SYS.3.2.3 iOS (for Enterprise)

Description

Introduction

Due to modern, simple operating concepts and their high performance, smartphones and tablets are widely used today. This includes the mobile devices iPhone and iPad produced by Apple with the operating systems iOS and iPadOS. Since iPadOS is based on iOS, both are summarized as “iOS” in this building block for ease of reading. The two operating systems currently differ primarily in functional aspects that take into account the different form factors of the devices.

These devices were originally designed for private use. However, through the restructuring of infrastructures and the manner in which information is collected and processed, they are increasingly used in professional environments as well and are in some cases even replacing notebooks.

Through the integration of business functions, iOS has been gradually expanded since version 4 for use in companies and government agencies, and functions for management from an institution’s perspective have been integrated. These include the possibility of centralized device registration (Apple Business Manager) and options such as Single Sign-On (SSO).

Objective

The objective of this building block is to demonstrate how devices operated with iOS (for Enterprise) can be securely deployed in institutions. For this purpose, requirements for settings of iOS-based end devices are established, which can be distributed to the end devices in the form of configuration profiles. iOS configuration profiles contain uniformly defined settings, e.g., for security policies or individual system aspects, to manage iOS-based devices uniformly and centrally and to configure them automatically.

Scope and Modeling

The building block SYS.3.2.3 iOS (for Enterprise) must be applied to all officially used smartphones and tablets with the operating system Apple iOS.

This building block contains fundamental requirements that must be observed and met when operating iOS-based devices integrated into the institution’s processes. Requirements for integration into the institution’s security or collaboration infrastructure are not the focus of this building block. A Mobile Device Management (MDM) system provides the ability to manage devices centrally and to roll out configuration profiles per group of users or use case. Security measures can also be implemented uniformly via an MDM. This building block presupposes that the iOS devices to be managed are integrated into an MDM infrastructure. If only a small number of devices are managed, these can exceptionally be operated without an MDM for economic reasons. Requirements for operating an MDM can be found in the building block SYS.3.2.2 Mobile Device Management (MDM). For smaller environments, the Apple Configurator can be used to implement the requirements listed in this building block uniformly on multiple end devices. General and overarching aspects of operating smartphones and tablets, regardless of the operating system used, can be found in the building block SYS.3.2.1 General Smartphones and Tablets and must also be implemented when iOS-based devices are used.

For the use of biometric authentication mechanisms, the building block SYS.3.2.1 General Smartphones and Tablets contains corresponding requirements.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to represent the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block SYS.3.2.3 iOS (for Enterprise).

Risk Concentration Through One Account (Apple ID) for All Apple Services

The Apple ID provides a central access point to all services provided by Apple (e.g., “iMessage”, “FaceTime”, “iCloud”, “App Store”, “iTunes”, “iBook Store”, “Find My iPhone”, or synchronization services). If unauthorized parties gain access to an insufficiently secured Apple ID, they may be able to use these Apple services, disrupt the availability of Apple ID-based services, remotely locate iOS-based devices or reset them to factory settings, and access information from the iCloud cloud service. In particular, if iCloud backups are activated, attackers can clone the stored data to their own iOS device.

Fixed Integration of Pre-Installed Apps and Their Functions

With iOS, Apple delivers already firmly integrated and pre-installed apps (e.g., “Mail” and “Safari”). These apps are in some cases run with higher privileges than apps downloadable from the App Store, thereby increasing the attack surface of the iOS-based device.

Unauthorized Access to Outsourced Data

For a number of iOS-specific functions, the infrastructure operated by Apple must be used. If the functions “iCloud Keychain”, “iMessage”, “FaceTime”, “Siri”, “Continuity”, “Spotlight Suggestions”, and iCloud functions for creating backups or for collaborating on documents are used, data between different devices or users is always synchronized via Apple’s infrastructure. Push notifications for iOS-based devices are also forwarded via this infrastructure. There is therefore in principle a risk that Apple servers could be accessed and the data stored or transmitted there could be misused for other purposes.

Requirements

The following are the specific requirements of the building block SYS.3.2.3 iOS (for Enterprise). The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is sensible and appropriate.

Responsibilities                Roles
Primarily responsible           IT Operations
Additional responsibilities     None

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many people should fill these roles.

Basic Requirements

The following requirements MUST be met with priority for this building block.

SYS.3.2.3.A1 Strategy for iOS Usage (B)

If an MDM is used, iOS-based devices MUST be managed and configured via the MDM. For this purpose, a strategy for iOS usage MUST be in place, in which aspects such as the selection of end devices or strategies for data backup are defined. It MUST be regulated whether additional third-party apps may or should be used. Furthermore, jailbreaks MUST be organizationally prohibited and technically prevented wherever possible.

SYS.3.2.3.A2 Planning the Use of Cloud Services (B)

Before iOS-based devices are used, it MUST be defined which cloud services may or should be used and to what extent. In doing so, it SHOULD be taken into account that iOS-based devices are fundamentally closely interwoven with Apple’s iCloud services. It SHOULD also be taken into account that, for example, even the activation of individual devices with an Apple ID is affected by this. Therefore, it SHOULD be examined whether Apple Business Manager (formerly Device Enrollment Program, DEP) can be used for device registration.

SYS.3.2.3.A3 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.2.3.A4 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.2.3.A5 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.2.3.A6 DISCONTINUED (B)

This requirement has been discontinued.

SYS.3.2.3.A7 Prevention of Unauthorized Deletion of Configuration Profiles (B)

To prevent configuration profiles from being deleted without authorization, suitable technical (e.g., through supervised mode) or organizational measures MUST be taken and implemented. Users of mobile end devices SHOULD be made aware of the purpose and intent of the security measures.

SYS.3.2.3.A8 DISCONTINUED (B)

This requirement has been discontinued.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.

SYS.3.2.3.A9 DISCONTINUED (S)

This requirement has been discontinued.

SYS.3.2.3.A10 DISCONTINUED (S)

This requirement has been discontinued.

SYS.3.2.3.A11 DISCONTINUED (S)

This requirement has been discontinued.

SYS.3.2.3.A12 Use of Apple IDs (S)

Instead of a personal Apple ID of users, an anonymized Apple ID SHOULD be used. Where possible, the Apple Business Manager for volume licenses (formerly Volume Purchase Program, VPP) and centralized installation of apps SHOULD be used.

SYS.3.2.3.A13 Use of the Configuration Option “Restrictions under iOS” (S)

All functions or services of iOS that are not needed or permitted SHOULD be deactivated. Based on the intended use and the underlying protection needs, it SHOULD be examined which of the functions “Lock Screen”, “Unified Communication”, “Siri”, “Wallpaper”, “Connection to Host Systems”, and “Diagnostic and Usage Data” are to be used.

SYS.3.2.3.A14 Use of the iCloud Infrastructure (S)

Before comprehensive or selective use of the iCloud infrastructure for official use is approved, it SHOULD be assessed whether Apple’s general terms and conditions are compatible with internal policies regarding availability, confidentiality, integrity, and data protection. If use of the iCloud infrastructure is permitted, the identity at the iCloud web service SHOULD be verified by two-factor authentication. Otherwise, iCloud usage for purely official needs SHOULD be reduced to a minimum or completely excluded.

SYS.3.2.3.A15 Use of Continuity Functions (S)

If use of the iCloud infrastructure has not been fundamentally prohibited by the institution’s security management, the compatibility of Continuity functions with internal policies SHOULD be assessed taking into account aspects of confidentiality and integrity. Based on the assessment results, it SHOULD be regulated to what extent these functions are technically or organizationally restricted.

SYS.3.2.3.A16 DISCONTINUED (S)

This requirement has been discontinued.

SYS.3.2.3.A17 Use of the Device Code History (S)

In the configuration profile, the number of unique codes before the first repetition SHOULD be set to an appropriate value.

SYS.3.2.3.A18 Use of the Configuration Option for the Safari Browser (S)

The browser policies already established in the institution SHOULD correspondingly also be implemented for Safari through technical and organizational measures. The requirements already established for browsers on stationary and portable PCs, together with the deployment scenarios, SHOULD serve as the basis for securing iOS-based devices. The deployment environment of the devices SHOULD be taken into account.

SYS.3.2.3.A19 DISCONTINUED (S)

This requirement has been discontinued.

SYS.3.2.3.A20 DISCONTINUED (S)

This requirement has been discontinued.

SYS.3.2.3.A21 Installation of Apps and Integration of the Apple App Store (S)

To ensure that the required apps are available to authorized users in sufficient quantity at the necessary time, consideration SHOULD be given to integrating Apple Business Manager into the MDM infrastructure. Payments in the App Store SHOULD NOT be confirmed via biometric methods.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there is a higher need for protection. The concrete definition is made in the context of an individual risk analysis.

SYS.3.2.3.A22 DISCONTINUED (H)

This requirement has been discontinued.

SYS.3.2.3.A23 Use of Automatic Configuration Profile Deletion (H)

Devices that are continuously offline for a clearly defined period of time SHOULD lose their access to the internal infrastructure. After the expiry of the defined period or on a specific day, the configuration profile SHOULD be deleted without any action by IT Operations. If users of the device access the internal network before the deadline, the period until automatic deletion of the configuration profile SHOULD be renewed. If it is necessary to verify whether users are still in possession of their device, they SHOULD be actively prompted to access the network within a deadline. If the deadline passes without access, the configuration profile of the respective users SHOULD be automatically deleted.

SYS.3.2.3.A24 DISCONTINUED (H)

This requirement has been discontinued.

SYS.3.2.3.A25 Use of the Configuration Option for AirPrint (H)

Approved AirPrint printers SHOULD be made available to users via a configuration profile. To prevent users from printing information on untrustworthy printers, all communication connections SHOULD always be routed through the institution’s infrastructure systems.

SYS.3.2.3.A26 No Connection with Host Systems (H)

To prevent iOS-based devices from being connected to other IT systems without authorization, users SHOULD ONLY be able to connect iOS-based devices to the MDM.
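As an added example that is not part of the BSI building block, the following Python builds a minimal .mobileconfig profile implementing A7 (removal locked), A13 (unneeded functions off), A17 (passcode history), A23 (automatic removal date) and A26 (no host pairing), and checks an existing profile against those points. The org.example.* identifiers, the 30-day period and the minimum history of 5 are placeholders; the restrictions assume supervised devices and that iCloud use has not been approved (A2/A14).

```python
import plistlib
import uuid
from datetime import datetime, timedelta, timezone

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # passcode policy payload type
RESTRICTIONS = "com.apple.applicationaccess"          # restrictions payload type


def _payload(ptype, ident, **keys):
    # Header keys every payload dictionary inside PayloadContent must carry
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}


def build_profile(pin_history=10, offline_days=30, now=None):
    """Profile implementing A7, A13, A17, A23, A26 (placeholder identifiers, constructed)."""
    now = now or datetime.now(timezone.utc)
    passcode = _payload(PASSCODE, "org.example.passcode", forcePIN=True, allowSimple=False,
                        minLength=6, maxFailedAttempts=10, maxInactivity=2,
                        pinHistory=pin_history)           # A17: unique codes before a repeat
    restrictions = _payload(RESTRICTIONS, "org.example.restrictions",
                            allowCloudBackup=False, allowCloudKeychainSync=False,  # A2/A14
                            allowAssistant=False, allowDiagnosticSubmission=False,  # A13: Siri, diagnostics
                            allowLockScreenTodayView=False,                        # A13: lock screen
                            allowWallpaperModification=False,                      # A13, supervised only
                            allowHostPairing=False)                                # A26, supervised only
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "org.example.ios.baseline",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "iOS baseline (constructed example)",
            "PayloadRemovalDisallowed": True,                    # A7: user cannot delete profile
            "RemovalDate": now + timedelta(days=offline_days),   # A23: removed after the period
            "PayloadContent": [passcode, restrictions]}


def serialize(profile):
    """Serialize the profile dictionary to XML plist bytes (the .mobileconfig file body)."""
    return plistlib.dumps(profile)


def check_profile(mobileconfig, min_history=5):
    """Return the requirements of SYS.3.2.3 that a serialized profile does not implement."""
    p = plistlib.loads(mobileconfig)
    by_type = {c["PayloadType"]: c for c in p.get("PayloadContent", [])}
    findings = []
    if not p.get("PayloadRemovalDisallowed"):
        findings.append("A7: profile can be removed by the user")
    if p.get("RemovalDate") is None and p.get("DurationUntilRemoval") is None:
        findings.append("A23: no automatic profile removal configured")
    if by_type.get(PASSCODE, {}).get("pinHistory", 0) < min_history:
        findings.append("A17: passcode history missing or shorter than %d" % min_history)
    r = by_type.get(RESTRICTIONS, {})
    for key, req in (("allowCloudBackup", "A14"), ("allowAssistant", "A13"), ("allowHostPairing", "A26")):
        if r.get(key, True):          # missing key means the function stays enabled
            findings.append("%s: %s not disabled" % (req, key))
    return findings
```

The keys used above (PayloadRemovalDisallowed, RemovalDate, pinHistory, allowHostPairing, etc.) are Apple profile keys; the MDM, or Apple Configurator for small environments, is what actually distributes the resulting file.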

SYS.3.2.3.A27 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The BSI has published the document BSI-CS 074: “iOS Configuration Recommendation Based on Operating System Resources for Use with Enhanced Security” (as of 2015) in the “BSI Publications on Cyber Security”.

Apple provides the following additional information in the context of the topics of this building block: