3.2.1.12 Ensure 'Allow Erase All Content and Settings' is set to 'Disabled'

Information

This recommendation pertains to the factory reset functionality of iOS and iPadOS devices.

Rationale:

An institutionally owned device should not allow an end user to destroy data.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left window pane, click on the Restrictions tab.
4. In the right window pane, under the tab Functionality, uncheck the checkbox for Allow Erase All Content and Settings.
5. Deploy the Configuration Profile.
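
One way to check the result of these steps outside the GUI, as an added example that is not part of the benchmark: the script reads an unsigned exported profile and verifies that the Restrictions payload (`com.apple.applicationaccess`) sets `allowEraseContentAndSettings`, the key Apple documents for this checkbox, to false. The function names, sample profiles and identifiers are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
ERASE_KEY = "allowEraseContentAndSettings"         # absent means erase is allowed

def audit_profile(profile_bytes):
    """Return (compliant, reason) for an unsigned configuration profile."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        # Signed (CMS-wrapped) or damaged profiles end up here.
        return False, "not a readable plist; export an unsigned copy to audit"
    if not isinstance(profile, dict):
        return False, "plist root is not a dictionary"
    content = profile.get("PayloadContent")
    if not isinstance(content, list):
        content = []
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return False, "no Restrictions payload in profile"
    for p in payloads:
        value = p.get(ERASE_KEY)
        if value is not False:  # strict: missing, true, or wrong type all fail
            state = "missing" if value is None else repr(value)
            ident = p.get("PayloadIdentifier", "?")
            return False, f"{ERASE_KEY} is {state} in {ident}"
    return True, f"{ERASE_KEY} is false in all Restrictions payloads"

def sample_profile(erase_value=None, with_restrictions=True):
    """Build a constructed test profile (identifiers are placeholders)."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.restrictions"}
    if erase_value is not None:
        payload[ERASE_KEY] = erase_value
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadContent": [payload] if with_restrictions else [],
    })

if __name__ == "__main__":
    for label, data in [("disabled", sample_profile(False)),
                        ("enabled", sample_profile(True)),
                        ("key absent", sample_profile()),
                        ("no payload", sample_profile(with_restrictions=False)),
                        ("signed blob", b"\x30\x82\x0a\x00constructed")]:
        print(label, audit_profile(data))
```

A profile that omits the key is reported as non-compliant because the restriction only takes effect when the key is explicitly false.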

Additional Information:

An end user may still use Apple's Find My iPhone/iPad service to perform an Erase All Content and Settings. This also sets an Activation Lock on the device. Activation Lock may be blocked using a Mobile Device Management (MDM) solution, but not via a configuration profile.

For more information, see https://support.apple.com/en-us/HT202804

See Also

https://workbench.cisecurity.org/benchmarks/15548