Announcing the iOS/iPadOS Security Configuration Framework

Published Apr 16 2021 09:30 AM
Microsoft

As mobile usage becomes more prevalent, so does the need to protect your work or school data on those devices. In March 2020, we introduced the App Protection Policy Data Protection Framework to help organizations determine which Intune app protection policy settings they should deploy to protect work or school account data within the apps.


In June 2020, we expanded the framework by including recommendations for enrolled Android Enterprise devices by introducing the Android Enterprise Security Configuration Framework to manage device compliance and device restriction settings.


Today, I am happy to announce that we’re expanding the framework to also include recommendations for enrolled iOS/iPadOS devices. iOS/iPadOS supports several enrollment scenarios, two of which are covered as part of this framework:

  • Device enrollment for personally owned devices – these devices are personally owned and used for both work and personal use.
  • Supervised automated device enrollment for corporate-owned devices – these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.

When configuring device compliance and configuration policies, the many available settings and options enable organizations to tailor protection to their specific needs. Because of this flexibility, it may not be obvious which combination of policy settings is required to implement a complete scenario. To help organizations prioritize client endpoint hardening, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and Intune is leveraging a similar taxonomy for its iOS/iPadOS security configuration framework.


The iOS/iPadOS security configuration framework is organized into several distinct configuration scenarios, providing guidance for personally owned and supervised devices.


For personally owned devices:

  • Basic security (Level 1) – Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This is done by enforcing password policies, device lock characteristics, and disabling certain device functions (e.g., untrusted certificates).
  • Enhanced security (Level 2) – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts data sharing controls. This configuration is applicable to most mobile users accessing work or school data on a device.
  • High security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration enacts stronger password policies, disables certain device functions, and enforces additional data transfer restrictions.

For supervised devices:

  • Basic security (Level 1) – Microsoft recommends this configuration as the minimum security configuration for supervised devices where users access work or school data. This is done by enforcing password policies, device lock characteristics, and disabling certain device functions (e.g., untrusted certificates).
  • Enhanced security (Level 2) – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts data sharing controls and blocks access to USB devices. This configuration is applicable to most mobile users accessing work or school data on a device.
  • High security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration enacts stronger password policies, disables certain device functions, enforces additional data transfer restrictions, and requires apps to be installed through Apple’s volume purchase program.

To see the specific recommendations for each configuration level, review the iOS/iPadOS Security Configuration Framework (http://aka.ms/iossecconfig).


As with any framework, settings within a given level may need to be adjusted to the needs of the organization, since the security team must weigh the threat environment, risk appetite, and impact on usability.


We hope this framework helps you when evaluating what iOS/iPadOS settings to deploy in your environment. As always, if you have questions, please let us know.


Ross Smith IV
Principal Program Manager
Customer Experience Engineering

3 Comments
Senior Member

I am happy to see these Security Configuration Frameworks. So is CISO. :) 

Occasional Contributor

Hi @Ross Smith IV,


Thanks for this article.
This article is very good for getting a quick look at the news on the APP Data Protection framework.
When opening this I expected a new and entirely redesigned framework but I was confused by the title.


Regards,

AEL

Microsoft

@Aldo ELIAS Thanks for the feedback. We took an approach to provide frameworks for all mobile-related scenarios - app protection, as well as enrollment scenarios (device restrictions and device compliance). The frameworks can be used independently or together depending on the situation. Of course, we recommend APP whether the device is being enrolled or not.

Last update: Apr 16 2021 10:44 AM