2.2.1.4 Ensure 'Force encrypted backups' is set to 'Enabled'

Information

This recommendation pertains to iTunes backup encryption of iOS and iPadOS devices.

Rationale:

Data that are stored securely on an iOS or iPadOS device may be trivially accessed from a local computer backup. Forcing the encryption of backups protects data from being compromised if the local host computer is compromised.

Use of back-ups is strongly advised as they allow to create a copy of data that can be recovered in the event of failures, such as hardware or software failure, data corruption, human-caused event, or accidental deletion of data. Back-up copies allow data to be restored from an earlier point in time to help recovering from an unexpected event.

Impact:

End users must configure a password for the encrypted backup, the complexity of which is not managed.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the tab Functionality, check the checkbox for Force encrypted backups.

Deploy the Configuration Profile.

Additional Information:

This function does not apply to iCloud backups. iCloud backups are encrypted in transit and at rest by Apple.

See Also

https://workbench.cisecurity.org/benchmarks/6168

Item Details

Category: CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-9, 800-53|SC-28, CSCv7|10.4

Plugin: MDM

Control ID: c866972892ea09b8eac83c5d352ac8cb42960e9d20dcf9bd568e9e9527f28f5d