3.2.1.6 Review 'Allow iCloud Keychain' settings

Information

iCloud Keychain lets the passwords stored under an Apple Account be used by that user on any device signed in to the same Apple Account. If an organization's users are using personal Apple Accounts on organization-owned devices, then the organization should review whether enterprise passwords, passkeys, or accounts are being stored in users' personal iCloud Keychain. To review the possibility of those enterprise credentials being stored, start by using your organization's MDM platform to verify which users are signed into their personal Apple Accounts and have iCloud Keychain syncing enabled.

Note: In previous versions of the benchmark, we stated that iCloud Keychain was unencrypted. Apple has upgraded the encryption on iCloud Keychain to include end-to-end encryption under both the standard and advanced data protection options. To view more about iCloud encryption, plus the differences between the standard data protection and advanced data protection, you can read Apple's support article iCloud data security overview.

Rationale:

It is normal and expected for end users to configure their personal iCloud account on an institutionally-owned device. Because of this, disabling iCloud Keychain prevents OS-automated credential transfer to devices outside organizational control, thus reducing the risk for misuse of those credentials from unauthorized devices.

Impact:

Several risk aspects should be reviewed prior to disabling iCloud Keychain:

At this point, iCloud Keychain only stores passwords. Where Multi-Factor Authentication, Single-Sign-On, or device-based profiles are used, those credentials will not make use of iCloud Keychain synchronization. Mature enterprises should no longer be solely using password authentication, and thus should not be at risk through the use of iCloud Keychain.

iCloud Keychain synchronizes user passwords. A user presumably already knows these passwords and periodically changes them. They might also use passwords from an unauthorized device without iCloud synchronization. Ideally the institutionally-issued device has greater access than an unauthorized or public device to the authentication server. If the personal device cannot logically engage with the authentication service, then the risk of password synchronization is also greatly reduced.

Blocking the use of iCloud Keychain also blocks synchronization of non-enterprise-managed accounts that the user may need for their regular work. This also blocks the use of strong, unique password suggestions made available by Apple.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the tab Functionality, uncheck the checkbox for Allow iCloud Keychain.

Deploy the Configuration Profile.
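Since Nessus does not perform this check, the following is an added example (not from the benchmark or Tenable) of how to verify an exported profile yourself: it parses a .mobileconfig and reports whether it still permits iCloud Keychain syncing. It assumes the profile carries Apple's Restrictions payload (com.apple.applicationaccess) with the allowCloudKeychainSync key, which is what unchecking "Allow iCloud Keychain" sets; the sample profile and its identifiers are constructed placeholders.

```python
import plistlib
from typing import Optional

# Restrictions payload type and the key Apple Configurator sets to false when
# "Allow iCloud Keychain" is unchecked. The key defaults to true when absent.
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
KEYCHAIN_KEY = "allowCloudKeychainSync"


def icloud_keychain_allowed(profile_bytes: bytes) -> bool:
    """Return True if the profile still permits iCloud Keychain syncing.

    A profile that never sets the key, or carries no Restrictions payload at
    all, leaves the default (allowed) in force and is reported as allowed.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD:
            continue
        if payload.get(KEYCHAIN_KEY) is False:
            return False
    return True


def build_profile(allow: Optional[bool]) -> bytes:
    """Constructed sample .mobileconfig; identifiers are placeholders.

    allow=None produces a Restrictions payload that omits the key entirely.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadIdentifier": "com.example.restrictions",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadVersion": 1,
    }
    if allow is not None:
        restrictions[KEYCHAIN_KEY] = allow
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for label, allow in (("unset", None), ("allowed", True), ("blocked", False)):
        print(label, icloud_keychain_allowed(build_profile(allow)))
```

To check a real export, replace build_profile(...) with the bytes read from the .mobileconfig file; a result of True means the device is not yet compliant with this recommendation.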

See Also

https://workbench.cisecurity.org/benchmarks/17713