3.2.1.14 Ensure 'Allow USB accessories while the device is locked' is set to 'Disabled'

Information

This recommendation pertains to allowing USB devices to communicate with a locked device.

Rationale:
Physical attacks against iOS devices have been developed that exploit the trust of physically connected accessories. This has led to proof-of-concept data extraction and even commercially available hardware to perform the attacks. By requiring the device to be unlocked to remove data, this control reduces the probability of a successful data exfiltration.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, under the tab Functionality, uncheck the checkbox for Allow USB accessories while the device is locked.
5. Deploy the Configuration Profile.

Impact:
An end-user will not be able to connect a USB accessory while the device is locked.
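
One way to verify the profile produced by the steps above before deployment, as an added example that is not part of the benchmark or of Apple Configurator: the Python check below reads an exported, unsigned .mobileconfig and reports whether its Restrictions payload enforces this setting. It assumes Apple's documented Restrictions key `allowUSBRestrictedMode` (where `false` lets USB accessories connect while locked); the key name, the function name and the sample profile are not taken from this page.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
USB_KEY = "allowUSBRestrictedMode"  # assumption: key from Apple's payload docs

# Constructed sample: an unsigned profile that leaves the checkbox ticked.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowUSBRestrictedMode</key><false/>
    </dict>
  </array>
</dict>
</plist>"""


def check_usb_restriction(profile_bytes):
    """Return PASS, FAIL, NOT_SET or NO_RESTRICTIONS_PAYLOAD for a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [
        p for p in profile.get("PayloadContent", [])
        if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE
    ]
    if not payloads:
        return "NO_RESTRICTIONS_PAYLOAD"
    values = [p.get(USB_KEY) for p in payloads]
    # Any payload that explicitly allows accessories while locked fails.
    if any(v is False for v in values):
        return "FAIL"
    # The key must be present and true for the profile to enforce the control;
    # an absent key leaves the choice to the device's own settings.
    if any(v is True for v in values):
        return "PASS"
    return "NOT_SET"


if __name__ == "__main__":
    print(check_usb_restriction(SAMPLE_PROFILE))
```

A signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.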

See Also

https://workbench.cisecurity.org/files/2141

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: MDM

Control ID: fc42b747d7ebb0d8de54c1a32549be532e03f443ace5e887e890557e789e7213