Securing iOS applications
This section describes the design decisions associated with securing applications on iOS endpoints configured according to guidance in ASD's Blueprint for Secure Cloud.
Mobile Application Management (MAM) in Intune applies app protection policies to managed applications on an iOS device. Managed applications enclose organisation data within an application "bubble": data can be shared freely between applications inside the bubble, while cut, copy, paste and Open In/Share to unmanaged applications are blocked, which prevents accidental data spillage.
MAM provides the following configuration capabilities for iOS applications:
- Managed Applications – the list of organisation business applications to which app protection policies apply.
- Managed Application configuration – configures and secures the managed applications on the device. This allows managed applications to run alongside unmanaged applications while keeping organisation data isolated from them.
- Per-app VPN – secures communication between managed applications on the device and the Office 365 tenant. This requires the organisation's VPN gateway to be configured to accept connections originating from the managed applications.
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Managed Applications | Microsoft Intune Company Portal, Microsoft Azure Information Protection, Microsoft Word, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams, Microsoft Edge, Adobe Reader, Microsoft OneDrive, Microsoft OneNote, Microsoft Whiteboard, Microsoft Planner, PowerApps | To meet the organisation's requirement for managed applications. |
Application VPN configuration | Configured for Managed Applications | Managed applications use the per-app VPN to secure their connection to the organisation's Office 365 tenant. |
Back up organisation data to iCloud | Disabled | PROTECTED data must be stored within the organisation's environment / corporate data store. |
Encrypt organisation data on the mobile device | Configured | To meet the encryption requirements in ASD's hardening guidance. |
Send organisation data to unmanaged apps | Policy managed apps with Open In/Share filtering | Prevents data being shared between the managed applications listed above and unmanaged applications on the device. |
Save copies of organisation data | SharePoint and OneDrive for Business only | Ensures all data is saved within the organisation's tenant. |
Organisation data notifications | Block organisation data | Prevents organisation information being displayed on the lock screen. |
Microsoft Edge configuration | Configured. Set the Microsoft Edge proxy and homepage URL to the organisation's intranet | Configured so Microsoft Edge can access the organisation's internal websites. |
Microsoft Outlook | Configured. Contacts are kept in the Outlook contact list rather than synced to the device | Configured so the organisation's contact list is maintained within the managed application rather than in the phone's contacts. |
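The design decisions in the table map onto concrete settings of an Intune iOS app protection policy. The following script, an added example that is not part of the Blueprint or of Intune, builds a policy body implementing the app-protection rows (iCloud backup, encryption, data transfer, Save As locations, notifications, contact sync) and audits an exported policy against them so deviations are reported rather than read off a portal page. Property names and enum values follow the Microsoft Graph `iosManagedAppProtection` resource as documented; the `beta` endpoint, the `targetApps` action, the `GRAPH_TOKEN` environment variable and the bundle IDs are assumptions to confirm against current documentation. Per-app VPN and the Edge proxy/homepage settings are app configuration rather than app protection settings and are not covered here.

```python
"""Build and audit an Intune iOS app protection policy for the design decisions above.

Added example for this page; not Blueprint or Intune code. Property names follow the
Graph ``iosManagedAppProtection`` resource; the beta endpoint and bundle IDs are assumptions.
"""
import json
import os
import urllib.request

# Assumption: beta Graph endpoint for iOS app protection policies.
GRAPH_URL = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

# One Graph setting per app-protection row in the table.
REQUIRED_SETTINGS = {
    "dataBackupBlocked": True,                                  # no iCloud backup of organisation data
    "appDataEncryptionType": "whenDeviceLocked",                # encrypt organisation data at rest
    "allowedOutboundDataTransferDestinations": "managedApps",   # Open In/Share only to policy-managed apps
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedApps",      # cut/copy/paste stays inside the bubble
    "saveAsBlocked": True,                                      # Save As only to the locations below
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "notificationRestriction": "blockOrganizationalData",       # no organisation data on the lock screen
    "contactSyncBlocked": True,                                 # Outlook contacts stay in the managed app
}


def build_policy(display_name: str) -> dict:
    """Return a POST body for GRAPH_URL that implements the design decisions."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        "description": "Blueprint iOS managed application policy",
        "pinRequired": True,  # access requirement; not a table row, included as a baseline
        **REQUIRED_SETTINGS,
    }


def audit_policy(policy: dict) -> list:
    """Return one finding per design decision the (exported) policy does not meet."""
    findings = []
    for prop, expected in REQUIRED_SETTINGS.items():
        actual = policy.get(prop)
        if isinstance(expected, list):
            # Order is irrelevant, but an extra location such as "localStorage"
            # would let data leave the tenant, so the sets must match exactly.
            ok = isinstance(actual, list) and sorted(actual) == sorted(expected)
        else:
            ok = actual == expected
        if not ok:
            findings.append(f"{prop}: expected {expected!r}, found {actual!r}")
    return findings


def build_target_apps(bundle_ids: list) -> dict:
    """Body for POST {GRAPH_URL}/{policyId}/targetApps (assumed action name)."""
    return {
        "apps": [
            {"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                     "bundleId": bundle_id}}
            for bundle_id in bundle_ids
        ]
    }


def submit(url: str, body: dict, token: str) -> bytes:
    """POST a JSON body to Graph with a bearer token and return the raw response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    policy = build_policy("Blueprint iOS MAM policy")
    print(json.dumps(policy, indent=2))
    # Constructed weakened copy (not a real export) to show what the audit reports.
    weakened = dict(policy, notificationRestriction="allow",
                    allowedDataStorageLocations=["oneDriveForBusiness", "sharePoint", "localStorage"])
    for finding in audit_policy(weakened):
        print("FINDING:", finding)
    token = os.environ.get("GRAPH_TOKEN")  # assumption: pre-acquired token with app-management write scope
    if token:
        created = json.loads(submit(GRAPH_URL, policy, token))
        # Assumption: bundle IDs for Outlook and Word; confirm in the App Store before use.
        submit(f"{GRAPH_URL}/{created['id']}/targetApps",
               build_target_apps(["com.microsoft.Office.Outlook", "com.microsoft.Office.Word"]), token)
```

Running the script offline prints the policy body and two findings for the constructed weakened copy; with a token set it creates the policy and then targets the applications in a second request, since app assignment is a separate action from policy creation.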