Hardening iOS

Hardening iOS - Anitian

When Apple’s iPhone hit the market in 2007, the shockwaves were intense. If you look back to the mid-2000s, the leading mobile phone looked like a prop from a cheesy sci-fi movie. The iPhone changed that. It introduced near full-body screens, a universe of apps, and a responsive touch interface. It did away with the clumsy stylus, clicky buttons, and more significantly proprietary management systems. It did not, however, have any tools for hardening iOS.

Mobile Device Management Begins

At first, the iPhone was clearly targeted at the consumer. However, as its popularity grew, so did the users who wanted to bring it to work. People connected their personal iPhones and iPads to the corporate Exchange server. This put personal email and work email side by side. When the inevitable breaches arose from phones with sensitive data, Apple responded with adopting the Exchange ActiveSync (EAS) standard. The same standard now implemented with Office 365. This allowed organizations to manage iPhones and their data, but with many limitations. Unfortunately, many organizations are still using EAS as their primary management tool for iOS devices.

About the same time, Mobile Device Management (MDM) solutions began entering the market. These are servers, either on-prem or in the cloud, dedicated to managing mobile devices. They support iOS and Android, and occasionally other things. They generally have a checkbox interface that utilizes Apple’s configuration profile (CP) framework on the backend. The combination of EAS policies with MDM is pretty good and generally how we see the most advanced organizations managing their iOS devices.

Data Everywhere

The problem is that as the years have passed, and the environments have grown more complex, iOS device management for most organizations hasn’t. Whereas five years ago, most of the data on devices came from Exchange, now it comes from everywhere. Apps like Dropbox and Salesforce contain tons of data. Moreover, it is not merely spreadsheets or the occasional social security number in a text, but its content such a complete general ledger, copy of proprietary source code, or detailed customer account data. Plus, not all threats are to the data of your organization. With the rise Whaling, the threat to your organization could be a fraudulent request for a wire transfer that comes from your CFO’s iPhone that was stolen 40 minutes ago in an airport.

Exchange/Office 365 based EAS policies and MDM still have a place, but if you are managing iOS devices with only these tools, you’re missing opportunities to protect your organization. This week the Center for Internet Security (CIS) released a new edition of their iOS benchmark. Now, for full disclosure, I was deeply involved in the development of this release.

The benchmark addresses the containerization and managed flow of corporate data, introduces separate guidance for employee and corporate-owned devices, and it provides audit and remediation guidance that scales from 10 to 100,00 devices. Furthermore, this standard is completely free for any organization to utilize internally and can be scoped to any environment.

CIS Benchmarks

The CIS is one of the most respected producers of system and application hardening standards in the world. Their material is produced through a consensus-based process with volunteer security and technology professionals. The benchmarks are free for non-commercial use. You only need a CIS membership, which includes annual dues, if you intend to use their materials in a product or to access their automated tools for audit and remediation.

You can learn more about the CIS here: https://www.cisecurity.org

iOS Benchmark

The new edition of the hardening iOS Benchmark documents a variety of methods to improve your iOS device management. Some of these include:

Customized Configuration Profiles

A CP is an XML file with configuration settings that are applied at the root level of an iOS device. All MDMs use the CP framework to apply a configuration to iOS devices. The problem though is that you’re limited to the CP framework features that your MDM provider has chosen to implement. The best solution is to create customized CPs with Apple Configurator for certain functions and use your MDM’s built-in functionality for convenience.

More information about Apple Configurator is available here.

Containerization

iOS supports the containerization of app data as well as managed sharing between certain apps. The underlying mechanism for this is a feature called Managed Open In that was introduced in iOS 7. It is implemented through an MDM solution, like VMware AirWatch or Microsoft Intune.

When an app is deployed via MDM, it is flagged as being managed. At that point, settings from a CP can isolate app data and direct how that data can be shared with other apps, devices, or services. It also allows the selective wiping of only managed app data. This allows for targeted destruction of corporate data, without wiping the entire device, and it’s an ideal solution to managing data on BYOD iPhones and iPads.

Apple Device Enrollment Program

Imagine handing a new employee a shrink-wrapped iPhone and when the user turns it on it auto-configures with your corporate MDM and customized CPs upon boot. This is exactly what Apple Device Enrollment Program (DEP) can do. It associates your corporate devices with special activation settings. All iOS devices when first booted, or erased and restored to factory default, must be activated through an Apple controlled server. There is no way around this activation. Apple leverages this requirement to deploy configuration settings to all devices proven to be owned by your organization. This makes DEP an extremely powerful tool for controlling corporate assets. More information can be found here.

Apple’s Volume Licensing Purchasing Program

Anyone with an AppleID will tell you that managing App Store licenses is either a headache or impossible. Apple has a solution for institutional customers. Apple’s Volume Licensing Program associates app licenses with device identifiers instead of AppleIDs. This allows you to provide software to any subset of your devices, employee or corporate-owned, without giving up the licenses. They can be revoked and redistributed at any time. This is managed in combination with your MDM solution. No more lost licenses, no more disputes over app ownership. It greatly streamlines deploying and managing software to your iOS devices and it is available free to any organization direct from Apple.

Conclusion

Any combination of these security improvements can greatly empower your management of iOS devices. Moreover, these standards ensure the iPhone and iPad remain a strong choice for business use.

The Apple iOS benchmark is available now. Download it here: https://www.cisecurity.org/benchmark/apple_ios/

Leave a Reply