3.2.1.22 Ensure 'Require Touch ID / Face ID authentication before AutoFill' is set to 'Enabled'

Information

This recommendation pertains to forcing re-authentication at each AutoFill operation.

Rationale:
A device may be accessed by an unauthorized user while unlocked. This recommendation provides defense-in-depth by forcing re-authentication before credentials will be populated by AutoFill.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, under the Functionality tab, check the checkbox for Require Touch ID / Face ID authentication before AutoFill.
5. Deploy the Configuration Profile.
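
Because Nessus does not perform this check, the exported profile can be reviewed directly. The following is an added example, not part of the CIS benchmark or the Tenable audit: it assumes the checkbox is stored as the `forceAuthenticationBeforeAutoFill` key in the `com.apple.applicationaccess` (Restrictions) payload of a `.mobileconfig` file, and it does not verify a signed profile's signature. The sample profiles are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"   # Restrictions payload type
AUTOFILL_KEY = "forceAuthenticationBeforeAutoFill"  # assumed key behind the checkbox


def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; signed profiles wrap the XML plist in a CMS envelope."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start != -1 and end > start:
        return plistlib.loads(raw[start:end + len(b"</plist>")])
    return plistlib.loads(raw)  # unsigned binary plist, or raises on garbage


def audit_autofill(raw: bytes) -> tuple[bool, str]:
    """Return (compliant, reason) for the AutoFill re-authentication restriction."""
    payloads = [p for p in load_profile(raw).get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return False, "no Restrictions payload in profile"
    for p in payloads:
        value = p.get(AUTOFILL_KEY)
        if value is None:
            return False, f"{AUTOFILL_KEY} not set"
        if value is not True:
            return False, f"{AUTOFILL_KEY} is {value!r}"
    return True, f"{AUTOFILL_KEY} is true in every Restrictions payload"


def sample_profile(setting=None) -> bytes:
    """Constructed sample profile; setting=None omits the key entirely."""
    restrictions = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
                    "PayloadIdentifier": "example.restrictions"}
    if setting is not None:
        restrictions[AUTOFILL_KEY] = setting
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadContent": [restrictions]})


if __name__ == "__main__":
    for label, raw in [("enabled", sample_profile(True)),
                       ("disabled", sample_profile(False)),
                       ("key absent", sample_profile()),
                       ("signed wrapper", b"\x30\x82" + sample_profile(True) + b"\x00")]:
        print(label, audit_autofill(raw))
```

A profile with no Restrictions payload, or one that omits the key, is reported as non-compliant rather than skipped.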

See Also

https://workbench.cisecurity.org/files/2141