Chapter 6 Security
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts before the iOS device will be erased
Policy enforcement
You can distribute policies in a configuration profile that users install. You can also define a
profile so that deleting the profile is possible only with an administrator password, or you can
define the profile so that it’s locked to the iOS device and can’t be removed without completely
erasing all of the device’s contents. Passcode settings configured remotely with MDM can push
policies directly to the device, letting policies be enforced and updated without any action by
the user.
If a device is configured to access a Microsoft Exchange account, Exchange ActiveSync policies
are pushed to the device wirelessly. The available set of policies varies, depending on the version
of Exchange ActiveSync and Exchange Server. If both Exchange and MDM policies exist, the more
stringent policy is applied.
Secure device configuration
A configuration profile is an XML file that contains device security policies and restrictions,
VPN configuration information, Wi-Fi settings, mail and calendar accounts, and authentication
credentials that let iOS devices work with your IT systems. The ability to establish passcode
policies along with device settings in a configuration profile ensures that devices are configured
correctly and according to security standards set by your IT department. Because configuration
profiles can be encrypted and locked, the settings can’t be removed, altered, or shared
with others.
Configuration profiles can be both signed and encrypted. Signing a configuration profile ensures
that the settings it enforces cannot be altered in any way. Encrypting a configuration profile
protects the profile’s contents and permits installation only on the device it was created for.
Configuration profiles are encrypted using CMS (Cryptographic Message Syntax, RFC 3852),
supporting 3DES and AES 128.
The first time you distribute an encrypted configuration profile, you can install it with a USB
connection using Apple Configurator, wirelessly using the Over-the-Air Profile Delivery and
Configuration protocol, or via MDM. Subsequent encrypted configuration profiles can be
delivered by a mail message attachment, hosted on a website accessible to your users, or pushed
to the device with MDM.
For more information, see Over-the-Air Profile Delivery and Configuration.
Data protection
You can make sensitive data such as mail messages and attachments stored on the device more
secure by using data protection features built into iOS. Data protection uses each user’s unique
device passcode, along with the hardware encryption on iOS devices, to generate a strong
encryption key. This prevents data from being accessed when the device is locked, and ensures
that critical information is secured even if the device is compromised.
To turn on data protection, establish a passcode on the device. The effectiveness of data
protection depends on a strong passcode, so it’s important to require a passcode stronger than
four digits.
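As an added example (not part of Apple's guide or its tooling), the following script reads a configuration profile in its XML plist form and reports where it falls short of what this chapter asks for: a profile locked against removal, a required passcode longer than four digits, and the passcode history, grace period and failed-attempt limits listed above. The payload keys are those of Apple's configuration profile format; the sample profile and its identifiers are constructed for the example.

```python
import plistlib

# Constructed sample .mobileconfig: one passcode payload, profile locked against removal.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.passcode</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadIdentifier</key><string>com.example.passcode.policy</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><false/>
    <key>minLength</key><integer>4</integer>
    <key>maxFailedAttempts</key><integer>10</integer>
  </dict></array>
</dict></plist>"""

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

def audit_profile(raw: bytes) -> list[str]:
    """Return findings against the chapter's baseline; empty means the profile passes."""
    profile = plistlib.loads(raw)
    findings = []
    # Without this flag the user can simply delete the profile and its policies.
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile removable by user: PayloadRemovalDisallowed not set")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return findings + ["no passcode policy payload: data protection is not enforced"]
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("passcode not required: forcePIN false")
        # Data protection keys derive from the passcode; four digits is too weak.
        if p.get("minLength", 0) <= 4:
            findings.append("minLength <= 4: passcode no stronger than four digits")
        if p.get("allowSimple", True):
            findings.append("allowSimple true: repeated/sequential passcodes permitted")
        for key, what in (("maxFailedAttempts", "erase after failed attempts"),
                          ("pinHistory", "passcode history"),
                          ("maxGracePeriod", "grace period for device lock")):
            if key not in p:
                findings.append(f"{key} missing: {what} not enforced")
    return findings
```

Run against the sample, the audit reports the four-character minimum length and the missing history and grace-period limits, while the locked profile and failed-attempt limit pass.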