3.2.1.12 Ensure 'Allow users to accept untrusted TLS certificates' is set to 'Disabled'

Information

This recommendation pertains to the acceptance of untrusted TLS certificates.

Rationale:
iOS and iPadOS devices maintain a list of trusted TLS certificate roots. An organization may add its own certificates to the list by way of a configuration profile. Allowing users to bypass that list and accept self-signed or otherwise unverified certificates may increase the likelihood of an incident.

Solution

1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, under the tab Functionality, uncheck the checkbox for Allow users to accept untrusted TLS certificates.
5. Deploy the Configuration Profile.

Impact:
The device automatically rejects untrusted HTTPS certificates without prompting the user.
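
To confirm that an exported, unsigned profile carries the setting from the Solution steps, the following added example (not part of the benchmark or of Apple Configurator) parses the .mobileconfig plist and checks the Restrictions payload. It assumes the checkbox maps to the `allowUntrustedTLSPrompt` key in the `com.apple.applicationaccess` payload, which this page does not name; the sample profiles are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
KEY = "allowUntrustedTLSPrompt"  # assumed key behind the checkbox (not named on this page)


def check_profile(data: bytes) -> tuple[bool, str]:
    """Return (compliant, reason) for an unsigned .mobileconfig plist."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:
        # Signed (CMS-wrapped) profiles land here; unwrap them before checking.
        return False, f"not a readable plist: {exc}"
    if not isinstance(profile, dict):
        return False, "top-level plist object is not a dictionary"
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return False, "no Restrictions payload in profile"
    for p in payloads:
        if KEY not in p:
            # An absent key leaves the device default, which allows the prompt.
            return False, f"{KEY} is absent from a Restrictions payload"
        if p[KEY] is not False:
            return False, f"{KEY} is {p[KEY]!r}, expected false"
    return True, f"{KEY} is false in every Restrictions payload"


def sample_profile(restrictions):
    """Build a constructed profile; restrictions=None omits the payload."""
    content = []
    if restrictions is not None:
        content.append({"PayloadType": RESTRICTIONS_TYPE,
                        "PayloadIdentifier": "example.constructed.restrictions",
                        "PayloadVersion": 1, **restrictions})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "example.constructed.profile",
                           "PayloadVersion": 1,
                           "PayloadContent": content})


if __name__ == "__main__":
    for label, blob in [("disabled", sample_profile({KEY: False})),
                        ("enabled", sample_profile({KEY: True})),
                        ("key missing", sample_profile({})),
                        ("no payload", sample_profile(None))]:
        ok, reason = check_profile(blob)
        print(f"{label:12} {'PASS' if ok else 'FAIL'}  {reason}")
```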

See Also

https://workbench.cisecurity.org/files/2141