ASD's Blueprint for Secure Cloud

iOS/iPadOS

This section describes the configuration of device configuration profiles within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.


Basics

| Item | Value |
| --- | --- |
| Name | Ios/Ipad |
| Description | |
| Platform | iOS/iPadOS |
| Profile type | Device restrictions |

Assignments

Included groups

None

Excluded groups

| Item | Value |
| --- | --- |
| Groups | No groups selected |

Scope tags

| Item | Value |
| --- | --- |
| Scope tags | Default |

Configuration settings

App Store, Doc Viewing, Gaming

| Item | Value |
| --- | --- |
| Block viewing corporate documents in unmanaged apps | Yes |
| Allow unmanaged apps to read from managed contacts accounts | Yes |
| Treat AirDrop as an unmanaged destination | Yes |
| Block viewing non-corporate documents in corporate apps | Yes |
| Allow copy/paste to be affected by managed open-in | Yes |
| Require iTunes Store password for all purchases | Not configured |
| Block in-app purchases | Not configured |
| Block download of explicit sexual content in Apple Books | Not configured |
| Allow managed apps to write contacts to unmanaged contacts accounts | Not configured |
| Ratings region | No region configured |
| Block App Store | Yes |
| Block installing apps using App Store | Not configured |
| Block automatic app downloads | Yes |
| Block playback of explicit music, podcast, and iTunes U | Not configured |
| Block adding Game Center friends | Not configured |
| Block Game Center | Not configured |
| Block multiplayer gaming in the Game Center | Not configured |
| Block access to network drive in Files app | Not configured |

Built-in apps

| Item | Value |
| --- | --- |
| Block Siri | Yes |
| Block Siri while device is locked | Not configured |
| Require Safari fraud warnings | Yes |
| Block internet search results from Spotlight | Yes |
| Safari cookies | Block all cookies, and block cross site tracking |
| Block Safari JavaScript | Yes |
| Block Safari pop-ups | Yes |
| Block Siri for dictation | Yes |
| Block Siri for translation | Yes |
| Block camera | Yes |
| Block FaceTime | Not configured |
| Require Siri profanity filter | Not configured |
| Block user-generated content in Siri | Not configured |
| Block Apple News | Not configured |
| Block Apple Books | Yes |
| Block iMessage | Yes |
| Block Podcasts | Yes |
| Music service | Yes |
| Block iTunes Radio | Yes |
| Block iTunes Store | Yes |
| Block Find My iPhone | Yes |
| Block Find My Friends | Yes |
| Block user modification to the Find My Friends settings | Yes |
| Block removal of system apps from device | Yes |
| Block Safari | Yes |
| Block Safari Autofill | Yes |

Cloud and Storage

| Item | Value |
| --- | --- |
| Force encrypted backup | Yes |
| Block managed apps from storing data in iCloud | Yes |
| Block backup of enterprise books | Yes |
| Block notes and highlights sync for enterprise books | Yes |
| Block iCloud Photos sync | Yes |
| Block iCloud Photo Library | Yes |
| Block My Photo Stream | Yes |
| Block Handoff | Yes |
| Block iCloud backup | Yes |
| Block iCloud document and data sync | Yes |
| Block iCloud Keychain sync | Yes |
| Block iCloud Private Relay | Not configured |

Connected devices

| Item | Value |
| --- | --- |
| Force Apple Watch wrist detection | Yes |
| Require AirPlay outgoing requests pairing password | Yes |
| Block Apple Watch auto unlock | Yes |
| Block AirDrop | Yes |
| Block pairing with Apple Watch | Yes |
| Block modifying Bluetooth settings | Not configured |
| Block pairing with non-Configurator hosts | Yes |
| Block AirPrint | Yes |
| Block storage of AirPrint credentials in Keychain | Not configured |
| Require AirPrint to destinations with trusted certificates | Not configured |
| Block iBeacon discovery of AirPrint printers | Not configured |
| Block setting up new nearby devices | Yes |
| Block access to USB drive in Files app | Yes |
| Disable near-field communication (NFC) | Yes |
| Allow users to boot devices into recovery mode with unpaired devices | Not configured |

General

| Item | Value |
| --- | --- |
| Block sending diagnostic and usage data to Apple | Yes |
| Block screenshots and screen recording | Yes |
| Block untrusted TLS certificates | Yes |
| Block over-the-air PKI updates | Yes |
| Force limited ad tracking | Yes |
| Block trusting new enterprise app authors | Yes |
| Limit Apple personalized advertising | Yes |
| Block modification of diagnostics settings | Not configured |
| Block remote AirPlay, view screen by Classroom app, and screen sharing | Yes |
| Allow Classroom app to perform AirPlay and view screen without prompting | Yes |
| Block modification of account settings | Yes |
| Block Screen Time | Yes |
| Block users from erasing all content and settings on device | Yes |
| Block modification of device name | Yes |
| Block modification of notifications settings | Yes |
| Block modification of Wallpaper | Yes |
| Block configuration profile changes | Yes |
| Allow activation lock | Yes |
| Block removing apps | Yes |
| Block app clips | Yes |
| Allow USB accessories while device is locked | Not configured |
| Force automatic date and time | Yes |
| Require teacher permission to leave Classroom app unmanaged classes | Not configured |
| Allow Classroom to lock to an app and lock the device without prompting | Not configured |
| Allow students to automatically join Classroom classes without prompting | Not configured |
| Block VPN creation | Yes |
| Block modification of eSIM settings | Yes |
| Defer software updates | Not configured |
| Delay default visibility of software updates | None |

Keyboard and dictionary

| Item | Value |
| --- | --- |
| Block word definition lookup | Not configured |
| Block predictive keyboards | Not configured |
| Block auto-correction | Not configured |
| Block spell check | Not configured |
| Block keyboard shortcuts | Not configured |
| Block dictation | Not configured |
| Block QuickPath | Not configured |

Kiosk

| Item | Value |
| --- | --- |
| App to run in kiosk mode | Not configured |
| Require AssistiveTouch | Not configured |
| Require invert colours | Not configured |
| Require mono audio | Not configured |
| Require Voice Control | Not configured |
| Require VoiceOver | Not configured |
| Require zoom | Not configured |
| Block auto lock | Not configured |
| Block ringer switch | Not configured |
| Block screen rotation | Not configured |
| Block screen sleep button | Not configured |
| Block touch | Not configured |
| Block volume buttons | Not configured |
| Allow AssistiveTouch control | Not configured |
| Allow invert colours control | Not configured |
| Speak on selected text | Not configured |
| Allow Voice Control | Not configured |
| Allow VoiceOver control | Not configured |
| Allow zoom control | Not configured |

Locked Screen Experience

| Item | Value |
| --- | --- |
| Block Control Center access in lock screen | Yes |
| Block Notification Center access in lock screen | Yes |
| Block Today view in lock screen | Yes |
| Block Wallet notifications in lock screen | Yes |

Password

| Item | Value |
| --- | --- |
| Require password | Yes |
| Block simple passwords | Yes |
| Required password type | Alphanumeric |
| Number of non-alphanumeric characters in password | 1 |
| Minimum password length | 15 |
| Number of sign-in failures before wiping device | 11 |
| Maximum minutes after screen lock before password is required | Immediately |
| Maximum minutes of inactivity until screen locks | 1 Minute |
| Password expiration (days) | 365 |
| Prevent reuse of previous passwords | 5 |
| Block Touch ID and Face ID unlock | Yes |
| Block passcode modification | Yes |
| Block modification of Touch ID fingerprints and Face ID faces | Yes |
| Block password AutoFill | Yes |
| Block password proximity requests | Yes |
| Block password sharing | Yes |
| Require Touch ID or Face ID authentication for AutoFill of password or credit card information | Not configured |

Restricted Apps

| Item | Value |
| --- | --- |
| Type of restricted apps list | Approved apps |

Apps list

| App store URL | App bundle ID | App name | Publisher |
| --- | --- | --- | --- |
| https://apps.apple.com/au/app/adobe-acrobat-reader-for-pdf/id469337564 | com.adobe.Adobe-Reader | Adobe Acrobat Reader for PDF | Adobe Inc |
| https://apps.apple.com/us/app/microsoft-authenticator/id983156458 | com.microsoft.azureauthenticator | Microsoft Authenticator | Microsoft Corporation |
| https://apps.apple.com/us/app/microsoft-edge/id1288723196 | com.microsoft.msedge | Microsoft Edge | Microsoft Corporation |
| https://apps.apple.com/us/app/microsoft-excel/id586683407 | com.microsoft.Office.Excel | Microsoft Excel | Microsoft Corporation |
| https://apps.apple.com/us/app/microsoft-onedrive/id477537958 | com.microsoft.skydrive | Microsoft OneDrive | Microsoft Corporation |
| https://apps.apple.com/au/app/microsoft-onenote/id410395246 | com.microsoft.onenote | Microsoft OneNote | Microsoft Corporation |
| https://apps.apple.com/au/app/microsoft-powerpoint/id586449534 | com.microsoft.Office.Powerpoint | Microsoft PowerPoint | Microsoft Corporation |
| https://apps.apple.com/us/app/microsoft-outlook/id951937596 | com.microsoft.Office.Outlook | Microsoft Outlook | Microsoft Corporation |
| https://apps.apple.com/au/app/microsoft-sharepoint/id1091505266 | com.microsoft.sharepoint | Microsoft SharePoint | Microsoft Corporation |
| https://apps.apple.com/us/app/teams/id1113153706 | com.microsoft.skype.teams | Microsoft Teams | Microsoft Corporation |
| https://apps.apple.com/us/app/microsoft-word/id586447913 | com.microsoft.Office.Word | Microsoft Word | Microsoft Corporation |
| https://apps.apple.com/au/app/power-apps/id1047318566 | com.microsoft.msapps | PowerApps | Microsoft Corporation |

Shared iPad

| Item | Value |
| --- | --- |
| Block Shared iPad temporary sessions | Yes |

Wireless

| Item | Value |
| --- | --- |
| Block data roaming | Not configured |
| Block global background fetch while roaming | Not configured |
| Block voice dialling while device is locked | Yes |
| Block voice roaming | Not configured |
| Block personal hotspot | Not configured |
| Block use of cellular data | |
| - Block use of cellular data | Not configured |
| Block use of cellular data when roaming | |
| - Block use of cellular data when roaming | Not configured |
| Block changes to app cellular data usage settings | Not configured |
| Block changes to cellular plan settings | Not configured |
| Block modification of personal hotspot | Not configured |
| Require joining Wi‑Fi networks only using configuration profiles | Not configured |
| Require Wi‑Fi always on | Not configured |
| Require devices to use Wi‑Fi networks set up via configuration profiles | Not configured |


Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Authorised by the Australian Government, Canberra