iOS Hardening Configuration Guide - DSD
iOS Hardening Configuration Guide - DSD
iOS Hardening Configuration Guide - DSD
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
VPN<br />
� IPSec and SSL are <strong>DSD</strong> Approved Cryptographic Protocols, please refer to the<br />
Evaluated Products List (EPL) for more information –<br />
http://www.dsd.gov.au/infosec/epl/<br />
� “VPN Server <strong>Configuration</strong> for <strong>iOS</strong> 4 Devices” on http://developer.apple.com should<br />
be consulted for server side settings that <strong>iOS</strong> supports.<br />
� Certificate based Machine Authentication. Full trust chain needs to be included.<br />
� Split tunnel VPN should be off ( set VPN concentrator side )<br />
� VPN on Demand should be enabled with a whitelist of agency URLs or domains that<br />
device is allowed to access<br />
� Proxy should be configured - ideally a PAC file.<br />
Email<br />
� Not typically needed if EAS (e.g. Exchange ActiveSync Gateway, Lotus Notes<br />
Traveller) is in use. Otherwise appropriate to IMAP server, and can co-exist with<br />
Exchange.<br />
� If set, SSL only, with authentication<br />
Exchange ActiveSync<br />
� Settings as per EAS server details, SSL authentication credentials required to control<br />
both which device and which users have access to EAS.<br />
� Note if a profile with an EAS payload is removed, all EAS synced email and<br />
attachments are deleted from the device.<br />
LDAP<br />
� As per agency requirements if desired. Not typically needed if Exchange GAL is<br />
used, but can co-exist.<br />
� SSL recommended<br />
CalDAV<br />
� As per agency requirements if required. May not be needed if Exchange used, but<br />
can co-exist.<br />
� SSL recommended<br />
CardDAV<br />
� As per agency requirements if required. May not be needed if Exchange is used, but<br />
can co-exist.<br />
� SSL recommended<br />
Subscribed Calendars<br />
� As per agency requirements<br />
� SSL should be used if there is any sensitivity to the calendar data<br />
Web Clips<br />
� As per agency requirements. These are “aliases” or links to URLs with a custom icon<br />
on the home screen.<br />
� Typical use would include links to pages for AUP, helpdesk contact details, telephone<br />
URLs, and SCEP re-enrolment pages. Note that these web pages could use<br />
preference manifest settings in their HTML to work when the site is offline or the<br />
device is off the network.<br />
� Web clips can also be used to install Enterprise In-House Applications.<br />
28 | D efence Signals Directorate