iOS Hardening Configuration Guide - DSD

More documents

Recommendations

Info

Securrity featurres in iOS S iOS proovides a nummber of features that eenable: � � � � � � managemeent of credentials and ppasswords w encryption of data in tr ransit (usingg DACA encryption of data at re est and in tr digital signaatures, certificates and randomisattion services; and Code Signing Applicat tions can le the baseline implemen nted in iOS. for an agenncy should generally g ta inventing thhe same capabilities. M Developer wweb site: 4 with Keycha an nd DACP ransit (usin d trust servic verage thes Any Enterp ake advanta More inform 5 ain; ); ng DACA an nd DACP); ces; se services providing ccapabilities beyond prise In-Hou use Applicaations developed age of these e services, rrather than re- ation is ava ailable in deetail from the e Apple http://deeveloper.appple.com/lib brary/ios/#doocumentatio on/Security/ /Conceptuaal/ Securityy_Overvieww/Introductio on/Introducttion.html iOS 4.22.1 introduceed no-cost “Find “ My iPPhone” funct tionality for iOS devicees. This allows a MobileMMe accountt to use the “Find my iPPhone/iPad” ” functionality, with a frree MobileM Me account, rather thaan full Mobil leMe subsccription. User level setu up informattion is includ ded in the URLL below: http://wwww.apple.ccom/iphone e/find-my-iphhone-setup/ 4 DSD Approved Cryptoographic Algo orithm 5 DSD Approved Cryptoographic Prot tocol Securitty Services s in iOS 17 | Defence S ignals Directo rate
Find My iPhone user interface Generally, when agency devices are used, this MobileMe account would be the same as the iTunes account used to install agency owned apps, and set up prior to issuing the device. Note that this requires a network connection, location services to be active, and the device to have opted in to the “Find my iPhone” service. Virtualisation Some agencies may opt to present some agency applications to iOS devices over a network via a Virtual Desktop Infrastructure (VDI), such as Citrix Receiver (e.g. http://www.citrix.com/ipad) or VMWare View. This works particularly well for users who are “micromobile” i.e. they move about a building or a campus during their work day, and able to take advantage of the relatively high bandwidth of a secure Wi-Fi network, but are not strictly away from the office location. Solutions in this space ( such as Citrix XenApp version 6) provide an ability to tune the application UI for a small screen suitable for presenting to mobile devices, rather than merely presenting a remote session to the standard agency desktop resolution. Due to dependency on network performance and differences in screen sizes and input device sizes, VDI based solutions should be thoroughly tested from a usability perspective. This approach also has the advantage that minimal agency data is stored on the device. Note most major authentication token vendors have a soft token available for iOS. Note that in some cases use of VDI is a classic usability/productivity trade off against security, as the absence of locally cached data means users are not able to be productive when the device is off the network, there is no integration with native applications running locally on the end point device. 18 | D efence Signals Directorate
Page 1 and 2: iOS Hardening Configuration Guide F
Page 3 and 4: Audience This guide is for users an
Page 5 and 6: Using this Guide The following list
Page 7 and 8: Chappter Onne Introoductioon to Mob
Page 9 and 10: The fireewall rules aapplied to th
Page 11 and 12: ensured, due to both ‘Man-in-the-
Page 13 and 14: Question Comments/Selection Does my
Page 15 and 16: Chapter Two Installing iOS 4 This c
Page 17: Chappter Thhree Secuurity Feeatures
Page 21 and 22: Conteent Filterinng Access to intra
Page 23 and 24: Chapter Four Suggested Policies Thi
Page 25 and 26: Feature Unclassified XX-in-Confiden
Page 27 and 28: � � � Passcode (can be set vi
Page 29 and 30: VPN � IPSec and SSL are DSD Appro
Page 31 and 32: Chapter Six Mobile Device Managemen
Page 33 and 34: Example of approved or re ecommendd
Page 35 and 36: Task Comments Provide staff with tr
Page 37 and 38: Appendix B Configuration Profiles F
Page 39 and 40: Appendix C Sample Scripts This appe
Page 41 and 42: make new VPN payload with propertie
Page 43 and 44: Appendix E Risk Management Guide Th
Page 45 and 46: Firewall Risk Mitigations Implied P

iOS Hardening Configuration Guide - DSD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?