3.2.1.19 Ensure 'Allow USB accessories while the device is locked' is set to 'Disabled'

Information

This recommendation pertains to allowing USB devices to communicate with a locked device.

Rationale:

Physical attacks against iOS and iPadOS devices have been developed that exploit the trust of physically-connected accessories. This has led to proof-of-concept data extraction and even commercially available hardware designed to perform such attacks. By requiring the device to be unlocked in order to remove data, this control reduces the probability of a successful data extraction.

Impact:

An end user will not be able to connect their device to a USB accessory while the device is locked.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the tab Functionality, uncheck the checkbox for Allow USB accessories while the device is locked.

Deploy the Configuration Profile.
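To confirm an exported profile carries this setting before it is deployed, the following added example (not part of the benchmark or the audit) parses an unsigned .mobileconfig and reports the state of the restriction. It assumes the Restrictions payload key `allowUSBRestrictedMode` from Apple's device management documentation, which does not appear on this page and whose sense is inverted relative to the checkbox: `false` means accessories may connect while the device is locked. The sample profile and its identifiers are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
USB_KEY = "allowUSBRestrictedMode"  # assumed key name (Apple docs, not this page)


def usb_locked_access_findings(profile_bytes):
    """Return (payload identifier, status) for every Restrictions payload.

    Assumes an unsigned profile; a signed one is CMS-wrapped and must be
    unwrapped before plistlib can parse it.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        value = payload.get(USB_KEY)
        if value is False:
            status = "FAIL"      # accessories allowed while locked
        elif value is True:
            status = "PASS"      # checkbox unchecked, setting enforced
        else:
            status = "NOT_SET"   # key absent: this profile does not enforce it
        findings.append((ident, status))
    return findings


def sample_profile(usb_value=None):
    """Build a constructed profile with one Restrictions and one Wi-Fi payload."""
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "com.example.restrictions",  # constructed
    }
    if usb_value is not None:
        restrictions[USB_KEY] = usb_value
    wifi = {"PayloadType": "com.apple.wifi.managed",
            "PayloadIdentifier": "com.example.wifi"}       # constructed
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [wifi, restrictions]})


if __name__ == "__main__":
    for value in (True, False, None):
        print(value, usb_locked_access_findings(sample_profile(value)))
```

An empty result means the profile contains no Restrictions payload at all, so the setting is not managed by it.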

See Also

https://workbench.cisecurity.org/benchmarks/15548

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8(3), CSCv7|13.7

Plugin: MDM

Control ID: c90d3e42aec1fe41f0f5e2d12d7e569d69eb20a495c8ef40649a5781f3ff95e3