3.2.1.6 Ensure 'Allow iCloud Keychain' is set to 'Disabled'

Information

This recommendation pertains to iCloud performing Keychain synchronization.

Rationale:

It is normal and expected for end-users to configure their personal iCloud account on an institutionally owned device. Because of this, disabling iCloud Keychain prevents credential transfer to non-organizationally controlled devices and thus reduces the risk of those credentials being compromised.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open Apple Configurator.

Open the Configuration Profile.

In the left windowpane, click on the Restrictions tab.

In the right windowpane, under the tab Functionality, uncheck the checkbox for Allow iCloud Keychain.

Deploy the Configuration Profile.

Additional Information:

This recommendation is not intended as advice against using the Keychain locally on an institutionally owned device. Nor is it intended to be taken as a recommendation to prevent iCloud Keychain from being used on end-user owned devices.

See Also

https://workbench.cisecurity.org/files/3064