generation) are capable of running iOS 4, but do not have the hardware cryptographic module. These older devices should be used in less sensitive roles, or third party solutions that put an encrypted container on the device independent of iOS features, such as Good Enterprise or Sybase Afaria. Verifying Data Protection is Enabled There are two main methods of verifying that the file system of a device has been configured to support data protection. A Mobile Device Management console can query and report centrally as to if data protection is enabled on a device. The user of a device can also validate if data protection is enabled by going to Settings -> General, -> Passcode Lock and scroll to the bottom on the screen. If data protection is enabled, “Data protection is enabled” will be displayed at the bottom of the screen. 14 | D efence Signals Directorate
Page 1 and 2: iOS Hardening Configuration Guide F
Page 3 and 4: Audience This guide is for users an
Page 5 and 6: Using this Guide The following list
Page 7 and 8: Chappter Onne Introoductioon to Mob
Page 9 and 10: The fireewall rules aapplied to th
Page 11 and 12: ensured, due to both ‘Man-in-the-
Page 13: Question Comments/Selection Does my
Page 17 and 18: Chappter Thhree Secuurity Feeatures
Page 19 and 20: Find My iPhone user interface Gener
Page 21 and 22: Conteent Filterinng Access to intra
Page 23 and 24: Chapter Four Suggested Policies Thi
Page 25 and 26: Feature Unclassified XX-in-Confiden
Page 27 and 28: � � � Passcode (can be set vi
Page 29 and 30: VPN � IPSec and SSL are DSD Appro
Page 31 and 32: Chapter Six Mobile Device Managemen
Page 33 and 34: Example of approved or re ecommendd
Page 35 and 36: Task Comments Provide staff with tr
Page 37 and 38: Appendix B Configuration Profiles F
Page 39 and 40: Appendix C Sample Scripts This appe
Page 41 and 42: make new VPN payload with propertie
Page 43 and 44: Appendix E Risk Management Guide Th
Page 45 and 46: Firewall Risk Mitigations Implied P

iOS Hardening Configuration Guide - DSD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?