BSI announces: Apple’s data protection is sufficient for authorities

The German Federal Office for Information Security (BSI) has determined that Apple's data protection for public authorities is sufficient after an intensive review of the embedded security measures of iOS and iPadOS devices. This decision is tantamount to releasing the devices to certain departments of government agencies and public institutions.

It is important to note here that the BSI requires that mobile devices that are freely available on the market are nevertheless used with additional security precautions in government agencies. These include a mobile device management system (MDM) and a virtual private network (VPN).
So even though Apple's data protection is sufficient for use in government agencies, iOS devices cannot simply be used as is, but must be secured with additional measures.
In the following article, we will now clarify what the use of an MDM to support Apple's data protection means for authorities in practice.

How exactly was Apple's data protection for public authorities assessed?

In its announcement of 05.10.2022, the BSI states that Apple's security precautions already integrated in the system (especially in the applications e-mail, calendar and contacts) are sufficient to meet the authorities' lowest security level.

The lowest level of security is referred to as 'Classified Information - For Official Use Only' (abbreviated V-NfD) and is used for information that must be kept confidential in the interest of the state. This information may only be viewed and processed by authorized persons.

Accordingly, further security precautions must be taken when working with this information. These include, but are not limited to, access and rights management, the ability to erase data from the device, and certified data erasure at the end of the device's useful life.
In addition, it may be necessary to apply further BSI minimum standards for the secure use of IT.

How can public institutions and authorities ensure data protection when using Apple devices?

In order to be able to use mobile devices such as iPhones and iPads securely for mobile work, it is important that additional software is installed that manages these devices on a higher level. Such software is a mobile device management system (MDM). An MDM is designed to include important security-related functions and to close security gaps that can arise when using mobile devices.
With the help of an MDM, it is possible to register mobile devices such as smartphones or tablets and their associated users in a central location.
Other functions of an MDM include installing and updating apps, setting up usage policies for mobile devices, defining authorizations, and much more.
The existing data protection on Apple devices is thus usefully supplemented by an MDM.


Why is the use of an MDM generally recommended when protecting company-owned devices?

An MDM provides a kind of secure platform in the background of the device on which the other apps can work. In addition, the restrictions and policies that can be assigned contribute to secure use by specifying which Wi-Fi networks can be used, which apps can be installed and used, and so on.
In combination with an operating system that is generally classified as secure, such as Apple's iOS and iPadOS, a device can be secured to such an extent that it can be considered for use in public institutions or authorities.
Apple devices in particular are characterized by longevity and a very stable operating system. This means that public authorities can acquire good devices on the open market. More flexible use of mobile devices not only contributes to greater effectiveness, but also ensures that public authorities and offices remain attractive employers. After all, a shortage of skilled workers is also on the horizon here.
According to the BSI, Apple works very closely with auditors and would like to continue working closely with the BSI in the future. The focus on data protection could lead to Apple devices being used more often in public institutions.


But what does the BSI's classification that Apple's data protection is sufficient for authorities mean?

Information marked 'V-NfD' may only be processed by authorized persons. The applications used to process this information must meet the requirements for 'V-NfD'.

Information can be made accessible to different persons via an MDM.
If the information is stored in a separate folder structure, the MDM can control access to it. By assigning usage rights with the help of the MDM, access by unauthorized persons is prevented.
Access can also be restricted selectively, e.g. so that certain information can be accessed but other information cannot.

Role management and the division of users into groups make it possible to set up different access rights via the MDM.
This means that all users who need access to certain applications and information can be assigned to the same group. The required applications can be sent directly to the mobile devices via an installation command.

Apple's data protection is basically suitable for public authorities. To further safeguard the use of mobile devices for work, it is advisable to define not only which applications may be used by whom, but also what may not be used for data protection reasons.

This challenge is more complex than one might first assume:
On the one hand, it is necessary to ensure that the restrictions that inevitably have to be imposed do not limit employees to such an extent that work cannot be done (or workarounds are used to try to escape the security precautions); on the other hand, only defaults can ensure that security and data protection regulations are complied with.

Defaults can be, for example, the definition of secure Wi-Fi connections to which the device is allowed to connect and the exclusion of all unsecured or unknown networks. Furthermore, certain websites can be completely blocked and only work-related online applications can be allowed.
Apps can also be completely excluded from download and use.
Desired apps do not have to be downloaded from the App Store, but can also be sent directly to the device as a file, where they install automatically.
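The defaults just described (approved Wi-Fi networks only, a web allow list, apps excluded from installation) reach an iOS or iPadOS device as a configuration profile pushed by the MDM. The following Python script is an added example, not code from this article or from MobiVisor: it builds such a profile with the standard library's plistlib using Apple's documented payload types (com.apple.wifi.managed, com.apple.webcontent-filter, com.apple.applicationaccess), then re-parses the result to check that every payload carries the mandatory keys, that no PayloadUUID is duplicated, and that the user cannot remove the profile. The organisation identifier, SSID, pre-shared key, URLs and bundle IDs are constructed placeholders; the app block list needs a supervised device.

```python
"""Build and sanity-check an Apple configuration profile (.mobileconfig)
that encodes an authority's defaults: Wi-Fi allow list, web allow list,
no user-driven app installs, blocked bundle IDs. Standard library only."""
import plistlib
import uuid

# Constructed sample policy; every value here is a placeholder.
SAMPLE_POLICY = {
    "org_id": "de.example.authority",          # assumed organisation prefix
    "wifi": [{"ssid": "AUTHORITY-SECURE", "psk": "replace-with-real-psk"}],
    "permitted_urls": ["https://intranet.example.invalid",
                       "https://mail.example.invalid"],
    "blocked_apps": ["com.example.unapproved-chat", "com.example.unapproved-cloud"],
}

REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def _payload(payload_type, org_id, name, body):
    """Wrap a payload body with the common keys every profile payload needs."""
    base = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{org_id}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
    }
    base.update(body)
    return base


def build_profile(policy):
    """Turn the policy dict into the top-level profile dictionary."""
    org = policy["org_id"]
    payloads = []
    # One managed Wi-Fi payload per approved network; AutoJoin lets the device
    # join without the user ever handling the pre-shared key.
    for i, net in enumerate(policy["wifi"]):
        payloads.append(_payload("com.apple.wifi.managed", org, f"wifi{i}", {
            "SSID_STR": net["ssid"],
            "EncryptionType": "WPA2",
            "Password": net["psk"],
            "AutoJoin": True,
            "HIDDEN_NETWORK": False,
        }))
    # Built-in web content filter with an explicit list of permitted sites.
    payloads.append(_payload("com.apple.webcontent-filter", org, "webfilter", {
        "FilterType": "BuiltIn",
        "AutoFilterEnabled": True,
        "PermittedURLs": list(policy["permitted_urls"]),
    }))
    # Restrictions: users cannot install apps themselves, and the listed
    # bundle IDs are blocked (blockedAppBundleIDs requires supervision).
    payloads.append(_payload("com.apple.applicationaccess", org, "restrictions", {
        "allowAppInstallation": False,
        "blockedAppBundleIDs": list(policy["blocked_apps"]),
    }))
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Authority baseline",
        "PayloadRemovalDisallowed": True,   # user may not strip the policy
        "PayloadContent": payloads,
    }


def to_plist(profile):
    """Serialize a profile dict to the XML plist form Apple devices accept."""
    return plistlib.dumps(profile)


def validate_profile(data):
    """Parse a serialized profile and return a list of problems (empty = OK)."""
    prof = plistlib.loads(data)
    problems, seen = [], set()
    for p in [prof] + list(prof.get("PayloadContent", [])):
        for key in REQUIRED_KEYS:
            if key not in p:
                problems.append(f"{p.get('PayloadIdentifier', '?')}: missing {key}")
        if p.get("PayloadUUID") in seen:
            problems.append(f"duplicate PayloadUUID {p.get('PayloadUUID')}")
        seen.add(p.get("PayloadUUID"))
    if not prof.get("PayloadRemovalDisallowed"):
        problems.append("profile can be removed by the user")
    return problems


if __name__ == "__main__":
    blob = to_plist(build_profile(SAMPLE_POLICY))
    print(blob.decode())
    print("problems:", validate_profile(blob))
```

Running the script prints the XML profile and an empty problem list. In a real deployment the MDM signs the profile before delivery and the pre-shared key is injected from a secret store rather than written into source.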

An important interface that is a frequent target of attackers is the transfer of data within the authority and/or with outsiders, such as clients or other public institutions. Data transfer must therefore be specially secured.

Data transfer and information exchange are activities that make up a large part of the work in a public authority. Since this involves working with important and sometimes sensitive data, it is essential that this data is sent in a secure manner. To this end, certain data protection configurations can be made with the help of an MDM.
However, the direct use of a secure e-mail application, e.g. MobiVisor Secure Mail, which is embedded in the MDM and functions as a standalone e-mail application, is particularly recommended.

To communicate internally even more quickly and easily, a messenger can also be used. If this is part of the MDM, such as MobiVisor Messenger, secure communication is guaranteed.

Using a secure calendar app is also particularly important for data protection. It is often not considered that calendar apps store private and sensitive data, as they are linked to contact data, for example. Malicious calendar apps can tap the data in the process and pass it on to third parties.
Accordingly, the BSI's assessment that Apple's calendar app is sufficient for data protection for public authorities and that the devices are considered secure is particularly significant, because mobile work is almost impossible without a secure calendar app.

Apple's data protection is sufficient for public authorities. But in order to be able to use mobile devices such as iPhones or iPads there and in other institutions with particularly strict data protection regulations, they must be supplemented with security-relevant functions.

For device administration and security, it is important that the devices can be accessed quickly in the event of an emergency or for troubleshooting.
An MDM provides a central management platform for this purpose, via which administrators receive notifications in the event of a breach of usage guidelines. This makes it possible to determine at any time from which device the violation originated and to react quickly. The smartphone or tablet in question can either be blocked directly to prevent further breaches and access to the corporate network, or all data can be deleted remotely. The latter is also helpful should the mobile device be lost or stolen.
Since Apple's data protection is sufficient for government agencies, this means that there is automatically a higher level of data security due to the way the devices are set up. Still, it might make sense to set up the device specifically for work use only.
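To make the group-based assignment described earlier and the violation handling in this section concrete, here is an added example in Python (not MobiVisor's code and not a real MDM API): a small policy model in which each group defines the apps it requires, the apps it forbids and the Wi-Fi networks it may join, and device check-in records are evaluated to decide whether the administrator is merely notified, the device is locked, or it is wiped remotely. Group names, bundle IDs, SSIDs and the check-in records are all constructed sample data.

```python
"""Evaluate constructed MDM check-in records against group policy and
decide on the response: notify, lock, or wipe."""
from dataclasses import dataclass, field

# Constructed group policy: required apps, blocked apps, approved networks.
GROUP_POLICY = {
    "caseworkers": {
        "required_apps": {"de.example.securemail", "de.example.calendar"},
        "blocked_apps": {"com.example.unapproved-chat"},
        "allowed_ssids": {"AUTHORITY-SECURE"},
    },
    "it-admins": {
        "required_apps": {"de.example.securemail"},
        "blocked_apps": set(),
        "allowed_ssids": {"AUTHORITY-SECURE", "AUTHORITY-LAB"},
    },
}


@dataclass
class CheckIn:
    """What a device reports to the MDM at check-in (constructed schema)."""
    device_id: str
    user: str
    group: str
    installed_apps: set
    ssid: str
    passcode_set: bool
    reported_lost: bool = False


@dataclass
class Verdict:
    device_id: str
    violations: list = field(default_factory=list)
    action: str = "none"   # one of: none / notify / lock / wipe


def evaluate(rec):
    """Compare one check-in with its group's policy and pick a response."""
    v = Verdict(rec.device_id)
    pol = GROUP_POLICY.get(rec.group)
    if pol is None:
        # A device outside every known group gets no network access until sorted out.
        v.violations.append(f"unknown group {rec.group!r}")
        v.action = "lock"
        return v
    if rec.reported_lost:
        v.violations.append("device reported lost or stolen")
        v.action = "wipe"
        return v
    missing = pol["required_apps"] - rec.installed_apps
    forbidden = pol["blocked_apps"] & rec.installed_apps
    bad_network = bool(rec.ssid) and rec.ssid not in pol["allowed_ssids"]
    if missing:
        v.violations.append("missing required apps: " + ", ".join(sorted(missing)))
    if forbidden:
        v.violations.append("blocked apps present: " + ", ".join(sorted(forbidden)))
    if bad_network:
        v.violations.append(f"joined non-approved network {rec.ssid!r}")
    if not rec.passcode_set:
        v.violations.append("no passcode set")
    # Escalation: anything that could expose authority data (forbidden app,
    # untrusted network, no passcode) locks the device; a missing app only notifies.
    if forbidden or bad_network or not rec.passcode_set:
        v.action = "lock"
    elif missing:
        v.action = "notify"
    return v


def triage(records):
    """Map device_id -> action for every record that needs attention."""
    result = {}
    for rec in records:
        verdict = evaluate(rec)
        if verdict.action != "none":
            result[rec.device_id] = verdict.action
    return result


# Constructed check-ins covering the compliant, the risky, the lost and the incomplete device.
SAMPLE_CHECKINS = [
    CheckIn("ipad-001", "a.mueller", "caseworkers",
            {"de.example.securemail", "de.example.calendar"}, "AUTHORITY-SECURE", True),
    CheckIn("iphone-002", "b.schmidt", "caseworkers",
            {"de.example.securemail", "de.example.calendar", "com.example.unapproved-chat"},
            "CafeWLAN", True),
    CheckIn("iphone-003", "c.weber", "it-admins",
            {"de.example.securemail"}, "AUTHORITY-LAB", True, reported_lost=True),
    CheckIn("ipad-004", "d.fischer", "caseworkers",
            {"de.example.securemail"}, "AUTHORITY-SECURE", True),
]

if __name__ == "__main__":
    for rec in SAMPLE_CHECKINS:
        verdict = evaluate(rec)
        print(rec.device_id, verdict.action, verdict.violations)
```

The escalation order is the design choice worth noting: a device missing a required app is a productivity problem and only triggers a notification, whereas a forbidden app, an unapproved network or a missing passcode could expose V-NfD data and so locks the device pending an administrator's review; only a lost or stolen device is wiped without further checks.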

Mobile devices require a great deal of administrative effort in order to always remain technically up-to-date and to function without errors. Nevertheless, failures or errors can occur and must be rectified as quickly as possible.

The use of mobile devices, which are connected via various interfaces to the corporate network and all the resources available in it, requires a certain amount of practice, even for technically skilled employees. But it is not always the user who is at fault: sometimes the devices themselves do not work as they should. In this case, it is harmful to report the error too late and/or to allow too much time to elapse before correcting it, as this could widen the security gaps that have arisen. In order to be able to provide quick assistance, administrators can remotely connect to the device via MobiVisor MDM with the user's consent and identify the source of the error directly.

For an MDM to be used in an authority, it must meet certain requirements. Personal data must neither be collected nor processed in any way.

When an MDM is used in a public institution or a public authority, it must be ensured that the hosting is secure and that no company data can be leaked to unauthorized persons. A first important step is hosting in Germany, as stricter protection applies here than in many other countries. MobiVisor MDM is also hosted in Germany. Furthermore, the MDM does not store any device or personal data, but only the data necessary to use and manage the device. This ensures that no data is disclosed in the event of unauthorized access.

Conclusion:

♦ Apple's data protection is sufficient for use in public authorities, at the lowest security level.

♦ According to the BSI, the operating system of the devices must be supplemented with further security measures, e.g. a VPN and a mobile device management system.

♦ MobiVisor offers you a secure all-round package for the use of mobile devices with our MDM and the MobiVisor VPN

♦ More flexible use of mobile devices keeps government agencies and public institutions attractive employers

Would you like to know more about the use of secure devices in your institution?
Just contact us!