[Fed-Talk] Revised iPhone security info
- Subject: [Fed-Talk] Revised iPhone security info
- From: Rex Sanders <email@hidden>
- Date: Mon, 28 Sep 2009 19:30:57 -0700
I've updated my guidance for iPhone OS 3.1 with the MMS update, and tested on iPhone 3G and 3GS.
We don't have Apple iPhone Security Guidelines, or an approved STIG, so I wrote the following information up for interim use.
These settings are based on the CIS "Security Configuration Benchmark For Apple iPhone OS 2.2.1 Version 1.0.0 March 2009" http://www.cisecurity.org/tools2/iphone/CIS_iPhone_2.2.1_Benchmark_v1.0.0.pdf using Level 1 settings without the iPhone Configuration Utility (ICU). References like (CIS 1.1.1) refer to specific sections of the Benchmark. Additional settings are based on independent USGS research.
By using Apple's Enterprise deployment tools and MobileMe or Exchange server, you could implement better iPhone security, especially remote wipes. We're not using any of those yet, so these instructions don't cover that.
I know these instructions won't meet everyone's needs, but maybe this will help someone.
-- Rex Sanders, USGS
*** iPhone Firmware Updates
Apple updates iPhone firmware from time to time, including security fixes. Update your iPhone firmware before you do anything else. You must keep your iPhone firmware up-to-date. (CIS 1.1.1)
1. Connect your iPhone to a computer running iTunes
2. Launch iTunes
3. In iTunes "Source" list, select your iPhone
4. Click the "Summary" Tab
5. Click "Check for Updates"
6. Download and install the latest software
7. Detach your iPhone from the computer
*** Recommended iPhone security settings
iPhone Home > Settings > Wi-Fi > Ask to Join Networks > OFF (CIS 1.1.5)
iPhone Home > Settings > General > Bluetooth > OFF -- If you don't use a Bluetooth headset (CIS 1.1.7)
iPhone Home > Settings > General > Auto-Lock > 5 Minutes (CIS 1.1.10)
iPhone Home > Settings > General > Passcode Lock > Turn Passcode On (CIS 1.1.9)
iPhone Home > Settings > General > Passcode Lock > Require Passcode > After 15 minutes
iPhone Home > Settings > General > Passcode Lock > Erase Data > ON (CIS 1.1.12)
iPhone Home > Settings > General > Restrictions > Enable Restrictions. All settings should be ON except ...
iPhone Home > Settings > General > Restrictions > iTunes > OFF
iPhone Home > Settings > General > Restrictions > Installing Apps > OFF -- Must turn ON again to install apps
iPhone Home > Settings > General > Home > Double-click the Home Button for: > Home
iPhone Home > Settings > General > Date & Time > Set Automatically > ON
iPhone Home > Settings > Mail, Contacts, Calendars > Load Remote Images > OFF
iPhone Home > Settings > Mail, Contacts, Calendars > Fetch New Data > Push > OFF
iPhone Home > Settings > Mail, Contacts, Calendars > Manually
iPhone Home > Settings > Mail, Contacts, Calendars > Signature > Edit to remove "Sent from my iPhone"
iPhone Home > Settings > Phone > Show My Caller ID > OFF
iPhone Home > Settings > Safari > Fraud Warning > ON
iPhone Home > Settings > Safari > Block Pop-ups > ON
iPhone Home > Settings > Safari > Accept Cookies > From visited
iPhone Home > Settings > Safari > Clear History -- Clear by hand from time to time
iPhone Home > Settings > Safari > Clear Cookies -- Clear by hand from time to time
iPhone Home > Settings > Safari > Clear Cache -- Clear by hand from time to time
iPhone Home > Settings > Messages > Show Preview > OFF -- If you get sensitive SMS messages (CIS 1.1.11)
*** Splash Screen
You should add a splash screen for your iPhone, indicating that the phone is US Government property, and including your contact information to help people return a lost iPhone.
Simple, crude version:
1. iPhone Home > Notes
2. Press + in upper left corner to open new note
3. Type in a warning and your contact information, for example:
    Property of United States Government
    Unauthorized Use Prohibited
    Return to:
    Jane Doe, Big Government Agency
    1600 Pennsylvania Ave
    Washington, DC 12345
    email@hidden
    +1-800-555-1212
4. Take a Screen Shot:
4a. Press and hold Home button at bottom of screen
4b. Press and release Power button on top of iPhone.
You should hear a shutter snap sound.
5. iPhone Home > Photos > Camera Roll
6. Select the screen shot
7. Tap the image
8. Click the curved arrow button in lower left corner
9. Select "Use As Wallpaper"
10. Move and Scale the image as needed
11. Click "Set Wallpaper"
Want something fancier, with your agency logo? Print it on a sheet of paper, take a picture with the iPhone, then follow steps 5-11. Use big fonts!
*** Wiping your iPhone
Before you dispose of your iPhone or give it to someone else at your agency, you must wipe the old information and settings to prevent security problems.
Wiping also erases iPhone software updates, so you must update again after wiping.
If your iPhone is below version 2.0, update before wiping.
To wipe your iPhone:
1. iPhone Home > Settings > General > Reset > Erase All Content and Settings
This will take a few hours on iPhone and iPhone 3G, a few seconds on 3GS
2. Plug your iPhone into a computer running iTunes
3. In iTunes "Source" list, select your iPhone
4. Click the "Summary" Tab
5. Click "Check for Updates"
6. Download and install the latest software
7. Detach your iPhone from the computer
*** iPhone info from Apple
Apple iPhone User Guide
http://manuals.info.apple.com/en_US/iPhone_User_Guide.pdf
Apple iPhone Enterprise Support web site, including tools for managing iPhone settings.
http://www.apple.com/support/iphone/enterprise/
Apple iPhone Enterprise Deployment Guide
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf