iOS/iPadOS personal device security configurations

As part of the iOS/iPadOS security configuration framework, apply the following device compliance settings to mobile users using personal devices. For more information on each policy setting, see iOS/iPadOS device settings in Microsoft Intune.

When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to usability.

Administrators can incorporate the configuration levels below within their ring deployment methodology for testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON templates with Intune's PowerShell scripts.

Personal basic security (Level 1)

Level 1 is the recommended minimum security configuration for iOS/iPadOS personal devices where users access work or school data.

The policies in level 1 enforce a reasonable level of data access control while minimizing the impact on users. This is done by enforcing password policies and device lock characteristics, and by disabling certain device functions (e.g., blocking untrusted TLS certificates).

To simplify the table below, only configured settings are listed. Device restrictions that are not listed are left as Not configured.

Device restrictions

| Section | Setting | Value | Notes |
|---|---|---|---|
| App Store, Doc Viewing, Gaming | Treat AirDrop as an unmanaged destination | Yes | |
| Built-in Apps | Block Siri while device is locked | Yes | |
| Built-in Apps | Require Safari fraud warnings | Yes | |
| Cloud and Storage | Force encrypted backup | Yes | |
| Cloud and Storage | Block managed apps from storing data in iCloud | Yes | |
| Connected Devices | Force Apple Watch wrist detection | Yes | |
| General | Block untrusted TLS certificates | Yes | |
| General | Block trusting new enterprise app authors | Yes | |
| Locked Screen Experience | Block Notification Center access in lock screen | Yes | |
| Locked Screen Experience | Block Today view in lock screen | Yes | |
| Password | Require a password | Yes | |
| Password | Block simple passwords | Yes | |
| Password | Required password type | Numeric | |
| Password | Minimum password length | 6 | Organizations may need to update this setting to match their password policy. |
| Password | Number of sign-in failures before wiping the device | 10 | Organizations may need to update this setting to match their password policy. |
| Password | Maximum minutes after screen lock before password is required | 5 | Organizations may need to update this setting to match their password policy. |
| Password | Maximum minutes of inactivity until screen locks | 5 | Organizations may need to update this setting to match their password policy. |

Personal enhanced security (Level 2)

Level 2 is the recommended configuration for personal devices where users access more sensitive information. These devices are a natural target in enterprises today. These settings don't assume a large staff of highly skilled security personnel. Therefore, they should be accessible to most enterprise organizations. This configuration is applicable to most mobile users accessing work or school data on a device.

This configuration expands upon the configuration in Level 1 by enacting data sharing controls.

The level 2 settings include all the policy settings recommended for level 1. However, the table below lists only the settings that have been added or changed. These settings may have a slightly higher impact on users or on applications. They enforce a level of security more appropriate for the risks facing users with access to sensitive information on mobile devices.

Device restrictions

| Section | Setting | Value | Notes |
|---|---|---|---|
| App Store, Doc Viewing, Gaming | Block viewing corporate documents in unmanaged apps | Yes | |
| App Store, Doc Viewing, Gaming | Block viewing non-corporate documents in corporate apps | Not configured | Enabling this device restriction blocks Outlook for iOS's ability to export contacts. This setting is not recommended if using Outlook for iOS. For more information, see Support Tip: Enabling Outlook iOS Contact Sync with iOS12 MDM Controls. |
| App Store, Doc Viewing, Gaming | Allow managed apps to write contacts to unmanaged contacts accounts | Yes | This setting is needed to allow Outlook for iOS to export contacts when Block viewing corporate documents in unmanaged apps is set to Yes. For more information, see Support Tip: Enabling Outlook iOS Contact Sync with iOS12 MDM Controls. |
| App Store, Doc Viewing, Gaming | Allow copy/paste to be affected by managed open-in | Not configured | Enabling this setting will block personal accounts within managed Microsoft apps from sharing data to unmanaged apps. |
| Built-in Apps | Block Siri for dictation | Yes | |
| Built-in Apps | Block Siri for translation | Yes | |
| Cloud Storage | Block backup of enterprise books | Yes | |
| Cloud Storage | Block notes and highlights sync for enterprise books | Yes | |
| General | Block sending diagnostic and usage data to Apple | Yes | |

Personal high security (Level 3)

Level 3 is the recommended configuration for both:

  • Organizations with large and sophisticated security organizations.
  • Specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries.

This configuration expands upon Level 2 by:

  • Enacting stronger password policies.
  • Disabling device functionality (e.g., screenshots and screen recordings).
  • Enforcing additional data transfer restrictions (e.g., blocking Handoff).

The policy settings enforced in level 3 include all the policy settings recommended for level 2. The table below lists only the settings that have been added or changed. These settings may have a significant impact on users or applications. They enforce a level of security more appropriate for the risks facing targeted organizations.

Device restrictions

| Section | Setting | Value | Notes |
|---|---|---|---|
| Cloud and Storage | Block Handoff | Yes | |
| Connected Devices | Require AirPlay outgoing requests pairing password | Yes | |
| Connected Devices | Block Apple Watch auto unlock | Yes | |
| General | Block screenshots and screen recording | Yes | |
| Password | Number of sign-in failures before wiping the device | 5 | Organizations may need to update this setting to match their password policy. |
| Password | Password expiration (days) | 365 | Organizations may need to update this setting to match their password policy. |
| Password | Prevent reuse of previous passwords | 5 | Organizations may need to update this setting to match their password policy. |
| Wireless | Block voice dialing while device is locked | Yes | |
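The three tables above layer on each other: level 2 and level 3 list only the rows they add or change on top of the previous level. The following Python is an added example, not part of this page or of Intune's own PowerShell scripts. It models the three levels as overlays, computes the effective setting set for a level, and checks an exported device restriction profile for drift from that baseline (a setting left unconfigured, or a numeric passcode setting relaxed below the table value). The dictionary keys are assumed to be the Microsoft Graph `iosGeneralDeviceConfiguration` property names for the corresponding table rows; verify them against the Graph reference before relying on the mapping. Rows whose property name is not certain (Siri dictation, Siri translation, Handoff) are deliberately left out, and the exported profile is a constructed sample.

```python
"""Layered iOS/iPadOS baselines (Level 1 -> 2 -> 3) and a drift check.

Added example. Keys are ASSUMED Graph iosGeneralDeviceConfiguration property
names; rows with uncertain names (Siri dictation/translation, Handoff) are
omitted on purpose. The exported profile below is a constructed sample.
"""
from typing import Any

# For numeric passcode settings, "stronger" has a direction: a profile value
# satisfies the baseline only if it sits on the right side of the table value.
AT_LEAST = "at_least"  # profile value must be >= baseline
AT_MOST = "at_most"    # profile value must be <= baseline
NUMERIC_DIRECTION = {
    "passcodeMinimumLength": AT_LEAST,
    "passcodeSignInFailureCountBeforeWipe": AT_MOST,
    "passcodeMinutesOfInactivityBeforeLock": AT_MOST,
    "passcodeMinutesOfInactivityBeforeScreenTimeout": AT_MOST,
    "passcodeExpirationDays": AT_MOST,
    "passcodePreviousPasscodeBlockCount": AT_LEAST,
}

# Level 1: the full baseline from the first table.
LEVEL1: dict[str, Any] = {
    "airDropForceUnmanagedDropTarget": True,
    "siriBlockedWhenLocked": True,
    "safariRequireFraudWarning": True,
    "iCloudRequireEncryptedBackup": True,
    "iCloudBlockManagedAppsSync": True,
    "appleWatchForceWristDetection": True,
    "certificatesBlockUntrustedTlsCertificates": True,
    "enterpriseAppBlockTrust": True,
    "lockScreenBlockNotificationView": True,
    "lockScreenBlockTodayView": True,
    "passcodeRequired": True,
    "passcodeBlockSimple": True,
    "passcodeRequiredType": "numeric",
    "passcodeMinimumLength": 6,
    "passcodeSignInFailureCountBeforeWipe": 10,
    "passcodeMinutesOfInactivityBeforeLock": 5,
    "passcodeMinutesOfInactivityBeforeScreenTimeout": 5,
}
# Levels 2 and 3 hold only the rows their tables add or change.
LEVEL2_OVERLAY: dict[str, Any] = {
    "documentsBlockManagedDocumentsInUnmanagedApps": True,
    "contactsAllowManagedToUnmanagedWrite": True,
    "enterpriseBookBlockBackup": True,
    "enterpriseBookBlockMetadataSync": True,
    "diagnosticDataBlockSubmission": True,
}
LEVEL3_OVERLAY: dict[str, Any] = {
    "airPlayForcePairingPasswordForOutgoingRequests": True,
    "appleWatchBlockAutoUnlock": True,
    "screenCaptureBlocked": True,
    "passcodeSignInFailureCountBeforeWipe": 5,   # tightened from 10
    "passcodeExpirationDays": 365,
    "passcodePreviousPasscodeBlockCount": 5,
    "voiceDialingBlocked": True,
}
OVERLAYS = {1: LEVEL1, 2: LEVEL2_OVERLAY, 3: LEVEL3_OVERLAY}


def effective_settings(level: int) -> dict[str, Any]:
    """Merge overlays 1..level; on overlap the higher level's value wins."""
    merged: dict[str, Any] = {}
    for lvl in range(1, level + 1):
        merged.update(OVERLAYS[lvl])
    return merged


def _satisfies(key: str, actual: Any, expected: Any) -> bool:
    """Exact match for booleans/enums, directional compare for numerics."""
    direction = NUMERIC_DIRECTION.get(key)
    if direction == AT_LEAST:
        return actual >= expected
    if direction == AT_MOST:
        return actual <= expected
    return actual == expected


def check_profile(profile: dict[str, Any], level: int) -> list[tuple[str, Any, Any, str]]:
    """Return (setting, expected, actual, reason) for every gap from the baseline."""
    findings: list[tuple[str, Any, Any, str]] = []
    for key, expected in effective_settings(level).items():
        if key not in profile:
            findings.append((key, expected, None, "not configured"))
        elif not _satisfies(key, profile[key], expected):
            findings.append((key, expected, profile[key], "weaker than baseline"))
    return findings


def overlays_only_strengthen() -> bool:
    """True when no overlay relaxes a numeric setting already set by a lower level."""
    for level in (2, 3):
        lower = effective_settings(level - 1)
        for key, value in OVERLAYS[level].items():
            if key in lower and key in NUMERIC_DIRECTION and not _satisfies(key, value, lower[key]):
                return False
    return True


# Constructed sample export: the minimum length was relaxed to 4 and the
# Safari fraud-warning row was never configured.
SAMPLE_EXPORTED_PROFILE: dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
    "displayName": "iOS Personal Level 1 (constructed sample)",
    **{k: v for k, v in LEVEL1.items() if k != "safariRequireFraudWarning"},
    "passcodeMinimumLength": 4,
}

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_EXPORTED_PROFILE, 1):
        print(finding)
```

Run as a script it reports two findings for the sample: `safariRequireFraudWarning` not configured and `passcodeMinimumLength` at 4 against a baseline of 6. The direction table is what makes the comparison meaningful: an organization that sets a longer minimum length or fewer failures before wipe than the table passes, while a relaxed value is flagged.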

Next steps

Administrators can incorporate the configuration levels above within their ring deployment methodology for testing and production use by importing the sample iOS/iPadOS Security Configuration Framework JSON templates with Intune's PowerShell scripts.