Chapter 6 Security 54
When Touch ID is enabled, the device immediately locks when the Sleep/Wake button is pressed.
With passcode-only security, many users set an unlocking grace period to avoid having to enter
a passcode each time they use the device. With Touch ID, the device locks every time it goes to
sleep, and requires a ngerprint—or optionally, the passcode—on waking.
Touch ID works with the Secure Enclave, a coprocessor in the Apple A7 chip. The Secure Enclave
has its own protected, encrypted memory space and communicates securely with the Touch ID
sensor. When the device locks, the keys for Data Protection Class Complete are protected by
a key kept in the encrypted memory of the Secure Enclave. The key is held for a maximum of
48 hours, and is discarded if the device is rebooted or an unrecognized ngerprint is used ve
times. If a ngerprint is recognized, the Secure Enclave provides the key for unwrapping the
Data Protection keys and the device is unlocked.
iOS 8 introduces the use of Touch ID to sign in to third-party apps. If the developer has
integrated this capability into their app, there is no need for the user to enter a password. Any
keychain item specied by the developer can be unlocked using Touch ID. A user’s ngerprint
data is protected and never accessed by iOS or by apps.
Remote wipe
Apple devices fully support remote wipe. If an Apple device is lost or stolen, an administrator
or the owner of the device can issue a remote wipe command that removes all data and
deactivates the device using an MDM solution or the Find My iPhone feature of iCloud. If the
device is congured with an Exchange account, the administrator can initiate a remote wipe
command using the Exchange Management Console (Exchange Server 2007) or Exchange
ActiveSync Mobile Administration Web Tool (Exchange Server 2003 or 2007). Users of Exchange
Server 2007 can initiate a remote wipe command directly, using Outlook Web Access.
Local wipe
You can congure devices to automatically initiate a local wipe after several failed passcode
attempts. This protects against brute-force attempts to gain access to the device. When a
passcode is established, users can turn on local wipe directly within settings. By default, iOS
automatically wipes the device after 10 failed passcode attempts. The maximum number of failed
attempts can be set in a conguration prole, set by an MDM server, or enforced over the air by
Microsoft Exchange ActiveSync policies.
Network security
Mobile users must be able to access corporate networks from anywhere in the world, yet it’s
also important to ensure that users are authorized and that their data is protected during
transmission. Built-in network security technologies in iOS accomplishes these security objectives
for both Wi-Fi and cellular connections.
iOS network security supports:
•
Built-in Cisco IPSec, L2TP, IKEv2, PPTP
•
SSL VPN via App Store apps
•
SSL/TLS with X.509 certicates
•
WPA/WPA2 Enterprise with 802.1X
•
Certicate-based authentication
•
RSA SecurID, CRYPTOCard
100% resize factor
