The Australian Signals Directorate has released an updated version of its iOS hardening guide for government agencies.
The guide to securing devices running Apple’s mobile system now covers version 8.3 of iOS.
iOS 8 was released in September last year. The operating system has commenced an ASD evaluation; however, the process of testing its conformance with the US government’s Protection Profile for Mobile Device Fundamentals Version 2.0 standard.
Since April 2014 the ASD has endorsed the Mobile Device Fundamentals Protection Profile (MDF PP) as a key part of evaluating mobile device security.
Although iOS 8 is still undergoing evaluation, the ASD has advised government agencies that use iOS-based devices such as iPhones and iPads to upgrade to version 8.3 of the operating system and implement the interim advice provided in its iOS 8 Hardening Guide (PDF).
"Currently, not all ISM requirements can be implemented on iOS 8 devices," the guide notes. However, it also includes a number of risk mitigation measures that agencies can take.
"iOS 8 has brought with it many important new features and improvements," the guide states.
"Apple has opened the platform further to app developers with 'app extensions' while simultaneously reinforcing platform security. Enterprise administrators are given more control with new configuration profile payloads and restrictions. While users are given a number of new features, many will challenge administrators of business-only iOS fleets."
Earlier this month the ASD published an updated version of its Information Security Manual for government agencies and departments.
A key change in the updated ISM was the introduction of the ASD’s Certified Cloud Services List (CCSL), which currently includes a number of Amazon Web Services’ offerings as well as Microsoft’s Office 365 and Azure cloud computing services. The guide was revised to make sure it was suited to a 'cloud first' policy environment.
“The CCSL has been developed to mitigate concerns from government that the security risks of using cloud services may not be easily identified,” an ASD spokesperson said.
“As the certification authority, ASD will provide a baseline understanding of how a cloud service provider approaches these risks using ASD's and industry's experience.”