Apple devices are a popular choice for enterprise users, so making best use of the built-in iOS data protection features is paramount to keeping business data safe.
Apple's security features have come a long way over the years, but they still have their weak spots. IT needs to know where these are, keep devices updated and enable key capabilities such as encryption and Touch ID.
Here are eight iOS data protection best practices to follow:
Make smart hardware choices
Apple's security continues to improve with each iOS version, enabled in large part by hardware capabilities. For example, iOS devices with an A7 or later A-Series processor include the Secure Enclave coprocessor, which uses a secure boot process to verify the operating system and ensure the integrity of iOS data protection, even if the kernel is compromised.
Refreshing older iPhones and iPads at regular intervals -- and encouraging BYOD users to do the same -- can help overcome known hardware weaknesses and strengthen the platform upon which everything else depends.
Keep your OS and apps current
Mobile threats capitalize on OS and app vulnerabilities, so IT should plug known holes as quickly as possible. In keeping with iOS data protection best practices, this means installing Apple's and carriers' software updates promptly. Apple routinely releases updates containing security patches, notifying users over the air and via iTunes.
IT should encourage users to install updates and use enterprise mobile management (EMM) to verify that all users do so in a timely manner, notifying or even quarantining devices running old, buggy versions. IT can monitor security patches and fixes at SCAP-on-Apple. The same advice applies to apps -- especially, but not exclusively, apps that handle business data -- using mobile application management to install updates automatically.
Apple iOS devices can protect data using AES-256 encryption, unlocked by keys that incorporate the device's Unique ID (UID) and group ID (GID). While GIDs are common to all processors of a given type, UIDs are set during manufacturing and Apple does not record them.
Because protected data is cryptographically bound to each device in this way, the file system or memory chips cannot simply be copied or removed and decrypted elsewhere. Setting a device passcode enables this level of protection for all files, independent of any further protection that applications might apply.
Combine Touch ID with a complex passcode
The most robust data protection can be undone by a simple passcode, and yet simple passcodes reign because ease of use is crucial on mobile devices. To encourage this best practice, Apple recently increased the default passcode length to six characters and added Touch ID for more convenient unlocking.
Certain apps can use Touch ID as a second authentication factor, but the strength of data protection depends on the passcode's strength; the passcode is still required at boot time, after five failed Touch ID attempts or after 48 hours of inactivity. For example, it would take more than five years to try every possible combination of a six-character lowercase alphanumeric passcode.
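A quick way to check the five-year figure, and to see how much weaker a short numeric PIN is by comparison, is to multiply the passcode keyspace by the cost of a single guess. The Python below is an added example, not code from the article: it assumes the roughly 80 ms per attempt that Apple's iOS Security Guide gives for the UID-entangled key derivation inside the Secure Enclave (the constant ITERATION_SECONDS is that assumption) and works out how long an exhaustive search would take for several passcode policies.

```python
import string

# Apple documents that each passcode attempt costs roughly 80 ms because the key
# derivation is entangled with the UID inside the Secure Enclave. This example takes
# that figure as an assumption; it is not stated on the page.
ITERATION_SECONDS = 0.08
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an exhaustive search would have to cover for each passcode policy.
CHARSETS = {
    "numeric": string.digits,                                         # 10 symbols
    "lowercase alphanumeric": string.ascii_lowercase + string.digits, # 36 symbols
    "mixed-case alphanumeric": string.ascii_letters + string.digits,  # 62 symbols
}


def keyspace(length: int, charset: str) -> int:
    """Number of distinct passcodes of the given length over the charset."""
    return len(charset) ** length


def exhaustive_search_seconds(length: int, charset: str,
                              per_attempt: float = ITERATION_SECONDS) -> float:
    """Worst-case time to try every passcode when each attempt costs per_attempt seconds."""
    return keyspace(length, charset) * per_attempt


def exhaustive_search_years(length: int, charset: str,
                            per_attempt: float = ITERATION_SECONDS) -> float:
    return exhaustive_search_seconds(length, charset, per_attempt) / SECONDS_PER_YEAR


def compare_policies(lengths=(4, 6)):
    """Tabulate keyspace and exhaustive-search time for each charset/length combination."""
    rows = []
    for name, charset in CHARSETS.items():
        for length in lengths:
            rows.append((name, length, keyspace(length, charset),
                         exhaustive_search_years(length, charset)))
    return rows


if __name__ == "__main__":
    for name, length, space, years in compare_policies():
        print(f"{name:24s} length {length}: {space:>16,d} combinations, {years:10.4f} years")
```

A six-character lowercase alphanumeric passcode comes out at about 5.5 years, which matches the article's "more than five years", while a four-digit PIN falls in roughly 13 minutes under the same per-attempt cost. With Erase Data turned on, an attacker working at the lock screen gets only ten guesses before the file system key is destroyed; the table describes the case where the Secure Enclave's rate limit is the only defence.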
Enable remote wipe
Wiping an iOS device erases the file system key, quickly rendering all encrypted files unreadable. For protection against device loss or theft, IT should require passcode or Touch ID re-entry after a relatively short timeout, turn on Erase Data to auto-wipe the device after multiple failed passcode attempts (10, by default) and enable Find My iPhone for user-initiated remote locate, lock and wipe.
Use Enterprise Mobile Management for more granular control
Enrolling all iOS devices used for business with EMM enables IT-defined remote policy configuration, monitoring and enforcement using APIs built into the operating system.
For example, IT can use EMM tools to enforce passcode use with a minimum length and complexity, configure inactivity timeouts and passcode retry limits, and locate, lock or wipe a previously enrolled iOS device. In many cases, however, employers may not want to wipe the entire device; they simply want to wipe business data and settings.
To accomplish this selective wipe, IT can use EMM to unenroll a previously enrolled iOS device, automatically removing all configuration and application profiles previously pushed by that EMM.
Avoid -- and detect -- iOS jailbreaking
Apple iOS devices can only run apps that are digitally signed with an authorized certificate, such as an Apple-issued developer certificate. Jailbroken devices can circumvent this and other security features, permitting execution of unauthorized and possibly malicious apps, which can result in protected data becoming accessible to bad apps when the device is unlocked.
IT can reduce this risk by establishing a policy that prohibits jailbreaking on iOS devices used for business, then using an EMM tool with jailbreak detection to spot warning signs and automatically quarantine or enterprise-wipe a potentially jailbroken iOS device.
Keep data protected everywhere
The iOS data protection best practices described above apply to on-device data, but it's also important to encrypt any data that moves off the device. For example, iOS device backups are encrypted with a user-supplied iTunes password. IT must ensure that backups to iTunes are either disabled or always encrypted, and that backup passwords are at least as strong as the device passcode. The same advice applies to any data backed up to iCloud. IT can also use capabilities such as VPN On Demand, Per App VPN and Always On VPN to keep data protected in transit.
Use Managed Open In to control protected data flows
Finally, iOS applications are sandboxed, meaning they do not generally have access to each other's protected data -- files or memory spaces. However, iOS allows apps to share data using extensions, with communication between apps mediated by the system framework, which means protected data could potentially leak from an enterprise app to a third-party app such as a document or keyboard extension.
To avoid this situation, IT can use EMM tools to configure Managed Open In rules, which allow protected data to flow between managed apps -- those installed via EMM -- without being accessible to unmanaged apps -- those installed by the user. IT should similarly caution users against using, and authorizing access by, unapproved accessory devices, and enable Activation Lock on Apple Watches. In short, don't stop at protecting data at rest -- think about where data can move and how to stop leaks.
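The passcode policy EMM enforces (minimum length and complexity, inactivity timeout, retry limit), the encrypted-backup requirement and the Managed Open In rules described above all end up in the same artefact: an iOS configuration profile (.mobileconfig), an XML property list that the EMM server pushes to enrolled devices. The Python below is an added example, not code from the article or from any EMM vendor. It builds such a profile with the standard library's plistlib and then audits an existing profile for settings that fall below a baseline. The payload types and keys used (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, allowOpenFromManagedToUnmanaged, forceEncryptedBackup and so on) are Apple's documented configuration profile keys; the identifier prefix example.corp, the baseline thresholds and the specific values are assumptions chosen for illustration.

```python
import plistlib
import uuid

# Identifier prefix for the payloads; "example.corp" is a placeholder, not a real organisation.
ORG_PREFIX = "example.corp"


def _payload_header(payload_type: str, suffix: str, display_name: str) -> dict:
    """Common keys every payload dictionary in a configuration profile carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def passcode_policy_payload() -> dict:
    """Passcode policy payload; the values are a sample policy chosen for this example."""
    payload = _payload_header("com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy")
    payload.update({
        "forcePIN": True,             # a passcode must exist, which is what activates data protection
        "allowSimple": False,         # reject repeated or sequential passcodes such as 1111 or 1234
        "requireAlphanumeric": True,  # at least one letter and one digit
        "minLength": 6,
        "maxInactivity": 2,           # minutes of inactivity before the device locks
        "maxGracePeriod": 0,          # require the passcode immediately once locked
        "maxFailedAttempts": 10,      # after this many wrong passcodes the device erases its data
    })
    return payload


def restrictions_payload() -> dict:
    """Restrictions payload covering Managed Open In and backup encryption."""
    payload = _payload_header("com.apple.applicationaccess", "restrictions", "Data flow restrictions")
    payload.update({
        "allowOpenFromManagedToUnmanaged": False,  # documents from managed apps stay in managed apps
        "allowOpenFromUnmanagedToManaged": False,  # and unmanaged documents cannot enter managed apps
        "forceEncryptedBackup": True,              # iTunes backups must be encrypted
        "allowCloudBackup": False,                 # no iCloud backup of this device at all
    })
    return payload


def build_profile(display_name: str = "iOS data protection baseline") -> dict:
    """Assemble a top-level configuration profile ready to be pushed by an EMM server."""
    profile = _payload_header("Configuration", "baseline", display_name)
    profile["PayloadRemovalDisallowed"] = True  # users cannot remove the profile by hand
    profile["PayloadContent"] = [passcode_policy_payload(), restrictions_payload()]
    return profile


def profile_to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Baseline this example enforces when auditing a profile (an assumption, not an Apple default).
REQUIRED_PASSCODE = {"forcePIN": True, "allowSimple": False, "requireAlphanumeric": True}
REQUIRED_RESTRICTIONS = {"allowOpenFromManagedToUnmanaged": False, "forceEncryptedBackup": True}
REQUIRED_PAYLOADS = ("com.apple.mobiledevice.passwordpolicy", "com.apple.applicationaccess")


def audit_mobileconfig(data: bytes) -> list:
    """Return findings for settings below the baseline; an empty list means the profile complies."""
    profile = plistlib.loads(data)
    findings, seen = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        seen.add(ptype)
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            for key, wanted in REQUIRED_PASSCODE.items():
                if payload.get(key) != wanted:
                    findings.append(f"passcode policy: {key} should be {wanted}")
            if payload.get("minLength", 0) < 6:
                findings.append("passcode policy: minLength below 6")
            if payload.get("maxFailedAttempts", 0) not in range(1, 11):
                findings.append("passcode policy: maxFailedAttempts must be set and at most 10")
        elif ptype == "com.apple.applicationaccess":
            for key, wanted in REQUIRED_RESTRICTIONS.items():
                if payload.get(key) != wanted:
                    findings.append(f"restrictions: {key} should be {wanted}")
    for required in REQUIRED_PAYLOADS:
        if required not in seen:
            findings.append(f"missing payload {required}")
    return findings


if __name__ == "__main__":
    blob = profile_to_mobileconfig(build_profile())
    print(blob.decode())
    print("findings:", audit_mobileconfig(blob))
```

The audit half is the part worth keeping around: profiles accumulate over years of EMM administration, and re-reading an exported .mobileconfig against a written baseline catches the profile that still allows simple passcodes or leaves Managed Open In unrestricted.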