Protecting your iOS device with mobile device policy

Murph
5 min read · Mar 10, 2018


Since you aren’t going to go without a smartphone, you have to manage the risks inherent in having one. You know that it’s important to keep your device software updated, which leaves you choosing between Apple and Google’s flagship Pixel. How can you do better, with enterprise-grade security features like always-on VPN and blacklisting of apps and services? Google charges to manage devices (and focuses on features revolving around protecting company data rather than hardening your device generally), but iOS devices can be managed for free with Configuration Profiles. Which features you choose to manage will vary by your usage and security posture; I created two sample policies which can be pulled from my GitHub.

For this you will need:

Warning: this will wipe your phone.

Before you begin

The first time you apply a policy to make your phone a supervised device, it resets to factory condition (luckily, subsequent profile applications do not cause this). Now is the time to check all your backups! Export your contacts or sync them with a cloud account, back up your photos with your app of choice, and make a note of every account for which your phone is your second-factor device. Either have backup codes for every account handy or disable multifactor for the next few minutes.

You’ll also still have to sign into all of these apps after install.

Re-installing apps after the initial wipe is a pain; we can set up a Blueprint to install all of them automatically. From Configurator 2, select Blueprints > Edit Blueprints and select New from the bottom left. Now click Add and select Apps. You’ll need to sign in to the App Store to add apps to the blueprint.

Disabling apps and native services

From within Configurator, press Cmd ⌘ + N to open a new Profile and navigate to sections via the tabs on the left.

In the Restrictions tab, under the Functionality header, uncheck anything you don’t want to allow — I was particularly concerned with Siri and iCloud, or anything labelled “sync” or “backup.” I disallowed trusting new app authors and accepting untrusted TLS certificates, and forced Limit Ad Tracking.

Those who still remember the creepy entitlement Apple granted Uber to record the screen can also disable screenshots and screen recordings.

In the Apps tab, I disabled everything, although you may want to allow a bare-bones Safari if you want to be able to do things like download profiles and certificates from the web and have the correct app handle installation. I also went to Media Content to disallow all movies and TV shows.

If you know exactly which apps you want installed and no more, or are willing to update this policy every time you change your mind, you can even whitelist which apps can be installed! At the bottom of the Apps tab, change Restrict App Usage to Only allow some apps and enter your whitelisted apps. In Media Content, under Allowed Content Ratings, set Apps to Don’t allow Apps.
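As an added example (not the author’s sample policies nor Apple’s tooling), the following Python builds the Restrictions payload that the Functionality, Apps and Media Content choices above produce and audits an existing .mobileconfig against those choices. The `com.apple.applicationaccess` key names are taken from Apple’s Configuration Profile Reference; the `org` identifier and the weak sample profile are constructed for illustration.

```python
import plistlib
import uuid

# Restriction keys of the com.apple.applicationaccess payload matching the
# choices above; False disables a feature, True forces it, 0 = "Don't allow".
HARDENING = {
    "allowAssistant": False,           # Siri
    "allowCloudBackup": False,         # iCloud backup
    "allowCloudDocumentSync": False,   # iCloud document sync
    "allowCloudKeychainSync": False,   # iCloud keychain sync
    "allowEnterpriseAppTrust": False,  # trusting new enterprise app authors
    "allowUntrustedTLSPrompt": False,  # accepting untrusted TLS certificates
    "forceLimitAdTracking": True,      # force Limit Ad Tracking
    "allowScreenShot": False,          # screenshots and screen recordings
    "ratingMovies": 0,                 # Media Content: no movies
    "ratingTVShows": 0,                # Media Content: no TV shows
}

def build_profile(allowed_bundle_ids=None, org="example"):
    """Return a Configuration Profile (plist bytes) with one Restrictions payload."""
    restrictions = dict(HARDENING)
    if allowed_bundle_ids:
        # "Only allow some apps" plus "Don't allow Apps" under content ratings
        restrictions["whitelistedAppBundleIDs"] = list(allowed_bundle_ids)
        restrictions["ratingApps"] = 0
    restrictions.update({
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org}.restrictions",  # org is a placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": "Restrictions",
    })
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org}.hardening",
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": "iOS hardening",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return the HARDENING keys that an existing profile leaves unset or weaker."""
    payloads = [p for p in plistlib.loads(data).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    return sorted(k for k, v in HARDENING.items()
                  if not any(p.get(k) == v for p in payloads))

# Constructed weak profile: screenshots explicitly allowed, everything else unset.
WEAK_SAMPLE = (b'<plist version="1.0"><dict><key>PayloadContent</key><array><dict>'
               b'<key>PayloadType</key><string>com.apple.applicationaccess</string>'
               b'<key>allowScreenShot</key><true/></dict></array></dict></plist>')
```

Whitelisting via `whitelistedAppBundleIDs` only takes effect on a supervised device, which is what the initial wipe above sets up.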

Network hardening

If you have heard of Stingrays and other IMSI catchers, you may have seen some apps that will let you know if you’ve been caught, but none that can prevent association. I have T-Mobile, so I entered the APN information from this support article into my profile in the hope that it will keep my phone associated with the network I expect it to be connected to. However, T-Mobile support reps were not able to confirm that this would keep me safe.

The strongest defense is to leverage an encrypted tunnel for all of your traffic and to use apps that implement communication with end-to-end encryption.

Choose a VPN provider that offers IKEv2, the only protocol compatible with always-on VPN connections. This also allows forcing all traffic, including cellular data, through the VPN tunnel. In the VPN tab on the left, fill out the authentication information as given by your VPN provider, and add certificates in the Certificates tab if your connection requires it.

If you can’t set up a VPN natively, NordVPN attempts a kill-switch in their mobile app, which is an interesting but incomplete solution for all system traffic. However, installing any app represents some amount of trust in the developer, whereas adding a connection natively relies only on one’s existing trust in the operating system.

The advanced user should consider a proxy or other solution to block ads and trackers at the network edge; some VPN providers also offer this feature.

Other modifications

I don’t need to be interrupted when iOS needs updating, but I don’t want to miss it.

I assert that being paranoid about attention and mental well-being is just as important as being paranoid about security. Humane Tech’s list of suggestions calls for disabling notifications that are not directly generated by a human. Notification choices can be enforced by policy in Configurator, and there are several notification options available. For example, I can set a badge on an app without allowing it to make a sound or clutter the lock screen or notification list. Ultimately, moving to a whitelist of a few apps may be the best way to avoid the temptation to install more.

Setting up the accessibility shortcut for greyscaling the screen was useful for making my home screen less shiny and appealing. Turning on Night Shift has also helped me wind down at night. Unfortunately, neither of these features can be set by profile.

In summary, Apple’s free management tools and commitment to patching make iOS an attractive choice for a mobile operating system.
