Information
This recommendation pertains to allowing USB devices to communicate with a locked device.
Rationale:
Physical attacks against iOS devices have been developed that exploit the trust of physically connected accessories. This has led to proof-of-concept data extraction and even commercially available hardware to perform the attacks. By requiring the device to be unlocked to remove data, this control reduces the probability of a successful data exfiltration.
Solution
1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, under the tab Functionality, uncheck the checkbox for Allow USB accessories while the device is locked.
5. Deploy the Configuration Profile.
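To confirm the exported profile reflects the unchecked box before deployment, the following added example (not part of the original recommendation) inspects an unsigned `.mobileconfig`. It assumes the checkbox is stored as `allowUSBRestrictedMode` in the `com.apple.applicationaccess` Restrictions payload, where `false` means USB accessories are allowed while locked; the function names and sample profiles are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
USB_KEY = "allowUSBRestrictedMode"  # assumed key; False = USB allowed while locked


def check_usb_restriction(profile_bytes):
    """Return (compliant, reason) for an unsigned .mobileconfig given as bytes."""
    profile = plistlib.loads(profile_bytes)
    payloads = [
        p for p in profile.get("PayloadContent", [])
        if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE
    ]
    if not payloads:
        return True, "no Restrictions payload; profile does not allow USB while locked"
    for p in payloads:
        # Inverted semantics: the checked box is written as False.
        if p.get(USB_KEY, True) is False:
            return False, f"{USB_KEY}=false: USB accessories allowed while locked"
    return True, "Restrictions payload does not allow USB accessories while locked"


def make_sample_profile(usb_key_value):
    """Build a constructed test profile; pass None to omit the key entirely."""
    restrictions = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1}
    if usb_key_value is not None:
        restrictions[USB_KEY] = usb_key_value
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Constructed sample profile",
        "PayloadContent": [restrictions],
    })


if __name__ == "__main__":
    for value in (False, True, None):
        ok, reason = check_usb_restriction(make_sample_profile(value))
        print(f"{USB_KEY}={value!r}: {'PASS' if ok else 'FAIL'} ({reason})")
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before `plistlib` can parse it.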
Impact:
An end-user will not be able to connect their device to a USB accessory while the device is locked.