
Information

The National Cyber Security Centre (NCSC) publishes various security guides. This article covers one section of the End User Device Security Collection and how FileWave can be used to monitor or follow the guidance as laid out:

https://www.ncsc.gov.uk/guidance/eud-security-guidance-ios-11

From the document:

"This guidance was developed following testing performed on an iPhone SE and an iPad Mini 3 running iOS 11.0.

It's important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.

Risk owners and administrators should agree a configuration which balances business requirements, usability and security."


Following the structure of the guidance, each section below quotes the NCSC recommendation and then describes the FileWave solution. For descriptions of Configuration Profiles, please consult the FileWave Profile Editor section.

Apple Configurator

Where the guidance refers to Apple Configurator, the corresponding FileWave interface is still shown. Profiles may be created in and exported from FileWave for import into Configurator, or vice versa, if desired.


Assured data-in-transit protection

"iOS 11's native IKEv2 VPN client can be configured in an 'Always On' mode to guarantee all traffic is routed through your organisational infrastructure for inspection. This can protect data-in-transit and quickly switch between cellular and Wi-Fi networks."

VPN may be configured using Configuration Profiles

Assured data-at-rest protection

"iOS data protection is enabled by default. The Mail application uses Data Protection APIs to encrypt emails and attachments when the device is locked. By default, this level of protection also extends to location data and app launch images. Third-party developers need only request this protection class to gain its benefits."

Default behaviour


Authentication

"The user should be required to authenticate to the device in line with your organisation’s authentication policy.

Authenticating to the device unlocks a key which encrypts certificates and other credentials, giving access to the organisation’s services."

Passcode restrictions may be applied using Configuration Profiles

"Touch ID and Face ID permit biometric unlock of devices but the strength of its security is difficult to measure. In cases where there is a requirement to use biometric authentication, and the risks of using biometrics as the sole authentication mechanism are understood, Touch ID or Face ID can be enabled."

Touch and Face ID can be enabled using Configuration Profiles


Application whitelisting

"An organisation application catalogue can be established to permit users access to an approved list of applications developed in-house, and an approved list on the App Store."


Apps can be allowed/disallowed using Configuration Profiles

"Alternatively, the full App Store can be enabled, and Mobile Device Management (MDM) can be used to monitor which applications a user has installed retrospectively."

App Store can be controlled using Configuration Profiles

"Extensions are installed along with a containing application, and cannot be installed alone. It is therefore possible to apply application whitelisting rules that target these applications in order to restrict extensions.

Administrators should be aware of the extensions installed by their whitelisted applications, to ensure that they do not introduce unexpected methods for sharing data outside of managed applications. It is not currently possible to define granular rules that block extensions, but permit the containing application (beyond implementation of managed/unmanaged application boundaries)."

Not currently manageable under Apple's Management Framework

Malicious code detection and prevention

"When configured as per this guidance, iOS will only be able to execute whitelisted applications from the App Store or Enterprise App Catalogue. Apps in the App Store have been scanned by Apple and any malicious content found is removed. Therefore, there is little additional value to be gained from any third-party anti malware products on the platform.”

No additional management required

Security policy enforcement

"A combination of either Configurator+MDM or DEP+MDM should be used to configure users’ devices. Settings applied through Apple Configurator can be configured such that they cannot be removed by the user.

Policy applied through an MDM can be removed completely by an end user through removal of the Remote Management profile. This can be prevented if a Device Enrolment Program (DEP) is used.

However, removing the Remote Management profile will also remove any data stored as part of accounts configured through MDM (e.g. email and credentials). When configuring an MDM, it should be configured such that:

(i) arbitrary devices cannot be enrolled,

(ii) end users are prevented from re-enrolling.

Users should not be allowed to directly re-enrol, as it may be possible for the user to affect the security of the device by:

(i) removing the MDM profile,

(ii) modifying the on-device configuration options,

(iii) re-enrolling the device through a self-service portal.

Apple's Device Enrolment Program should be considered to enable devices to register with the MDM Server during the setup process, decreasing the risk of a compromised device enrolling."

FileWave is fully compatible with Apple's Device Enrollment Program (DEP), including preventing removal of the device's enrolment.

"Email accounts should be provisioned via MDM too, as only email accounts provisioned via MDM will operate correctly with restrictions to disallow opening documents in unmanaged applications ("Managed Open In"). This also means that if the MDM profile is removed, all credentials and data associated with that profile will also be removed."

Document management can be configured using Configuration Profiles


All Configuration Profiles can be configured to be non-removable.


External interface protection

"The Configurator should be used to put the device into supervised mode, after which the user is only able to use the USB interface for charging their device."

A Restrictions profile may be used to control pairing with hosts other than the Configurator host.

"Technical controls can be used to restrict which Wi-Fi access points devices can connect to if required."

Unmanaged Wi-Fi networks may be allowed/disallowed through Configuration Profiles

Device update policy

"Users are free to update applications and firmware when they wish, though your organisation can block this at the proxy server if desired. In addition, an MDM can be used to monitor the iOS versions currently installed and access could be revoked if necessary."

With the latest release of iOS and FileWave, updates may be deferred by System Administrators using Configuration Profiles

Event collection for enterprise analysis

"iOS does not support remote or local historic event collection. Limited information regarding device state can be retrieved from the device. The features may depend on the MDM."

Limited log information may be collected by connecting a device to Apple Configurator. Little history is kept, but no MDM is required.

Incident response

“iOS devices can be locked, wiped, and configured remotely by their MDM.”

The device context menu has options to either Lock or Wipe a device. FileWave has extensive options for remotely configuring MDM-enrolled devices.


Preparation for deployment

"The steps below should be followed to provision each end user device onto your organisation’s network, preparing it for distribution to end users:

  1. Use Configurator 2 to supervise the iOS devices (this is necessary for the "supervised only" restrictions enforced via the MDM to be effective).
  2. Enrol the devices into the MDM deployed earlier and install the predefined configuration profile.
  3. Apply any additional, required security controls by using the Restrictions menu locally on the device.

Alternatively, devices can be purchased through the Device Enrollment Program (DEP) which means that the devices will be supervised 'out of the box', and can be configured to automatically enroll with the MDM server when first activated.

With Apple Configurator 2.5 and iOS 11, devices that have not been purchased pre-enrolled into DEP can be enrolled post-purchase using Apple Configurator. This can be done when preparing the device to make it supervised. It should however be noted that users will have the option to opt-out of DEP for 30 days after the enrollment is performed."

Devices can benefit from the 'Mass Enrolment' profile, downloadable through the 'Enrol iOS Devices' Assistant menu item. Alternatively, DEP may be used.

Inventory Queries may be used to monitor devices converted to DEP through Apple Configurator. Set the durations as required.

Example:

40 days since entering DEP, and not within the last 10 days. This should show devices that were added to DEP in a 10-day window after the initial 30-day grace period.

Additionally, add those devices that have not checked in within the last day. During the first 30 days, these devices will not show in this Inventory Query. At that point, any devices that were added to DEP within the last 30-40 days and have not checked in within the last day will be listed.

Scheduled Reports could be used to report this via email.
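The selection logic described above, written out as an added example so the date arithmetic is explicit. This is not FileWave's Inventory Query engine or any code from the project: it is a stand-alone Python filter run over constructed device records, listing devices that entered DEP via Apple Configurator between 30 and 40 days ago (their 30-day opt-out window has just closed) and that have not checked in within the last day. The field names, the device records and the default window sizes are assumptions made for this example; the windows are parameters so the durations can be set as required.

```python
"""Added example (not FileWave code): the DEP opt-out monitoring query as a filter."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Device:
    name: str
    dep_enrolled_at: Optional[datetime]  # when Configurator converted it to DEP; None if never
    last_checkin: Optional[datetime]     # last MDM check-in; None if it never checked in


def opted_out_candidates(devices: List[Device], now: datetime,
                         grace_days: int = 30, window_days: int = 40,
                         checkin_days: int = 1) -> List[Device]:
    """Devices whose DEP entry is between grace_days and window_days old and
    whose last check-in is older than checkin_days (or missing).

    A device that stopped checking in right after its opt-out window closed is
    the case worth chasing: it may have opted out of DEP, or been tampered with."""
    newest = now - timedelta(days=grace_days)   # entered DEP at least 30 days ago...
    oldest = now - timedelta(days=window_days)  # ...but no more than 40 days ago
    stale_before = now - timedelta(days=checkin_days)
    hits = []
    for d in devices:
        if d.dep_enrolled_at is None:
            continue                            # never converted to DEP
        if not (oldest <= d.dep_enrolled_at <= newest):
            continue                            # still in grace, or already reported
        if d.last_checkin is not None and d.last_checkin >= stale_before:
            continue                            # checked in recently: fine
        hits.append(d)
    return hits


def sample_devices(now: datetime) -> List[Device]:
    """Constructed records for the demo (not real inventory data)."""
    day = timedelta(days=1)
    return [
        Device("ipad-01", now - 35 * day, now - 3 * day),      # in window, stale -> listed
        Device("ipad-02", now - 35 * day, now - 2 * day / 24), # in window, checked in today
        Device("ipad-03", now - 20 * day, None),               # still inside opt-out grace
        Device("ipad-04", now - 45 * day, None),               # older than the 40-day window
        Device("ipad-05", None, now - 5 * day),                # never converted to DEP
        Device("ipad-06", now - 31 * day, None),               # in window, never checked in -> listed
    ]


def demo(now: datetime = datetime(2018, 3, 1, 9, 0)) -> List[str]:
    """Names of the devices the query would list at the given time."""
    return [d.name for d in opted_out_candidates(sample_devices(now), now)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Feeding the result to a scheduled report is the manual step the article mentions; the filter itself is what the Inventory Query expresses, so the same three durations (grace period, reporting window, check-in threshold) are the values to tune in FileWave.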

Recommended Policies and Settings

Configurator Settings

"In cases where Device Enrollment Program (DEP) is being used to enrol devices into the MDM server, this step can be omitted. In other cases, these settings should be applied to the device by creating profiles in the Configurator utility:"


General Group

Security (user can remove profile): Never
Automatically Remove Profile: Never
Supervision: On
Allow devices to connect to other Macs: No


The following payloads can be created through FileWave Admin to apply to devices appropriately.

Security & Privacy

Privacy (allow sending diagnostic and usage data to Apple, and sharing crash data and statistics with app developers): No

Restrictions Group

Allow installing apps using Apple Configurator and iTunes: No
Allow screenshots and screen recording: No
Allow installing configuration profiles (supervised devices only): No
Allow adding VPN Configurations (supervised devices only): No
Allow iCloud backup: No
Allow iCloud documents & data: No
Allow iCloud keychain: No
Allow iCloud photo sharing: No
Allow iCloud photo library: No
Allow backup of enterprise books: No
Allow managed apps to store data in iCloud: No
Allow Handoff: No
Allow notes and highlights sync for enterprise books: No
Force encrypted backups: Yes
Allow users to accept untrusted TLS certificates: No
Allow Siri whilst device is locked: No
Allow modifying account settings (supervised devices only): No
Allow documents from managed sources in unmanaged destinations: No
Allow sending diagnostic and usage data to Apple: No
Allow pairing with non-Configurator hosts (supervised devices only): No
Allow AirDrop (supervised devices only): No
Show Control Centre in Lock screen: No
Show Today view in Lock screen: No
Show Notification Centre in Lock screen: No


Configuration Rule: Recommended Setting

Show Previews: Never

Notifications may be managed through Configuration Profiles
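A way to turn the Restrictions table above into something checkable, as an added example that is not FileWave's or NCSC's code: the script builds a .mobileconfig carrying a single Restrictions payload with the recommended values, marks it non-removable (the article notes all profiles can be configured that way), and audits any profile against that baseline so a deviation such as screenshots re-enabled or an encrypted-backup setting left unset is reported before the profile is pushed. The restriction key names are an assumption taken from Apple's Configuration Profile Reference as I know it; the identifier and organisation strings are placeholders.

```python
"""Added example, not FileWave's or NCSC's code: build a Restrictions profile
matching the recommended settings and audit any profile against that baseline."""
import plistlib
import uuid

# Recommended values from the table, keyed by Apple restriction key. The key
# names are an assumption from Apple's Configuration Profile Reference as I
# know it; verify them against the current reference before deployment.
RECOMMENDED_RESTRICTIONS = {
    "allowAppInstallation": False,                     # apps via Configurator/iTunes
    "allowScreenShot": False,                          # screenshots and screen recording
    "allowUIConfigurationProfileInstallation": False,  # supervised only
    "allowVPNCreation": False,                         # supervised only
    "allowCloudBackup": False,
    "allowCloudDocumentSync": False,                   # iCloud documents & data
    "allowCloudKeychainSync": False,
    "allowSharedStream": False,                        # iCloud photo sharing
    "allowCloudPhotoLibrary": False,
    "allowEnterpriseBookBackup": False,
    "allowManagedAppsCloudSync": False,
    "allowActivityContinuation": False,                # Handoff
    "allowEnterpriseBookMetadataSync": False,          # notes and highlights sync
    "forceEncryptedBackup": True,
    "allowUntrustedTLSPrompt": False,
    "allowAssistantWhileLocked": False,                # Siri while locked
    "allowAccountModification": False,                 # supervised only
    "allowOpenFromManagedToUnmanaged": False,
    "allowDiagnosticSubmission": False,
    "allowHostPairing": False,                         # non-Configurator hosts
    "allowAirDrop": False,                             # supervised only
    "allowLockScreenControlCenter": False,
    "allowLockScreenTodayView": False,
    "allowLockScreenNotificationsView": False,
}

RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def build_profile(identifier="com.example.ncsc.eud", org="Example Org"):
    """Return a non-removable .mobileconfig with one Restrictions payload (placeholder ids)."""
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "NCSC EUD iOS restrictions",
        **RECOMMENDED_RESTRICTIONS,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "NCSC EUD iOS 11 baseline",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,  # "non-removable", as the article notes
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(mobileconfig):
    """Compare a profile with the baseline; returns a list of findings (empty means
    compliant). A key absent from the payload leaves the device default in force,
    which for most of these keys is the permissive value, so absence is reported."""
    profile = plistlib.loads(mobileconfig)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile can be removed by the user")
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            merged.update(payload)
    if not merged:
        findings.append("no Restrictions payload present")
        return findings
    for key, wanted in RECOMMENDED_RESTRICTIONS.items():
        if key not in merged:
            findings.append(f"{key}: not set, expected {wanted}")
        elif merged[key] != wanted:
            findings.append(f"{key}: {merged[key]}, expected {wanted}")
    return findings


def weakened_profile():
    """Constructed non-compliant variant used to exercise the audit."""
    profile = plistlib.loads(build_profile())
    profile["PayloadRemovalDisallowed"] = False
    profile["PayloadContent"][0]["allowScreenShot"] = True
    del profile["PayloadContent"][0]["forceEncryptedBackup"]
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in audit_profile(weakened_profile()) or ["compliant"]:
        print(finding)
```

The audit reads the same plist format that FileWave exports, so a profile exported from the Profile Editor can be passed to audit_profile() to confirm it still matches the table after someone edits it. Settings the table marks "supervised devices only" are only enforced on supervised devices, which is why the Configurator or DEP supervision step earlier in the article has to come first.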

On-device restrictions menu

"These settings should be applied on each device."

Mostly, as suggested, these need to be managed locally on the device:

Configuration Rule: Recommended Setting

Contacts - Don't allow changes: Enabled
Calendars - Don't allow changes: Enabled
Photos - Don't allow changes: As per organisational policy
Share My Location - Don't allow changes: Enabled
Bluetooth Sharing - Don't allow changes: Enabled

  • Bluetooth: With the latest iOS and FileWave, Bluetooth may now be managed with a Configuration Profile
  • Share My Location: Installation of the FileWave App Portal allows for tracking devices without Share My Location enabled

A Restrictions profile may be put in place to prevent changes to the on-device 'Restrictions' settings.

"Allowing changes to these restrictions will enable applications on the device to request access to the named data store. Any that are not required should be disabled.

To make the provisioning steps less onerous, the risks mitigated by these settings could also be met in other ways. Contacts, Calendars, Photos and Bluetooth permissions are only risky if third-party applications which use these permissions are installed on the device. Some users' locations may not be sensitive, in which case Location Services may be enabled.

But where the user's location is sensitive, Location Services should be disabled. In these scenarios, the use of the above restriction settings are not necessary."

Blacklisting/whitelisting of apps can be achieved, as mentioned earlier, with a Configuration Profile. FileWave can provide a licence that disables the ability to track devices; please contact your sales representative for details if needed.

VPN Profile

"The deployed VPN should be configured according to the PRIME profile for IPSEC.

The recommended IPsec cipher suite profile for protecting information is called PRIME."

Where Apple's management framework does not allow for configuration, the VPN security level needs to be configured on the VPN server.

Authentication policy

"Your organisation should have a consistent authentication policy which applies to all users and devices capable of accessing its data. You can use the published password guidance to help inform any password policy.

An administrator should configure the relevant on-device settings in line with your authentication policy."

As shown above, profiles can dictate the level of authentication required, based upon:

  • Allow simple value
  • Require alphanumeric value
  • Minimum passcode length
  • Minimum number of complex characters
  • Maximum Auto-Lock
  • Passcode history
  • Maximum grace period for device lock
  • Maximum number of failed attempts
  • Allow Touch ID / Face ID to unlock device


Cloud integration

"iOS devices do not need to be associated with an Apple ID to operate as required within an organisation. For example, it is still possible to receive push notifications, and to install organisation applications without an associated account. In addition, in iOS 9 Apple has removed the need for an Apple ID when installing applications using the Volume Purchase Program (VPP), further reducing the requirement for each user to have a provisioned Apple ID.

If an Apple ID is used to enable iCloud services on the device, then documents and other sensitive data may be inadvertently synchronised with iCloud. As a mitigation, organisations that wish to prevent this should implement controls to prevent users from enabling unneeded iCloud services on their device, thereby preventing organisation data from being synchronised with iCloud servers."

FileWave fully supports the Volume Purchase Program (VPP). Furthermore, Configuration Profiles can disable iCloud services.

Unmarked email domains and Managed Safari web domains

Both of these can be controlled with the Managed Domains payload.

Lock screen widgets

"A widget is an extension which can display content or information provided by an application. On iOS 10+ a number of widgets are turned on by default and can expose information to the lock screen. In order to prevent data leakage via the lock screen, widgets can be disabled. This can be enforced via MDM policies. Unticking the “Show Today view in Lock screen” option prevents this behaviour."

Show Today View in Lock Screen is configurable through a Configuration Profile, as suggested.

Universal Clipboard

"Universal Clipboard allows sharing clipboard data between multiple devices registered on an iCloud account. Ensuring that handoff is disallowed in the MDM settings prevents the functionality of Universal Clipboard. As noted in the earlier section on iCloud integration, it is recommended that all iCloud settings are reviewed to ensure they are configured to prevent inadvertent synchronisation of data to iCloud."

"Allow Handoff" is configurable through a Configuration Profile, as suggested.

iOS 11 Control Centre and Notifications

"iOS 11 introduces a new notification system, which in its default configuration could expose information to the lock screen. In order to prevent data leakage via the lock screen, previews can be disabled via the on-device "Notifications" settings menu.

Additionally, the options within Control Centre to disable Wi-Fi and Bluetooth disconnect from any existing devices, but do not turn the radios off; which may cause issues in some environments. Guidance should therefore be issued to users instructing them to use the Settings app to disable Wi-Fi or Bluetooth if this is required."

As noted above, notifications may be controlled through Configuration Profiles. Wi-Fi is also controllable by profile, and with the latest iOS and FileWave, Bluetooth is now configurable via profile as well. Those using Classroom will require Bluetooth to remain on for Classroom integration.


This KB contains public sector information licensed under the Open Government Licence v3.0.

http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/