Improving security posture of Managed/Corporate iOS Devices in InTune

InTune iOS Managed/Corporate Devices CIS Assessment v1.0.0

Complete Automation

Almost all CIS tests for InTune iOS are automated with SmartProfiler for InTune iOS.

Detailed Reporting

Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.

60 Tests

Checks to make sure all InTune iOS recommended tests by CIS are configured in the Microsoft InTune.

Check InTune Device Configruation and Compliance Policies

The InTune iOS CIS Assessment by SmartProfiler can check to make sure you have configured Device and Compliance policies for iOS devices connecting to your corporate environment.

InTune iOS Managed/Coprorate Devices CIS Assessment

As part of your InTune for iOS CIS Assessment, validating CIS settings in the InTune Admin Center ensures that security best practices are applied and enforced on iOS Devices in your environment. It’s important to consistently monitor and audit Device and Compliance policies deployments to ensure compliance in the cloud through InTune Admin Center. SmartProfiler for InTune iOS CIS Assessment helps you understand if you have configured those settings recommended by CIS and NIST.

The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support CIS Standards designed for Microsoft 365 and Azure Assessments.

Automation

Simple Requirement

SmartProfiler for InTune iOS CIS Assessment requires a Service Principal Account with necessary read-only permissions to execute all tests if you need to check InTune Device and Compliance Configuration in your InTune Admin Center.

An Entra App with necessary permissions

SmartProfiler makes use of Entra App to ensure all settings are configured correctly in InTune Admin Center.

PowerShell and Graph API

SmartProfiler utilizes Microsoft PowerShell Modules and Graph API to perform assessment in InTune Admin Center and on target devices.

Read-Only Operation

SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.

Quick Assessment

SmartProfiler for InTune iOS CIS Assessment is simple to use and execute in four-steps.

Register Tenant
Assessment Summary

Execute Assessment
Generate Report

View Details

Frequently Asked Questions

How long does it take to perform CIS Assessment?

It depends on the number of resources in the Tenant. It typically takes 1 hour to perform Windows 10/11 InTune CIS Assessment for a Tenant having 30 GPOs.
Does SmartProfiler write anything to the Target Tenant?

SmartProfiler for Azure CIS Assessment is a read-only product.
Can I rebrand the reports?

Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
Can I add multiple Azure Tenants in SmartProfiler?

SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.

List of Tests

CIS V1.0.0 Tests

Here is the list of tests included with SmartProfiler for InTune iOS CIS Assessment.

InTune iOS Tests

SmartProfiler Tests

InTune iOS Tests

SmartProfiler Tests

Why Choose SmartProfiler for InTune iOS CIS Assessment

Instead of manually checking InTune iOS Settings in InTune Admin Center, which could take a significant amount of time, SmartProfiler for InTune iOS CIS Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.

Fully Automated
Check Device and Compliance Policies and its status
Execute all 60 tests automatically
Add unlimited Microsoft 365 Tenants
Supports Latest CIS V1.0.0.

Download Now

What Client’s Say About Us

If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.

Kilva Dew

Systems Architect

The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.

Axon Detos

CEO

The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!

John Dona

Designer

SmartProfiler's advanced assessment parameters really gives you insights about your Active Directory environment and make sure every risk is mitigated.

Viral Joshi

IT Manager - BKT Tires

Category	CISWB	Test
App Store-Doc Viewing-Gaming	CIS v1.0.0	Ensure Block viewing corporate documents in unmanaged apps is set to Yes
App Store-Doc Viewing-Gaming	CIS v1.0.0	Ensure Treat AirDrop as an unmanaged destination is set to Yes
App Store-Doc Viewing-Gaming	CIS v1.0.0	Ensure Allow copy-paste to be affected by managed open-in is set to Yes
App Store-Doc Viewing-Gaming	CIS v1.0.0	Ensure Block App Store is set to Yes
App Store-Doc Viewing-Gaming	CIS v1.0.0	Ensure Block access to network drive in Files app is set to Yes
Built-in Apps	CIS v1.0.0	Ensure Block Siri while device is locked is set to Yes
Built-in Apps	CIS v1.0.0	Ensure Require Safari fraud warnings is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Force encrypted backup is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block managed apps from storing data in iCloud is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block backup of enterprise books is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block notes and highlights sync for enterprise books is set to
Cloud and Storage	CIS v1.0.0	Ensure Block iCloud Photos sync is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block iCloud Photo Library is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block My Photo Stream is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block Handoff is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block iCloud backup is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block iCloud document and data sync is set to Yes
Cloud and Storage	CIS v1.0.0	Ensure Block iCloud Keychain sync is set to Yes
Connected Devices	CIS v1.0.0	Ensure Force Apple Watch wrist detection is set to Yes
Connected Devices	CIS v1.0.0	Ensure Require AirPlay outgoing requests pairing password is set to Yes
Connected Devices	CIS v1.0.0	Ensure Block Apple Watch auto unlock is set to Yes
Connected Devices	CIS v1.0.0	Ensure Block iBeacon discovery of AirPrint printers is set to Yes
Connected Devices	CIS v1.0.0	Ensure Block access to USB drive in Files app is set to Yes
General	CIS v1.0.0	Ensure Block sending diagnostic and usage data to Apple is set to Yes
General	CIS v1.0.0	Ensure Block screenshots and screen recording is set to Yes
General	CIS v1.0.0	Ensure Block untrusted TLS certificates is set to Yes
General	CIS v1.0.0	Ensure Force limited ad tracking is set to Yes
General	CIS v1.0.0	Ensure Block trusting new enterprise app authors is set to Yes
General	CIS v1.0.0	Ensure Limit Apple personalized advertising is set to Yes
General	CIS v1.0.0	Ensure Block users from erasing all content and settings on device is set to Yes
General	CIS v1.0.0	Ensure Block modification of device name is set to Yes
General	CIS v1.0.0	Ensure Block configuration profile changes is set to Yes
General	CIS v1.0.0	Ensure Allow activation lock is set to Yes
General	CIS v1.0.0	Ensure Force automatic date and time is set to Yes
General	CIS v1.0.0	Ensure Block VPN creation is set to Yes
Locked Screen Experience	CIS v1.0.0	Ensure Block Control Center access in lock screen is set to Yes
Locked Screen Experience	CIS v1.0.0	Ensure Block Notifications Center access in lock screen is set to Yes
Locked Screen Experience	CIS v1.0.0	Ensure Block Today view in lock screen is set to Yes
Locked Screen Experience	CIS v1.0.0	Ensure Block Wallet notifications in lock screen is set to Yes
Password	CIS v1.0.0	Ensure Require password is set to Yes
Password	CIS v1.0.0	Ensure Block simple passwords is set to Yes
Password	CIS v1.0.0	Ensure Required password type is set to Alphanumeric
Password	CIS v1.0.0	Ensure Minimum password length is set to 6 or greater
Password	CIS v1.0.0	Ensure Maximum minutes after screen lock before password is required is set to Immediately
Password	CIS v1.0.0	Ensure Maximum minutes of inactivity until screen locks is set to 2 or less
Password	CIS v1.0.0	Ensure Block Touch ID and Face ID unlock is set to Yes
Password	CIS v1.0.0	Ensure Block password proximity requests is set to Yes
Password	CIS v1.0.0	Ensure Block password sharing is set to Yes
Password	CIS v1.0.0	Ensure Require Touch ID or Face ID authentication for AutoFill of password or credit card information is set to Yes
Wireless	CIS v1.0.0	Ensure Block voice dialing while device is locked is set to Yes
Lock Screen Message	CIS v1.0.0	Ensure a Lock Screen Message has been set
Additional Recommendations	CIS v1.0.0	Ensure the ability to remove the management profile does not exist
Additional Recommendations	CIS v1.0.0	Ensure the ability to sync with computers has been blocked
Recommendations for Compliance Policies	CIS v1.0.0	Ensure Jailbroken devices is set to Block
Recommendations for Compliance Policies	CIS v1.0.0	Ensure Minimum OS version or Minimum OS build version has been defined
Recommendations for Compliance Policies	CIS v1.0.0	Ensure Mark device noncompliant is set to Immediately
Recommendations for Compliance Policies	CIS v1.0.0	Ensure Send email to end user is set to 3 days or less
Recommendations for Compliance Policies	CIS v1.0.0	Ensure all devices are marked as compliant
Recommendations for Compliance Policies	CIS v1.0.0	Ensure Mark devices with no compliance policy assigned as is set to Not compliant
Recommendations for Compliance Policies	CIS v1.0.0	Ensure Compliance status validity period (days) is set to 7 or less

Azure-Infra	SP v1.0	Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID
Azure-Infra	SP v1.0	Ensure Azure Administrative Units are used
Azure-Infra	SP v1.0	Ensure Azure Guests cannot invite other Guests
Azure-Infra	SP v1.0	Ensure privileged accounts have MFA Configured
Azure-Infra	SP v1.0	Ensure non-Admins cannot register custom applications
Azure-Infra	SP v1.0	Ensure no Guest Accounts in Azure Privileged groups
Azure-Infra	SP v1.0	Ensure Security Defaults is enabled
Azure-Infra	SP v1.0	Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent
Azure-Infra	SP v1.0	Ensure Conditional Access Policy with signin user-risk location as Factor
Azure-Infra	SP v1.0	Ensure no Guest accounts that are inactive for more than 45 days
Azure-Infra	SP v1.0	Conditional Access policy with Continuous Access Evaluation disabled
Azure-Infra	SP v1.0	AAD Connect sync account password reset
Azure-Infra	SP v1.0	Ensure Guest users are restricted
Azure-Infra	SP v1.0	Ensure user are configured with MFA
Azure-Infra	SP v1.0	Conditional Access Policy that disables admin token persistence
Azure-Infra	SP v1.0	Conditional Access Policy that does not require a password change from high risk users
Azure-Infra	SP v1.0	Conditional Access Policy that does not require MFA when sign-in risk has been identified
Azure-Infra	SP v1.0	Ensure Guest invites not accepted in last 30 days are identified
Azure-Infra	SP v1.0	Ensure Synced AAD Users not privileged Users in Azure
Azure-Infra	SP v1.0	Ensure No Private IP Addresses in Conditional Access policies
Azure-Infra	SP v1.0	Ensure Number Matching enabled in MFA
Azure-Infra	SP v1.0	Ensure AD privileged users are not synced to AAD
Azure-Infra	SP v1.0	Ensure no more than 5 Global Administrators
Azure-Infra	SP v1.0	Ensure SSO computer account with latest password
Azure-Infra	SP v1.0	Ensure RBCD is not applied to AZUREADSSOACC account
Azure Entra ID	SP v1.0	Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra
Azure Entra ID	SP v1.0	Ensure Phishing-resistant MFA strength is required for Administrators
Azure Entra ID	SP v1.0	Ensure custom banned passwords lists are used
Azure Entra ID	SP v1.0	Ensure Restrict non-admin users from creating tenants is set to Yes
Azure Entra ID	SP v1.0	Ensure a dynamic group for guest users is created
Azure Entra ID	SP v1.0	Ensure Microsoft Authenticator is configured to protect against MFA fatigue
Azure Entra ID	SP v1.0	Ensure that password hash sync is enabled for hybrid deployments
Azure Entra ID	SP v1.0	Ensure Privileged Identity Management is used to manage roles
Azure Entra ID	SP v1.0	Ensure Security Defaults is disabled on Azure Active Directory
Azure Entra ID	SP v1.0	Enable Azure AD Identity Protection user risk policies
Azure Entra ID	SP v1.0	Ensure the admin consent workflow is enabled
Azure Entra ID	SP v1.0	Ensure Microsoft Azure Management is limited to administrative roles
Azure Entra ID	SP v1.0	Ensure LinkedIn account connections is disabled
Azure Entra ID	SP v1.0	Ensure password protection is enabled for on-prem Active Directory
Azure Entra ID	SP v1.0	Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
Azure Entra ID	SP v1.0	Ensure third party integrated applications are not allowed
Azure Entra ID	SP v1.0	Ensure user consent to apps accessing company data on their behalf is not allowed
Azure Entra ID	SP v1.0	Enable Conditional Access policies to block legacy authentication
Azure Entra ID	SP v1.0	Ensure Self service password reset enabled is set to All
Azure Entra ID	SP v1.0	Enable Azure AD Identity Protection sign-in risk policies
Azure Entra ID	SP v1.0	Ensure multifactor authentication is enabled for all users in administrative roles
Azure Entra ID	SP v1.0	Ensure multifactor authentication is enabled for all users
Database Services-SQL Server – MySQL Database	SP v1.0	Ensure to Enable In-Transit Encryption for MySQL Servers
Virtual Machines	SP v1.0	Approved Azure Machine Image in Use
Virtual Machines	SP v1.0	Azure Disk Encryption for Boot Disk Volumes
Virtual Machines	SP v1.0	Azure Disk Encryption for Non-Boot Disk Volumes
Virtual Machines	SP v1.0	Ensure Associated Load Balancers are configured
Virtual Machines	SP v1.0	Ensure Desired VM SKU Size are configured
Virtual Machines	SP v1.0	Ensure Virtual Machine Scale Sets are not empty
Virtual Machines	SP v1.0	Ensure Virtual Machines are configured with SSH Authentication Type
Virtual Machines	SP v1.0	Ensure Sufficient Daily Backup Retention Period is configured for Virtual Machines
Virtual Machines	SP v1.0	Ensure Sufficient Instant Restore Retention Period is configured for Virtual Machines
Virtual Machines	SP v1.0	Ensure No Unused Load Balancers are identified to reduce cost
Virtual Machines	SP v1.0	Ensure No Zone-Redundant Virtual Machine Scale Sets are present
Virtual Machines	SP v1.0	Ensure Premium SSD are disabled to reduce cost
Virtual Machines	SP v1.0	Ensure Accelerated Networking for Virtual Machines is enabled
Virtual Machines	SP v1.0	Ensure Auto-Shutdown of Virtual Machine is enabled to reduce cost
Virtual Machines	SP v1.0	Ensure Automatic Instance Repairs is enabled for Virtual Machines
Virtual Machines	SP v1.0	Ensure Automatic OS Upgrades is enabled for Virtual Machines
Virtual Machines	SP v1.0	Ensure Autoscale Notifications are configured for Virtual Machines
Virtual Machines	SP v1.0	Ensure Backups for Azure Virtual Machines are configured
Virtual Machines	SP v1.0	Ensure Encryption for App-Tier Disk Volumes are configured
Virtual Machines	SP v1.0	Ensure Encryption for Web-Tier Disk Volumes are configured
Virtual Machines	SP v1.0	Ensure Guest-Level Diagnostics for Virtual Machines is enabled
Virtual Machines	SP v1.0	Ensure Instance Termination Notifications for Virtual Machine Scale Sets is configured
Virtual Machines	SP v1.0	Ensure Just-In-Time Access for Virtual Machines is enabled
Virtual Machines	SP v1.0	Ensure Performance Diagnostics for Azure Virtual Machines is enabled
Virtual Machines	SP v1.0	Ensure System-Assigned Managed Identities are enabled
Virtual Machines	SP v1.0	Ensure Virtual Machine Boot Diagnostics is enabled
Virtual Machines	SP v1.0	Ensure Health Monitoring is configured for Virtual Machines
Virtual Machines	SP v1.0	Ensure Old Virtual Machine Disk Snapshots are removed
Virtual Machines	SP v1.0	Ensure Unattached Virtual Machine Disk Volumes are removed from Virtual Machines
Virtual Machines	SP v1.0	Ensure BYOK for Disk Volumes Encryption is used
Virtual Machines	SP v1.0	Enable Virtual Machine Access using Microsoft Entra ID Authentication
Azure Subscription	SP v1.0	Ensure Basic and Consumption SKU Should are not Used in Production
Azure Subscription	SP v1.0	Ensure Azure Cloud Budget Alerts are configured
Azure Subscription	SP v1.0	Ensure more than one Subscription Owners are assigned
Azure Subscription	SP v1.0	Ensure Not Allowed Resource Types Policy Assignment is in Use
Azure Subscription	SP v1.0	Ensure Tags are configured on the Resources
Azure Subscription	SP v1.0	Ensure to remove Custom Owner Roles from Subscriptions
Azure Subscription	SP v1.0	Ensure Resource Locking Administrator Role is configured
Azure Subscription	SP v1.0	Ensure no Subscription Administrator Custom Role are not configured