0% found this document useful (0 votes)

190 views262 pages

CIS Apple IOS 17 and IPadOS 17 Intune Benchmark v1.0.0

Uploaded by

affy1977

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

190 views262 pages

CIS Apple IOS 17 and IPadOS 17 Intune Benchmark v1.0.0

Uploaded by

affy1977

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 262

CIS Apple iOS 17 and

iPadOS 17 Intune
Benchmark
v1.0.0 - 02-27-2024
Terms of Use
Please see the below link for our current terms of use:
https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

Page 1
Table of Contents
Terms of Use ..................................................................................................................... 1
Table of Contents ............................................................................................................. 2
Overview ............................................................................................................................ 6
Intended Audience ..................................................................................................................... 6
Consensus Guidance................................................................................................................. 7
Typographical Conventions ...................................................................................................... 8
Recommendation Definitions ......................................................................................... 9
Title............................................................................................................................................... 9
Assessment Status .................................................................................................................... 9
Automated ............................................................................................................................................... 9
Manual...................................................................................................................................................... 9
Profile ........................................................................................................................................... 9
Description .................................................................................................................................. 9
Rationale Statement ................................................................................................................... 9
Impact Statement...................................................................................................................... 10
Audit Procedure........................................................................................................................ 10
Remediation Procedure ........................................................................................................... 10
Default Value ............................................................................................................................. 10
References ................................................................................................................................ 10
CIS Critical Security Controls® (CIS Controls®) .................................................................... 10
Additional Information ............................................................................................................. 10
Profile Definitions ..................................................................................................................... 11
Acknowledgements .................................................................................................................. 12
Recommendations ......................................................................................................... 13
1 Benchmark Guidance ........................................................................................................... 13
2 Recommendations for Unsupervised (BYOD) Devices .................................................... 14
2.1 App Store, Doc Viewing, Gaming ................................................................................................. 15
2.1.1 Ensure "Block viewing corporate documents in unmanaged apps" is set to "Yes"
(Manual) ..................................................................................................................................... 16
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is set to "Yes" (Manual) ............. 18
2.1.3 Ensure "Allow copy/paste to be affected by managed open-in" is set to "Yes" (Manual) 20
2.2 Built-in Apps ................................................................................................................................... 22
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes" (Manual) ................................. 23
2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes" (Manual) .................................... 25
2.3 Cloud and Storage .......................................................................................................................... 27
2.3.1 Ensure "Force encrypted backup" is set to "Yes" (Manual) ............................................. 28
2.3.2 Ensure "Block managed apps from storing data in iCloud" is set to "Yes" (Manual) ....... 30

Page 2
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes" (Manual) .............................. 32
2.3.4 Ensure "Block notes and highlights sync for enterprise books" is set to "Yes" (Manual) 34
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes" (Manual) ........................................... 36
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes" (Manual) ......................................... 38
2.3.7 Ensure "Block My Photo Stream" is set to "Yes" (Manual) .............................................. 40
2.3.8 Ensure "Block Handoff" is set to "Yes" (Manual) ............................................................. 42
2.4 Connected Devices ........................................................................................................................ 44
2.4.1 Ensure "Force Apple Watch wrist detection" is set to "Yes" (Manual) ............................. 45
2.4.2 Ensure "Require AirPlay outgoing requests pairing password" is set to "Yes" (Manual) 47
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes" (Manual) .................................. 49
2.5 General ............................................................................................................................................ 51
2.5.1 Ensure "Block sending diagnostic and usage data to Apple" is set to "Yes" (Manual).... 52
2.5.2 Ensure "Block screenshots and screen recording" is set to "Yes" (Manual) ................... 54
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes" (Manual) ................................. 56
2.5.4 Ensure "Force limited ad tracking" is set to "Yes" (Manual) ............................................ 58
2.5.5 Ensure "Block trusting new enterprise app authors" is set to "Yes" (Manual) ................. 60
2.5.6 Ensure "Limit Apple personalized advertising" is set to "Yes" (Manual) .......................... 62
2.6 Locked Screen Experience ............................................................................................................ 64
2.6.1 Ensure "Block Control Center access in lock screen" is set to "Yes" (Manual) ............... 65
2.6.2 Ensure "Block Notifications Center access in lock screen" is set to "Yes" (Manual) ....... 67
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes" (Manual)................................. 69
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to "Yes" (Manual)..................... 71
2.7 Password ......................................................................................................................................... 73
2.7.1 Ensure "Require password" is set to "Yes" (Manual) ....................................................... 74
2.7.2 Ensure "Block simple passwords" is set to "Yes" (Manual) ............................................. 76
2.7.3 Ensure "Required password type" is set to "Alphanumeric" (Manual) ............................. 78
2.7.4 Ensure "Minimum password length" is set to "6" or greater (Manual) ............................. 80
2.7.5 Ensure "Maximum minutes after screen lock before password is required" is set to
"Immediately" (Manual) ............................................................................................................. 82
2.7.6 Ensure "Maximum minutes of inactivity until screen locks" is set to "2" or less (Manual)
................................................................................................................................................... 84
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to "Yes" (Manual) ........................... 86
2.8 Wireless ........................................................................................................................................... 88
2.8.1 Ensure "Block voice dialing while device is locked" is set to "Yes" (Manual) .................. 89
3 Recommendations for Supervised (Organization) Devices ............................................. 91
3.1 App Store, Doc Viewing, Gaming ................................................................................................. 92
3.1.1 Ensure "Block viewing corporate documents in unmanaged apps" is set to "Yes"
(Manual) ..................................................................................................................................... 93
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is set to "Yes" (Manual) ............. 95
3.1.3 Ensure "Allow copy/paste to be affected by managed open-in" is set to "Yes" (Manual) 97
3.1.4 Ensure "Block App Store" is set to "Yes" (Manual) .......................................................... 99
3.1.5 Ensure "Block access to network drive in Files app" is set to "Yes" (Manual)...............101
3.2 Built-in Apps .................................................................................................................................103
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes" (Manual) ...............................104
3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes" (Manual) ..................................106
3.3 Cloud and Storage ........................................................................................................................108
3.3.1 Ensure "Force encrypted backup" is set to "Yes" (Manual) ...........................................109
3.3.2 Ensure "Block managed apps from storing data in iCloud" is set to "Yes" (Manual) .....111
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes" (Manual) ............................113
3.3.4 Ensure "Block notes and highlights sync for enterprise books" is set to "Yes" (Manual)
.................................................................................................................................................115
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes" (Manual) .........................................117
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes" (Manual) .......................................119
3.3.7 Ensure "Block My Photo Stream" is set to "Yes" (Manual) ............................................121
3.3.8 Ensure "Block Handoff" is set to "Yes" (Manual) ...........................................................123

Page 3
3.3.9 Ensure "Block iCloud backup" is set to "Yes" (Manual) .................................................125
3.3.10 Ensure "Block iCloud document and data sync" is set to "Yes" (Manual) ...................127
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes" (Manual) ...................................129
3.4 Connected Devices ......................................................................................................................131
3.4.1 Ensure "Force Apple Watch wrist detection" is set to "Yes" (Manual) ...........................132
3.4.2 Ensure "Require AirPlay outgoing requests pairing password" is set to "Yes" (Manual)
.................................................................................................................................................134
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes" (Manual) ................................136
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is set to "Yes" (Manual) ............138
3.4.5 Ensure "Block access to USB drive in Files app" is set to "Yes" (Manual) ....................140
3.5 General ..........................................................................................................................................142
3.5.1 Ensure "Block sending diagnostic and usage data to Apple" is set to "Yes" (Manual)..143
3.5.2 Ensure "Block screenshots and screen recording" is set to "Yes" (Manual) .................145
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes" (Manual) ...............................147
3.5.4 Ensure "Force limited ad tracking" is set to "Yes" (Manual) ..........................................149
3.5.5 Ensure "Block trusting new enterprise app authors" is set to "Yes" (Manual) ...............151
3.5.6 Ensure "Limit Apple personalized advertising" is set to "Yes" (Manual) ........................153
3.5.7 Ensure "Block users from erasing all content and settings on device" is set to "Yes"
(Manual) ...................................................................................................................................155
3.5.8 Ensure "Block modification of device name" is set to "Yes" (Manual) ...........................157
3.5.9 Ensure "Block configuration profile changes" is set to "Yes" (Manual) ..........................159
3.5.10 Ensure "Allow activation lock" is set to "Yes" (Manual) ...............................................161
3.5.11 Ensure "Force automatic date and time" is set to "Yes" (Manual) ...............................163
3.5.12 Ensure "Block VPN creation" is set to "Yes" (Manual) .................................................165
3.6 Locked Screen Experience ..........................................................................................................167
3.6.1 Ensure "Block Control Center access in lock screen" is set to "Yes" (Manual) .............168
3.6.2 Ensure "Block Notifications Center access in lock screen" is set to "Yes" (Manual) .....170
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes" (Manual)...............................172
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to "Yes" (Manual)...................174
3.7 Password .......................................................................................................................................176
3.7.1 Ensure "Require password" is set to "Yes" (Manual) .....................................................177
3.7.2 Ensure "Block simple passwords" is set to "Yes" (Manual) ...........................................179
3.7.3 Ensure "Required password type" is set to "Alphanumeric" (Manual) ...........................181
3.7.4 Ensure "Minimum password length" is set to "6" or greater (Manual) ...........................183
3.7.5 Ensure "Maximum minutes after screen lock before password is required" is set to
"Immediately" (Manual) ...........................................................................................................185
3.7.6 Ensure "Maximum minutes of inactivity until screen locks" is set to "2" or less (Manual)
.................................................................................................................................................187
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to "Yes" (Manual) .........................189
3.7.8 Ensure "Block password proximity requests" is set to "Yes" (Manual) ..........................191
3.7.9 Ensure "Block password sharing" is set to "Yes" (Manual) ............................................193
3.7.10 Ensure "Require Touch ID or Face ID authentication for AutoFill of password or credit
card information" is set to "Yes" (Manual) ...............................................................................195
3.8 Wireless .........................................................................................................................................197
3.8.1 Ensure "Block voice dialing while device is locked" is set to "Yes" (Manual) ................198
3.9 Lock Screen Message ..................................................................................................................200
3.9.1 Ensure a "Lock Screen Message" has been set (Manual).............................................201
3.10 Additional Recommendations ...................................................................................................203
3.10.1 Ensure the ability to remove the management profile does not exist (Manual) ...........204
3.10.2 Ensure the ability to sync with computers has been blocked (Manual) .......................206
4 Recommendations for Compliance Policies .................................................................... 208
4.1 Ensure "Jailbroken devices" is set to "Block" (Manual).....................................................209
4.2 Ensure "Minimum OS version" or "Minimum OS build version" has been defined (Manual)
.................................................................................................................................................211
4.3 Ensure "Mark device noncompliant" is set to "Immediately" (Manual) .............................213

Page 4
4.4 Ensure "Send email to end user" is set to "3 days" or less (Manual)................................215
4.5 Ensure all devices are marked as "compliant" (Manual) ...................................................217
4.6 Ensure "Mark devices with no compliance policy assigned as" is set to "Not compliant"
(Manual) ...................................................................................................................................219
4.7 Ensure "Compliance status validity period (days)" is set to "7" or less (Manual) .............221
Appendix: Summary Table .......................................................................................... 223
Appendix: CIS Controls v7 IG 1 Mapped Recommendations ................................. 231
Appendix: CIS Controls v7 IG 2 Mapped Recommendations ................................. 234
Appendix: CIS Controls v7 IG 3 Mapped Recommendations ................................. 239
Appendix: CIS Controls v7 Unmapped Recommendations .................................... 244
Appendix: CIS Controls v8 IG 1 Mapped Recommendations ................................. 245
Appendix: CIS Controls v8 IG 2 Mapped Recommendations ................................. 250
Appendix: CIS Controls v8 IG 3 Mapped Recommendations ................................. 255
Appendix: CIS Controls v8 Unmapped Recommendations .................................... 260
Appendix: Change History .......................................................................................... 261

Page 5
Overview
All CIS Benchmarks focus on technical configuration settings used to maintain and/or
increase the security of the addressed technology, and they should be used in
conjunction with other essential cyber hygiene tasks like:
• Monitoring the base operating system for vulnerabilities and quickly updating with
the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating with
the latest security patches

In the end, the CIS Benchmarks are designed as a key component of a comprehensive
cybersecurity program.

This document, Security Configuration Benchmark for Intune Apple iOS 17 and iPadOS
17, provides prescriptive guidance for establishing a secure configuration posture for
both Apple iOS and iPadOS version 16 via enrollment within Microsoft Intune. This
guide was tested against Apple iOS 17 and iPadOS 17 using Microsoft Intune MDM
enrollment. This benchmark covers Apple iOS 17 and iPadOS 17 on all supported
devices.
The current guidance considers iOS and iPadOS devices as having the same use
cases and threat scenarios when determining recommendations. In nearly all instances,
the configuration steps, default settings, and benchmark recommended settings are
identical regardless of hardware platform or operating system. For the few cases where
variation exists, the benchmark notes differences within the respective section. To
obtain the latest version of this guide, please visit http://cisecurity.org. If you have
questions, comments, or have identified ways to improve this guide, please write us at
[email protected].

Intended Audience
This document is intended for system and application administrators, security
specialists, auditors, help desk, end users, and platform deployment personnel who
plan to use, develop, deploy, assess, or secure solutions that incorporate the
management of Apple iOS 17 or iPadOS 17 devices via MDM enrollment within
Microsoft Intune.

Page 6
Consensus Guidance
This CIS Benchmark was created using a consensus review process comprised of a
global community of subject matter experts. The process combines real world
experience with data-based information to create technology specific guidance to assist
users to secure their environments. Consensus participants provide perspective from a
diverse set of backgrounds including consulting, software development, audit and
compliance, security research, operations, government, and legal.
Each CIS Benchmark undergoes two phases of consensus review. The first phase
occurs during initial Benchmark development. During this phase, subject matter experts
convene to discuss, create, and test working drafts of the Benchmark. This discussion
occurs until consensus has been reached on Benchmark recommendations. The
second phase begins after the Benchmark has been published. During this phase, all
feedback provided by the Internet community is reviewed by the consensus team for
incorporation in the Benchmark. If you are interested in participating in the consensus
process, please visit https://workbench.cisecurity.org/.

Page 7
Typographical Conventions
The following typographical conventions are used throughout this guide:

Convention Meaning

Used for blocks of code, command, and script

Stylized Monospace font examples. Text should be interpreted exactly as
presented.

Monospace font Used for inline code, commands, or examples.

Text should be interpreted exactly as presented.

Italic texts set in angle brackets denote a variable

<italic font in brackets> requiring substitution for a real value.

Used to denote the title of a book, article, or other

Italic font
publication.

Note Additional information or caveats

Page 8
Recommendation Definitions
The following defines the various components included in a CIS recommendation as
applicable. If any of the components are not applicable it will be noted or the
component will not be included in the recommendation.

Title
Concise description for the recommendation's intended configuration.

Assessment Status
An assessment status is included for every recommendation. The assessment status
indicates whether the given recommendation can be automated or requires manual
steps to implement. Both statuses are equally important and are determined and
supported as defined below:

Automated
Represents recommendations for which assessment of a technical control can be fully
automated and validated to a pass/fail state. Recommendations will include the
necessary information to implement automation.

Manual
Represents recommendations for which assessment of a technical control cannot be
fully automated and requires all or some manual steps to validate that the configured
state is set as expected. The expected state can vary depending on the environment.

Profile
A collection of recommendations for securing a technology or a supporting platform.
Most benchmarks include at least a Level 1 and Level 2 Profile. Level 2 extends Level 1
recommendations and is not a standalone profile. The Profile Definitions section in the
benchmark provides the definitions as they pertain to the recommendations included for
the technology.

Description
Detailed information pertaining to the setting with which the recommendation is
concerned. In some cases, the description will include the recommended value.

Rationale Statement
Detailed reasoning for the recommendation to provide the user a clear and concise
understanding on the importance of the recommendation.

Page 9
Impact Statement
Any security, functionality, or operational consequences that can result from following
the recommendation.

Audit Procedure
Systematic instructions for determining if the target system complies with the
recommendation.

Remediation Procedure
Systematic instructions for applying recommendations to the target system to bring it
into compliance according to the recommendation.

Default Value
Default value for the given setting in this recommendation, if known. If not known, either
not configured or not defined will be applied.

References
Additional documentation relative to the recommendation.

CIS Critical Security Controls® (CIS Controls®)

The mapping between a recommendation and the CIS Controls is organized by CIS
Controls version, Safeguard, and Implementation Group (IG). The Benchmark in its
entirety addresses the CIS Controls safeguards of (v7) “5.1 - Establish Secure
Configurations” and (v8) '4.1 - Establish and Maintain a Secure Configuration Process”
so individual recommendations will not be mapped to these safeguards.

Additional Information
Supplementary information that does not correspond to any other field but may be
useful to the user.

Page 10
Profile Definitions
The following configuration profiles are defined by this Benchmark:

• Level 1 - Unsupervised Devices

Items in this profile apply to unsupervised (end-user owned/BYOD) Apple iOS 17

and iPadOS 17 devices and intend to:

o Be practical and prudent.

o Provide a clear security benefit.
o Not inhibit the utility of the technology beyond acceptable means.

• Level 2 - Unsupervised Devices

This profile extends the "Level 1 - Unsupervised Devices" profile. Items in this
profile apply to unsupervised (end-user owned/BYOD) Apple iOS 17 and iPadOS
17 devices and may:

o Be used for environments or use cases where security is paramount.

o Act as defense in depth measures.
o Negatively inhibit the utility or performance of the technology.

• Level 1 - Supervised Devices

Items in this profile apply to supervised (fully managed) Apple iOS 17 and
iPadOS 17 devices and intend to:

o Be practical and prudent.

o Provide a clear security benefit.
o Not inhibit the utility of the technology beyond acceptable means.

• Level 2 - Supervised Devices

This profile extends the "Level 1 - Supervised Devices" profile. Items in this
profile apply to supervised (fully managed) Apple iOS 17 and iPadOS 17 devices
and may:

o Be used for environments or use cases where security is paramount.

o Act as defense in depth measures.
o Negatively inhibit the utility or performance of the technology.

Page 11
Acknowledgements
This Benchmark exemplifies the great things a community of users, vendors, and
subject matter experts can accomplish through consensus collaboration. The CIS
community thanks the entire consensus team with special recognition to the following
individuals who contributed greatly to the creation of this guide:

Author
Lewis Hardy

Contributor
Ron Colvin, Ron Colvin
Kari Byrd
Phil Bain

Editor
Pierluigi Falcone CISSP, CISM, CRISC, GSTRT, CCSK, LA27001, SABSA Foundation
Edward Byrd , Center for Internet Security, New York

Page 12
Recommendations
1 Benchmark Guidance
Intune is a cloud endpoint management service produced by Microsoft. Intune supports
Apple iOS and iPadOS operating system software. Due to the near identical code base,
use cases, threat scenarios, and a shared configuration management mechanism within
Intune, the CIS Community offers guidance for both operating systems within this single
Intune MDM benchmark.
For those unfamiliar with using Intune for iOS and iPadOS device management, a
Configuration Profile must be created to apply to the device that is to be managed,
similar to a traditional software MDM (Mobile Device Management) solution (such as
Apple Configurator). This configuration profile is created within Intune, where device
restrictions and features can be individually configured. This configuration profile can
then apply to devices that have been enrolled within Intune using a scope. The device
will then have a management profile present listing restrictions that have been applied
to the device. A specific recommendation has been defined in this benchmark that
provides guidance on how to make this profile non-removable on supervised devices.
This benchmark defines what these device restrictions and features should be from a
security standpoint. Further guidance on securely applying the profile and compliance
policy guidance also exists in the benchmark.
This benchmark release continues to separate guidance for Unsupervised (BYOD) and
Supervised (Organization) devices. The intention is to scope security control
appropriateness by ownership model. This allows the benchmark to address the
differing use cases and threat profiles, as well as for an organization to maintain CIS
compliance for fully-managed Supervised (organization) devices, while also allowing
Unsupervised Bring-Your-Own-Devices (BYOD).
In order to securely manage a corporate device, the device must be supervised. This
should be a requirement of all institutionally-owned devices. Supervision is a specific
technical state of an iOS or iPadOS device. It does not refer to management via Intune.
Devices can be enrolled and supervised through methods such as Apple's Device
Enrollment Program (DEP), or on a per-device basis using Apple Configurator.
Unsupervised devices cannot have all the same security restrictions applied due to
device security limitations, therefore these devices should be treated as BYOD-only
devices with access to limited managed resources.
The Compliance Policy Guideline section includes material for both ownership states.
Thank you for taking the time to read this benchmark guidance.
The CIS Intune iOS and iPadOS Community

Page 13
2 Recommendations for Unsupervised (BYOD) Devices
This section provides both level 1 and level 2 recommendations for devices in an
unsupervised state. The term "unsupervised" is a specific technical designation
regarding the state of an iOS or iPadOS device and does not mean the device is
unmanaged. See the Benchmark Guidance section of this benchmark for clarification on
supervised and unsupervised states.

Page 14
2.1 App Store, Doc Viewing, Gaming

Page 15
2.1.1 Ensure "Block viewing corporate documents in unmanaged
apps" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents viewing corporate documents in unmanaged apps.

Rationale:
By default, depending on per-app policies, the OS might allow corporate documents to
be viewed in any app.
Impact:
Third-party keyboards may not function correctly with this restriction set.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Verify that Block viewing corporate documents in unmanaged apps is present
and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Opening documents from managed to unmanaged apps not allowed is
displayed

Page 16
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Block viewing corporate documents in unmanaged apps to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

Configure data access control lists based on a user’s need to know. Apply data
v8 access control lists, also known as access permissions, to local and remote file
● ● ●
systems, databases, and applications.

14.6 Protect Information through Access Control Lists

Protect all information stored on systems with file system, network share,
v7 claims, application, or database specific access control lists. These controls will
enforce the principle that only authorized individuals should have access to the
● ● ●
information based on their need to access the information as a part of their
responsibilities.

Page 17
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is set
to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This forces AirDrop to be considered an unmanaged drop target.

Rationale:
This stops managed apps data from being sent via Airdrop.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Verify that Treat AirDrop as an unmanaged destination is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Sharing managed documents using AirDrop not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 18
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 19
2.1.3 Ensure "Allow copy/paste to be affected by managed open-
in" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This enforces copy/paste restrictions based on configured Block viewing corporate
documents in unmanaged apps and Block viewing non-corporate documents in
corporate apps.
Rationale:
This can ensure that copy/paste restrictions set by managed apps are enforced.
Audit:

From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Verify that Allow copy/paste to be affected by managed open-in is present
and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Copy and paste are managed is displayed

Page 20
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Allow copy/paste to be affected by managed open-in to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 21
2.2 Built-in Apps

Page 22
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents access to Siri when the device is locked.

Rationale:
Accessing Siri on a locked device may allow unauthorized users to access information
otherwise not available to them, such as messaging, contacts, and a variety of other
data.
Impact:

The end user must unlock the device before interacting with Siri.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Built-in apps heading
6. Verify that Block Siri while device is locked is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Siri while locked not allowed is displayed

Page 23
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Built-in apps heading
6. Set Block Siri while device is locked to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

Assets
v8 Configure automatic session locking on enterprise assets after a defined period ● ● ●
of inactivity. For general purpose operating systems, the period must not exceed
15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 24
2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This enforces the feature to display fraud warnings within the Safari web browser.

Rationale:
Fraudulent websites masquerade as legitimate instances of financial, business, or other
sensitive sites. They are designed to capture user credentials, often through phishing
campaigns. Safari's fraudulent website warning feature helps protect end users from
such sites.
For increased security, the Safari web browser should be used to enforce fraud
warnings.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Built-in apps heading
6. Verify that Require Safari fraud warnings is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Safari fraud warning enforced is displayed

Page 25
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

9.4 Restrict Unnecessary or Unauthorized Browser and

Email Client Extensions
v8 Restrict, either through uninstalling or disabling, any unauthorized or ● ●
unnecessary browser or email client plugins, extensions, and add-on
applications.

7.2 Disable Unnecessary or Unauthorized Browser or

v7 Email Client Plugins
Uninstall or disable any unauthorized browser or email client plugins or add-
● ●
on applications.

Page 26
2.3 Cloud and Storage

Page 27
2.3.1 Ensure "Force encrypted backup" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This requires device backups to be stored in an encrypted state.
Rationale:
Data that are stored securely on an iOS or iPadOS device may be trivially accessed
from a local computer backup. Forcing the encryption of backups protects data from
being compromised if the local host computer is compromised.
Impact:
End users must configure a password for the encrypted backup, the complexity of which
is not managed.
Audit:

From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Cloud and Storage heading
6. Verify that Force encrypted backup is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Encrypted backups enforced is displayed

Page 28
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Force encrypted backup to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

11.3 Protect Recovery Data

v8 Protect recovery data with equivalent controls to the original data. Reference ● ● ●
encryption or data separation, based on requirements.

10.4 Ensure Protection of Backups

v7 Ensure that backups are properly protected via physical security or encryption
when they are stored, as well as when they are moved across the network. This
● ● ●
includes remote backups and cloud services.

Page 29
2.3.2 Ensure "Block managed apps from storing data in iCloud" is
set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents managed apps from storing and syncing data to the user's iCloud
account.
Rationale:
This recommendation addresses intentional or unintentional data leakage. It prevents a
user from installing an application that is managed by the organization on a personal
device and allowing iCloud to sync the managed application's data to the personal, non-
managed application.
Impact:
Data created within apps on the device may be lost if the end user has not transferred it
to another device.
Audit:

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Managed apps cloud sync not allowed is displayed

Page 30
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 31
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents backing up of enterprise books.

Rationale:
This recommendation addresses intentional or unintentional data leakage. It prevents a
user from backing up enterprise books (documents handled by the Books application).
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Backing up enterprise books not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 32
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 33
2.3.4 Ensure "Block notes and highlights sync for enterprise
books" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents syncing notes and highlights in enterprise books.

Rationale:
Notes and highlights of text created within enterprise books may contain sensitive
information that should not be backed up.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Synchronizing enterprise books notes and highlights not allowed
is displayed

Page 34
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 35
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents photo stream syncing to iCloud.
Rationale:
This stops the ability to share pictures and screenshots to cloud storage that can be
accessed outside your organization's network or devices.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Photo Stream not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 36
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 37
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents photo Library syncing to iCloud.
Rationale:
This stops the ability to share pictures and screenshots to cloud storage that can be
accessed outside your organization's network or devices.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm iCloud Photos not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 38
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 39
2.3.7 Ensure "Block My Photo Stream" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This disables iCloud Photo Sharing.
Rationale:
This stops the ability to share pictures and screenshots to cloud storage that can be
accessed outside your organization's network or devices.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Shared Streams not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 40
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 41
2.3.8 Ensure "Block Handoff" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This prevents Apple's Handoff data-sharing mechanism, allowing users to carry on
tasks on another iOS/iPadOS or macOS device.
Rationale:
Impact:

Handoff does not enforce managed application boundaries. This allows managed
application data to be moved to the unmanaged application space on another device,
which may allow for intentional or unintentional data leakage.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Handoff not allowed is displayed

Page 42
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 43
2.4 Connected Devices

Page 44
2.4.1 Ensure "Force Apple Watch wrist detection" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction forces wrist detection to be enabled to paired Apple Watches. When
enforced, the Apple Watch won't display notifications when it's not being worn. The
Apple Watch will also lock itself when it has been removed from a user's wrist.
Rationale:
Wrist detection prevents a removed Apple Watch from providing access to information
not otherwise available. It will also automatically lock if the watch was removed.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Force Apple Watch wrist detection is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Wrist detection enforced on Apple Watch is displayed

Page 45
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Connected devices heading
6. Set Force Apple Watch wrist detection to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 46
2.4.2 Ensure "Require AirPlay outgoing requests pairing
password" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction enforces the requirement of a pairing password when using AirPlay to
stream content to a new Apple device.
Rationale:
This will mitigate the risk of accidental casting of content to an incorrect screen. It will
also reduce the effectiveness of a spoofing style attack.
Impact:

Users will have to authenticate to new Airplay devices via a password before first use.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Require AirPlay outgoing requests pairing password is present
and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm AirPlay outgoing requests pairing password enforced is displayed

Page 47
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 48
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This will restrict users from being able to automatically unlock their Apple Watch when
they unlock their iOS/iPadOS device.
Rationale:
If an Apple Watch is connected to the user's iOS/iPadOS device, but is not on their
person, this could result in the user unintentionally unlocking their Apple Watch,
allowing access to sensitive information on the device.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Block Apple Watch auto unlock is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Phone auto unlock not allowed is displayed

Page 49
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 50
2.5 General

Page 51
2.5.1 Ensure "Block sending diagnostic and usage data to Apple"
is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
Apple provides a mechanism to send diagnostic and analytics data back to them in
order to help improve the platform. This information sent to Apple may contain internal
organizational information that should not be disclosed to third parties.
Rationale:
Organizations should have knowledge of what is shared with vendors and other third
parties, and should also be in full control of what is disclosed.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block sending diagnostic and usage data to Apple is present and
set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Diagnostic submission not allowed is displayed

Page 52
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block sending diagnostic and usage data to Apple to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.8 Uninstall or Disable Unnecessary Services on

Enterprise Assets and Software
v8 Uninstall or disable unnecessary services on enterprise assets and software, ● ●
such as an unused file sharing service, web application module, or service
function.

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 53
2.5.2 Ensure "Block screenshots and screen recording" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This recommendation limits screen recording and the ability to screenshot from the
device.
Rationale:
Sensitive information displayed on the device may be captured by screenshot or screen
recording into an unmanaged storage location intentionally or unintentionally by a user.
Impact:

Screenshots and screen recordings will be disabled entirely.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block screenshots and screen recording is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Screen capture not allowed is displayed

Page 54
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 55
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"
(Manual)
Profile Applicability:

• Level 2 - Unsupervised Devices

Description:
This recommendation blocks untrusted Transport Layer Security (TLS) certificates.

Rationale:
iOS devices maintain a list of trusted TLS certificate roots. An organization may choose
to add their own certificates to the list by using a configuration profile. Allowing users to
bypass that list and accept self-signed or otherwise unverified/invalid certificates may
increase the likelihood of an incident.

Impact:
The device automatically rejects untrusted HTTPS certificates without prompting the
user. Services using self-signed certificates will not function.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block untrusted TLS certificates is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Establishing untrusted TLS connections not allowed is displayed

Page 56
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

Establish and maintain a secure configuration process for enterprise assets
v8 (end-user devices, including portable and mobile, non-computing/IoT devices, and
servers) and software (operating systems and applications). Review and update
● ● ●
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 57
2.5.4 Ensure "Force limited ad tracking" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This recommendation disables the ad identifier that is used to link advertisement
information to a device.
Rationale:
Having this enabled allows ad companies to better track and harvest information from a
device.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Force limited ad tracking is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Requests to track from apps not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 58
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.8 Uninstall or Disable Unnecessary Services on

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 59
2.5.5 Ensure "Block trusting new enterprise app authors" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This recommendation disables application installation by end users from outside the
Apple App Store or Mobile Device Management (MDM) deployment.
Rationale:
Allowing application installation by end users from outside of the Apple App Store or
Mobile Device Management (MDM) may permit a user to intentionally or unintentionally
install a malicious application.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block trusting new enterprise app authors is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Trusting enterprise apps not allowed is displayed

Page 60
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

2.6 Address unapproved software

v7 Ensure that unauthorized software is either removed or the inventory is ● ● ●
updated in a timely manner

Page 61
2.5.6 Ensure "Limit Apple personalized advertising" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
Apple provides a framework that allows advertisers to target Apple users with
advertisements relevant to them and their interests by means of a unique identifier. For
such personalized advertisements to be delivered, however, detailed information is
collected, correlated, and made available to advertisers. This information is valuable to
both advertisers and attackers and has been used with other metadata to reveal users'
identities.
Rationale:
Disabling the use of a unique identifier helps hinder the tracking of users, which in turn
supports protection of user data.
Impact:
Users will see generic advertising rather than targeted advertising. Apple has warned
that this will reduce the number of relevant ads.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Limit Apple personalized advertising is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Apple personalized advertising not allowed is displayed

Page 62
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.8 Uninstall or Disable Unnecessary Services on

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 63
2.6 Locked Screen Experience

Page 64
2.6.1 Ensure "Block Control Center access in lock screen" is set
to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction prevents access to the Control Center on the lock screen.
Passcode/Face ID must be set for this to apply.
Rationale:
When a device is lost or stolen, the Control Center may be used to enable airplane
mode, thus preventing locating or erasing the device. Disabling Control Center forces a
malicious actor to power down the device, which then discards the encryption key in
memory. This makes some attacks based on physical possession more difficult. Further
information such as media recently played, alarm information, and latest calculator
history can also be seen.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Control Center access in lock screen is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Control Center on lock screen not allowed is displayed

Page 65
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Locked Screen Experience heading
6. Set Block Control Center access in lock screen to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 66
2.6.2 Ensure "Block Notifications Center access in lock screen" is
set to "Yes" (Manual)
Profile Applicability:

• Level 2 - Unsupervised Devices

Description:
This restriction prevents access to the Notifications Center on the lock screen. This
does not restrict or limit information displayed from notifications, only older notifications
that are stored in the notification center. This is usually visible by swiping up on the lock
screen.
Rationale:
This will block older notifications from being displayed on the lock screen. The
introduction of the notification center is a location where unaddressed notifications often
reside.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Notifications Center access in lock screen is present and
set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Notifications view on lock screen not allowed is displayed

Page 67
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 68
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction prevents access to the Today View and search on the lock screen. This
can be seen by swiping left on the lock screen. A Passcode/Face ID must be set for this
to apply.
Rationale:
This will block sensitive information from being displayed on the lock screen. Today
View allows widgets and reminders to be displayed, as well as the option to list installed
applications and other Siri suggestions.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Today view in lock screen is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Today view on lock screen not allowed is displayed

Page 69
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 70
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction prevents access to the Apple Wallet while the screen is locked.
Passcode/Face ID must be set for this to apply.
Rationale:
This will block the option for the Apple Wallet to be used while the screen is locked.
Impact:
The device will need to be unlocked to access the Wallet.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Wallet notifications in lock screen is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Passbook not allowed is displayed

Page 71
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 72
2.7 Password

Page 73
2.7.1 Ensure "Require password" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction enforces a password to be set on the device.
Rationale:
This will block the option for the device to be used without a password.
Impact:

A user will need to set a password to use the device.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Password heading
6. Verify that Require password is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Passcode required is present and its value is yes

Page 74
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Password heading
6. Set Require password to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

v8 Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a
● ● ●
14-character password for accounts not using MFA.

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 75
2.7.2 Ensure "Block simple passwords" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction enforces a block on simple passwords on the device. Passwords such
as 1234 and 0000 would be blocked.
Rationale:
This will block the option for a simple password to be used on the device.

Impact:
Those with passwords that do not meet this requirement will be prompted to set a new
device password.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Simple passcodes allowed is present and its value is no

Page 76
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 77
2.7.3 Ensure "Required password type" is set to "Alphanumeric"
(Manual)
Profile Applicability:

• Level 2 - Unsupervised Devices

Description:
This restriction enforces an alphanumeric password on the device. Numeric-only
passcode pins would not be allowed.
Rationale:
Alphanumeric passwords provide a greater security posture by increasing the number of
possible combinations, as well as not providing an indicator of password length.
Impact:

Those with passwords that do not meet this requirement will be prompted to set a new
device password.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Alphanumeric required is present and its value is yes

Page 78
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 79
2.7.4 Ensure "Minimum password length" is set to "6" or greater
(Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction requires the password length set on the device to be 6 or greater.

Rationale:
Longer passwords provide a greater security posture by increasing the number of
possible combinations.
Impact:
Those with passwords that do not meet this requirement will be prompted to set a new
device password.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Minimum length is present and its value is 6 or greater

Page 80
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 81
2.7.5 Ensure "Maximum minutes after screen lock before
password is required" is set to "Immediately" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction disables any grace period where a password is not required to be
entered after the screen has locked.
Rationale:
This would make it impossible for the device to be picked up and used after the screen
has locked.
Audit:

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Max grace period is present and its value is Immediately

Page 82
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 83
2.7.6 Ensure "Maximum minutes of inactivity until screen locks" is
set to "2" or less (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction sets the maximum time of inactivity before the device will be
automatically locked.
Rationale:
This would mitigate the concern of an unattended device being picked up and used, as
the window of inactivity has been set.
Impact:

This is not enforced during certain activities, such as watching video content.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Max inactivity is present and its value is 2 minutes

Page 84
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 85
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to "Yes"
(Manual)
Profile Applicability:

• Level 2 - Unsupervised Devices

Description:
This restriction blocks Touch ID and Face ID being used to unlock the device. A
standard passcode/password will be the only form of authentication to unlock the
device.
If this is not set, passcode/password will still be required after a device power-cycles or
the device has been reported as lost.
Rationale:

This would address the concern of a malicious individual using the face/touch
identification of the device owner as a means of authentication for the device.
Impact:
A passcode/password will be required to unlock the device.
Audit:

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Touch ID unlock not allowed is displayed

Page 86
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 87
2.8 Wireless

Page 88
2.8.1 Ensure "Block voice dialing while device is locked" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Unsupervised Devices

Description:
This restriction blocks initiating phone calls from a locked device. Voice dialing is
handled separately from Siri.
Rationale:
Allowing calls from a locked device may allow for the impersonation of the device
owner, or other malicious actions.
Audit:

From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Wireless heading
6. Verify that Block voice dialing while device is locked is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Voice dialing while locked not allowed is displayed

Page 89
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Wireless heading
6. Set Block voice dialing while device is locked to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 90
3 Recommendations for Supervised (Organization) Devices
This section provides both level 1 and level 2 recommendations for devices in a
supervised state. The term "supervised" is a specific technical designation in regard to
the state of an iOS or iPadOS device and is generally only applied to institutionally-
owned devices. See the Benchmark Guidance section of this benchmark for clarification
on supervised and unsupervised states.

Page 91
3.1 App Store, Doc Viewing, Gaming

Page 92
3.1.1 Ensure "Block viewing corporate documents in unmanaged
apps" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents viewing corporate documents in unmanaged apps.

Rationale:
By default, depending on per app policies, the OS might allow corporate documents to
be viewed in any app.
Impact:
Third party keyboards may not function correctly with this restriction set.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Opening documents from managed to unmanaged apps not allowed is
displayed

Page 93
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 94
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is set
to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This forces AirDrop to be considered an unmanaged drop target.

Rationale:
This stops managed apps data from being sent via Airdrop.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Verify that Treat AirDrop as an unmanaged destination is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Sharing managed documents using AirDrop not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 95
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 96
3.1.3 Ensure "Allow copy/paste to be affected by managed open-
in" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Verify that Allow copy/paste to be affected by managed open-in is present
and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Copy and paste are managed is displayed

Page 97
Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Allow copy/paste to be affected by managed open-in to Yes

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 98
3.1.4 Ensure "Block App Store" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents access to the App Store on supervised devices.
Rationale:
Blocking the App Store will deny users the ability to install apps that have not been
explicitly approved by the organization. Allowing users to install apps could introduce
malicious applications designed to exfiltrate information intentionally or unintentionally
by a user.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Installing apps not allowed is displayed

Remediation:

From the Microsoft Intune admin center:

Page 99
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

2.6 Address unapproved software

v7 Ensure that unauthorized software is either removed or the inventory is ● ● ●
updated in a timely manner

Page 100
3.1.5 Ensure "Block access to network drive in Files app" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents access to networked file shares, such as SMB network drives.

Rationale:
Network drives can be used as an unmanaged storage location for transferring data to
and from iOS/iPadOS devices.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Verify that Block access to network drive in Files app is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Network drives not accessible in Files app is displayed

Remediation:
From the Microsoft Intune admin center:

Page 101
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

1.2 Address Unauthorized Assets

v8 Ensure that a process exists to address unauthorized assets on a weekly
basis. The enterprise may choose to remove the asset from the network, deny the
● ● ●
asset from connecting remotely to the network, or quarantine the asset.

13.3 Monitor and Block Unauthorized Network Traffic

v7 Deploy an automated tool on network perimeters that monitors for
unauthorized transfer of sensitive information and blocks such transfers while
●
alerting information security professionals.

Page 102
3.2 Built-in Apps

Page 103
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents access to Siri when the device is locked.

Rationale:
Accessing Siri on a locked device may allow unauthorized users to access information
otherwise not available to them, such as messaging, contacts, and a variety of other
data.
Impact:

The end user must unlock the device before interacting with Siri.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Siri while locked not allowed is displayed

Page 104
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 105
3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This enforces the feature to display fraud warnings within the Safari web browser.

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Built-in apps heading
6. Verify that Require Safari fraud warnings is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Safari fraud warning enforced is displayed

Page 106
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

9.4 Restrict Unnecessary or Unauthorized Browser and

Email Client Extensions
v8 Restrict, either through uninstalling or disabling, any unauthorized or ● ●
unnecessary browser or email client plugins, extensions, and add-on
applications.

7.2 Disable Unnecessary or Unauthorized Browser or

v7 Email Client Plugins
Uninstall or disable any unauthorized browser or email client plugins or add-
● ●
on applications.

Page 107
3.3 Cloud and Storage

Page 108
3.3.1 Ensure "Force encrypted backup" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Encrypted backups enforced is displayed

Page 109
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

11.3 Protect Recovery Data

v8 Protect recovery data with equivalent controls to the original data. Reference ● ● ●
encryption or data separation, based on requirements.

10.4 Ensure Protection of Backups

Page 110
3.3.2 Ensure "Block managed apps from storing data in iCloud" is
set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Managed apps cloud sync not allowed is displayed

Page 111
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 112
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents backing up of enterprise books.

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Backing up enterprise books not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 113
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 114
3.3.4 Ensure "Block notes and highlights sync for enterprise
books" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents syncing notes and highlights in enterprise books.

Rationale:
Notes and highlights of text created within enterprise books may contain sensitive
information that should not be backed up.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Synchronizing enterprise books notes and highlights not allowed
is displayed

Page 115
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 116
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Photo Stream not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 117
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 118
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm iCloud Photos not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 119
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 120
3.3.7 Ensure "Block My Photo Stream" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Shared Streams not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 121
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 122
3.3.8 Ensure "Block Handoff" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents Apple's Handoff data-sharing mechanism, allowing users to carry on
tasks on another iOS/iPadOS or macOS device.
Rationale:
Impact:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Handoff not allowed is displayed

Page 123
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 124
3.3.9 Ensure "Block iCloud backup" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents the function of iCloud on the device being backed up to iCloud.
Rationale:
iCloud backups are encrypted in transit and at rest within Apple's infrastructure, but
there is no protection against restoring a backup to an unmanaged device. This
potentially allows for intentional or unintentional data leakage.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm iCloud backup not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 125
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 126
3.3.10 Ensure "Block iCloud document and data sync" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents syncing of documents and data to iCloud.

Rationale:
Managed devices are often connected to personal iCloud accounts. This is expected
and normal. The data from managed devices, however, should not co-mingle with the
end-user's personal data. This creates a potential avenue for intentional or unintentional
data leakage.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Documents in the Cloud not allowed is displayed

Page 127
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

13.4 Only Allow Access to Authorized Cloud Storage or

v7 Email Providers ● ●
Only allow access to authorized cloud storage or email providers.

Page 128
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This prevents syncing of credentials with the iCloud Keychain. Keychain allows
passwords associated with an Apple ID to be saved and available for use to the
authenticated user for the Apple account.
Rationale:
Enterprise credentials may be stored within Keychain, resulting in these credentials
being stored within a user's Apple ID.
Managed devices are often connected to personal iCloud accounts. This is expected
and normal. The credentials from managed devices, however, should not co-mingle with
the end-user's personal data. This creates a potential avenue for intentional or
unintentional data leakage.
Audit:

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm iCloud Keychain not allowed is displayed

Page 129
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

4.8 Uninstall or Disable Unnecessary Services on

v8 Enterprise Assets and Software
Uninstall or disable unnecessary services on enterprise assets and software,
● ●
such as an unused file sharing service, web application module, or service function.

15.3 Classify Service Providers

Classify service providers. Classification consideration may include one or more
v8 characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
● ●
classifications annually, or when significant enterprise changes occur that could
impact this Safeguard.

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 130
3.4 Connected Devices

Page 131
3.4.1 Ensure "Force Apple Watch wrist detection" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Wrist detection enforced on Apple Watch is displayed

Page 132
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 133
3.4.2 Ensure "Require AirPlay outgoing requests pairing
password" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Users will have to authenticate to new Airplay devices via a password before first use.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Require AirPlay outgoing requests pairing password is present
and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm AirPlay outgoing requests pairing password enforced is displayed

Page 134
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 135
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Block Apple Watch auto unlock is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Phone auto unlock not allowed is displayed

Page 136
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 137
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is set
to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This blocks the iBeacon function that allows users to discover nearby AirPrint Printers.

Rationale:
This will aim to prevent malicious network traffic phishing attacks using AirPrint
beacons.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Block iBeacon discovery of AirPrint printers is present and set
to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm AirPrint iBeacon discovery now allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 138
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 139
3.4.5 Ensure "Block access to USB drive in Files app" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This will prevent the Files app from accessing USB media to view and/or transfer files.

Rationale:
The Files app provides a local file system and interface to USB media for iOS and
iPadOS devices. In environments with sensitive data and strict data loss prevention
policies, disabling the use of USB media with such devices may reduce the risk of
intentional or unintentional data leakage.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Connected devices heading
6. Verify that Block access to USB drive in Files app is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm USB drives not accessible in Files app is displayed

Page 140
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

1.2 Address Unauthorized Assets

13.7 Manage USB Devices

v7 If USB storage devices are required, enterprise software should be used that
can configure systems to allow the use of specific devices. An inventory of such
● ●
devices should be maintained.

Page 141
3.5 General

Page 142
3.5.1 Ensure "Block sending diagnostic and usage data to Apple"
is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
Apple provides a mechanism to send diagnostic and analytics data back to them in
order help improve the platform. This information sent to Apple may contain internal
organizational information that should not be disclosed to third parties.
Rationale:
Organizations should have knowledge of what is shared with vendors and other third
parties, and should also be in full control of what is disclosed.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Diagnostic submission not allowed is displayed

Page 143
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.8 Uninstall or Disable Unnecessary Services on

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 144
3.5.2 Ensure "Block screenshots and screen recording" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Screenshots and screen recordings will be disabled entirely.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block screenshots and screen recording is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Screen capture not allowed is displayed

Page 145
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 146
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"
(Manual)
Profile Applicability:

• Level 2 - Supervised Devices

Description:
This recommendation blocks untrusted Transport Layer Security (TLS) certificates.

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block untrusted TLS certificates is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Establishing untrusted TLS connections not allowed is displayed

Page 147
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 148
3.5.4 Ensure "Force limited ad tracking" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Force limited ad tracking is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Requests to track from apps not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 149
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.8 Uninstall or Disable Unnecessary Services on

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 150
3.5.5 Ensure "Block trusting new enterprise app authors" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block trusting new enterprise app authors is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Trusting enterprise apps not allowed is displayed

Page 151
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.3 Address Unauthorized Software

v8 Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more
● ● ●
frequently.

2.6 Address unapproved software

v7 Ensure that unauthorized software is either removed or the inventory is ● ● ●
updated in a timely manner

Page 152
3.5.6 Ensure "Limit Apple personalized advertising" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Limit Apple personalized advertising is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Apple personalized advertising not allowed is displayed

Page 153
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.8 Uninstall or Disable Unnecessary Services on

9.2 Ensure Only Approved Ports, Protocols and Services

v7 Are Running
Ensure that only network ports, protocols, and services listening on a system
● ●
with validated business needs, are running on each system.

Page 154
3.5.7 Ensure "Block users from erasing all content and settings on
device" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction prevents the "erase all content and settings" option on devices.

Rationale:
An organization-owned device should not allow an end user to destroy data and/or
repurpose the device.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block users from erasing all content and settings on device is
present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Erase content and settings not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 155
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 156
3.5.8 Ensure "Block modification of device name" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction prevents a user from having the ability to change the name of the
device. The device name is visible and can be changed from this location: Settings >
General > About
Rationale:
Giving users the ability to change their device name at any point may hinder the
functionality of device identification and asset tracking.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block modification of device name is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Device name modification not allowed is displayed

Page 157
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

1.1 Establish and Maintain Detailed Enterprise Asset

Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all
enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT
devices, and servers. Ensure the inventory records the network address (if static),
v8 hardware address, machine name, enterprise asset owner, department for each ● ● ●
asset, and whether the asset has been approved to connect to the network. For
mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure
physically, virtually, remotely, and those within cloud environments. Additionally, it
includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and
update the inventory of all enterprise assets bi-annually, or more frequently.

9.1 Associate Active Ports, Services and Protocols to Asset

v7 Inventory
Associate active ports, services and protocols to the hardware assets in the
● ●
asset inventory.

Page 158
3.5.9 Ensure "Block configuration profile changes" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction prevents a user from intentionally or unintentionally installing additional
configuration profiles.
Rationale:
This adds an additional security control, so third-party and potentially malicious
configuration profiles can not be installed.
Impact:

Some services, such as WiFi access points that have been configured requiring a user
to install a configuration profile, may be prevented from working by blocking their
configuration profiles.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Block configuration profile changes is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Installing configuration profiles not allowed is displayed

Page 159
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 160
3.5.10 Ensure "Allow activation lock" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction enables Activation Lock on devices. This feature is commonly seen
when a device is marked as lost in the Apple Find My app.
Rationale:
The Activation Lock feature increases the security of the device, and restricts
functionality if the device has been marked as lost or stolen.
Audit:
From the Microsoft Intune admin center:

This restriction can not be audited from the device.

Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured

Page 161
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.13 Deploy a Data Loss Prevention Solution

Implement an automated tool, such as a host-based Data Loss Prevention
v8 (DLP) tool to identify all sensitive data stored, processed, or transmitted through ●
enterprise assets, including those located onsite or at a remote service provider,
and update the enterprise's sensitive data inventory.

14.5 Utilize an Active Discovery Tool to Identify Sensitive

Data
v7 Utilize an active discovery tool to identify all sensitive information stored, ●
processed, or transmitted by the organization's technology systems, including
those located onsite or at a remote service provider and update the organization's
sensitive information inventory.

Page 162
3.5.11 Ensure "Force automatic date and time" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction forces automatic date and time to be used on the device. The time zone
updates only when the device can determine its location, such as when a device has a
cellular connection or a Wi-Fi connection with location services enabled.
Rationale:
Correct date and time settings are required for authentication protocols, file creation,
modification dates, and log entries. Having this information accurate is important in
incident response and forensic investigations.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the General heading
6. Verify that Force automatic date and time is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Automatic date & time enforced is displayed

Page 163
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

8.4 Standardize Time Synchronization

v8 Standardize time synchronization. Configure at least two synchronized time ● ●
sources across enterprise assets, where supported.

6.1 Utilize Three Synchronized Time Sources

v7 Use at least three synchronized time sources from which all servers and
network devices retrieve time information on a regular basis so that timestamps
● ●
in logs are consistent.

Page 164
3.5.12 Ensure "Block VPN creation" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction prevents a user from intentionally or unintentionally creating VPN
configuration.
Rationale:
A VPN configuration can route traffic via unsecure systems if this has not been
configured safely.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm VPN creation not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 165
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.10 Encrypt Sensitive Data in Transit

v8 Encrypt sensitive data in transit. Example implementations can include: ● ●
Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

v7 14.4 Encrypt All Sensitive Information in Transit ● ●

Encrypt all sensitive information in transit.

Page 166
3.6 Locked Screen Experience

Page 167
3.6.1 Ensure "Block Control Center access in lock screen" is set
to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Control Center on lock screen not allowed is displayed

Page 168
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 169
3.6.2 Ensure "Block Notifications Center access in lock screen" is
set to "Yes" (Manual)
Profile Applicability:

• Level 2 - Supervised Devices

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Notifications Center access in lock screen is present and
set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Notifications view on lock screen not allowed is displayed

Page 170
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 171
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Today view in lock screen is present and set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Today view on lock screen not allowed is displayed

Page 172
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 173
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Locked Screen Experience heading
6. Verify that Block Wallet notifications in lock screen is present and set to
Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Passbook not allowed is displayed

Page 174
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 175
3.7 Password

Page 176
3.7.1 Ensure "Require password" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction enforces a password to be set on the device.
Rationale:
This will block the option for the device to be used without a password.
Impact:

A user will need to set a password to use the device.

Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Passcode required is present and its value is yes

Page 177
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 178
3.7.2 Ensure "Block simple passwords" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Impact:
Those with passwords that do not meet this requirement will be prompted to set a new
device password.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Simple passcodes allowed is present and its value is no

Page 179
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 180
3.7.3 Ensure "Required password type" is set to "Alphanumeric"
(Manual)
Profile Applicability:

• Level 2 - Supervised Devices

Those with passwords that do not meet this requirement will be prompted to set a new
device password.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Alphanumeric required is present and its value is yes

Page 181
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 182
3.7.4 Ensure "Minimum password length" is set to "6" or greater
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction requires the password length set on the device to be 6 or greater.

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Minimum length is present and its value is 6 or greater

Page 183
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

5.2 Use Unique Passwords

4.4 Use Unique Passwords

v7 Where multi-factor authentication is not supported (such as local administrator,
root, or service accounts), accounts will use passwords that are unique to that
● ●
system.

Page 184
3.7.5 Ensure "Maximum minutes after screen lock before
password is required" is set to "Immediately" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Max grace period is present and its value is Immediately

Page 185
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 186
3.7.6 Ensure "Maximum minutes of inactivity until screen locks" is
set to "2" or less (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction sets the maximum time of inactivity before the device will be
automatically locked.
Rationale:
This would mitigate the concern of a unattended device being picked up and used, as
the window of inactivity has been set.
Impact:

This is not enforced during certain activities, such as watching video content.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Tap Passcode
7. Confirm Max inactivity is present and its value is 2 minutes

Page 187
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 188
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to "Yes"
(Manual)
Profile Applicability:

• Level 2 - Supervised Devices

Description:
This restriction blocks Touch ID and Face ID being used to unlock the device. A
standard passcode/password will be the only form of authentication to unlock the
device.
If this is not set, passcode/password will still be required after a device power-cycle or
the device has been reported as lost.
Rationale:

This would address the concern of a malicious individual using the face/touch
identification of the device owner as a means of authentication to the device.
Impact:
A passcode/password will be required to unlock the device.
Audit:

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Touch ID unlock not allowed is displayed

Page 189
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 190
3.7.8 Ensure "Block password proximity requests" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction prevents proximity-based password sharing for nearby devices.

Rationale:
Access to systems and applications should be provisioned by role, with credentials only
being transferred through supported credential management systems. Additionally,
credential sharing requests may be exploited through social engineering.
Audit:

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Proximity password requests not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 191
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

13.5 Manage Access Control for Remote Assets

Manage access control for assets remotely connecting to enterprise resources.
v8 Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
● ●
configuration process, and ensuring the operating system and applications are up-
to-date.

12.12 Manage All Devices Remotely Logging into Internal

Network
v7 Scan all enterprise devices remotely logging into the organization's network ●
prior to accessing the network to ensure that each of the organization's security
policies has been enforced in the same manner as local network devices.

Page 192
3.7.9 Ensure "Block password sharing" is set to "Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction prevents sharing credentials between devices, such as via AirDrop.
Rationale:
Access to systems and applications should be provisioned by role, with credentials only
being transferred through supported credential management systems. Additionally,
credential sharing requests may be exploited through social engineering.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Password Sharing is not allowed is displayed

Remediation:
From the Microsoft Intune admin center:

Page 193
Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

13.5 Manage Access Control for Remote Assets

14.3 Train Workforce Members on Authentication Best

v8 Practices
Train workforce members on authentication best practices. Example topics
● ● ●
include MFA, password composition, and credential management.

12.12 Manage All Devices Remotely Logging into Internal

Network
v7 Scan all enterprise devices remotely logging into the organization's network prior ●
to accessing the network to ensure that each of the organization's security policies
has been enforced in the same manner as local network devices.

17.5 Train Workforce on Secure Authentication

v7 Train workforce members on the importance of enabling and utilizing secure ● ● ●
authentication.

Page 194
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to "Yes"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This restriction forces an authentication prompt before each AutoFill operation.
Rationale:
A device may be accessed by an unauthorized user while unlocked. This
recommendation provides defense-in-depth by forcing re-authentication before
credentials will be populated by AutoFill.
Audit:
From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Authentication before Auto Filling passwords enforced is displayed

Page 195
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

3.3 Configure Data Access Control Lists

14.6 Protect Information through Access Control Lists

Page 196
3.8 Wireless

Page 197
3.8.1 Ensure "Block voice dialing while device is locked" is set to
"Yes" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

From the Microsoft Intune admin center:

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Tap Restrictions
6. Confirm Voice dialing while locked not allowed is displayed

Page 198
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 199
3.9 Lock Screen Message

Page 200
3.9.1 Ensure a "Lock Screen Message" has been set (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation applies to configuring a lock screen message.
Rationale:
A lock screen message will allow an honest bystander to more easily return a lost
device. This message need not identify the owner by name, but should reference a
phone number or email address to contact (for example, the help desk of an
organization).
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the device features profile which applies to the iOS/iPadOS device
4. Under Configuration settings
5. Select the Lock Screen Message heading
6. Verify that "If Lost, Return to..." Message is present and has an appropriate
message associated with it

Or, from the device:

1. Wake the device

2. Verify on the lock screen that an appropriate message is displayed

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Lock Screen Message heading
6. Set "If Lost, Return to..." Message with an appropriate message

Default Value:
Not configured

Page 201
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.3 Configure Automatic Session Locking on Enterprise

v7 16.11 Lock Workstation Sessions After Inactivity ● ● ●

Automatically lock workstation sessions after a standard period of inactivity.

Page 202
3.10 Additional Recommendations

Page 203
3.10.1 Ensure the ability to remove the management profile does
not exist (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation denies the ability remove an installed configuration profile.

Rationale:
Removal of the configuration profile (and all of it's configured security restrictions)
should be at the discretion of the organization, not the end user, in order to prevent
greatly weakening the device's security and exposing its data.
Audit:

From the Microsoft Intune admin center:

1. Select Devices
2. Select iOS/iPadOS
3. Select iOS/iPadOS enrollment
4. Select Enrollment program tokens
5. Select the enrollment token which applies to the iOS/iPadOS device
6. Select Profiles
7. Select the profile which applies to the iOS/iPadOS device
8. Select Properties
9. Ensure Locked enrollment is set to Yes

Or, from the device:

1. Tap Settings
2. Tap General
3. Tap VPN & Device Management
4. Tap <Profile Name>
5. Confirm the Remove Management button is not displayed

Page 204
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
References:

1. https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-
program-enroll-ios#create-an-apple-enrollment-profile

CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 205
3.10.2 Ensure the ability to sync with computers has been
blocked (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation prevents the transfer of data to and from the device.

Rationale:
This recommendation addresses intentional or unintentional data leakage. It prevents a
user from using a computer to transfer information to or from.
Impact:
This could potentially impact the use of recovery or forensic tools on locked or unlocked
devices.
Audit:
From the Microsoft Intune admin center:

This restriction can not be audited from the device.

Page 206
Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured
References:

1. https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-
program-enroll-ios#create-an-apple-enrollment-profile

CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

1.2 Address Unauthorized Assets

13.7 Manage USB Devices

v7 If USB storage devices are required, enterprise software should be used that
can configure systems to allow the use of specific devices. An inventory of such
● ●
devices should be maintained.

Page 207
4 Recommendations for Compliance Policies
This section provides both level 1 and level 2 Compliance Policy recommendations for
devices registered within Intune, regardless of whether they are in an supervised or
unsupervised state.

Page 208
4.1 Ensure "Jailbroken devices" is set to "Block" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation ensures that jailbroken devices have been blocked by the
organization via the compliance policy.
Rationale:
A jailbroken device may execute arbitrary code, compromise configuration profile
requirements, or open the device to exploits that are otherwise not possible.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Under the Compliance settings section
6. Under the Device Health heading
7. Verify that Jailbroken devices is present and set to Block

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Select Edit in the Compliance settings section
6. Under the Device Health heading
7. Set Jailbroken devices to Block

Default Value:
Not configured

Page 209
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

2.2 Ensure Authorized Software is Currently Supported

Ensure that only currently supported software is designated as authorized in the
software inventory for enterprise assets. If software is unsupported, yet necessary
v8 for the fulfillment of the enterprise’s mission, document an exception detailing ● ● ●
mitigating controls and residual risk acceptance. For any unsupported software
without an exception documentation, designate as unauthorized. Review the
software list to verify software support at least monthly, or more frequently.

2.2 Ensure Software is Supported by Vendor

Ensure that only software applications or operating systems currently supported
v7 by the software's vendor are added to the organization's authorized software ● ● ●
inventory. Unsupported software should be tagged as unsupported in the inventory
system.

Page 210
4.2 Ensure "Minimum OS version" or "Minimum OS build version"
has been defined (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation ensures that outdated devices that do not adhere to the defined
minimum OS version or minimum OS build version are blocked by the organization via
the compliance policy.
Rationale:
An up-to-date operating system helps provides the best possible protection against
cyber threats.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Under the Compliance settings section
6. Under the Device Properties heading
7. Verify that Minimum OS version or Minimum OS build version is present and set
to a value that is representative of a recent iOS/iPadOS version or build number.

Remediation:
From the Microsoft Intune admin center:

Default Value:
Not configured

Page 211
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

7.3 Perform Automated Operating System Patch

v8 Management
Perform operating system updates on enterprise assets through automated
● ● ●
patch management on a monthly, or more frequent, basis.

7.4 Perform Automated Application Patch Management

v8 Perform application updates on enterprise assets through automated patch ● ● ●
management on a monthly, or more frequent, basis.

3.4 Deploy Automated Operating System Patch

Management Tools
v7 Deploy automated software update tools in order to ensure that the operating ● ● ●
systems are running the most recent security updates provided by the software
vendor.

3.5 Deploy Automated Software Patch Management

Tools
v7 Deploy automated software update tools in order to ensure that third-party ● ● ●
software on all systems is running the most recent security updates provided by
the software vendor.

Page 212
4.3 Ensure "Mark device noncompliant" is set to "Immediately"
(Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation ensures that devices which aren't compliant with the applied
compliance policy are marked as not compliant immediately. Although this is the default,
there is an option for this to be set between immediately and 365 days.
Rationale:
As soon as a device is found to be non-compliant, it should be flagged immediately so
that attention can be raised to this device via manual or scheduled automatic actioning.

Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Under the Actions for noncompliance heading
6. Verify that Mark device noncompliant is present and set to Immediately

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Select Edit in the Actions for noncompliance section
6. Set Mark device noncompliant to 0 which will resolve to immediately

Default Value:

Immediately

Page 213
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 214
4.4 Ensure "Send email to end user" is set to "3 days" or less
(Manual)
Profile Applicability:

• Level 2 - Supervised Devices

Description:
This recommendation ensures that devices that have been marked as "not compliant"
will have an email sent to the assigned primary user of the device. An additional
recipient (e.g. SOC or Intune administrator) should also be set.
A message template must be created and selected.
Rationale:
Action on non-compliant devices should be taken as soon as feasibly possible to reduce
the impact of a device that is not compliant with the organization's compliance policy.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Under the Actions for noncompliance heading
6. Verify that Send email to end user is present and set to 3 days or less

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Properties
5. Select Edit in the Actions for noncompliance section
6. Set Send email to end user to 3 (or less) which will resolve to 3 days

Default Value:
Not configured

Page 215
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 216
4.5 Ensure all devices are marked as "compliant" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation ensures that devices that are not compliant to the compliance
policy are addressed by either being removed from the organization or ensuring they
meet the defined compliance policy.
Rationale:
Devices that aren't marked as compliant give an indicator as to which devices need
attention from endpoint administrators.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Device status
5. Verify that the compliance status of all devices are set to "Compliant"

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select the compliance policy which applies to the iOS/iPadOS device
4. Select Device status
5. Address "Not Compliant" devices by either removing them or ensuring they meet
the defiled compliance policy

Default Value:
Not configured

Page 217
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 218
4.6 Ensure "Mark devices with no compliance policy assigned as"
is set to "Not compliant" (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation ensures that devices that do not have a compliance policy
assigned to them are marked as not compliant.
Rationale:
This recommendation helps to ensure that devices that don't have a configuration policy
applied are marked as "Not Compliant" so they are able to be addressed by Intune
administrators.

Impact:
This applies to all compliance policies within the directory, regardless of device type.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select Compliance policy settings
4. Verify that Mark devices with no compliance policy assigned as is set to Not
compliant

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select Compliance policy settings
4. Set Mark devices with no compliance policy assigned as to Not compliant

Default Value:

Compliant

Page 219
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 220
4.7 Ensure "Compliance status validity period (days)" is set to "7"
or less (Manual)
Profile Applicability:

• Level 1 - Supervised Devices

Description:
This recommendation ensures that if devices do not check-in (report compliance status)
within the defined validity period, they are marked as not compliant.
Rationale:
This recommendation helps to ensure devices that have not reported compliance status
in 7 days are treated as not compliant. If the default of 30 days is used, this period of
time could mean devices may not follow compliance for up to 30 days before being
marked as not compliant.
Impact:
This applies to all compliance policies within the directory, regardless of device type.
Audit:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select Compliance policy settings
4. Verify that Compliance status validity period (days) is set to 7 or less

Remediation:
From the Microsoft Intune admin center:

1. Select Devices
2. Select Compliance policies
3. Select Compliance policy settings
4. Set Compliance status validity period (days) to 7 or less

Default Value:
30

Page 221
CIS Controls:

Controls
Control IG 1 IG 2 IG 3
Version

4.1 Establish and Maintain a Secure Configuration Process

5.1 Establish Secure Configurations

v7 Maintain documented, standard security configuration standards for all ● ● ●
authorized operating systems and software.

Page 222
Appendix: Summary Table
CIS Benchmark Recommendation Set
Correctly

Yes No

1 Benchmark Guidance

2 Recommendations for Unsupervised (BYOD) Devices

2.1 App Store, Doc Viewing, Gaming

2.1.1 Ensure "Block viewing corporate documents in  

unmanaged apps" is set to "Yes" (Manual)

2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is  

set to "Yes" (Manual)

2.1.3 Ensure "Allow copy/paste to be affected by managed  

open-in" is set to "Yes" (Manual)

2.2 Built-in Apps

2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  

(Manual)

2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  

(Manual)

2.3 Cloud and Storage

2.3.1 Ensure "Force encrypted backup" is set to "Yes"  

(Manual)

2.3.2 Ensure "Block managed apps from storing data in  

iCloud" is set to "Yes" (Manual)

2.3.3 Ensure "Block backup of enterprise books" is set to  

"Yes" (Manual)

2.3.4 Ensure "Block notes and highlights sync for enterprise  

books" is set to "Yes" (Manual)

2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  

(Manual)

Page 223
CIS Benchmark Recommendation Set
Correctly

Yes No

2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  

(Manual)

2.3.7 Ensure "Block My Photo Stream" is set to "Yes"  

(Manual)

2.3.8 Ensure "Block Handoff" is set to "Yes" (Manual)  

2.4 Connected Devices

2.4.1 Ensure "Force Apple Watch wrist detection" is set to  

"Yes" (Manual)

2.4.2 Ensure "Require AirPlay outgoing requests pairing  

password" is set to "Yes" (Manual)

2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  

(Manual)

2.5 General

2.5.1 Ensure "Block sending diagnostic and usage data to  

Apple" is set to "Yes" (Manual)

2.5.2 Ensure "Block screenshots and screen recording" is set  

to "Yes" (Manual)

2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  

(Manual)

2.5.4 Ensure "Force limited ad tracking" is set to "Yes"  

(Manual)

2.5.5 Ensure "Block trusting new enterprise app authors" is set  

to "Yes" (Manual)

2.5.6 Ensure "Limit Apple personalized advertising" is set to  

"Yes" (Manual)

2.6 Locked Screen Experience

Page 224
CIS Benchmark Recommendation Set
Correctly

Yes No

2.6.1 Ensure "Block Control Center access in lock screen" is  

set to "Yes" (Manual)

2.6.2 Ensure "Block Notifications Center access in lock  

screen" is set to "Yes" (Manual)

2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  

(Manual)

2.6.4 Ensure "Block Wallet notifications in lock screen" is set  

to "Yes" (Manual)

2.7 Password

2.7.1 Ensure "Require password" is set to "Yes" (Manual)  

2.7.2 Ensure "Block simple passwords" is set to "Yes"  

(Manual)

2.7.3 Ensure "Required password type" is set to  

"Alphanumeric" (Manual)

2.7.4 Ensure "Minimum password length" is set to "6" or  

greater (Manual)

2.7.5 Ensure "Maximum minutes after screen lock before  

password is required" is set to "Immediately" (Manual)

2.7.6 Ensure "Maximum minutes of inactivity until screen  

locks" is set to "2" or less (Manual)

2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to  

"Yes" (Manual)

2.8 Wireless

2.8.1 Ensure "Block voice dialing while device is locked" is set  

to "Yes" (Manual)

3 Recommendations for Supervised (Organization) Devices

3.1 App Store, Doc Viewing, Gaming

Page 225
CIS Benchmark Recommendation Set
Correctly

Yes No

3.1.1 Ensure "Block viewing corporate documents in  

unmanaged apps" is set to "Yes" (Manual)

3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is  

set to "Yes" (Manual)

3.1.3 Ensure "Allow copy/paste to be affected by managed  

open-in" is set to "Yes" (Manual)

3.1.4 Ensure "Block App Store" is set to "Yes" (Manual)  

3.1.5 Ensure "Block access to network drive in Files app" is  

set to "Yes" (Manual)

3.2 Built-in Apps

3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  

(Manual)

3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  

(Manual)

3.3 Cloud and Storage

3.3.1 Ensure "Force encrypted backup" is set to "Yes"  

(Manual)

3.3.2 Ensure "Block managed apps from storing data in  

iCloud" is set to "Yes" (Manual)

3.3.3 Ensure "Block backup of enterprise books" is set to  

"Yes" (Manual)

3.3.4 Ensure "Block notes and highlights sync for enterprise  

books" is set to "Yes" (Manual)

3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  

(Manual)

3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  

(Manual)

Page 226
CIS Benchmark Recommendation Set
Correctly

Yes No

3.3.7 Ensure "Block My Photo Stream" is set to "Yes"  

(Manual)

3.3.8 Ensure "Block Handoff" is set to "Yes" (Manual)  

3.3.9 Ensure "Block iCloud backup" is set to "Yes" (Manual)  

3.3.10 Ensure "Block iCloud document and data sync" is set to  

"Yes" (Manual)

3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  

(Manual)

3.4 Connected Devices

3.4.1 Ensure "Force Apple Watch wrist detection" is set to  

"Yes" (Manual)

3.4.2 Ensure "Require AirPlay outgoing requests pairing  

password" is set to "Yes" (Manual)

3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  

(Manual)

3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is  

set to "Yes" (Manual)

3.4.5 Ensure "Block access to USB drive in Files app" is set to  

"Yes" (Manual)

3.5 General

3.5.1 Ensure "Block sending diagnostic and usage data to  

Apple" is set to "Yes" (Manual)

3.5.2 Ensure "Block screenshots and screen recording" is set  

to "Yes" (Manual)

3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  

(Manual)

Page 227
CIS Benchmark Recommendation Set
Correctly

Yes No

3.5.4 Ensure "Force limited ad tracking" is set to "Yes"  

(Manual)

3.5.5 Ensure "Block trusting new enterprise app authors" is set  

to "Yes" (Manual)

3.5.6 Ensure "Limit Apple personalized advertising" is set to  

"Yes" (Manual)

3.5.7 Ensure "Block users from erasing all content and  

settings on device" is set to "Yes" (Manual)

3.5.8 Ensure "Block modification of device name" is set to  

"Yes" (Manual)

3.5.9 Ensure "Block configuration profile changes" is set to  

"Yes" (Manual)

3.5.10 Ensure "Allow activation lock" is set to "Yes" (Manual)  

3.5.11 Ensure "Force automatic date and time" is set to "Yes"  

(Manual)

3.5.12 Ensure "Block VPN creation" is set to "Yes" (Manual)  

3.6 Locked Screen Experience

3.6.1 Ensure "Block Control Center access in lock screen" is  

set to "Yes" (Manual)

3.6.2 Ensure "Block Notifications Center access in lock  

screen" is set to "Yes" (Manual)

3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  

(Manual)

3.6.4 Ensure "Block Wallet notifications in lock screen" is set  

to "Yes" (Manual)

3.7 Password

3.7.1 Ensure "Require password" is set to "Yes" (Manual)  

Page 228
CIS Benchmark Recommendation Set
Correctly

Yes No

3.7.2 Ensure "Block simple passwords" is set to "Yes"  

(Manual)

3.7.3 Ensure "Required password type" is set to  

"Alphanumeric" (Manual)

3.7.4 Ensure "Minimum password length" is set to "6" or  

greater (Manual)

3.7.5 Ensure "Maximum minutes after screen lock before  

password is required" is set to "Immediately" (Manual)

3.7.6 Ensure "Maximum minutes of inactivity until screen  

locks" is set to "2" or less (Manual)

3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to  

"Yes" (Manual)

3.7.8 Ensure "Block password proximity requests" is set to  

"Yes" (Manual)

3.7.9 Ensure "Block password sharing" is set to "Yes"  

(Manual)

3.7.10 Ensure "Require Touch ID or Face ID authentication for  

AutoFill of password or credit card information" is set to
"Yes" (Manual)

3.8 Wireless

3.8.1 Ensure "Block voice dialing while device is locked" is set  

to "Yes" (Manual)

3.9 Lock Screen Message

3.9.1 Ensure a "Lock Screen Message" has been set (Manual)  

3.10 Additional Recommendations

3.10.1 Ensure the ability to remove the management profile  

does not exist (Manual)

Page 229
CIS Benchmark Recommendation Set
Correctly

Yes No

3.10.2 Ensure the ability to sync with computers has been  

blocked (Manual)

4 Recommendations for Compliance Policies

4.1 Ensure "Jailbroken devices" is set to "Block" (Manual)  

4.2 Ensure "Minimum OS version" or "Minimum OS build  

version" has been defined (Manual)

4.3 Ensure "Mark device noncompliant" is set to  

"Immediately" (Manual)

4.4 Ensure "Send email to end user" is set to "3 days" or  

less (Manual)

4.5 Ensure all devices are marked as "compliant" (Manual)  

4.6 Ensure "Mark devices with no compliance policy  

assigned as" is set to "Not compliant" (Manual)

4.7 Ensure "Compliance status validity period (days)" is set  

to "7" or less (Manual)

Page 230
Appendix: CIS Controls v7 IG 1 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
2.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
2.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
2.3.1 Ensure "Force encrypted backup" is set to "Yes"  
2.3.8 Ensure "Block Handoff" is set to "Yes"  
2.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
2.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
2.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
2.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
2.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
2.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
2.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
2.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less

Page 231
Recommendation Set
Correctly
Yes No
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
2.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
3.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
3.1.4 Ensure "Block App Store" is set to "Yes"  
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
3.3.1 Ensure "Force encrypted backup" is set to "Yes"  
3.3.8 Ensure "Block Handoff" is set to "Yes"  
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  
3.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
3.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is
 
set to "Yes"
3.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
3.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
3.5.7 Ensure "Block users from erasing all content and settings
 
on device" is set to "Yes"
3.5.9 Ensure "Block configuration profile changes" is set to
 
"Yes"
3.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
3.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"

Page 232
Recommendation Set
Correctly
Yes No
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
3.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
3.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
3.7.9 Ensure "Block password sharing" is set to "Yes"  
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to  
"Yes"
3.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.9.1 Ensure a "Lock Screen Message" has been set  
3.10.1 Ensure the ability to remove the management profile
 
does not exist
4.1 Ensure "Jailbroken devices" is set to "Block"  
4.2 Ensure "Minimum OS version" or "Minimum OS build
 
version" has been defined
4.3 Ensure "Mark device noncompliant" is set to
 
"Immediately"
4.4 Ensure "Send email to end user" is set to "3 days" or less  
4.5 Ensure all devices are marked as "compliant"  
4.6 Ensure "Mark devices with no compliance policy
 
assigned as" is set to "Not compliant"
4.7 Ensure "Compliance status validity period (days)" is set
 
to "7" or less

Page 233
Appendix: CIS Controls v7 IG 2 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
2.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
2.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
2.3.1 Ensure "Force encrypted backup" is set to "Yes"  
2.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
2.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
2.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
2.3.8 Ensure "Block Handoff" is set to "Yes"  
2.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
2.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
2.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
2.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
2.5.4 Ensure "Force limited ad tracking" is set to "Yes"  

Page 234
Recommendation Set
Correctly
Yes No
2.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
2.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"
2.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
2.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
2.7.1 Ensure "Require password" is set to "Yes"  
2.7.2 Ensure "Block simple passwords" is set to "Yes"  
2.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
2.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
2.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
2.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
2.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
3.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
3.1.4 Ensure "Block App Store" is set to "Yes"  
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
3.3.1 Ensure "Force encrypted backup" is set to "Yes"  

Page 235
Recommendation Set
Correctly
Yes No
3.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
3.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
3.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
3.3.8 Ensure "Block Handoff" is set to "Yes"  
3.3.9 Ensure "Block iCloud backup" is set to "Yes"  
3.3.10 Ensure "Block iCloud document and data sync" is set to
 
"Yes"
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  
3.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
3.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is
 
set to "Yes"
3.4.5 Ensure "Block access to USB drive in Files app" is set to
 
"Yes"
3.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
3.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
3.5.4 Ensure "Force limited ad tracking" is set to "Yes"  
3.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
3.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"
3.5.7 Ensure "Block users from erasing all content and settings
 
on device" is set to "Yes"

Page 236
Recommendation Set
Correctly
Yes No
3.5.8 Ensure "Block modification of device name" is set to
 
"Yes"
3.5.9 Ensure "Block configuration profile changes" is set to
 
"Yes"
3.5.11 Ensure "Force automatic date and time" is set to "Yes"  
3.5.12 Ensure "Block VPN creation" is set to "Yes"  
3.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
3.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
3.7.1 Ensure "Require password" is set to "Yes"  
3.7.2 Ensure "Block simple passwords" is set to "Yes"  
3.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
3.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
3.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
3.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
3.7.9 Ensure "Block password sharing" is set to "Yes"  
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to  
"Yes"
3.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.9.1 Ensure a "Lock Screen Message" has been set  
3.10.1 Ensure the ability to remove the management profile
 
does not exist

Page 237
Recommendation Set
Correctly
Yes No
3.10.2 Ensure the ability to sync with computers has been
 
blocked
4.1 Ensure "Jailbroken devices" is set to "Block"  
4.2 Ensure "Minimum OS version" or "Minimum OS build
 
version" has been defined
4.3 Ensure "Mark device noncompliant" is set to
 
"Immediately"
4.4 Ensure "Send email to end user" is set to "3 days" or less  
4.5 Ensure all devices are marked as "compliant"  
4.6 Ensure "Mark devices with no compliance policy
 
assigned as" is set to "Not compliant"
4.7 Ensure "Compliance status validity period (days)" is set
 
to "7" or less

Page 238
Appendix: CIS Controls v7 IG 3 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
2.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
2.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
2.3.1 Ensure "Force encrypted backup" is set to "Yes"  
2.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
2.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
2.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
2.3.8 Ensure "Block Handoff" is set to "Yes"  
2.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
2.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
2.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
2.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
2.5.4 Ensure "Force limited ad tracking" is set to "Yes"  

Page 239
Recommendation Set
Correctly
Yes No
2.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
2.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"
2.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
2.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
2.7.1 Ensure "Require password" is set to "Yes"  
2.7.2 Ensure "Block simple passwords" is set to "Yes"  
2.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
2.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
2.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
2.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
2.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
3.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
3.1.4 Ensure "Block App Store" is set to "Yes"  
3.1.5 Ensure "Block access to network drive in Files app" is set
 
to "Yes"
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  

Page 240
Recommendation Set
Correctly
Yes No
3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
3.3.1 Ensure "Force encrypted backup" is set to "Yes"  
3.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
3.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
3.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
3.3.8 Ensure "Block Handoff" is set to "Yes"  
3.3.9 Ensure "Block iCloud backup" is set to "Yes"  
3.3.10 Ensure "Block iCloud document and data sync" is set to
 
"Yes"
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  
3.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
3.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is
 
set to "Yes"
3.4.5 Ensure "Block access to USB drive in Files app" is set to
 
"Yes"
3.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
3.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
3.5.4 Ensure "Force limited ad tracking" is set to "Yes"  
3.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
3.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"

Page 241
Recommendation Set
Correctly
Yes No
3.5.7 Ensure "Block users from erasing all content and settings
 
on device" is set to "Yes"
3.5.8 Ensure "Block modification of device name" is set to
 
"Yes"
3.5.9 Ensure "Block configuration profile changes" is set to
 
"Yes"
3.5.10 Ensure "Allow activation lock" is set to "Yes"  
3.5.11 Ensure "Force automatic date and time" is set to "Yes"  
3.5.12 Ensure "Block VPN creation" is set to "Yes"  
3.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
3.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
3.7.1 Ensure "Require password" is set to "Yes"  
3.7.2 Ensure "Block simple passwords" is set to "Yes"  
3.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
3.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
3.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
3.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
3.7.8 Ensure "Block password proximity requests" is set to
 
"Yes"
3.7.9 Ensure "Block password sharing" is set to "Yes"  
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to  
"Yes"

Page 242
Recommendation Set
Correctly
Yes No
3.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.9.1 Ensure a "Lock Screen Message" has been set  
3.10.1 Ensure the ability to remove the management profile
 
does not exist
3.10.2 Ensure the ability to sync with computers has been
 
blocked
4.1 Ensure "Jailbroken devices" is set to "Block"  
4.2 Ensure "Minimum OS version" or "Minimum OS build
 
version" has been defined
4.3 Ensure "Mark device noncompliant" is set to
 
"Immediately"
4.4 Ensure "Send email to end user" is set to "3 days" or less  
4.5 Ensure all devices are marked as "compliant"  
4.6 Ensure "Mark devices with no compliance policy
 
assigned as" is set to "Not compliant"
4.7 Ensure "Compliance status validity period (days)" is set
 
to "7" or less

Page 243
Appendix: CIS Controls v7 Unmapped
Recommendations
Recommendation Set
Correctly
Yes No
No unmapped recommendations to CIS Controls v7.0  

Page 244
Appendix: CIS Controls v8 IG 1 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
2.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
2.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
2.3.1 Ensure "Force encrypted backup" is set to "Yes"  
2.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
2.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
2.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
2.3.8 Ensure "Block Handoff" is set to "Yes"  
2.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
2.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
2.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
2.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
2.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"

Page 245
Recommendation Set
Correctly
Yes No
2.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
2.7.1 Ensure "Require password" is set to "Yes"  
2.7.2 Ensure "Block simple passwords" is set to "Yes"  
2.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
2.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
2.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
2.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
2.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
3.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
3.1.4 Ensure "Block App Store" is set to "Yes"  
3.1.5 Ensure "Block access to network drive in Files app" is set
 
to "Yes"
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
3.3.1 Ensure "Force encrypted backup" is set to "Yes"  
3.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
3.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"

Page 246
Recommendation Set
Correctly
Yes No
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
3.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
3.3.8 Ensure "Block Handoff" is set to "Yes"  
3.3.9 Ensure "Block iCloud backup" is set to "Yes"  
3.3.10 Ensure "Block iCloud document and data sync" is set to
 
"Yes"
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  
3.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
3.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is
 
set to "Yes"
3.4.5 Ensure "Block access to USB drive in Files app" is set to
 
"Yes"
3.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
3.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
3.5.7 Ensure "Block users from erasing all content and settings
 
on device" is set to "Yes"
3.5.8 Ensure "Block modification of device name" is set to
 
"Yes"
3.5.9 Ensure "Block configuration profile changes" is set to
 
"Yes"
3.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
3.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"

Page 247
Recommendation Set
Correctly
Yes No
3.7.1 Ensure "Require password" is set to "Yes"  
3.7.2 Ensure "Block simple passwords" is set to "Yes"  
3.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
3.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
3.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
3.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
3.7.9 Ensure "Block password sharing" is set to "Yes"  
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to  
"Yes"
3.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.9.1 Ensure a "Lock Screen Message" has been set  
3.10.1 Ensure the ability to remove the management profile
 
does not exist
3.10.2 Ensure the ability to sync with computers has been
 
blocked
4.1 Ensure "Jailbroken devices" is set to "Block"  
4.2 Ensure "Minimum OS version" or "Minimum OS build
 
version" has been defined
4.3 Ensure "Mark device noncompliant" is set to
 
"Immediately"
4.4 Ensure "Send email to end user" is set to "3 days" or less  
4.5 Ensure all devices are marked as "compliant"  
4.6 Ensure "Mark devices with no compliance policy
 
assigned as" is set to "Not compliant"
4.7 Ensure "Compliance status validity period (days)" is set
 
to "7" or less

Page 248
Page 249
Appendix: CIS Controls v8 IG 2 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
2.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
2.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
2.3.1 Ensure "Force encrypted backup" is set to "Yes"  
2.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
2.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
2.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
2.3.8 Ensure "Block Handoff" is set to "Yes"  
2.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
2.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
2.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
2.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
2.5.4 Ensure "Force limited ad tracking" is set to "Yes"  

Page 250
Recommendation Set
Correctly
Yes No
2.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
2.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"
2.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
2.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
2.7.1 Ensure "Require password" is set to "Yes"  
2.7.2 Ensure "Block simple passwords" is set to "Yes"  
2.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
2.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
2.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
2.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
2.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
3.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
3.1.4 Ensure "Block App Store" is set to "Yes"  
3.1.5 Ensure "Block access to network drive in Files app" is set
 
to "Yes"
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  

Page 251
Recommendation Set
Correctly
Yes No
3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
3.3.1 Ensure "Force encrypted backup" is set to "Yes"  
3.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
3.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
3.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
3.3.8 Ensure "Block Handoff" is set to "Yes"  
3.3.9 Ensure "Block iCloud backup" is set to "Yes"  
3.3.10 Ensure "Block iCloud document and data sync" is set to
 
"Yes"
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  
3.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
3.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is
 
set to "Yes"
3.4.5 Ensure "Block access to USB drive in Files app" is set to
 
"Yes"
3.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
3.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
3.5.4 Ensure "Force limited ad tracking" is set to "Yes"  
3.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
3.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"

Page 252
Recommendation Set
Correctly
Yes No
3.5.7 Ensure "Block users from erasing all content and settings
 
on device" is set to "Yes"
3.5.8 Ensure "Block modification of device name" is set to
 
"Yes"
3.5.9 Ensure "Block configuration profile changes" is set to
 
"Yes"
3.5.11 Ensure "Force automatic date and time" is set to "Yes"  
3.5.12 Ensure "Block VPN creation" is set to "Yes"  
3.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
3.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
3.7.1 Ensure "Require password" is set to "Yes"  
3.7.2 Ensure "Block simple passwords" is set to "Yes"  
3.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
3.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
3.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
3.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
3.7.8 Ensure "Block password proximity requests" is set to
 
"Yes"
3.7.9 Ensure "Block password sharing" is set to "Yes"  
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to  
"Yes"
3.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"

Page 253
Recommendation Set
Correctly
Yes No
3.9.1 Ensure a "Lock Screen Message" has been set  
3.10.1 Ensure the ability to remove the management profile
 
does not exist
3.10.2 Ensure the ability to sync with computers has been
 
blocked
4.1 Ensure "Jailbroken devices" is set to "Block"  
4.2 Ensure "Minimum OS version" or "Minimum OS build
 
version" has been defined
4.3 Ensure "Mark device noncompliant" is set to
 
"Immediately"
4.4 Ensure "Send email to end user" is set to "3 days" or less  
4.5 Ensure all devices are marked as "compliant"  
4.6 Ensure "Mark devices with no compliance policy
 
assigned as" is set to "Not compliant"
4.7 Ensure "Compliance status validity period (days)" is set
 
to "7" or less

Page 254
Appendix: CIS Controls v8 IG 3 Mapped
Recommendations
Recommendation Set
Correctly
Yes No
2.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
2.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
2.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
2.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  
2.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
2.3.1 Ensure "Force encrypted backup" is set to "Yes"  
2.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
2.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
2.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
2.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
2.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
2.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
2.3.8 Ensure "Block Handoff" is set to "Yes"  
2.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
2.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
2.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
2.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
2.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
2.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
2.5.4 Ensure "Force limited ad tracking" is set to "Yes"  

Page 255
Recommendation Set
Correctly
Yes No
2.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
2.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"
2.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
2.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
2.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
2.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
2.7.1 Ensure "Require password" is set to "Yes"  
2.7.2 Ensure "Block simple passwords" is set to "Yes"  
2.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
2.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
2.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
2.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
2.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
2.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.1.1 Ensure "Block viewing corporate documents in
 
unmanaged apps" is set to "Yes"
3.1.2 Ensure "Treat AirDrop as an unmanaged destination" is
 
set to "Yes"
3.1.3 Ensure "Allow copy/paste to be affected by managed
 
open-in" is set to "Yes"
3.1.4 Ensure "Block App Store" is set to "Yes"  
3.1.5 Ensure "Block access to network drive in Files app" is set
 
to "Yes"
3.2.1 Ensure "Block Siri while device is locked" is set to "Yes"  

Page 256
Recommendation Set
Correctly
Yes No
3.2.2 Ensure "Require Safari fraud warnings" is set to "Yes"  
3.3.1 Ensure "Force encrypted backup" is set to "Yes"  
3.3.2 Ensure "Block managed apps from storing data in
 
iCloud" is set to "Yes"
3.3.3 Ensure "Block backup of enterprise books" is set to "Yes"  
3.3.4 Ensure "Block notes and highlights sync for enterprise
 
books" is set to "Yes"
3.3.5 Ensure "Block iCloud Photos sync" is set to "Yes"  
3.3.6 Ensure "Block iCloud Photo Library" is set to "Yes"  
3.3.7 Ensure "Block My Photo Stream" is set to "Yes"  
3.3.8 Ensure "Block Handoff" is set to "Yes"  
3.3.9 Ensure "Block iCloud backup" is set to "Yes"  
3.3.10 Ensure "Block iCloud document and data sync" is set to
 
"Yes"
3.3.11 Ensure "Block iCloud Keychain sync" is set to "Yes"  
3.4.1 Ensure "Force Apple Watch wrist detection" is set to
 
"Yes"
3.4.2 Ensure "Require AirPlay outgoing requests pairing
 
password" is set to "Yes"
3.4.3 Ensure "Block Apple Watch auto unlock" is set to "Yes"  
3.4.4 Ensure "Block iBeacon discovery of AirPrint printers" is
 
set to "Yes"
3.4.5 Ensure "Block access to USB drive in Files app" is set to
 
"Yes"
3.5.1 Ensure "Block sending diagnostic and usage data to
 
Apple" is set to "Yes"
3.5.2 Ensure "Block screenshots and screen recording" is set
 
to "Yes"
3.5.3 Ensure "Block untrusted TLS certificates" is set to "Yes"  
3.5.4 Ensure "Force limited ad tracking" is set to "Yes"  
3.5.5 Ensure "Block trusting new enterprise app authors" is set
 
to "Yes"
3.5.6 Ensure "Limit Apple personalized advertising" is set to
 
"Yes"

Page 257
Recommendation Set
Correctly
Yes No
3.5.7 Ensure "Block users from erasing all content and settings
 
on device" is set to "Yes"
3.5.8 Ensure "Block modification of device name" is set to
 
"Yes"
3.5.9 Ensure "Block configuration profile changes" is set to
 
"Yes"
3.5.10 Ensure "Allow activation lock" is set to "Yes"  
3.5.11 Ensure "Force automatic date and time" is set to "Yes"  
3.5.12 Ensure "Block VPN creation" is set to "Yes"  
3.6.1 Ensure "Block Control Center access in lock screen" is
 
set to "Yes"
3.6.2 Ensure "Block Notifications Center access in lock screen"
 
is set to "Yes"
3.6.3 Ensure "Block Today view in lock screen" is set to "Yes"  
3.6.4 Ensure "Block Wallet notifications in lock screen" is set to
 
"Yes"
3.7.1 Ensure "Require password" is set to "Yes"  
3.7.2 Ensure "Block simple passwords" is set to "Yes"  
3.7.3 Ensure "Required password type" is set to
 
"Alphanumeric"
3.7.4 Ensure "Minimum password length" is set to "6" or
 
greater
3.7.5 Ensure "Maximum minutes after screen lock before
 
password is required" is set to "Immediately"
3.7.6 Ensure "Maximum minutes of inactivity until screen
 
locks" is set to "2" or less
3.7.7 Ensure "Block Touch ID and Face ID unlock" is set to
 
"Yes"
3.7.8 Ensure "Block password proximity requests" is set to
 
"Yes"
3.7.9 Ensure "Block password sharing" is set to "Yes"  
3.7.10 Ensure "Require Touch ID or Face ID authentication for
AutoFill of password or credit card information" is set to  
"Yes"

Page 258
Recommendation Set
Correctly
Yes No
3.8.1 Ensure "Block voice dialing while device is locked" is set
 
to "Yes"
3.9.1 Ensure a "Lock Screen Message" has been set  
3.10.1 Ensure the ability to remove the management profile
 
does not exist
3.10.2 Ensure the ability to sync with computers has been
 
blocked
4.1 Ensure "Jailbroken devices" is set to "Block"  
4.2 Ensure "Minimum OS version" or "Minimum OS build
 
version" has been defined
4.3 Ensure "Mark device noncompliant" is set to
 
"Immediately"
4.4 Ensure "Send email to end user" is set to "3 days" or less  
4.5 Ensure all devices are marked as "compliant"  
4.6 Ensure "Mark devices with no compliance policy
 
assigned as" is set to "Not compliant"
4.7 Ensure "Compliance status validity period (days)" is set
 
to "7" or less

Page 259
Appendix: CIS Controls v8 Unmapped
Recommendations
Recommendation Set
Correctly
Yes No
No unmapped recommendations to CIS Controls v8.0  

Page 260
Appendix: Change History
Date Version Changes for this version

February 2, 2024 1.0.0 Draft Release

February 27, 2024 1.0.0 Initial Release

Page 261

Microsoft 365 Communityver1fromMS
No ratings yet
Microsoft 365 Communityver1fromMS
741 pages
E GOVSecurity
No ratings yet
E GOVSecurity
75 pages
Microsoft Intune Gotchas - Gartner 4.6.23
100% (1)
Microsoft Intune Gotchas - Gartner 4.6.23
24 pages
First Review PPT Prazwal
No ratings yet
First Review PPT Prazwal
18 pages
85K
No ratings yet
85K
1,459 pages
CIS Microsoft 365 Foundations Benchmark v4.0.0
No ratings yet
CIS Microsoft 365 Foundations Benchmark v4.0.0
449 pages
Microsoft 365 Troubleshoot Admintoc 2
No ratings yet
Microsoft 365 Troubleshoot Admintoc 2
462 pages
An Investigation Into The Selection and Colors of Little Red Dots and Active Galactic Nuclei
100% (1)
An Investigation Into The Selection and Colors of Little Red Dots and Active Galactic Nuclei
18 pages
INTUNE Instructor Handout-V1.7
No ratings yet
INTUNE Instructor Handout-V1.7
210 pages
MD-102 Endpoint Administrator Updated Dumps
No ratings yet
MD-102 Endpoint Administrator Updated Dumps
59 pages
Free ML Accounts (Part 2) by B4 Bad Bro's
64% (11)
Free ML Accounts (Part 2) by B4 Bad Bro's
3 pages
CIS Microsoft Azure Foundations Benchmark v2.1.0
No ratings yet
CIS Microsoft Azure Foundations Benchmark v2.1.0
575 pages
Azure Active Directory Saas Apps
No ratings yet
Azure Active Directory Saas Apps
12,391 pages
Wetting-Layer-Assisted Synthesis of Inverted Cdse/Pbse Quantum Dots and Their Photophysical and Photo-Electrical Properties
No ratings yet
Wetting-Layer-Assisted Synthesis of Inverted Cdse/Pbse Quantum Dots and Their Photophysical and Photo-Electrical Properties
39 pages
Roadmap On Quantum Magnetic Materials: Antonija Grubišić Čabo
No ratings yet
Roadmap On Quantum Magnetic Materials: Antonija Grubišić Čabo
87 pages
About Softprom by ERC
No ratings yet
About Softprom by ERC
26 pages
Equatorial Deformation of Homogeneous Spherical Fluid Vesicles by A Rigid Ring
No ratings yet
Equatorial Deformation of Homogeneous Spherical Fluid Vesicles by A Rigid Ring
30 pages
Topological Junction States in Graphene Nanoribbons: A Route To Topological Chemistry
No ratings yet
Topological Junction States in Graphene Nanoribbons: A Route To Topological Chemistry
28 pages
An Expert System For Financial and Accou
No ratings yet
An Expert System For Financial and Accou
12 pages
Certified Penetration Tester
No ratings yet
Certified Penetration Tester
14 pages
Itinerant Ferromagnetism From One-Dimensional Mobility: T/V I T/V T/V N N
No ratings yet
Itinerant Ferromagnetism From One-Dimensional Mobility: T/V I T/V T/V N N
21 pages
Entropy Spectroscopy of A Bilayer Graphene Quantum Dot: Adamc@phys - Ethz.ch
No ratings yet
Entropy Spectroscopy of A Bilayer Graphene Quantum Dot: Adamc@phys - Ethz.ch
17 pages
Hunting For The Candidates of Changing-Look Blazar Using Clustering Analysis
No ratings yet
Hunting For The Candidates of Changing-Look Blazar Using Clustering Analysis
13 pages
Scattering Meets Absorption in Dark Matter Detection: Pieter Braat, Anh Vu Phan, Marieke Postma, and Susanne Westhoff
No ratings yet
Scattering Meets Absorption in Dark Matter Detection: Pieter Braat, Anh Vu Phan, Marieke Postma, and Susanne Westhoff
38 pages
Intune Web Guide Link
No ratings yet
Intune Web Guide Link
22 pages
Exchange of Meteorites Between The Terrestrial Planets and The Moon
No ratings yet
Exchange of Meteorites Between The Terrestrial Planets and The Moon
6 pages
ARGtek ARG-1210 QIG
No ratings yet
ARGtek ARG-1210 QIG
18 pages
A Statistical Mechanics Derivation and Implementation of Non-Conservative Phase Field Models For Front Propagation in Elastic Media
No ratings yet
A Statistical Mechanics Derivation and Implementation of Non-Conservative Phase Field Models For Front Propagation in Elastic Media
18 pages
Tesmn 0605
No ratings yet
Tesmn 0605
2 pages
Tesmn 0602
No ratings yet
Tesmn 0602
2 pages
MD 102
100% (2)
MD 102
142 pages
C-TPAT Slides
No ratings yet
C-TPAT Slides
10 pages
How To Generate A San (Subject Alternative Names) SSL CSR With Openssl
No ratings yet
How To Generate A San (Subject Alternative Names) SSL CSR With Openssl
2 pages
ISO 9001 2008 Gap Analysis Tool
No ratings yet
ISO 9001 2008 Gap Analysis Tool
10 pages
Microcanonical Phase Space and Entropy in Curved Spacetime
No ratings yet
Microcanonical Phase Space and Entropy in Curved Spacetime
26 pages
Windows Client
No ratings yet
Windows Client
1,208 pages
EPBCS - Student Guide
No ratings yet
EPBCS - Student Guide
23 pages
Portmeirion Group UK Limited Acknowledgement For Order 100075241
No ratings yet
Portmeirion Group UK Limited Acknowledgement For Order 100075241
2 pages
Sky - At.night - Magazine November.2012
No ratings yet
Sky - At.night - Magazine November.2012
110 pages
Insights On Galaxy Evolution From Interpretable Sparse Feature Networks
No ratings yet
Insights On Galaxy Evolution From Interpretable Sparse Feature Networks
10 pages
Secura: Burglar Alarm System
No ratings yet
Secura: Burglar Alarm System
3 pages
iOS - Enroll To Intune in iOS Device
No ratings yet
iOS - Enroll To Intune in iOS Device
36 pages
Canon
No ratings yet
Canon
3 pages
Microsoft Intune-1
No ratings yet
Microsoft Intune-1
14 pages
Softmart EndUser Pricelist
No ratings yet
Softmart EndUser Pricelist
45 pages
Intelmebxsettings v02
No ratings yet
Intelmebxsettings v02
8 pages
Microsoft 365 Security and Compliance Capabilities
No ratings yet
Microsoft 365 Security and Compliance Capabilities
15 pages
Guide To Playing Dominant 7ths For Piano
No ratings yet
Guide To Playing Dominant 7ths For Piano
3 pages
A Privacy-Preserving Pay-By-Phone Parking System
No ratings yet
A Privacy-Preserving Pay-By-Phone Parking System
10 pages
CIS Microsoft 365 Foundations Benchmark v1.2.0
100% (1)
CIS Microsoft 365 Foundations Benchmark v1.2.0
199 pages
Simulado Completo MD-102 1
No ratings yet
Simulado Completo MD-102 1
275 pages
Tesmn 0604
No ratings yet
Tesmn 0604
2 pages
Research: Artificial Intelligence
No ratings yet
Research: Artificial Intelligence
4 pages
MD 102
No ratings yet
MD 102
10 pages
Spyology Activity Kit
0% (1)
Spyology Activity Kit
4 pages
Intune IOS
No ratings yet
Intune IOS
8 pages
SafeNet MobilePASS+ Setup Guide For Android
No ratings yet
SafeNet MobilePASS+ Setup Guide For Android
12 pages
App Protection Policies
No ratings yet
App Protection Policies
9 pages
Watermarking Scheme For Color Images: International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
No ratings yet
Watermarking Scheme For Color Images: International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
4 pages
Mobile Device Managment at Microsoft TCS W10
No ratings yet
Mobile Device Managment at Microsoft TCS W10
13 pages
Safety Metrics
No ratings yet
Safety Metrics
44 pages
Interview Questions and Answer
No ratings yet
Interview Questions and Answer
2 pages
Deploy Chatbot On Wordpress PDF
No ratings yet
Deploy Chatbot On Wordpress PDF
27 pages
FAA 8130-3 Airworthiness Apprvl Tag1
0% (1)
FAA 8130-3 Airworthiness Apprvl Tag1
3 pages
Best Practices For Integrating OS X With Active Directory
No ratings yet
Best Practices For Integrating OS X With Active Directory
20 pages
Microsoft 365 E5 Update Webinar January 15 2019
No ratings yet
Microsoft 365 E5 Update Webinar January 15 2019
26 pages
MD102
No ratings yet
MD102
312 pages
iOS Device Enrollment Guide v2
No ratings yet
iOS Device Enrollment Guide v2
15 pages
Intune Migration-Android-Quick Start Guide
No ratings yet
Intune Migration-Android-Quick Start Guide
18 pages
ABB ICSTT-SDS-8471 - en Plantguard TMR 120 VDC Digital Output Module P8471
No ratings yet
ABB ICSTT-SDS-8471 - en Plantguard TMR 120 VDC Digital Output Module P8471
2 pages
Step-By-Step App Deployment Via Microsoft Intune
No ratings yet
Step-By-Step App Deployment Via Microsoft Intune
8 pages
Microsoft Intune
No ratings yet
Microsoft Intune
47 pages
Mac Enrollment Guide
No ratings yet
Mac Enrollment Guide
15 pages
iOS - Enroll To Intune in iOS Device
No ratings yet
iOS - Enroll To Intune in iOS Device
34 pages
Getting Started With Intune Migrations
No ratings yet
Getting Started With Intune Migrations
37 pages
Intune - L200 - Intune Product Overview - FINAL
No ratings yet
Intune - L200 - Intune Product Overview - FINAL
46 pages
Enroll Devices in Microsoft Intune
No ratings yet
Enroll Devices in Microsoft Intune
227 pages
Olympia Lab Guide v3.28
No ratings yet
Olympia Lab Guide v3.28
115 pages
Intune Implementation TMINUS
No ratings yet
Intune Implementation TMINUS
61 pages
Introduction To Microsoft Enterprise Mobility + Security: Antonio Maio
No ratings yet
Introduction To Microsoft Enterprise Mobility + Security: Antonio Maio
26 pages
Sony klv-22bx300 klv-26bx300 klv-32bx300 klv-40bx400 SM
No ratings yet
Sony klv-22bx300 klv-26bx300 klv-32bx300 klv-40bx400 SM
24 pages
Tech Module 5 - Device Management
No ratings yet
Tech Module 5 - Device Management
51 pages
Module 03 - Windows 365
No ratings yet
Module 03 - Windows 365
47 pages
MSFT CertPoster Digital
No ratings yet
MSFT CertPoster Digital
1 page
Ms 101
No ratings yet
Ms 101
244 pages
md-102 7
No ratings yet
md-102 7
18 pages
MD 102T00 ENU PowerPoint - 05
No ratings yet
MD 102T00 ENU PowerPoint - 05
36 pages
Exercise 2 Complete The Configuration of Your Office 365 Tenant PDF
No ratings yet
Exercise 2 Complete The Configuration of Your Office 365 Tenant PDF
2 pages
EOP Best Practices and Recommendations
No ratings yet
EOP Best Practices and Recommendations
111 pages
MD 102 Demo
100% (1)
MD 102 Demo
15 pages
MD 102T00 ENU PowerPoint - 04
No ratings yet
MD 102T00 ENU PowerPoint - 04
35 pages
Microsoft Intune Datasheet PDF
No ratings yet
Microsoft Intune Datasheet PDF
2 pages
Microsoft Intune Datasheet
50% (2)
Microsoft Intune Datasheet
2 pages
PDF
No ratings yet
PDF
398 pages
Module 1: Office 365 Services Overview Lab: Office 365 Services Overview
No ratings yet
Module 1: Office 365 Services Overview Lab: Office 365 Services Overview
6 pages
MAM Policy
No ratings yet
MAM Policy
3 pages
WorkshopPLUS - Managing Windows 10 Devices With Microsoft Intune and Autopilot
No ratings yet
WorkshopPLUS - Managing Windows 10 Devices With Microsoft Intune and Autopilot
2 pages
MD 100T00A ENU TrainerPrepGuide
No ratings yet
MD 100T00A ENU TrainerPrepGuide
7 pages
Off-Boarding Data Removal Certificate Template-1
No ratings yet
Off-Boarding Data Removal Certificate Template-1
3 pages
Mps Katalog Gradior en Kap1
No ratings yet
Mps Katalog Gradior en Kap1
9 pages
Microsoft Defender For Office 365 20220517150752
No ratings yet
Microsoft Defender For Office 365 20220517150752
42 pages
6625 - Configuring Power BI Mobile Apps With Microsoft Intune - WSG
No ratings yet
6625 - Configuring Power BI Mobile Apps With Microsoft Intune - WSG
5 pages
Enrolling An Android Device in InTune
No ratings yet
Enrolling An Android Device in InTune
15 pages
Microsoft - Examcollectionpremium.70 416.v2015!10!15.by - Rabz.90q
No ratings yet
Microsoft - Examcollectionpremium.70 416.v2015!10!15.by - Rabz.90q
85 pages
Implementation For Azure AD-Intune
No ratings yet
Implementation For Azure AD-Intune
5 pages
Oracle Golden Gate Deployment Architecture
No ratings yet
Oracle Golden Gate Deployment Architecture
4 pages
Microsoft Security Solution Orientation Guide
No ratings yet
Microsoft Security Solution Orientation Guide
5 pages
70-688 8.1 LM Worksheet Lab 12
No ratings yet
70-688 8.1 LM Worksheet Lab 12
7 pages
Active Directory Rights Management Services A Clear and Concise Reference
From Everand
Active Directory Rights Management Services A Clear and Concise Reference
Gerardus Blokdyk
No ratings yet
AppDynamics Third Edition
From Everand
AppDynamics Third Edition
Gerardus Blokdyk
No ratings yet