2.2.1.5 Ensure 'Allow users to accept untrusted TLS certificates' is set to 'Disabled'

Information

This recommendation pertains to the acceptance of untrusted TLS certificates.

Rationale:

iOS devices maintain a list of trusted TLS certificate roots. An organization may add its own certificates to that list by way of a configuration profile. Allowing users to bypass the list and accept self-signed or otherwise unverified certificates may increase the likelihood of an incident.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the 'Restrictions' tab.
4. In the right windowpane, under the tab 'Functionality', uncheck the checkbox for 'Allow users to accept untrusted TLS certificates'.
5. Deploy the Configuration Profile.
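The Apple Configurator checkbox above writes a Restrictions payload into the profile. The following is an added example, not part of this benchmark page or of Apple's or CIS's tooling: it builds a minimal .mobileconfig carrying that restriction and audits an arbitrary profile for it. It assumes the Restrictions payload type is `com.apple.applicationaccess` and the key is `allowUntrustedTLSPrompt` (both taken from Apple's Configuration Profile Reference, not from this page), and that an absent key falls back to the device default, which permits the prompt. Identifiers and UUIDs in the built profile are constructed placeholders.

```python
import plistlib

# Assumed from Apple's Configuration Profile Reference (not stated on this page).
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"
KEY = "allowUntrustedTLSPrompt"


def build_restrictions_profile(allow_untrusted_tls):
    """Build a minimal XML .mobileconfig with one Restrictions payload.

    allow_untrusted_tls: False for the compliant setting, True for the
    non-compliant one, or None to omit the key entirely (device default).
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        # Constructed placeholder identifiers; a real profile uses its own.
        "PayloadIdentifier": "example.restrictions.tls.applicationaccess",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
    }
    if allow_untrusted_tls is not None:
        restrictions[KEY] = allow_untrusted_tls

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions.tls",  # constructed placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed placeholder
        "PayloadDisplayName": "TLS restriction (example)",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_untrusted_tls(profile_bytes):
    """Audit a .mobileconfig for this recommendation.

    Returns {"status": "PASS" | "FAIL", "reason": ...}. PASS requires at least
    one Restrictions payload, and every Restrictions payload must set the key
    to False. A missing payload or missing key is treated as FAIL because the
    device default allows the prompt.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [
        p for p in profile.get("PayloadContent", [])
        if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE
    ]
    if not payloads:
        return {"status": "FAIL",
                "reason": "no Restrictions payload; device default allows the prompt"}
    for p in payloads:
        value = p.get(KEY)
        if value is None:
            return {"status": "FAIL",
                    "reason": f"{KEY} not set; default permits accepting untrusted certificates"}
        if value is not False:
            return {"status": "FAIL", "reason": f"{KEY} is {value!r}, expected False"}
    return {"status": "PASS",
            "reason": f"{KEY} is False in all Restrictions payloads"}


if __name__ == "__main__":
    for setting in (False, True, None):
        print(setting, audit_untrusted_tls(build_restrictions_profile(setting)))
```

To audit a deployed profile exported from your MDM, read the file as bytes and pass it to `audit_untrusted_tls`; signed (CMS-wrapped) profiles must be unwrapped first, since `plistlib` only parses the bare plist.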

Impact:

The device automatically rejects untrusted HTTPS certificates without prompting the user. Services using self-signed certificates will not function.

See Also

https://workbench.cisecurity.org/files/1688

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: MDM

Control ID: 66dc75fa182c508a740d79230521f2947076a397361e1e8504064a33ef3f703a