iOS devices
This section describes the design decisions associated with iOS endpoints configured according to guidance in ASD's Blueprint for Secure Cloud.
iOS follows a yearly major release cycle. With every major release of iOS, older iPhone models are dropped from support, so security updates are no longer available to those devices.
Update policies control the update frequency of managed devices. Intune can define update policies that specify how and when service updates are deployed to iOS devices. By using update rings, it is possible to create an update strategy that mirrors business needs.
ASD’s Blueprint for Secure Cloud (the Blueprint) recommends organisations secure iOS devices based on a variety of hardening guidance, including the United States’ (US) National Information Assurance Partnership Protection Profile for Mobile Device Fundamentals version 3.3, the US Department of Defence’s Cyber Exchange Security Technical Implementation Guides (STIGs), the Centre for Internet Security’s (CIS) Apple iOS Benchmarks, and ASD’s Security Configuration Guidance for Apple iOS Devices, to provide secure access to corporate information.
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
iOS version | iOS 16 or above | To align with ASD’s Security Configuration guide – enforcing an iOS version of n or n-1 allows patches and internal applications to be tested before operating system updates are deployed. Apple applies the n-1 rule to incremental updates; all other versions are no longer signed, and once a version is not signed a device cannot be restored to it. iOS 17 is the latest version at the time of writing, but ASD has not yet released a security configuration guide for that version. Organisations should review security update notifications from Apple for resolved vulnerabilities and determine an appropriate minimum supported version. |
iOS Devices | iPhone XS and above | iPhone X and older are all vulnerable to the exploit Checkm8 and should be avoided. |
Update Policies | Configured | To align with ASD’s Security Configuration guide. |
Jailbroken/rooted devices | Blocked | Prevents jailbroken devices from accessing organisation information. |
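The three device-level design decisions in the table (minimum iOS version under an n/n-1 floor, iPhone XS as the oldest permitted model, and blocking jailbroken devices) can be expressed as a single compliance check over a device inventory. The script below is an added example, not part of the Blueprint or of Intune: it evaluates a constructed inventory and returns the findings a compliance policy would act on. The inventory field names, the model ordering list and the operator-supplied `latest_major` value are assumptions for illustration, not an MDM export format.

```python
"""Evaluate a managed-device inventory against the Blueprint's iOS design decisions.

Added example (not ASD Blueprint or Intune code). It models three checks:
  1. iOS major version must be at least latest_major - 1 (the n/n-1 floor).
  2. Device model must be iPhone XS or newer.
  3. Jailbroken devices are blocked.
Inventory field names and the model ordering are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed release ordering, oldest to newest; only the generations this example needs.
# Used solely to decide "iPhone XS and above" as stated in the design decision table.
IPHONE_GENERATIONS = [
    "iPhone 8", "iPhone X", "iPhone XS", "iPhone 11",
    "iPhone 12", "iPhone 13", "iPhone 14", "iPhone 15",
]
MINIMUM_MODEL = "iPhone XS"   # from the design decision table
N_MINUS = 1                   # n-1 floor from the design decision table


@dataclass(frozen=True)
class Device:
    """One inventory record (constructed shape, not a real MDM schema)."""
    device_id: str
    model: str
    os_version: str
    jailbroken: bool


def parse_version(version: str) -> tuple:
    """Turn '16.7.2' into (16, 7, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def minimum_major(latest_major: int, n_minus: int = N_MINUS) -> int:
    """The lowest permitted major version under an n/n-minus floor."""
    return latest_major - n_minus


def evaluate(device: Device, latest_major: int, min_model: str = MINIMUM_MODEL) -> List[str]:
    """Return the list of policy findings for one device; empty means compliant."""
    findings = []

    # Check 1: iOS version floor.
    major = parse_version(device.os_version)[0]
    floor = minimum_major(latest_major)
    if major < floor:
        findings.append(f"iOS {device.os_version} is below the minimum iOS {floor}")

    # Check 2: hardware generation. Unknown models are flagged for manual review
    # rather than silently allowed.
    if device.model not in IPHONE_GENERATIONS:
        findings.append(f"unknown model {device.model!r}; review manually")
    elif IPHONE_GENERATIONS.index(device.model) < IPHONE_GENERATIONS.index(min_model):
        findings.append(f"model {device.model} is older than {min_model}")

    # Check 3: jailbreak status reported by the MDM agent.
    if device.jailbroken:
        findings.append("device is jailbroken and must be blocked")

    return findings


def run_inventory(devices: List[Device], latest_major: int) -> Dict[str, List[str]]:
    """Evaluate every device and map device_id to its findings."""
    return {d.device_id: evaluate(d, latest_major) for d in devices}


def block_list(devices: List[Device], latest_major: int) -> set:
    """Device ids that fail at least one check and should be denied access."""
    return {d.device_id for d in devices if evaluate(d, latest_major)}


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    Device("d1", "iPhone 14", "17.1", jailbroken=False),   # compliant
    Device("d2", "iPhone X", "16.7", jailbroken=False),    # too old a model
    Device("d3", "iPhone 13", "15.8", jailbroken=False),   # below the n-1 floor
    Device("d4", "iPhone XS", "16.5", jailbroken=True),    # jailbroken
]

if __name__ == "__main__":
    for device_id, findings in run_inventory(SAMPLE_INVENTORY, latest_major=17).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
```

With `latest_major=17` (iOS 17 being current at the time of writing), the floor resolves to iOS 16, so `d1` passes and `d2`, `d3` and `d4` each fail exactly one check. When Apple ships the next major release, only `latest_major` changes, which mirrors how the n-1 decision is intended to roll forward.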