3.2.1.13 Ensure 'Allow users to accept untrusted TLS certificates' is set to 'Disabled'

Information

This recommendation pertains to the acceptance of untrusted TLS certificates.

Rationale:

iOS devices maintain a list of trusted TLS certificate roots. An organization may add their own certificates to the list by using a configuration profile. Allowing users to bypass that list and accept self-signed or otherwise unverified certificates may increase the likelihood of an incident.

Impact:

The device automatically rejects untrusted HTTPS certificates without prompting the user.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the tab Functionality, uncheck the checkbox for Allow users to accept untrusted TLS certificates.

Deploy the Configuration Profile.

See Also

https://workbench.cisecurity.org/benchmarks/15548