3.1.1 Ensure 'Controls when the profile can be removed' is set to 'Never'

Information

This recommendation pertains to the removal of a given configuration profile.

Rationale:

In this section of the benchmark, recommendations are for devices that are owned by the institution. Removal of the configuration profile should be at the discretion of the institution, not the end-user, in order to prevent weakening the device's security and exposing its data.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the 'General' tab.
4. In the right windowpane, under the heading 'Security', set the menu 'Controls when the profile can be removed' to 'Never'.
5. Deploy the Configuration Profile.

Impact:

None.

See Also

https://workbench.cisecurity.org/files/1688