iOS Hardening Configuration Guide - DSD

More documents

Recommendations

Info

Capability Enablers MDM, EAS, Apple Push Comment Remote Wipe Notification Service (APNS) Proxy Firewall Force Device Settings Multi-factor Authentication OTA Configuration Profile (pull) OTA Configuration and Provisioning Profiles (push) Mobile Device Monitoring Mobile Device Management Remote Application Deployment Home screen Custom APN, VPN iOS 4.3.3 does not implement a global proxy setting. A proxy can be set on a custom APN Firewall on Custom APN, Firewall on Wireless network. and a VPN session. iOS 4.3.3 does not implement a local firewall. This is significantly mitigated by the runtime environment. iPCU 3.x, MDM Enterprise Deployment Guide lists XML schema, this can be used to generate and sign profiles from custom scripts. iPCU is an easy to use GUI tool to generate the XML, but CA integration requires signing with SSL CA infrastructure, DNS, RSA or CryptoCard ( VPN Only ), Smartcard ( Requires Good Enterprise and Good Mobility Server ) SSL CA infrastructure, DNS, Web Service, Directory Service Enterprise Developer Agreement, 3rd Party MDM appliance, SSL CA infrastructure, DNS, Directory Service, APNS Enterprise Developer Agreement, 3rd Party MDM appliance, CA infrastructure, DNS, Directory Service, APNS Enterprise Developer Agreement, 3rd Party MDM appliance, CA infrastructure, DNS, Directory Service, APNS Enterprise Developer Agreement, Web Server, 3rd Party MDM appliance (optional), APNS (optional). OpenSSL tools. Depending on the agency’s security posture device certificates or soft tokens may be considered as a second factor of authentication. Externally sign & encrypt profiles, do not sign with iPCU. MDM should be tied into CA and Directory Service. MDM should be tied into CA and Directory Service. MDM should be tied into CA and Directory Service. Only Enterprise In-House Apps can be deployed OTA. Set Home screen to “If found return to PO BOX XXXX”. This could also be done with a Picture Frame Album. 21 | D efence Signals Directorate
Chapter Four Suggested Policies This chapter lists suggested policies in graduated levels of response, applied to iOS devices at varying security classifications. The agency’s Information Technology Security Advisor should be consulted for the specific usage scenarios for a deployment. Note: at the time of writing, iOS devices implement DSD Approved Cryptographic Algorithms and Protocols (and the implementations have been submitted for FIPS-140-2 certification), but have not yet completed a DSD Cryptographic Evaluation (DCE) conducted by DSD. In the absence of a DCE, use with PROTECTED and/or RESTRICTED content would require the agency head and accreditation authority, (typically an SES level staff member tasked with CISO responsibilities) to provide a dispensation for use. The ISM and agency security policy should be consulted directly for risk assessment and mitigation procedures in such use-cases. If iOS devices are being considered for use at classifications above RESTRICTED/ PROTECTED, agencies must undertake a risk assessment following the guidance in the ISM as well as their own agency security policies and determine mitigation procedures and policy. Agencies must also obtain any dispensations as required by the ISM. Feature Unclassified XX-in-Confidence Restricted/Protected Hardware Crypto iOS Devices Agency’s Decision Recommended Must BYOD ( Bring Your Own Device ) Passcode iTunes Account Sync to Content/Sync to iTunes Account. Agency’s Decision May be possible (MDM opt-in for AUP agreement and enforcement recommended). See ISM section on Mobile Devices Must Must Must May be possible. (MDM opt-in for AUP agreement and enforcement recommended) See ISM section on Mobile Devices. Personal or Agency Personal or Agency Personal or Agency Yes, if Personal iTunes Generally no Generally no 22 | D efence Signals Directorate
Page 1 and 2: iOS Hardening Configuration Guide F
Page 3 and 4: Audience This guide is for users an
Page 5 and 6: Using this Guide The following list
Page 7 and 8: Chappter Onne Introoductioon to Mob
Page 9 and 10: The fireewall rules aapplied to th
Page 11 and 12: ensured, due to both ‘Man-in-the-
Page 13 and 14: Question Comments/Selection Does my
Page 15 and 16: Chapter Two Installing iOS 4 This c
Page 17 and 18: Chappter Thhree Secuurity Feeatures
Page 19 and 20: Find My iPhone user interface Gener
Page 21: Conteent Filterinng Access to intra
Page 25 and 26: Feature Unclassified XX-in-Confiden
Page 27 and 28: � � � Passcode (can be set vi
Page 29 and 30: VPN � IPSec and SSL are DSD Appro
Page 31 and 32: Chapter Six Mobile Device Managemen
Page 33 and 34: Example of approved or re ecommendd
Page 35 and 36: Task Comments Provide staff with tr
Page 37 and 38: Appendix B Configuration Profiles F
Page 39 and 40: Appendix C Sample Scripts This appe
Page 41 and 42: make new VPN payload with propertie
Page 43 and 44: Appendix E Risk Management Guide Th
Page 45 and 46: Firewall Risk Mitigations Implied P

iOS Hardening Configuration Guide - DSD

Create successful ePaper yourself

Delete template?

Save as template?