Many praise Apple for the security of its devices. The company’s hardware and software have certifications that affirm their compliance with various regulations. However, when it comes to the overall cyber defense posture of an organization, the software and hardware certification of individual devices is just a fraction of what is needed to ensure reliable cybersecurity.
iPhones and other iOS devices may be inherently secure, but the way they are used in an organization’s IT ecosystem is a different story. The presumption that iOS devices are not as prone to vulnerabilities as other devices may itself give cybercriminals the opening they need to steal data or introduce malicious software.
Adhering to security requirements may sound simple and straightforward, but it is not remotely the case. The requirements may change or evolve. The complexity of large IT infrastructure makes it difficult to properly cover all devices and activities. For growing organizations, it is possible for silos to emerge. Additionally, connections with third-party software, web services, and hardware create more complications.
To maintain formidable protection from cyber threats, it is advisable to implement a sensible security compliance management process. In the case of iOS devices, it helps to take the following into account.
Do not use obsolete devices
Obsolete here refers to devices that are no longer supported or updated by Apple. iOS devices usually come with software updates for around five years. After the software support ends, the devices do not necessarily become dysfunctional or insecure, but they no longer receive updates, including those issued in response to newly discovered threats. This makes them vulnerable to unidentified attacks and newly discovered bugs or software issues.
Ensure device supervision
Again, it is unwise to rely on the inherent security of devices. Everything that connects to a network should be supervised strictly to make sure that security policies are enforced. For iOS devices, it is preferable to use Apple Business Manager (ABM) to take advantage of native management functions, especially zero-touch enrollment. This feature prevents users from unenrolling their devices once deployed.
If ABM is not an option, it is also possible to enforce device supervision through Apple Configurator, which enables the manual oversight of devices. It does not stop device owners from unenrolling their devices, but it provides greater control because the configurator handles resource provisioning.
Enforce mobile device management
Supervision is different from management. Once devices are supervised, the next step is to enroll them in a mobile device management service. The National Institute of Standards and Technology (NIST) provides guidelines for managing the security of mobile devices in enterprises, which suggest the use of a centralized device management technology.
This centralized device management platform or mobile device management system simplifies the management of all devices by providing functions that enable control over device configuration, data protection, the handling of enterprise-approved apps, and the monitoring of the compliance status of devices across different operating systems and device types. It is also useful in enforcing enterprise security policies such as the use of VPN connections, remote device data wiping for lost or unlocatable devices, and the monitoring of possible violations of software integrity such as jailbreaking and the lack of software updates.
With the popularity of cloud computing and remote work arrangements, it is preferable to use a cloud-based device management platform. This ensures that the system can cover all devices, including those that are in remote locations or multiple satellite and branch locations.
Enable remote access to devices
One of the most common security tips for device owners is to disable remote access to their devices if they are not using this function. However, when it comes to enterprise mobile device management, remote access is a must. It is through remote access that device management is made possible.
Enabling remote access should be handled prudently. It is advisable to implement a zero-trust architecture, which takes away any regard for the inherent trustworthiness of devices. As mentioned, iOS devices are usually secure, but this should not be considered in the compliance management process. Every device, user, or connection should be perceived as a potential threat. Hence, authentication, authorization, and other precautionary measures should be enforced before granting access permissions or connection privileges.
The use of zero-trust architecture, however, is not foolproof. It does not guarantee absolute protection. Implemented incorrectly, it can even become a source of additional risks. A good benchmark for adopting a zero-trust architecture entails the implementation of strong user authentication, especially with multi-factor authentication, machine authentication, log monitoring, contextual authentication, and the enforcement of access control policies within specific applications.
Discourage the use of third-party apps as much as possible
This is a basic and oft-repeated cybersecurity reminder: limit app usage to native or enterprise applications as much as possible. If a VPN is necessary, for example, the built-in IKEv2 VPN in iOS devices is preferable. It is easy to use and provides virtually everything users need from a VPN app.
Using third-party applications may be inevitable for some organizations, though. In such cases, it is important for an organization to establish its own curated catalog of approved or safe apps, which may only be installed through the centralized device management platform. Relying on the approval process and security measures of the Apple App Store is an unsafe practice. There have been a number of instances when unsafe or dubious applications were included in the official Apple App Store.
Organizations should pay extra attention to high-privilege applications such as keyboard, messaging, and network extension apps. Using malware-laced apps that can track data inputs and storage in devices is a critical security compromise.
Ensure proper configuration
Organizations should formulate or adopt a solid device configuration system that will serve as the basis for enforcing technical controls. For instance, when it comes to external interfaces, it is considered a secure practice to disable wired and wireless peripheral connection permissions when a device is locked. By doing this, threat actors cannot easily bypass the password or biometric protection of devices by simply connecting USB accessories to access data storage or specific apps.
Similarly, it is important to have carefully thought out policies for iCloud and other cloud service access. In terms of OS and app updates, automatic updating used to be regarded as generally safe. However, because of recent major software supply chain attacks, it makes sense to add layers of verification or authentication to make sure that software updates only come from legitimate sources.
Devices running iOS and other Apple operating systems are generally safe, but this does not mean that they can automatically be treated as secure devices when connected to the enterprise network. They should be supervised and managed just like other devices if they are connected to an organization’s network to maintain security posture integrity. Their configurations should be handled cautiously. Additionally, it helps to embrace the zero-trust security principle and the proper handling of third-party apps.
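The checks discussed in the sections above (supported OS, supervision, MDM enrollment, software integrity, accessory access while locked, and the curated app catalog) can be run over a device inventory as in the following added example, which is not taken from any MDM product. The record fields, the minimum OS value, the bundle IDs, and the inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values; replace them with the organization's own baseline.
MIN_OS = (17, 0, 0)                                      # oldest accepted iOS release
APPROVED_APPS = {"com.example.mail", "com.example.crm"}  # curated catalog (bundle IDs)
HIGH_PRIVILEGE = {"keyboard", "messaging", "network-extension"}

@dataclass
class Device:                  # hypothetical inventory record, e.g. from an MDM export
    serial: str
    os_version: str
    supervised: bool
    mdm_enrolled: bool
    jailbroken: bool
    accessories_blocked_when_locked: bool
    apps: dict = field(default_factory=dict)   # bundle ID -> set of extension types

def parse_version(text):
    """'9.3' -> (9, 3, 0). Tuples avoid string pitfalls such as '9.3' > '17.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def findings(dev):
    """Return the list of policy violations for one device (empty if compliant)."""
    out = []
    if parse_version(dev.os_version) < MIN_OS:
        out.append("os-below-minimum")
    if not dev.supervised:
        out.append("not-supervised")
    if not dev.mdm_enrolled:
        out.append("not-mdm-enrolled")
    if dev.jailbroken:
        out.append("integrity-violation")
    if not dev.accessories_blocked_when_locked:
        out.append("accessories-allowed-while-locked")
    for bundle_id, ext in sorted(dev.apps.items()):
        if bundle_id not in APPROVED_APPS:
            # Unapproved keyboard/messaging/network-extension apps rank higher.
            tag = "unapproved-high-privilege-app" if ext & HIGH_PRIVILEGE else "unapproved-app"
            out.append(f"{tag}:{bundle_id}")
    return out

def report(devices):
    """Map serial -> findings, listing only non-compliant devices."""
    return {d.serial: f for d in devices if (f := findings(d))}

# Constructed sample inventory.
INVENTORY = [
    Device("SERIAL-A", "17.4.1", True, True, False, True, {"com.example.mail": set()}),
    Device("SERIAL-B", "15.8", False, True, False, False, {"com.vendor.keys": {"keyboard"}}),
    Device("SERIAL-C", "17", True, False, False, True, {"com.vendor.game": set()}),
]

if __name__ == "__main__":
    for serial, issues in report(INVENTORY).items():
        print(serial, ", ".join(issues))
```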