Entra ID CIS Assessment with SmartProfiler-SecID
About SmartProfiler SmartProfiler for Entra ID is designed to mitigate security risks in the Azure
Read MoreAlmost all CIS tests for InTune iOS are automated with SmartProfiler for InTune iOS.
Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.
Checks to make sure all InTune iOS recommended tests by CIS are configured in the Microsoft InTune.
The InTune iOS CIS Assessment by SmartProfiler can check to make sure you have configured Device and Compliance policies for iOS devices connecting to your corporate environment.
As part of your InTune for iOS CIS Assessment, validating CIS settings in the InTune Admin Center ensures that security best practices are applied and enforced on iOS Devices in your environment. It’s important to consistently monitor and audit Device and Compliance policies deployments to ensure compliance in the cloud through InTune Admin Center. SmartProfiler for InTune iOS CIS Assessment helps you understand if you have configured those settings recommended by CIS and NIST.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support CIS Standards designed for Microsoft 365 and Azure Assessments.
SmartProfiler for InTune iOS CIS Assessment requires a Service Principal Account with necessary read-only permissions to execute all tests if you need to check InTune Device and Compliance Configuration in your InTune Admin Center.
SmartProfiler makes use of Entra App to ensure all settings are configured correctly in InTune Admin Center.
SmartProfiler utilizes Microsoft PowerShell Modules and Graph API to perform assessment in InTune Admin Center and on target devices.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for InTune iOS CIS Assessment is simple to use and execute in four-steps.
It depends on the number of resources in the Tenant. It typically takes 1 hour to perform Windows 10/11 InTune CIS Assessment for a Tenant having 30 GPOs.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for InTune iOS CIS Assessment.
Category | CISWB | Test | |
App Store-Doc Viewing-Gaming | CIS v1.0.0 | Ensure Block viewing corporate documents in unmanaged apps is set to Yes | |
App Store-Doc Viewing-Gaming | CIS v1.0.0 | Ensure Treat AirDrop as an unmanaged destination is set to Yes | |
App Store-Doc Viewing-Gaming | CIS v1.0.0 | Ensure Allow copy-paste to be affected by managed open-in is set to Yes | |
App Store-Doc Viewing-Gaming | CIS v1.0.0 | Ensure Block App Store is set to Yes | |
App Store-Doc Viewing-Gaming | CIS v1.0.0 | Ensure Block access to network drive in Files app is set to Yes | |
Built-in Apps | CIS v1.0.0 | Ensure Block Siri while device is locked is set to Yes | |
Built-in Apps | CIS v1.0.0 | Ensure Require Safari fraud warnings is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Force encrypted backup is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block managed apps from storing data in iCloud is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block backup of enterprise books is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block notes and highlights sync for enterprise books is set to | |
Cloud and Storage | CIS v1.0.0 | Ensure Block iCloud Photos sync is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block iCloud Photo Library is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block My Photo Stream is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block Handoff is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block iCloud backup is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block iCloud document and data sync is set to Yes | |
Cloud and Storage | CIS v1.0.0 | Ensure Block iCloud Keychain sync is set to Yes | |
Connected Devices | CIS v1.0.0 | Ensure Force Apple Watch wrist detection is set to Yes | |
Connected Devices | CIS v1.0.0 | Ensure Require AirPlay outgoing requests pairing password is set to Yes | |
Connected Devices | CIS v1.0.0 | Ensure Block Apple Watch auto unlock is set to Yes | |
Connected Devices | CIS v1.0.0 | Ensure Block iBeacon discovery of AirPrint printers is set to Yes | |
Connected Devices | CIS v1.0.0 | Ensure Block access to USB drive in Files app is set to Yes | |
General | CIS v1.0.0 | Ensure Block sending diagnostic and usage data to Apple is set to Yes | |
General | CIS v1.0.0 | Ensure Block screenshots and screen recording is set to Yes | |
General | CIS v1.0.0 | Ensure Block untrusted TLS certificates is set to Yes | |
General | CIS v1.0.0 | Ensure Force limited ad tracking is set to Yes | |
General | CIS v1.0.0 | Ensure Block trusting new enterprise app authors is set to Yes | |
General | CIS v1.0.0 | Ensure Limit Apple personalized advertising is set to Yes | |
General | CIS v1.0.0 | Ensure Block users from erasing all content and settings on device is set to Yes | |
General | CIS v1.0.0 | Ensure Block modification of device name is set to Yes | |
General | CIS v1.0.0 | Ensure Block configuration profile changes is set to Yes | |
General | CIS v1.0.0 | Ensure Allow activation lock is set to Yes | |
General | CIS v1.0.0 | Ensure Force automatic date and time is set to Yes | |
General | CIS v1.0.0 | Ensure Block VPN creation is set to Yes | |
Locked Screen Experience | CIS v1.0.0 | Ensure Block Control Center access in lock screen is set to Yes | |
Locked Screen Experience | CIS v1.0.0 | Ensure Block Notifications Center access in lock screen is set to Yes | |
Locked Screen Experience | CIS v1.0.0 | Ensure Block Today view in lock screen is set to Yes | |
Locked Screen Experience | CIS v1.0.0 | Ensure Block Wallet notifications in lock screen is set to Yes | |
Password | CIS v1.0.0 | Ensure Require password is set to Yes | |
Password | CIS v1.0.0 | Ensure Block simple passwords is set to Yes | |
Password | CIS v1.0.0 | Ensure Required password type is set to Alphanumeric | |
Password | CIS v1.0.0 | Ensure Minimum password length is set to 6 or greater | |
Password | CIS v1.0.0 | Ensure Maximum minutes after screen lock before password is required is set to Immediately | |
Password | CIS v1.0.0 | Ensure Maximum minutes of inactivity until screen locks is set to 2 or less | |
Password | CIS v1.0.0 | Ensure Block Touch ID and Face ID unlock is set to Yes | |
Password | CIS v1.0.0 | Ensure Block password proximity requests is set to Yes | |
Password | CIS v1.0.0 | Ensure Block password sharing is set to Yes | |
Password | CIS v1.0.0 | Ensure Require Touch ID or Face ID authentication for AutoFill of password or credit card information is set to Yes | |
Wireless | CIS v1.0.0 | Ensure Block voice dialing while device is locked is set to Yes | |
Lock Screen Message | CIS v1.0.0 | Ensure a Lock Screen Message has been set | |
Additional Recommendations | CIS v1.0.0 | Ensure the ability to remove the management profile does not exist | |
Additional Recommendations | CIS v1.0.0 | Ensure the ability to sync with computers has been blocked | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure Jailbroken devices is set to Block | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure Minimum OS version or Minimum OS build version has been defined | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure Mark device noncompliant is set to Immediately | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure Send email to end user is set to 3 days or less | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure all devices are marked as compliant | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure Mark devices with no compliance policy assigned as is set to Not compliant | |
Recommendations for Compliance Policies | CIS v1.0.0 | Ensure Compliance status validity period (days) is set to 7 or less |
Below tests, as recommended by Microsoft Azure globally, are not included in the Azure CIS Version 2.1.0 tests list. We recommend executing below tests as part of Microsoft Azure security & Compliance Assessment.
Azure-Infra | SP v1.0 | Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID |
Azure-Infra | SP v1.0 | Ensure Azure Administrative Units are used |
Azure-Infra | SP v1.0 | Ensure Azure Guests cannot invite other Guests |
Azure-Infra | SP v1.0 | Ensure privileged accounts have MFA Configured |
Azure-Infra | SP v1.0 | Ensure non-Admins cannot register custom applications |
Azure-Infra | SP v1.0 | Ensure no Guest Accounts in Azure Privileged groups |
Azure-Infra | SP v1.0 | Ensure Security Defaults is enabled |
Azure-Infra | SP v1.0 | Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent |
Azure-Infra | SP v1.0 | Ensure Conditional Access Policy with signin user-risk location as Factor |
Azure-Infra | SP v1.0 | Ensure no Guest accounts that are inactive for more than 45 days |
Azure-Infra | SP v1.0 | Conditional Access policy with Continuous Access Evaluation disabled |
Azure-Infra | SP v1.0 | AAD Connect sync account password reset |
Azure-Infra | SP v1.0 | Ensure Guest users are restricted |
Azure-Infra | SP v1.0 | Ensure user are configured with MFA |
Azure-Infra | SP v1.0 | Conditional Access Policy that disables admin token persistence |
Azure-Infra | SP v1.0 | Conditional Access Policy that does not require a password change from high risk users |
Azure-Infra | SP v1.0 | Conditional Access Policy that does not require MFA when sign-in risk has been identified |
Azure-Infra | SP v1.0 | Ensure Guest invites not accepted in last 30 days are identified |
Azure-Infra | SP v1.0 | Ensure Synced AAD Users not privileged Users in Azure |
Azure-Infra | SP v1.0 | Ensure No Private IP Addresses in Conditional Access policies |
Azure-Infra | SP v1.0 | Ensure Number Matching enabled in MFA |
Azure-Infra | SP v1.0 | Ensure AD privileged users are not synced to AAD |
Azure-Infra | SP v1.0 | Ensure no more than 5 Global Administrators |
Azure-Infra | SP v1.0 | Ensure SSO computer account with latest password |
Azure-Infra | SP v1.0 | Ensure RBCD is not applied to AZUREADSSOACC account |
Azure Entra ID | SP v1.0 | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
Azure Entra ID | SP v1.0 | Ensure Phishing-resistant MFA strength is required for Administrators |
Azure Entra ID | SP v1.0 | Ensure custom banned passwords lists are used |
Azure Entra ID | SP v1.0 | Ensure Restrict non-admin users from creating tenants is set to Yes |
Azure Entra ID | SP v1.0 | Ensure a dynamic group for guest users is created |
Azure Entra ID | SP v1.0 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
Azure Entra ID | SP v1.0 | Ensure that password hash sync is enabled for hybrid deployments |
Azure Entra ID | SP v1.0 | Ensure Privileged Identity Management is used to manage roles |
Azure Entra ID | SP v1.0 | Ensure Security Defaults is disabled on Azure Active Directory |
Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection user risk policies |
Azure Entra ID | SP v1.0 | Ensure the admin consent workflow is enabled |
Azure Entra ID | SP v1.0 | Ensure Microsoft Azure Management is limited to administrative roles |
Azure Entra ID | SP v1.0 | Ensure LinkedIn account connections is disabled |
Azure Entra ID | SP v1.0 | Ensure password protection is enabled for on-prem Active Directory |
Azure Entra ID | SP v1.0 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
Azure Entra ID | SP v1.0 | Ensure third party integrated applications are not allowed |
Azure Entra ID | SP v1.0 | Ensure user consent to apps accessing company data on their behalf is not allowed |
Azure Entra ID | SP v1.0 | Enable Conditional Access policies to block legacy authentication |
Azure Entra ID | SP v1.0 | Ensure Self service password reset enabled is set to All |
Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection sign-in risk policies |
Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users in administrative roles |
Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users |
Database Services-SQL Server – MySQL Database | SP v1.0 | Ensure to Enable In-Transit Encryption for MySQL Servers |
Virtual Machines | SP v1.0 | Approved Azure Machine Image in Use |
Virtual Machines | SP v1.0 | Azure Disk Encryption for Boot Disk Volumes |
Virtual Machines | SP v1.0 | Azure Disk Encryption for Non-Boot Disk Volumes |
Virtual Machines | SP v1.0 | Ensure Associated Load Balancers are configured |
Virtual Machines | SP v1.0 | Ensure Desired VM SKU Size are configured |
Virtual Machines | SP v1.0 | Ensure Virtual Machine Scale Sets are not empty |
Virtual Machines | SP v1.0 | Ensure Virtual Machines are configured with SSH Authentication Type |
Virtual Machines | SP v1.0 | Ensure Sufficient Daily Backup Retention Period is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Sufficient Instant Restore Retention Period is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure No Unused Load Balancers are identified to reduce cost |
Virtual Machines | SP v1.0 | Ensure No Zone-Redundant Virtual Machine Scale Sets are present |
Virtual Machines | SP v1.0 | Ensure Premium SSD are disabled to reduce cost |
Virtual Machines | SP v1.0 | Ensure Accelerated Networking for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Auto-Shutdown of Virtual Machine is enabled to reduce cost |
Virtual Machines | SP v1.0 | Ensure Automatic Instance Repairs is enabled for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Automatic OS Upgrades is enabled for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Autoscale Notifications are configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Backups for Azure Virtual Machines are configured |
Virtual Machines | SP v1.0 | Ensure Encryption for App-Tier Disk Volumes are configured |
Virtual Machines | SP v1.0 | Ensure Encryption for Web-Tier Disk Volumes are configured |
Virtual Machines | SP v1.0 | Ensure Guest-Level Diagnostics for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Instance Termination Notifications for Virtual Machine Scale Sets is configured |
Virtual Machines | SP v1.0 | Ensure Just-In-Time Access for Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure Performance Diagnostics for Azure Virtual Machines is enabled |
Virtual Machines | SP v1.0 | Ensure System-Assigned Managed Identities are enabled |
Virtual Machines | SP v1.0 | Ensure Virtual Machine Boot Diagnostics is enabled |
Virtual Machines | SP v1.0 | Ensure Health Monitoring is configured for Virtual Machines |
Virtual Machines | SP v1.0 | Ensure Old Virtual Machine Disk Snapshots are removed |
Virtual Machines | SP v1.0 | Ensure Unattached Virtual Machine Disk Volumes are removed from Virtual Machines |
Virtual Machines | SP v1.0 | Ensure BYOK for Disk Volumes Encryption is used |
Virtual Machines | SP v1.0 | Enable Virtual Machine Access using Microsoft Entra ID Authentication |
Azure Subscription | SP v1.0 | Ensure Basic and Consumption SKU Should are not Used in Production |
Azure Subscription | SP v1.0 | Ensure Azure Cloud Budget Alerts are configured |
Azure Subscription | SP v1.0 | Ensure more than one Subscription Owners are assigned |
Azure Subscription | SP v1.0 | Ensure Not Allowed Resource Types Policy Assignment is in Use |
Azure Subscription | SP v1.0 | Ensure Tags are configured on the Resources |
Azure Subscription | SP v1.0 | Ensure to remove Custom Owner Roles from Subscriptions |
Azure Subscription | SP v1.0 | Ensure Resource Locking Administrator Role is configured |
Azure Subscription | SP v1.0 | Ensure no Subscription Administrator Custom Role are not configured |
Instead of manually checking InTune iOS Settings in InTune Admin Center, which could take a significant amount of time, SmartProfiler for InTune iOS CIS Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really gives you insights about your Active Directory environment and make sure every risk is mitigated.
About SmartProfiler SmartProfiler for Entra ID is designed to mitigate security risks in the Azure
Read MoreAbout SmartProfiler SmartProfiler for Active Directory and ACTIVE DIRECTORY is designed to mitigate security risks
Read MoreOrganizations are increasingly reliant on cloud-based services to enhance productivity and collaboration. Microsoft 365, with
Read MoreCopyright © DynamicPacks Technologies