iOS Hardening Configuration Guide - DSD

More documents

Recommendations

Info

Chappter Fivve Recoommennded Device D Profile e Settin ngs This chhapter listss the profile e settings tthat would typically be used whhen an <strong>iOS</strong> S device is usedd on an Australian go overnment network. Note thhat if profiless are not be eing pushedd by an MDM M solution, the correct t technique with Configuuration Profi files is bund dling the payyloads in a way that: Profiless pulled to thhe device, bundle b restrrictions with h authentica ation, so if thhe profile is s removeed, all accesss to agency y resourcess is removed. If MDM M is used, thee MDM mas ster profile is always re emovable, but b if it is reemoved all manageed profiles aare lost as well. w Pre-loaded <strong>Configuration</strong> Prof files and MDDM manage ed profiles can c be mixeed on devic ces, but the MDM server caannot remov ve the profiles manually pulled to the device. . The following settinngs are a baseline for use on Res stricted/Prot tected netwworks. Agency discretioon can be uused to vary y to be moree restrictive e if required by local reqquirements, or loweredd at lower classification ns in accorddance with ISM policy. Where a pprofile setting is not discusssed below, aagencies sh hould examiine their ow wn particular r technical aand policy needs. n iPhone Configuratiion Utility ca an be used to view the e full range of o profile seetting that ca an be deployeed. Generral (non-MManaged Profiles P onnly): 25 | Defence S ignals Directo rate
� � � Passcode (can be set via a EAS deppending on version, , OR Conffiguration Profilee): � � � � � � � � � Profile Security should d be “Removve Always” if setting is for convennience for us sers that does nnot contain any a sensitivve data (e.g g. a subscrib bed calendaar of Australian public holiddays). Opt-In MDM proffiles would usually fit in nto this cateegory as we ell. Profile secuurity would usually be “ “Remove with w Passcod de” for profiles that you u may want IT staaff to remove e temporariily. Generally users wo ould not get the passco ode to such profilees. Most profilees that are not n MDM mmanaged wo ould be set to t “Never”. The Passco ode policy profile, if used, should s be sset to “Neve er”. a maximumm passcode length of 990 days; require passscode on device; d do NOT alloow simple value v (i.e. PPIN); require alphhanumeric; minimum oof 8 characte ers; auto-lock oof 5 minutes s (Note: Current maxim mum allowed time on iOOS); history of 8 passwords s; immediate device lock k; and auto-wipe oon 5 failed attempts. a Dependding on the EAS versio on, only somme of the ab bove may be e set by thee EAS Serve er, and a configguration proofile would be b required. . 26 | Defence S ignals Directo rate
Page 1 and 2: iOS Hardening Configuration Guide F
Page 3 and 4: Audience This guide is for users an
Page 5 and 6: Using this Guide The following list
Page 7 and 8: Chappter Onne Introoductioon to Mob
Page 9 and 10: The fireewall rules aapplied to th
Page 11 and 12: ensured, due to both ‘Man-in-the-
Page 13 and 14: Question Comments/Selection Does my
Page 15 and 16: Chapter Two Installing iOS 4 This c
Page 17 and 18: Chappter Thhree Secuurity Feeatures
Page 19 and 20: Find My iPhone user interface Gener
Page 21 and 22: Conteent Filterinng Access to intra
Page 23 and 24: Chapter Four Suggested Policies Thi
Page 25: Feature Unclassified XX-in-Confiden
Page 29 and 30: VPN � IPSec and SSL are DSD Appro
Page 31 and 32: Chapter Six Mobile Device Managemen
Page 33 and 34: Example of approved or re ecommendd
Page 35 and 36: Task Comments Provide staff with tr
Page 37 and 38: Appendix B Configuration Profiles F
Page 39 and 40: Appendix C Sample Scripts This appe
Page 41 and 42: make new VPN payload with propertie
Page 43 and 44: Appendix E Risk Management Guide Th
Page 45 and 46: Firewall Risk Mitigations Implied P

iOS Hardening Configuration Guide - DSD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?