iOS Hardening Configuration Guide - DSD

More documents

Recommendations

Info

Restriictions � � � � � � � � � � � � � Wi-Fi � � � � Allow installing apps - Off at Resttricted/Prote ected, and to t fully compply with ISM M. Potentially On as an exception at t lower level ls, as per di iscussion and mitigatio on measure nooted previously. Allow use oof Camera - up to agenncy Allow screeen capture - up to agenncy Allow autommatic sync while w roamiing - usually y off Allow voicee dialling - on o Allow in-appp purchase e - Off if appp installation n off, potent tially on if usser-installed d apps allowed Force encryypted backu ups Allow use oof You-tube - as per aggency policy y Allow use oof iTunes Music Store - as per age ency policy Allow use oof Safari – enable e autoffill, force fra aud warning g, enable JaavaScript, block b popups Allow use oof explicit music m and poodcasts - us sually off, as s per agenccy policy Ratings Reegion - Australia Allowed content rating gs - up to aggency policy y SSID of network as ap ppropriate Hidden SSID as per ag gency policcy WPA2 Authhentication with EAP-TTLS and a pre-shared p key k as a minnimum, but per user RADIUUS or 802.1 1X is recommmended Protocols, AAuthentication and Truust to match h network re equirementss. 802.1X with w device idenntity certifica ate and useername/pass sword is the e preferred authenticat tion mechanismm for in-Confidence andd higher. 27 | Defence S ignals Directo rate
VPN � IPSec and SSL are DSD Approved Cryptographic Protocols, please refer to the Evaluated Products List (EPL) for more information – http://www.dsd.gov.au/infosec/epl/ � “VPN Server Configuration for iOS 4 Devices” on http://developer.apple.com should be consulted for server side settings that iOS supports. � Certificate based Machine Authentication. Full trust chain needs to be included. � Split tunnel VPN should be off ( set VPN concentrator side ) � VPN on Demand should be enabled with a whitelist of agency URLs or domains that device is allowed to access � Proxy should be configured - ideally a PAC file. Email � Not typically needed if EAS (e.g. Exchange ActiveSync Gateway, Lotus Notes Traveller) is in use. Otherwise appropriate to IMAP server, and can co-exist with Exchange. � If set, SSL only, with authentication Exchange ActiveSync � Settings as per EAS server details, SSL authentication credentials required to control both which device and which users have access to EAS. � Note if a profile with an EAS payload is removed, all EAS synced email and attachments are deleted from the device. LDAP � As per agency requirements if desired. Not typically needed if Exchange GAL is used, but can co-exist. � SSL recommended CalDAV � As per agency requirements if required. May not be needed if Exchange used, but can co-exist. � SSL recommended CardDAV � As per agency requirements if required. May not be needed if Exchange is used, but can co-exist. � SSL recommended Subscribed Calendars � As per agency requirements � SSL should be used if there is any sensitivity to the calendar data Web Clips � As per agency requirements. These are “aliases” or links to URLs with a custom icon on the home screen. � Typical use would include links to pages for AUP, helpdesk contact details, telephone URLs, and SCEP re-enrolment pages. Note that these web pages could use preference manifest settings in their HTML to work when the site is offline or the device is off the network. � Web clips can also be used to install Enterprise In-House Applications. 28 | D efence Signals Directorate
Page 1 and 2: iOS Hardening Configuration Guide F
Page 3 and 4: Audience This guide is for users an
Page 5 and 6: Using this Guide The following list
Page 7 and 8: Chappter Onne Introoductioon to Mob
Page 9 and 10: The fireewall rules aapplied to th
Page 11 and 12: ensured, due to both ‘Man-in-the-
Page 13 and 14: Question Comments/Selection Does my
Page 15 and 16: Chapter Two Installing iOS 4 This c
Page 17 and 18: Chappter Thhree Secuurity Feeatures
Page 19 and 20: Find My iPhone user interface Gener
Page 21 and 22: Conteent Filterinng Access to intra
Page 23 and 24: Chapter Four Suggested Policies Thi
Page 25 and 26: Feature Unclassified XX-in-Confiden
Page 27: � � � Passcode (can be set vi
Page 31 and 32: Chapter Six Mobile Device Managemen
Page 33 and 34: Example of approved or re ecommendd
Page 35 and 36: Task Comments Provide staff with tr
Page 37 and 38: Appendix B Configuration Profiles F
Page 39 and 40: Appendix C Sample Scripts This appe
Page 41 and 42: make new VPN payload with propertie
Page 43 and 44: Appendix E Risk Management Guide Th
Page 45 and 46: Firewall Risk Mitigations Implied P

iOS Hardening Configuration Guide - DSD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?