3.2.1.6 Review 'Allow iCloud Keychain' settings

Information

iCloud Keychain makes the passwords associated with an Apple ID available, in usable (decrypted) form, to whoever is authenticated to that Apple account. Organizations should review whether enterprise account credentials could end up stored, without authorization, in Apple's personal cloud.

Rationale:

It is normal and expected for end users to configure their personal iCloud account on an institutionally-owned device. Because of this, disabling iCloud Keychain prevents OS-automated credential transfer to devices outside organizational control, thus reducing the risk of those credentials being misused from unauthorized devices.

Impact:

Several risk aspects should be reviewed prior to disabling iCloud Keychain:

At this point, iCloud Keychain only stores passwords. Where Multi-Factor Authentication, Single Sign-On, or device-based profiles are used, those credentials will not make use of iCloud Keychain synchronization. Mature enterprises should no longer be relying solely on password authentication, and thus should not be at risk through the use of iCloud Keychain.

iCloud Keychain synchronizes user passwords. A user presumably already knows these passwords and periodically changes them. They could also enter those passwords on an unauthorized device without any iCloud synchronization. Ideally the institutionally-issued device has greater access to the authentication server than an unauthorized or public device. If the personal device cannot reach the authentication service at all, then the risk from password synchronization is also greatly reduced.

Blocking the use of iCloud Keychain also blocks synchronization of non-enterprise-managed accounts that the user may need for their regular work. This also blocks the use of strong, unique password suggestions made available by Apple.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Restrictions tab.

In the right window pane, under the tab Functionality, uncheck the checkbox for Allow iCloud Keychain.

Deploy the Configuration Profile.
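An added compliance check, not part of the CIS benchmark or of Apple Configurator, that parses an exported, unsigned .mobileconfig and reports whether its Restrictions payload actually disables iCloud Keychain. The key name allowCloudKeychainSync comes from Apple's Restrictions payload reference rather than from this page, and the sample profile is constructed.

```python
import plistlib

# Apple's Restrictions payload type and the key behind the "Allow iCloud Keychain"
# checkbox (key name from Apple's Restrictions payload reference, not this page).
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"
ICLOUD_KEYCHAIN_KEY = "allowCloudKeychainSync"

# Constructed sample: an unsigned .mobileconfig exported after unchecking
# "Allow iCloud Keychain" under Restrictions > Functionality.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.org.restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.org.restrictions.functionality</string>
      <key>allowCloudKeychainSync</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_icloud_keychain(profile_bytes):
    """Return (status, detail); status is 'pass', 'fail' or 'missing'.

    'missing' means no Restrictions payload sets the key, so Apple's
    default (iCloud Keychain allowed) applies and nothing is enforced.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        if ICLOUD_KEYCHAIN_KEY not in payload:
            continue  # Restrictions payload present, but this key left at default
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if payload[ICLOUD_KEYCHAIN_KEY] is False:
            return "pass", f"{ident}: iCloud Keychain disabled"
        return "fail", f"{ident}: iCloud Keychain still allowed"
    return "missing", "no Restrictions payload sets allowCloudKeychainSync"


if __name__ == "__main__":
    status, detail = audit_icloud_keychain(SAMPLE_PROFILE)
    print(status, "-", detail)
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped first (for example with `security cms -D -i profile.mobileconfig` on macOS) before plistlib can read them.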

Additional Information:

This recommendation is not intended as advice against using the Keychain locally on an institutionally-owned device, nor is it intended to be taken as a recommendation to prevent iCloud Keychain from being used on end user-owned devices.

See Also

https://workbench.cisecurity.org/benchmarks/6168