
Introduction

This document presents security configuration benchmarks that guide the establishment of a secure configuration posture for Apple iOS 12. The benchmark applies to every device on which this OS version is supported.

Recommendations

1. Configuration Profile Recommendations for End-User Owned Devices

This section provides recommendations for devices in an unsupervised state. The term “unsupervised” is a specific technical designation for the management state of an iOS device, and it generally applies to end-user owned devices.

1.1 General

  • E.g. Ensure a ‘consent message’ has been ‘configured’

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the General tab
  4. In the right windowpane, verify that under the heading Consent Message an appropriate consent message is configured.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the General tab
  4. In the right windowpane, under the heading Consent Message, insert an appropriate consent message
  5. Deploy the configuration profile.

1.2 Restrictions

  • E.g. Ensure ‘Allow voice dialing while the device is locked’ is set to ‘Disabled’

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Restrictions tab
  4. In the right windowpane, verify that under the Functionality tab the checkbox for Allow voice dialing while device is locked is unchecked.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Restrictions tab
  4. In the right windowpane, under the Functionality tab, uncheck the checkbox for Allow voice dialing while device is locked
  5. Deploy the configuration profile.

1.3 Domains

  • E.g. Ensure ‘Managed Safari Web Domains’ is ‘Configured’

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Domains tab
  4. In the right windowpane, verify that under Managed Safari Web Domains each appropriate URL pattern is configured.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Domains tab
  4. In the right windowpane, under Managed Safari Web Domains, enter the appropriate URL pattern(s)
  5. Deploy the configuration profile.

1.4 Passcode

  • E.g. Ensure ‘Allow simple value’ is set to ‘Disabled’. A simple value is a passcode built from repeated, ascending or descending characters (such as 1111 or 1234), which is trivial to guess.

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Passcode tab
  4. In the right windowpane, verify that the checkbox for Allow simple value is unchecked.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Passcode tab
  4. In the right windowpane, uncheck the checkbox for Allow simple value
  5. Deploy the configuration profile.

1.5 Mail

  • E.g. Ensure ‘Allow user to move messages from this account’ is set to ‘Disabled’

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Mail tab
  4. In the right windowpane, verify that the checkbox for Allow user to move messages from this account is unchecked.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Mail tab
  4. In the right windowpane, uncheck the checkbox for Allow user to move messages from this account
  5. Deploy the configuration profile.

1.6 Notifications

  • E.g. Ensure ‘Notification settings’ are configured for all ‘managed apps’

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Notifications tab
  4. In the right windowpane, verify that each managed app includes a configuration entry.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the Notifications tab
  4. In the right windowpane, click Configure and/or click + to add notification settings for each application
  5. Deploy the configuration profile.

2. Configuration Profile Recommendations for Institutionally Owned Devices

This section provides recommendations for devices in the supervised state. The term “supervised” is a specific technical designation for the management state of an iOS device, and it is generally applied to institutionally owned devices.

2.1 General

  • E.g. Ensure ‘Controls when the profile can be removed’ is set to ‘Never’

Audit:

From the configuration profile:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the General tab
  4. In the right windowpane, verify that under the heading Security the menu Controls when the profile can be removed is set to Never.

Remediation:

  1. Open Apple Configurator
  2. Open the configuration profile
  3. In the left windowpane, click on the General tab
  4. In the right windowpane, under the heading Security, set the menu Controls when the profile can be removed to Never.
  5. Deploy the configuration profile.

The Mail, Notifications, Restrictions, Domains and other sections for supervised devices follow the same audit and remediation pattern as section 1; supervised devices additionally accept restrictions that are not available in the unsupervised state.
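The audit steps in sections 1 and 2 are manual clicks through Apple Configurator. Because a configuration profile is an XML property list, the same checks can be scripted against an exported .mobileconfig, which scales to many profiles and catches drift between what was reviewed and what was deployed. The following Python script is an added example and is not part of the original article or the CIS benchmark. It embeds two constructed profiles (one weak, one hardened) and checks the plist keys that correspond to the Configurator controls named above. The key names (ConsentText, PayloadRemovalDisallowed, allowVoiceDialing, WebDomains, allowSimple, PreventMove, NotificationSettings) are taken from Apple's Configuration Profile Reference and are not given on this page; the profile identifiers, the sample domain and the sample mail account are made up.

```python
"""Offline audit of a .mobileconfig against the checks in sections 1 and 2.
A configuration profile is an XML property list; each Configurator tab is a
payload dictionary in PayloadContent (selected by PayloadType) or a top-level
key.  Key names follow Apple's Configuration Profile Reference (assumption:
they are not listed on this page)."""
import plistlib

# Constructed sample: an unsupervised-style profile that fails every check.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.weak</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
          <key>allowVoiceDialing</key><true/></dict>
    <dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
          <key>allowSimple</key><true/></dict>
    <dict><key>PayloadType</key><string>com.apple.mail.managed</string>
          <key>EmailAddress</key><string>user@example.com</string>
          <key>PreventMove</key><false/></dict>
  </array>
</dict></plist>"""

# Constructed sample: the same profile with every recommendation applied.
HARDENED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.hardened</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>ConsentText</key><dict><key>default</key><string>Managed by Example Corp.</string></dict>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
          <key>allowVoiceDialing</key><false/></dict>
    <dict><key>PayloadType</key><string>com.apple.domains</string>
          <key>WebDomains</key><array><string>*.example.com</string></array></dict>
    <dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
          <key>allowSimple</key><false/></dict>
    <dict><key>PayloadType</key><string>com.apple.mail.managed</string>
          <key>EmailAddress</key><string>user@example.com</string>
          <key>PreventMove</key><true/></dict>
    <dict><key>PayloadType</key><string>com.apple.notificationsettings</string>
          <key>NotificationSettings</key><array><dict>
            <key>BundleIdentifier</key><string>com.example.app</string>
            <key>NotificationsEnabled</key><true/></dict></array></dict>
  </array>
</dict></plist>"""


def load_profile(data):
    """Parse an exported .mobileconfig (XML or binary plist) into a dict."""
    return plistlib.loads(data)


def payloads(profile, payload_type):
    """Payload dictionaries of one PayloadType, i.e. one Configurator tab."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def audit_profile(profile):
    """One finding string per failed recommendation; [] means compliant."""
    findings = []
    # 1.1 General: the consent message is a ConsentText dict keyed by locale.
    if not any(t.strip() for t in profile.get("ConsentText", {}).values()):
        findings.append("1.1 General: no consent message (ConsentText)")
    # 2.1 General: 'Controls when the profile can be removed' = Never.
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("2.1 General: removal not set to Never (PayloadRemovalDisallowed)")
    # 1.2 Restrictions: 'allow*' keys default to true, so absence is permissive.
    restrictions = payloads(profile, "com.apple.applicationaccess")
    if not restrictions or any(p.get("allowVoiceDialing", True) for p in restrictions):
        findings.append("1.2 Restrictions: voice dialing while locked allowed (allowVoiceDialing)")
    # 1.3 Domains: at least one managed Safari web domain pattern.
    if not any(p.get("WebDomains") for p in payloads(profile, "com.apple.domains")):
        findings.append("1.3 Domains: no managed Safari web domains (WebDomains)")
    # 1.4 Passcode: another 'allow*' key; absent means simple passcodes allowed.
    passcode = payloads(profile, "com.apple.mobiledevice.passwordpolicy")
    if not passcode or any(p.get("allowSimple", True) for p in passcode):
        findings.append("1.4 Passcode: simple passcodes allowed (allowSimple)")
    # 1.5 Mail: per account; Configurator's unchecked 'Allow user to move
    # messages' is stored inverted, as PreventMove = true.
    for acct in payloads(profile, "com.apple.mail.managed"):
        if not acct.get("PreventMove", False):
            findings.append("1.5 Mail: %s lets the user move messages (PreventMove)"
                            % acct.get("EmailAddress", "<no address>"))
    # 1.6 Notifications: the profile alone cannot list the managed apps (that
    # list comes from MDM), so check only that per-app entries exist.
    entries = [e for p in payloads(profile, "com.apple.notificationsettings")
               for e in p.get("NotificationSettings", [])]
    if not entries:
        findings.append("1.6 Notifications: no per-app notification settings")
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_profile(load_profile(data))
        print("%s profile: %d finding(s)" % (name, len(result)))
        for line in result:
            print("  -", line)
```

To run this against a real export, pass the file contents to `audit_profile(load_profile(open("profile.mobileconfig", "rb").read()))`. Two caveats: a profile that Configurator has signed is a CMS (PKCS#7) envelope rather than bare XML, so verify and unwrap the signature before parsing; and the Notifications check can only confirm that entries exist, because the list of managed apps is supplied by the MDM server, not by the profile itself.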

3. Additional Recommendations

These recommendations are not configurable via a Configuration Profile. They are accessible on the device locally.

  • E.g. Ensure ‘Software Update’ returns ‘Your software is up to date’

Audit:

From the device:

  1. Tap Settings
  2. Tap General 
  3. Tap Software Update
  4. Verify that Your software is up to date is returned

Remediation:

  1. Tap Settings
  2. Tap General 
  3. Tap Software Update
  4. Tap Install or Download and Install and then allow the device to complete the installation.

The other recommendations in this section are audited and remediated the same way, directly in the device's Settings app rather than through a configuration profile.

Conclusion

Mobile devices running Apple iOS can be hardened by following the CIS benchmark. Doing so protects the device against a range of threats and reduces the opportunities an attacker has to exploit it.

akshay-shende

QA Intern