Purpose. This document provides security-related usage and configuration recommendations for Apple
iOS devices such as the iPhone, iPad, and iPod touch. This document does not constitute Department
of Defense (DoD) or United States Government (USG) policy, nor is it an endorsement of any particular
platform; its purpose is solely to provide security recommendations. This guide may outline procedures
required to implement or secure certain features, but it is also not a general-purpose configuration manual.
The guidance provides recommendations for general-purpose business use of iOS devices for processing data
that is UNCLASSIFIED, and possibly Sensitive But Unclassified. Such data may carry various designations
such as For Official Use Only, Law Enforcement Sensitive, or Security Sensitive Information. Approval for
processing such Sensitive But Unclassified data is dependent upon risk decisions by Designated Approving
Authorities (or their analogs in non-DoD entities).
Audience. This guide is primarily intended for network/system administrators deploying Apple’s iOS
devices or supporting their integration into enterprise networks. Some information relevant to IT decision
makers and users of the devices is also included. Readers are assumed to possess basic network and system
administration skills for Mac OS X or Microsoft Windows systems, and they should have some familiarity
with Apple’s documentation and user interface conventions.
Scope. Apple’s mobile devices, including the iPhone and iPad, are prominent examples of a new generation
of mobile devices that combine into a single device the capabilities of a cellular phone, laptop computer,
portable music player, camera, audio recorder, GPS receiver and other electronics. The capabilities of such
devices are considerable but, as with any information system, also pose some security risks. Design features
can seriously mitigate some risks, but others must be considered as part of a careful, holistic risk decision that
also respects the capabilities enabled by such devices. Major risks, and available mitigations, are discussed
in Section 1.3.
Security guidance for mobile devices must cut across many previously discrete boundaries between
technologies. For example, scrupulous deployment of an iPhone includes consideration of not just the settings on
the device itself, but those of the Wi-Fi networks to which it will connect, the VPNs through which it will
tunnel, and the servers from which it will receive its configuration. This guide provides recommendations for
the settings on an iOS device itself, as well as closely-related information for the network and configuration
resources upon which deployment of iOS devices depends.