Welcome to another ‘5 Things To Check’ security blog post. This time we’re looking at iPhones and iPads. Do you let people BYOD their own mobile device and just let them consume email on it? Are you controlling which application(s) can connect to your tenant on unmanaged devices, and are you applying application management to prevent data going out of those controlled applications?
iOS/iPadOS hardening has a lot of similarity to SOE/Windows Client hardening these days. Although when iPhones first launched there were next to no controls or management, the platform has eventually progressed into one that can be tightly controlled and hardened. Just like Windows though, this doesn’t mean that the out of the box is the most secure, and you’ll have to review a bunch of settings. You’ll also notice the settings are a bit more ‘basic’ compared to Windows, but that doesn’t mean they’re any less important.
Unsurprisingly, there’s a large amount of configuration than can be applied to harden the mobile user’s experience in dealing with company data, as well as protecting the users themselves. Again, I’m basing my 5 picks off the Center for Internet Security’s (CIS) benchmark’s list of ‘CIS Apple iOS 17 and iPadOS 17 Intune Benchmark’ items (freely available for non-commercial use), and I’m picking 5 that I think are important and not configured by default. This doesn’t mean you should only implement these 5, but it’s a good start for awareness on how much consideration needs to go into hardening an environment and why you need to put the effort in.
The CIS benchmark is broken up into two sections: BYOD and Supervised (i.e. company owned) devices, so my picks will be items that are recommended in both scenarios.
1. Ensure “Block Siri while device is locked” is set to “Yes” (and the lock screen in general)
Some may argue that Siri should be blocked altogether, because you’re sending data that could be sensitive back to Apple, and it may occur without you knowing. In reality, many people working from home probably have an Apple, Google, or Amazon device listening to everything they’re doing on their Teams or Zoom call anyway. However, those devices should at least not be connected to corporate data – unlike their Apple phone or tablet. This is more about someone gaining access to the physical device, and potentially being able to find out information about the data the iPhone has saved on it, or has access to. There have also been past bypasses on using Siri on the lock screen to unlock the phone or access certain other areas without needing the phone properly unlocked, so it’s seen as an unnecessary risk to leave this on.
This also extends to other data that could be viewable while the phone is locked, such as ‘Ensure “Block Today view in lock screen” is set to “Yes”‘ as this can show items like meetings, and ‘Ensure “Block voice dialing while device is locked” is set to “Yes”‘ as voice dialling is a function unrelated to Siri (there’s several more settings around lock screen information too!). You don’t want someone that finds your phone being able to access these and several other areas. One thing I’d potentially disagree with on the CIS benchmark is configuring the ‘Ensure a “Lock Screen Message” has been set’ message. Their advice is to have a helpdesk phone number or email address. The problem with this is, it shows someone who finds the phone what company the phone belongs to, and might incentivise them to keep or sell the phone somehow. If someone finds a phone from either a big company, or a company they don’t like, or a competitor to their own company, that’s a risky scenario. I’d suggest it’s better to use Apple’s guide on how to deal with a lost phone https://support.apple.com/en-au/101593 and also use Intune to destroy anything company managed – it should all be synced anyway and easily replaceable.
In Intune, this configuration is called ‘Allow Assistant White Locked’
2. Ensure “Maximum minutes after screen lock before password is required” is set to “Immediately”
This one is a straight forward setting. When the device’s screen is locked, how long should it wait before letting you just unlock it without a passcode or Face Unlock. It appears that the default for this is ‘Immediately’ but this demonstrates the importance of locking down configuration using a MDM such as Intune. The maximum time configurable is 4 hours, which is a long time someone could put their device down somewhere or completely lose it, and have no protection from being unlocked. The minimum time beyond immediate is 1 minute, which doesn’t seem like much – but someone locking their phone and putting it down leaving a whole minute for someone to obtain the phone is a fair amount of time. This is one I’d like to see a 5 second option just so users who accidently lock their device have a tiny window to unlock it again without having to verify – especially for BYOD. Extra layers of protection can be put on work related apps anyway requiring another Passcode or biometrics unlock.
To look at this option on iOS, Tap ‘Settings’ > ‘Touch ID & Passcode’ or ‘Face ID & Passcode’ depending on the device > Require Passcode. This needs to be set to ‘Immediately’, but as mentioned above a user can just change this.
In Intune, iOS Configuration Settings, the Maximum Grace Period can be set to ‘0’ which means ‘immediately’.
3. Ensure “Block viewing corporate documents in unmanaged apps” is set to “Yes”
As per Microsoft Learn documentation iOS/iPadOS device settings in Microsoft Intune | Microsoft Learn , this setting prevents documents being viewed/opened/saved to non-managed apps. Although some users might find this frustrating that they can’t use their favorite personal program, it prevents data leakage. Many apps will have their own data storage solutions and it’s quite easy for a user to accidently save a document in the wrong place, potentially another cloud provider and to a different country. On top of that, the app itself may not have the same protections as the managed apps you provide. Does the company scrape the data of what the user is doing – document names, metadata, or do they even try to use their own AI solution to read and help the user edit the document, provide a summary, or other hot AI topics? All this needs to be controlled by keeping the data where you manage it as much as possible, and not letting users have an easy path of getting data out. Without something like Purview, there’s always ways of extracting data, but you need to both provide good native ways of working with the data, as well as preventing or slowing down other methods.
As noted on the documentation, this setting does block third party keyboards, but for the same reasons as above, this is a good thing. Keyboard apps may track what you’re typing in different ways and keep a dynamic suggested list of shortcut words you commonly use – maybe you want to keep that project codenamed ‘Order 66’ under wraps as much as possible.
In Intune, Device Restrictions configuration has the ‘Yes’ option for ‘Block viewing corporate documents in unmanaged apps:
4. Ensure “Block trusting new enterprise app authors” is set to “Yes”
As the little (i) next to this configuration states – “Removes the Trust Enterprise Developer button in Settings->General->Profiles & Device Management.”
This setting actually blocks users from being able to trust apps that aren’t downloaded from the app store. Maybe good for a developer trying to quickly test their own app, but for normal users this shouldn’t be necessary. You can probably imagine plenty of scenarios where a user may get tricked into installing an app through non-standard means (such as being emailed a PDF that says to unlock the PDF, please install this software) and giving an attacker an easy path of getting malicious code onto a device.
The title of this setting is a bit misleading, because it sounds like new app authors to the Apple App Store would be blocked, but that’s not the case. Apple have a stringent App approval process and arguably it may not be perfect, it’s still a much larger barrier than just a file downloaded anywhere from the internet.
The approach of ‘only install approved apps’ may work for Corporate Owned devices, but not BYOD.
This is configured in Intune under Device restrictions > General > Block trusting new enterprise app authors:
5. Ensure “Block screenshots and screen recording” is set to “Yes”
I don’t really like the user impact of blocking screenshots and screen recording, but it’s a Level 1 CIS profile item which is their lowest baseline security recommendations. To quote CIS:
Be practical and prudent.
Provide a clear security benefit.
Not inhibit the utility of the technology beyond acceptable means.
Based on this, what is the big issue with screenshots, where’s the security benefit? If you think about most users (including yourself) there’s probably a mess of screenshots somewhere. People rarely clean these up. Worse, they get treated as images/photos and will sync to potentially multiple cloud solutions – Apple’s native photo sync, OneDrive, Google, and many other apps/companies that monitor newly created images and sync them off somewhere. Although you can protect Outlook from being able to take screenshots from within Intune via application configuration, you can’t stop someone screenshotting in many other apps, and therefore can’t protect the data in that screenshot.
If someone wants to take a photo of their computer screen or phone screen you can’t stop them, but blocking screenshots makes the process more difficult and means it should only happen when really needed (or someone’s stealing data on purpose!) and you severely reduce the risk of confidential screenshots floating around many unprotected consumer cloud solutions.
I hope this list has been useful, and I’m sure iOS/iPadOS 18 and beyond will come out soon, but the above should be relevant for quite some time!