SECURITY ASSESSMENT REPORT
Technology: HTML Report
Tenant: DynamicPacksnet.onmicrosoft.com_M365-InTune-ORG
Assessment Date: 03/05/2025 16:10:14
This introduction contains a global summary of the security scans performed on the company infrastructure with SmartProfiler-SecID. Detailed information about the scans can be found in the corresponding section of this report. The assessment was performed according to settings recommended by CIS. More information about CIS can be found here: CIS Benchmarks. Tests recommended by the vendor have also been performed.
0 Critical
50 High
0 Medium
0 Low
3 Passed
7 Manual Check
OVERALL TENANT STATUS
Shows the overall score for the settings that need to be configured correctly in the tenant as per the CIS Benchmark. These settings are recommended by CIS.
CIS SECURITY SCORE
Technology Categories and Status
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.1.1 | Ensure Block viewing corporate documents in unmanaged apps is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block viewing corporate documents in unmanaged apps is set to Yes
Description: Item does not meet all the requirements as per test. Third-party keyboards may not function correctly with this restriction set. This prevents viewing corporate documents in unmanaged apps. By default, depending on per-app policies, the OS might allow corporate documents to be viewed in any app.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Block viewing corporate documents in unmanaged apps to Yes
Associated Objects | Affected Objects |
3.1.2 | Ensure Treat AirDrop as an unmanaged destination is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Treat AirDrop as an unmanaged destination is set to Yes
Description: Item does not meet all the requirements as per test. This forces AirDrop to be considered an unmanaged drop target. This stops managed app data from being sent via AirDrop.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Treat AirDrop as an unmanaged destination to Yes
Associated Objects | Affected Objects |
3.1.3 | Ensure Allow copy-paste to be affected by managed open-in is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Allow copy-paste to be affected by managed open-in is set to Yes
Description: Item does not meet all the requirements as per test. This enforces copy/paste restrictions based on configured Block viewing corporate documents in unmanaged apps and Block viewing non-corporate documents in corporate apps. This can ensure that copy/paste restrictions set by managed apps are enforced.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Allow copy/paste to be affected by managed open-in to Yes
Associated Objects | Affected Objects |
3.1.4 | Ensure Block App Store is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block App Store is set to Yes
Description: Item does not meet all the requirements as per test. This prevents access to the App Store on supervised devices. Blocking the App Store will deny users the ability to install apps that have not been explicitly approved by the organization. Allowing users to install apps could introduce malicious applications designed to exfiltrate information intentionally or unintentionally by a user.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Block App Store to Yes
Associated Objects | Affected Objects |
3.1.5 | Ensure Block access to network drive in Files app is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block access to network drive in Files app is set to Yes
Description: Item does not meet all the requirements as per test. This prevents access to networked file shares, such as SMB network drives. Network drives can be used as an unmanaged storage location for transferring data to and from iOS/iPadOS devices.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the App Store, Doc Viewing, Gaming heading
6. Set Block access to network drive in Files app to Yes
Associated Objects | Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.2.1 | Ensure Block Siri while device is locked is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block Siri while device is locked is set to Yes
Description: Item does not meet all the requirements as per test. The end user must unlock the device before interacting with Siri. This prevents access to Siri when the device is locked. Accessing Siri on a locked device may allow unauthorized users to access information otherwise not available to them, such as messaging, contacts, and a variety of other data.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Built-in apps heading
6. Set Block Siri while device is locked to Yes
Associated Objects | Affected Objects |
3.2.2 | Ensure Require Safari fraud warnings is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Require Safari fraud warnings is set to Yes
Description: Item does not meet all the requirements as per test. This enforces the feature to display fraud warnings within the Safari web browser. Fraudulent websites masquerade as legitimate instances of financial, business, or other sensitive sites. They are designed to capture user credentials, often through phishing campaigns. Safari's fraudulent website warning feature helps protect end users from such sites. For increased security, the Safari web browser should be used to enforce fraud warnings.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Built-in apps heading
6. Set Require Safari fraud warnings to Yes
Associated Objects | Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.3.1 | Ensure Force encrypted backup is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Force encrypted backup is set to Yes
Description: Item does not meet all the requirements as per test. End users must configure a password for the encrypted backup, the complexity of which is not managed. This requires device backups to be stored in an encrypted state. Data that are stored securely on an iOS or iPadOS device may be trivially accessed from a local computer backup. Forcing the encryption of backups protects data from being compromised if the local host computer is compromised.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Force encrypted backup to Yes
Associated Objects | Affected Objects |
3.3.2 | Ensure Block managed apps from storing data in iCloud is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block managed apps from storing data in iCloud is set to Yes
Description: Item does not meet all the requirements as per test. Data created within apps on the device may be lost if the end user has not transferred it to another device. This prevents managed apps from storing and syncing data to the user's iCloud account. This recommendation addresses intentional or unintentional data leakage. It prevents a user from installing an application that is managed by the organization on a personal device and allowing iCloud to sync the managed application's data to the personal, non-managed application.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block managed apps from storing data in iCloud to Yes
Associated Objects | Affected Objects |
3.3.3 | Ensure Block backup of enterprise books is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block backup of enterprise books is set to Yes
Description: Item does not meet all the requirements as per test. This prevents backing up of enterprise books. This recommendation addresses intentional or unintentional data leakage. It prevents a user from backing up enterprise books (documents handled by the Books application).
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block backup of enterprise books to Yes
Associated Objects | Affected Objects |
3.3.4 | Ensure Block notes and highlights sync for enterprise books is set to | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block notes and highlights sync for enterprise books is set to
Description: Item does not meet all the requirements as per test. This prevents syncing notes and highlights in enterprise books. Notes and highlights of text created within enterprise books may contain sensitive information that should not be backed up.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block notes and highlights sync for enterprise books to Yes
Associated Objects | Affected Objects |
3.3.5 | Ensure Block iCloud Photos sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block iCloud Photos sync is set to Yes
Description: Item does not meet all the requirements as per test. This prevents photo stream syncing to iCloud. This stops the ability to share pictures and screenshots to cloud storage that can be accessed outside your organization's network or devices.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block iCloud Photos sync to Yes
Associated Objects | Affected Objects |
3.3.6 | Ensure Block iCloud Photo Library is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block iCloud Photo Library is set to Yes
Description: Item does not meet all the requirements as per test. This prevents Photo Library syncing to iCloud. This stops the ability to share pictures and screenshots to cloud storage that can be accessed outside your organization's network or devices.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block iCloud Photo Library to Yes
Associated Objects | Affected Objects |
3.3.7 | Ensure Block My Photo Stream is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block My Photo Stream is set to Yes
Description: Item does not meet all the requirements as per test. This disables iCloud Photo Sharing. This stops the ability to share pictures and screenshots to cloud storage that can be accessed outside your organization's network or devices.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block My Photo Stream to Yes
Associated Objects | Affected Objects |
3.3.8 | Ensure Block Handoff is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block Handoff is set to Yes
Description: Item does not meet all the requirements as per test. Handoff does not enforce managed application boundaries. This allows managed application data to be moved to the unmanaged application space on another device, which may allow for intentional or unintentional data leakage. This prevents Apple's Handoff data-sharing mechanism, allowing users to carry on tasks on another iOS/iPadOS or macOS device.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block Handoff to Yes
Associated Objects | Affected Objects |
3.3.9 | Ensure Block iCloud backup is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block iCloud backup is set to Yes
Description: Item does not meet all the requirements as per test. This prevents the function of iCloud on the device being backed up to iCloud. iCloud backups are encrypted in transit and at rest within Apple's infrastructure, but there is no protection against restoring a backup to an unmanaged device. This potentially allows for intentional or unintentional data leakage.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block iCloud backup to Yes
Associated Objects | Affected Objects |
3.3.10 | Ensure Block iCloud document and data sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block iCloud document and data sync is set to Yes
Description: Item does not meet all the requirements as per test. This prevents syncing of documents and data to iCloud. Managed devices are often connected to personal iCloud accounts. This is expected and normal. The data from managed devices, however, should not co-mingle with the end-user's personal data. This creates a potential avenue for intentional or unintentional data leakage.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block iCloud document and data sync to Yes
Associated Objects | Affected Objects |
3.3.11 | Ensure Block iCloud Keychain sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block iCloud Keychain sync is set to Yes
Description: Item does not meet all the requirements as per test. This prevents syncing of credentials with the iCloud Keychain. Keychain allows passwords associated with an Apple ID to be saved and available for use to the authenticated user for the Apple account. Enterprise credentials may be stored within Keychain, resulting in these credentials being stored within a user's Apple ID. Managed devices are often connected to personal iCloud accounts. This is expected and normal. The credentials from managed devices, however, should not co-mingle with the end-user's personal data. This creates a potential avenue for intentional or unintentional data leakage.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Cloud and Storage heading
6. Set Block iCloud Keychain sync to Yes
Associated Objects | Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.4.1 | Ensure Force Apple Watch wrist detection is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Force Apple Watch wrist detection is set to Yes
Description: Item does not meet all the requirements as per test. This restriction forces wrist detection to be enabled on paired Apple Watches. When enforced, the Apple Watch won't display notifications when it's not being worn. The Apple Watch will also lock itself when it has been removed from a user's wrist. Wrist detection prevents a removed Apple Watch from providing access to information not otherwise available. It will also automatically lock if the watch was removed.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Connected devices heading
6. Set Force Apple Watch wrist detection to Yes
Associated Objects | Affected Objects |
3.4.2 | Ensure Require AirPlay outgoing requests pairing password is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Require AirPlay outgoing requests pairing password is set to Yes
Description: Item does not meet all the requirements as per test. Users will have to authenticate to new AirPlay devices via a password before first use. This restriction enforces the requirement of a pairing password when using AirPlay to stream content to a new Apple device. This will mitigate the risk of accidental casting of content to an incorrect screen. It will also reduce the effectiveness of a spoofing style attack.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Connected devices heading
6. Set Require AirPlay outgoing requests pairing password to Yes
Associated Objects | Affected Objects |
3.4.3 | Ensure Block Apple Watch auto unlock is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block Apple Watch auto unlock is set to Yes
Description: Item does not meet all the requirements as per test. This will restrict users from being able to automatically unlock their Apple Watch when they unlock their iOS/iPadOS device. If an Apple Watch is connected to the user's iOS/iPadOS device, but is not on their person, this could result in the user unintentionally unlocking their Apple Watch, allowing access to sensitive information on the device.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Connected devices heading
6. Set Block Apple Watch auto unlock to Yes
Associated Objects | Affected Objects |
3.4.4 | Ensure Block iBeacon discovery of AirPrint printers is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block iBeacon discovery of AirPrint printers is set to Yes
Description: Item does not meet all the requirements as per test. This blocks the iBeacon function that allows users to discover nearby AirPrint Printers. This will aim to prevent malicious network traffic phishing attacks using AirPrint beacons.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Connected devices heading
6. Set Block iBeacon discovery of AirPrint printers to Yes
Associated Objects | Affected Objects |
3.4.5 | Ensure Block access to USB drive in Files app is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block access to USB drive in Files app is set to Yes
Description: Item does not meet all the requirements as per test. This will prevent the Files app from accessing USB media to view and/or transfer files. The Files app provides a local file system and interface to USB media for iOS and iPadOS devices. In environments with sensitive data and strict data loss prevention policies, disabling the use of USB media with such devices may reduce the risk of intentional or unintentional data leakage.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the Connected devices heading
6. Set Block access to USB drive in Files app to Yes
Associated Objects | Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.5.1 | Ensure Block sending diagnostic and usage data to Apple is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block sending diagnostic and usage data to Apple is set to Yes
Description: Item does not meet all the requirements as per test. Apple provides a mechanism to send diagnostic and analytics data back to them in order to help improve the platform. This information sent to Apple may contain internal organizational information that should not be disclosed to third parties. Organizations should have knowledge of what is shared with vendors and other third parties, and should also be in full control of what is disclosed.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block sending diagnostic and usage data to Apple to Yes
Associated Objects | Affected Objects |
3.5.2 | Ensure Block screenshots and screen recording is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block screenshots and screen recording is set to Yes
Description: Item does not meet all the requirements as per test. Screenshots and screen recordings will be disabled entirely. This recommendation limits screen recording and the ability to screenshot from the device. Sensitive information displayed on the device may be captured by screenshot or screen recording into an unmanaged storage location intentionally or unintentionally by a user.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block screenshots and screen recording to Yes
Associated Objects | Affected Objects |
3.5.3 | Ensure Block untrusted TLS certificates is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block untrusted TLS certificates is set to Yes
Description: Item does not meet all the requirements as per test. The device automatically rejects untrusted HTTPS certificates without prompting the user. Services using self-signed certificates will not function. This recommendation blocks untrusted Transport Layer Security (TLS) certificates. iOS devices maintain a list of trusted TLS certificate roots. An organization may choose to add their own certificates to the list by using a configuration profile. Allowing users to bypass that list and accept self-signed or otherwise unverified/invalid certificates may increase the likelihood of an incident.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block untrusted TLS certificates to Yes
Associated Objects | Affected Objects |
3.5.4 | Ensure Force limited ad tracking is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Force limited ad tracking is set to Yes
Description: Item does not meet all the requirements as per test. This recommendation disables the ad identifier that is used to link advertisement information to a device. Having this enabled allows ad companies to better track and harvest information from a device.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Force limited ad tracking to Yes
Associated Objects | Affected Objects |
3.5.5 | Ensure Block trusting new enterprise app authors is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block trusting new enterprise app authors is set to Yes
Description: Item does not meet all the requirements as per test. This recommendation disables application installation by end users from outside the Apple App Store or Mobile Device Management (MDM) deployment. Allowing application installation by end users from outside of the Apple App Store or Mobile Device Management (MDM) may permit a user to intentionally or unintentionally install a malicious application.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block trusting new enterprise app authors to Yes
Associated Objects | Affected Objects |
3.5.6 | Ensure Limit Apple personalized advertising is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Limit Apple personalized advertising is set to Yes
Description: Item does not meet all the requirements as per test. Users will see generic advertising rather than targeted advertising. Apple has warned that this will reduce the number of relevant ads. Apple provides a framework that allows advertisers to target Apple users with advertisements relevant to them and their interests by means of a unique identifier. For such personalized advertisements to be delivered, however, detailed information is collected, correlated, and made available to advertisers. This information is valuable to both advertisers and attackers and has been used with other metadata to reveal users' identities. Disabling the use of a unique identifier helps hinder the tracking of users, which in turn supports protection of user data.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Limit Apple personalized advertising to Yes
Associated Objects | Affected Objects |
3.5.7 | Ensure Block users from erasing all content and settings on device is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block users from erasing all content and settings on device is set to Yes
Description: Item does not meet all the requirements as per test. This restriction prevents the erase all content and settings option on devices. An organization-owned device should not allow an end user to destroy data and/or repurpose the device.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block users from erasing all content and settings on device to Yes
Associated Objects | Affected Objects |
3.5.8 | Ensure Block modification of device name is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block modification of device name is set to Yes
Description: Item does not meet all the requirements as per test. This restriction prevents a user from having the ability to change the name of the device. The device name is visible and can be changed from this location: Settings > General > About. Giving users the ability to change their device name at any point may hinder the functionality of device identification and asset tracking.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block modification of device name to Yes
Associated Objects | Affected Objects |
3.5.9 | Ensure Block configuration profile changes is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Block configuration profile changes is set to Yes
Description: Item does not meet all the requirements as per test. Some services, such as WiFi access points that have been configured requiring a user to install a configuration profile, may be prevented from working by blocking their configuration profiles. This restriction prevents a user from intentionally or unintentionally installing additional configuration profiles. This adds an additional security control, so third-party and potentially malicious configuration profiles cannot be installed.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Block configuration profile changes to Yes
Associated Objects | Affected Objects |
3.5.10 | Ensure Allow activation lock is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
TEST NAME: Ensure Allow activation lock is set to Yes
Description: Item does not meet all the requirements as per test. This restriction enables Activation Lock on devices. This feature is commonly seen when a device is marked as lost in the Apple Find My app. The Activation Lock feature increases the security of the device, and restricts functionality if the device has been marked as lost or stolen.
Recommendation and Steps:
From the Microsoft Intune admin center:
1. Select Devices
2. Select Configuration profiles
3. Select the profile which applies to the iOS/iPadOS device
4. Click edit, next to Configuration settings
5. Select the General heading
6. Set Allow activation lock to Yes
Associated Objects | Affected Objects |
3.5.11 | Ensure Force automatic date and time is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Force automatic date and time is set to Yes Description Item does not meet all the requirements as per test. This restriction forces automatic date and time to be used on the device. The time zone updates only when the device can determine its location, such as when a device has a cellular connection or a Wi-Fi connection with location services enabled. Correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries. Having this information accurate is important in incident response and forensic investigations. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the General heading 6. Set Force automatic date and time to Yes Associated Objects Affected Objects |
3.5.12 | Ensure Block VPN creation is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block VPN creation is set to Yes Description Item does not meet all the requirements as per test. This restriction prevents a user from intentionally or unintentionally creating a VPN configuration. A VPN configuration can route traffic via unsecure systems if this has not been configured safely. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the General heading 6. Set Block VPN creation to Yes Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.6.1 | Ensure Block Control Center access in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block Control Center access in lock screen is set to Yes Description Item does not meet all the requirements as per test. This restriction prevents access to the Control Center on the lock screen. Passcode/Face ID must be set for this to apply. When a device is lost or stolen, the Control Center may be used to enable airplane mode, thus preventing locating or erasing the device. Disabling Control Center forces a malicious actor to power down the device, which then discards the encryption key in memory. This makes some attacks based on physical possession more difficult. Further information such as media recently played, alarm information, and latest calculator history can also be seen. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Locked Screen Experience heading 6. Set Block Control Center access in lock screen to Yes Associated Objects Affected Objects |
3.6.2 | Ensure Block Notifications Center access in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block Notifications Center access in lock screen is set to Yes Description Item does not meet all the requirements as per test. This restriction prevents access to the Notifications Center on the lock screen. This does not restrict or limit information displayed from notifications, only older notifications that are stored in the notification center. This is usually visible by swiping up on the lock screen. This will block older notifications from being displayed on the lock screen. The notification center is a location where unaddressed notifications often reside. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Locked Screen Experience heading 6. Set Block Notifications Center access in lock screen to Yes Associated Objects Affected Objects |
3.6.3 | Ensure Block Today view in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block Today view in lock screen is set to Yes Description Item does not meet all the requirements as per test. This restriction prevents access to the Today View and search on the lock screen. This can be seen by swiping left on the lock screen. A Passcode/Face ID must be set for this to apply. This will block sensitive information from being displayed on the lock screen. Today View allows widgets and reminders to be displayed, as well as the option to list installed applications and other Siri suggestions. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Locked Screen Experience heading 6. Set Block Today view in lock screen to Yes Associated Objects Affected Objects |
3.6.4 | Ensure Block Wallet notifications in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block Wallet notifications in lock screen is set to Yes Description Item does not meet all the requirements as per test. The device will need to be unlocked to access the Wallet. This restriction prevents access to the Apple Wallet while the screen is locked. Passcode/Face ID must be set for this to apply. This will block the option for the Apple Wallet to be used while the screen is locked. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Locked Screen Experience heading 6. Set Block Wallet notifications in lock screen to Yes Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.7.1 | Ensure Require password is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Require password is set to Yes Description Item does not meet all the requirements as per test. A user will need to set a password to use the device. This restriction enforces a password to be set on the device. This will block the option for the device to be used without a password. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Require password to Yes Associated Objects Affected Objects |
3.7.2 | Ensure Block simple passwords is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block simple passwords is set to Yes Description Item does not meet all the requirements as per test. Those with passwords that do not meet this requirement will be prompted to set a new device password. This restriction enforces a block on simple passwords on the device. Passwords such as 1234 and 0000 would be blocked. This will block the option for a simple password to be used on the device. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Block simple passwords to Yes Associated Objects Affected Objects |
3.7.3 | Ensure Required password type is set to Alphanumeric | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Required password type is set to Alphanumeric Description Item does not meet all the requirements as per test. Those with passwords that do not meet this requirement will be prompted to set a new device password. This restriction enforces an alphanumeric password on the device. Numeric-only passcode pins would not be allowed. Alphanumeric passwords provide a greater security posture by increasing the number of possible combinations, as well as not providing an indicator of password length. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Required password type to Alphanumeric Associated Objects Affected Objects |
3.7.4 | Ensure Minimum password length is set to 6 or greater | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Minimum password length is set to 6 or greater Description Item does not meet all the requirements as per test. Those with passwords that do not meet this requirement will be prompted to set a new device password. This restriction requires the password length set on the device to be 6 or greater. Longer passwords provide a greater security posture by increasing the number of possible combinations. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Minimum password length to 6 or greater Associated Objects Affected Objects |
3.7.5 | Ensure Maximum minutes after screen lock before password is required is set to Immediately | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Maximum minutes after screen lock before password is required is set to Immediately Description Item does not meet all the requirements as per test. This restriction disables any grace period where a password is not required to be entered after the screen has locked. This would make it impossible for the device to be picked up and used after the screen has locked. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Maximum minutes after screen lock before password is required to Immediately Associated Objects Affected Objects |
3.7.8 | Ensure Block password proximity requests is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block password proximity requests is set to Yes Description Item does not meet all the requirements as per test. This restriction prevents proximity-based password sharing for nearby devices. Access to systems and applications should be provisioned by role, with credentials only being transferred through supported credential management systems. Additionally, credential sharing requests may be exploited through social engineering. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Block password proximity requests to Yes Associated Objects Affected Objects |
3.7.9 | Ensure Block password sharing is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block password sharing is set to Yes Description Item does not meet all the requirements as per test. This restriction prevents sharing credentials between devices, such as via AirDrop. Access to systems and applications should be provisioned by role, with credentials only being transferred through supported credential management systems. Additionally, credential sharing requests may be exploited through social engineering. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Block password sharing to Yes Associated Objects Affected Objects |
3.7.10 | Ensure Require Touch ID or Face ID authentication for AutoFill of password or credit card information is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Require Touch ID or Face ID authentication for AutoFill of password or credit card information is set to Yes Description Item does not meet all the requirements as per test. This restriction forces an authentication prompt before each AutoFill operation. A device may be accessed by an unauthorized user while unlocked. This recommendation provides defense-in-depth by forcing re-authentication before credentials will be populated by AutoFill. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Password heading 6. Set Require Touch ID or Face ID authentication for AutoFill of password or credit card information to Yes Associated Objects Affected Objects |
3.7.6 | Ensure Maximum minutes of inactivity until screen locks is set to 2 or less | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
X TEST NAME Ensure Maximum minutes of inactivity until screen locks is set to 2 or less Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects Affected Objects |
3.7.7 | Ensure Block Touch ID and Face ID unlock is set to Yes | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
X TEST NAME Ensure Block Touch ID and Face ID unlock is set to Yes Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.8.1 | Ensure Block voice dialing while device is locked is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Block voice dialing while device is locked is set to Yes Description Item does not meet all the requirements as per test. This restriction blocks initiating phone calls from a locked device. Voice dialing is handled separately from Siri. Allowing calls from a locked device may allow for the impersonation of the device owner, or other malicious actions. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Wireless heading 6. Set Block voice dialing while device is locked to Yes Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.9.1 | Ensure a Lock Screen Message has been set | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure a Lock Screen Message has been set Description Item does not meet all the requirements as per test. This recommendation applies to configuring a lock screen message. A lock screen message will allow an honest bystander to more easily return a lost device. This message need not identify the owner by name, but should reference a phone number or email address to contact (for example, the help desk of an organization). Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Configuration profiles 3. Select the profile which applies to the iOS/iPadOS device 4. Click edit, next to Configuration settings 5. Select the Lock Screen Message heading 6. Set If Lost, Return to... Message with an appropriate message Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.10.1 | Ensure the ability to remove the management profile does not exist | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure the ability to remove the management profile does not exist Description Item does not meet all the requirements as per test. This recommendation denies the ability to remove an installed configuration profile. Removal of the configuration profile (and all of its configured security restrictions) should be at the discretion of the organization, not the end user, in order to prevent greatly weakening the device's security and exposing its data. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select iOS/iPadOS 3. Select iOS/iPadOS enrollment 4. Select Enrollment program tokens 5. Select the enrollment token which applies to the iOS/iPadOS device 6. Select Profiles 7. Select the profile which applies to the iOS/iPadOS device 8. Select Properties 9. Next to the Management Settings heading press Edit 10. Set Locked enrollment to Yes Associated Objects Affected Objects |
3.10.2 | Ensure the ability to sync with computers has been blocked | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure the ability to sync with computers has been blocked Description Item does not meet all the requirements as per test. This could potentially impact the use of recovery or forensic tools on locked or unlocked devices. This recommendation prevents the transfer of data to and from the device. This recommendation addresses intentional or unintentional data leakage. It prevents a user from using a computer to transfer information to or from the device. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select iOS/iPadOS 3. Select iOS/iPadOS enrollment 4. Select Enrollment program tokens 5. Select the enrollment token which applies to the iOS/iPadOS device 6. Select Profiles 7. Select the profile which applies to the iOS/iPadOS device 8. Select Properties 9. Next to the Management Settings heading press Edit 10. Set Sync with computers to Deny All Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
4.2 | Ensure Minimum OS version or Minimum OS build version has been defined | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Minimum OS version or Minimum OS build version has been defined Description Item does not meet all the requirements as per test. This recommendation ensures that outdated devices that do not adhere to the defined minimum OS version or minimum OS build version are blocked by the organization via the compliance policy. An up-to-date operating system helps provide the best possible protection against cyber threats. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Compliance policies 3. Select the compliance policy which applies to the iOS/iPadOS device 4. Select Properties 5. Select Edit in the Compliance settings section 6. Under the Device Properties heading 7. Set Minimum OS version or Minimum OS build version to a value that is representative of a recent iOS/iPadOS version or build number. Associated Objects Affected Objects |
4.1 | Ensure Jailbroken devices is set to Block | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
4.3 | Ensure Mark device noncompliant is set to Immediately | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Mark device noncompliant is set to Immediately Description Item does not meet all the requirements as per test. This recommendation ensures that devices which aren't compliant with the applied compliance policy are marked as not compliant immediately. Although this is the default, there is an option for this to be set between immediately and 365 days. As soon as a device is found to be non-compliant, it should be flagged immediately so that attention can be raised to this device via manual or scheduled automatic actioning. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Compliance policies 3. Select the compliance policy which applies to the iOS/iPadOS device 4. Select Properties 5. Select Edit in the Actions for noncompliance section 6. Set Mark device noncompliant to 0 which will resolve to immediately Associated Objects Affected Objects |
4.4 | Ensure Send email to end user is set to 3 days or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Send email to end user is set to 3 days or less Description Item does not meet all the requirements as per test. This recommendation ensures that devices that have been marked as not compliant will have an email sent to the assigned primary user of the device. An additional recipient (e.g. SOC or Intune administrator) should also be set. A message template must be created and selected. Action on non-compliant devices should be taken as soon as feasibly possible to reduce the impact of a device that is not compliant with the organization's compliance policy. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Compliance policies 3. Select the compliance policy which applies to the iOS/iPadOS device 4. Select Properties 5. Select Edit in the Actions for noncompliance section 6. Set Send email to end user to 3 (or less) which will resolve to 3 days Associated Objects Affected Objects |
4.5 | Ensure all devices are marked as compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure all devices are marked as compliant Description Item does not meet all the requirements as per test. This recommendation ensures that devices that are not compliant with the compliance policy are addressed by either being removed from the organization or ensuring they meet the defined compliance policy. Devices that aren't marked as compliant give an indicator as to which devices need attention from endpoint administrators. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Compliance policies 3. Select the compliance policy which applies to the iOS/iPadOS device 4. Select Device status 5. Address Not Compliant devices by either removing them or ensuring they meet the defined compliance policy Associated Objects Affected Objects |
4.6 | Ensure Mark devices with no compliance policy assigned as is set to Not compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Mark devices with no compliance policy assigned as is set to Not compliant Description Item does not meet all the requirements as per test. This applies to all compliance policies within the directory, regardless of device type. This recommendation ensures that devices that do not have a compliance policy assigned to them are marked as not compliant. This recommendation helps to ensure that devices that don't have a configuration policy applied are marked as Not Compliant so they are able to be addressed by Intune administrators. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Compliance policies 3. Select Compliance policy settings 4. Set Mark devices with no compliance policy assigned as to Not compliant Associated Objects Affected Objects |
4.7 | Ensure Compliance status validity period (days) is set to 7 or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
X TEST NAME Ensure Compliance status validity period (days) is set to 7 or less Description Item does not meet all the requirements as per test. This applies to all compliance policies within the directory, regardless of device type. This recommendation ensures that if devices do not check-in (report compliance status) within the defined validity period, they are marked as not compliant. This recommendation helps to ensure devices that have not reported compliance status in 7 days are treated as not compliant. If the default of 30 days is used, this period of time could mean devices may not follow compliance for up to 30 days before being marked as not compliant. Recommendation and Steps From the Microsoft Intune admin center: 1. Select Devices 2. Select Compliance policies 3. Select Compliance policy settings 4. Set Compliance status validity period (days) to 7 or less Associated Objects Affected Objects |
All Tests Table
Assessment Table status contains status for both CIS Benchmark and SmartProfiler Tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.1.1 | Ensure Block viewing corporate documents in unmanaged apps is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.2 | Ensure Treat AirDrop as an unmanaged destination is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.3 | Ensure Allow copy-paste to be affected by managed open-in is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.4 | Ensure Block App Store is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.5 | Ensure Block access to network drive in Files app is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.2.1 | Ensure Block Siri while device is locked is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.2.2 | Ensure Require Safari fraud warnings is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.1 | Ensure Force encrypted backup is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.2 | Ensure Block managed apps from storing data in iCloud is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.3 | Ensure Block backup of enterprise books is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.4 | Ensure Block notes and highlights sync for enterprise books is set to | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.5 | Ensure Block iCloud Photos sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.6 | Ensure Block iCloud Photo Library is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.7 | Ensure Block My Photo Stream is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.8 | Ensure Block Handoff is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.9 | Ensure Block iCloud backup is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.10 | Ensure Block iCloud document and data sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.11 | Ensure Block iCloud Keychain sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.1 | Ensure Force Apple Watch wrist detection is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.2 | Ensure Require AirPlay outgoing requests pairing password is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.3 | Ensure Block Apple Watch auto unlock is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.4 | Ensure Block iBeacon discovery of AirPrint printers is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.5 | Ensure Block access to USB drive in Files app is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.1 | Ensure Block sending diagnostic and usage data to Apple is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.2 | Ensure Block screenshots and screen recording is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.3 | Ensure Block untrusted TLS certificates is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.4 | Ensure Force limited ad tracking is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.5 | Ensure Block trusting new enterprise app authors is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.6 | Ensure Limit Apple personalized advertising is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.7 | Ensure Block users from erasing all content and settings on device is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.8 | Ensure Block modification of device name is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.9 | Ensure Block configuration profile changes is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.10 | Ensure Allow activation lock is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.11 | Ensure Force automatic date and time is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.12 | Ensure Block VPN creation is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.1 | Ensure Block Control Center access in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.2 | Ensure Block Notifications Center access in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.3 | Ensure Block Today view in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.4 | Ensure Block Wallet notifications in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.1 | Ensure Require password is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.2 | Ensure Block simple passwords is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.3 | Ensure Required password type is set to Alphanumeric | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.4 | Ensure Minimum password length is set to 6 or greater | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.5 | Ensure Maximum minutes after screen lock before password is required is set to Immediately | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.8 | Ensure Block password proximity requests is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.9 | Ensure Block password sharing is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.10 | Ensure Require Touch ID or Face ID authentication for AutoFill of password or credit card information is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.8.1 | Ensure Block voice dialing while device is locked is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.9.1 | Ensure a Lock Screen Message has been set | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
4.2 | Ensure Minimum OS version or Minimum OS build version has been defined | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.6 | Ensure Maximum minutes of inactivity until screen locks is set to 2 or less | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
3.7.7 | Ensure Block Touch ID and Face ID unlock is set to Yes | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
4.1 | Ensure Jailbroken devices is set to Block | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
3.10.1 | Ensure the ability to remove the management profile does not exist | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
3.10.2 | Ensure the ability to sync with computers has been blocked | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.3 | Ensure Mark device noncompliant is set to Immediately | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.4 | Ensure Send email to end user is set to 3 days or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.5 | Ensure all devices are marked as compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.6 | Ensure Mark devices with no compliance policy assigned as is set to Not compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.7 | Ensure Compliance status validity period (days) is set to 7 or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
CIS Assessment Status Table
The assessment status table contains the status of the CIS Benchmark tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.1.1 | Ensure Block viewing corporate documents in unmanaged apps is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.2 | Ensure Treat AirDrop as an unmanaged destination is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.3 | Ensure Allow copy-paste to be affected by managed open-in is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.4 | Ensure Block App Store is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.1.5 | Ensure Block access to network drive in Files app is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.2.1 | Ensure Block Siri while device is locked is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.2.2 | Ensure Require Safari fraud warnings is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.1 | Ensure Force encrypted backup is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.2 | Ensure Block managed apps from storing data in iCloud is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.3 | Ensure Block backup of enterprise books is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.4 | Ensure Block notes and highlights sync for enterprise books is set to | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.5 | Ensure Block iCloud Photos sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.6 | Ensure Block iCloud Photo Library is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.7 | Ensure Block My Photo Stream is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.8 | Ensure Block Handoff is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.9 | Ensure Block iCloud backup is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.10 | Ensure Block iCloud document and data sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.3.11 | Ensure Block iCloud Keychain sync is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.1 | Ensure Force Apple Watch wrist detection is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.2 | Ensure Require AirPlay outgoing requests pairing password is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.3 | Ensure Block Apple Watch auto unlock is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.4 | Ensure Block iBeacon discovery of AirPrint printers is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.4.5 | Ensure Block access to USB drive in Files app is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.1 | Ensure Block sending diagnostic and usage data to Apple is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.2 | Ensure Block screenshots and screen recording is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.3 | Ensure Block untrusted TLS certificates is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.4 | Ensure Force limited ad tracking is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.5 | Ensure Block trusting new enterprise app authors is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.6 | Ensure Limit Apple personalized advertising is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.7 | Ensure Block users from erasing all content and settings on device is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.8 | Ensure Block modification of device name is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.9 | Ensure Block configuration profile changes is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.10 | Ensure Allow activation lock is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.11 | Ensure Force automatic date and time is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.5.12 | Ensure Block VPN creation is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.1 | Ensure Block Control Center access in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.2 | Ensure Block Notifications Center access in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.3 | Ensure Block Today view in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.6.4 | Ensure Block Wallet notifications in lock screen is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.1 | Ensure Require password is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.2 | Ensure Block simple passwords is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.3 | Ensure Required password type is set to Alphanumeric | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.4 | Ensure Minimum password length is set to 6 or greater | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.5 | Ensure Maximum minutes after screen lock before password is required is set to Immediately | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.8 | Ensure Block password proximity requests is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.9 | Ensure Block password sharing is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.10 | Ensure Require Touch ID or Face ID authentication for AutoFill of password or credit card information is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.8.1 | Ensure Block voice dialing while device is locked is set to Yes | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.9.1 | Ensure a Lock Screen Message has been set | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
4.2 | Ensure Minimum OS version or Minimum OS build version has been defined | High | Not Configured Correctly | Supervised Devices | CIS v1.0.0 | NO |
3.7.6 | Ensure Maximum minutes of inactivity until screen locks is set to 2 or less | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
3.7.7 | Ensure Block Touch ID and Face ID unlock is set to Yes | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
4.1 | Ensure Jailbroken devices is set to Block | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
3.10.1 | Ensure the ability to remove the management profile does not exist | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
3.10.2 | Ensure the ability to sync with computers has been blocked | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.3 | Ensure Mark device noncompliant is set to Immediately | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.4 | Ensure Send email to end user is set to 3 days or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.5 | Ensure all devices are marked as compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.6 | Ensure Mark devices with no compliance policy assigned as is set to Not compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.7 | Ensure Compliance status validity period (days) is set to 7 or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
SmartProfiler Assessment Tests Status Table
The assessment status table contains the status of the SmartProfiler tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
All Manual Checks Table
Contains Manual Checks for both CIS Benchmark and SmartProfiler Tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.10.1 | Ensure the ability to remove the management profile does not exist | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
3.10.2 | Ensure the ability to sync with computers has been blocked | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.3 | Ensure Mark device noncompliant is set to Immediately | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.4 | Ensure Send email to end user is set to 3 days or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.5 | Ensure all devices are marked as compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.6 | Ensure Mark devices with no compliance policy assigned as is set to Not compliant | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
4.7 | Ensure Compliance status validity period (days) is set to 7 or less | Manual Check | NONE | Supervised Devices | CIS v1.0.0 | NO |
All Passed Checks Table
Contains Passed Checks for both CIS Benchmark and SmartProfiler Tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.7.6 | Ensure Maximum minutes of inactivity until screen locks is set to 2 or less | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
3.7.7 | Ensure Block Touch ID and Face ID unlock is set to Yes | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
4.1 | Ensure Jailbroken devices is set to Block | Passed | Configured Correctly | Supervised Devices | CIS v1.0.0 | YES |
Microsoft-Assessment.com
© 2025 DynamicPacks Technologies. All rights reserved.