iPhone Pattern (SP-024)

Mobile devices are among the most frequently lost and stolen computing assets in any organisation. An iPhone carrying corporate email, documents, VPN credentials, and authentication tokens represents a concentrated data breach risk that walks out of the office every day. This pattern establishes the security controls needed to protect corporate data on iOS devices, layered on top of the device-independent security practices that apply to all endpoints.

The iPhone's security architecture provides a strong foundation to build on. Hardware-based encryption (the Secure Enclave), mandatory code signing for applications, sandboxed app execution, and a curated App Store significantly reduce the attack surface compared to other mobile platforms. However, the enterprise must still make deliberate decisions about configuration, policy, and management to translate these platform capabilities into effective organisational security. A default-configured iPhone connected to corporate email is not a secured device.

Device encryption is the first and most important control. iOS encrypts all data on the device by default when a passcode is enabled, using hardware-backed AES-256 encryption tied to the device's unique identifier and the user's passcode. The security value of this encryption depends entirely on passcode strength -- a four-digit numeric passcode provides minimal protection against a determined attacker, while a six-digit or alphanumeric passcode makes brute-force extraction significantly harder. Enterprise policy must mandate minimum passcode complexity and auto-lock timeouts.

Remote wipe provides the time-critical safety net when a device is lost or stolen. The combination of device encryption and remote wipe capability gives the organisation a short window -- between the device being reported missing and an attacker potentially gaining access -- to erase the device. This requires that the device has a data connection; an attacker who immediately places the device in airplane mode or a Faraday bag can prevent the wipe command from reaching the device. MDM enrollment and Find My iPhone/Find My network capabilities are essential for this control to function.

Application control addresses the software supply chain risk. While the App Store's review process provides a baseline level of assurance, enterprise environments need additional control over which applications can be installed, which can access corporate data, and how data flows between personal and managed applications. Mobile Device Management (MDM) and Mobile Application Management (MAM) platforms enable managed app deployment, per-app VPN, data loss prevention policies, and containerisation that separates corporate data from personal data on the same device.
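The passcode policy the paragraphs above call for is delivered to the device as an MDM configuration profile. The following is an added example (not code from the pattern page, from Apple, or from any MDM product) that builds such a profile with Python's standard plistlib and then audits it, so that a profile exported from an MDM can be checked against the pattern's minimums before it is pushed. The payload type `com.apple.mobiledevice.passwordpolicy` and its keys (`forcePIN`, `allowSimple`, `requireAlphanumeric`, `minLength`, `maxInactivity`, `maxFailedAttempts`) are Apple's; the `com.example.mdm.*` identifiers and the auto-lock and attempt-limit thresholds are constructed placeholders.

```python
"""Generate an iOS passcode-policy configuration profile and vet it against the
pattern's minimums.

Added example, not code from the pattern page or from Apple. The payload type
and keys come from Apple's Passcode Policy payload
(com.apple.mobiledevice.passwordpolicy); the identifiers, display names and the
numeric thresholds below are constructed placeholders.
"""
import plistlib
import uuid

# Thresholds this checker enforces. Six characters is what the pattern calls
# for; the auto-lock and attempt-limit numbers are assumptions for illustration.
POLICY_MINIMUMS = {
    "minLength": 6,
    "maxInactivity": 5,       # minutes of idle time before the device locks
    "maxFailedAttempts": 10,  # wrong passcodes before the device wipes itself
}


def build_passcode_payload(min_length=6, alphanumeric=False,
                           max_inactivity=5, max_failed=10):
    """Return one PayloadContent entry for the passcode-policy payload."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,                    # a passcode is mandatory
        "allowSimple": False,                # reject 111111, 123456 and similar
        "requireAlphanumeric": alphanumeric,
        "minLength": min_length,
        "maxInactivity": max_inactivity,
        "maxFailedAttempts": max_failed,
    }


def build_profile(payloads):
    """Wrap payloads in a top-level configuration profile; return plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.iphone-baseline",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iPhone baseline",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def parse_profile(xml_bytes):
    """Parse profile XML back into a dict (e.g. a profile exported from an MDM)."""
    return plistlib.loads(xml_bytes)


def check_passcode_payload(payload):
    """Return findings where the payload is weaker than POLICY_MINIMUMS.

    An empty list means the passcode policy meets the pattern's baseline.
    """
    findings = []
    if not payload.get("forcePIN", False):
        findings.append("forcePIN not set: passcode optional, so data-at-rest "
                        "encryption may never be keyed to a user secret")
    min_length = payload.get("minLength", 0)
    if min_length < POLICY_MINIMUMS["minLength"]:
        findings.append(f"minLength {min_length} below {POLICY_MINIMUMS['minLength']}")
    if payload.get("allowSimple", True):   # Apple's default for this key is true
        findings.append("allowSimple permits trivial sequences such as 123456")
    inactivity = payload.get("maxInactivity")
    if inactivity is None or inactivity > POLICY_MINIMUMS["maxInactivity"]:
        findings.append(f"maxInactivity missing or longer than "
                        f"{POLICY_MINIMUMS['maxInactivity']} minutes")
    attempts = payload.get("maxFailedAttempts")
    if attempts is None or attempts > POLICY_MINIMUMS["maxFailedAttempts"]:
        findings.append(f"maxFailedAttempts missing or above "
                        f"{POLICY_MINIMUMS['maxFailedAttempts']}")
    return findings


def audit_profile(xml_bytes):
    """Find every passcode payload in a profile and report findings per payload."""
    profile = parse_profile(xml_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            report[payload["PayloadIdentifier"]] = check_passcode_payload(payload)
    return report


if __name__ == "__main__":
    xml = build_profile([build_passcode_payload()])
    print(xml.decode())
    print("findings:", audit_profile(xml))
```

The checker deliberately treats a missing key as a failure: Apple's defaults for an absent `forcePIN` and `allowSimple` are the permissive ones, so a profile that simply omits them enrolls devices with no mandatory passcode and no protection against trivial sequences.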
Release: 26.02 | Authors: Aurelius, Vitruvius | Updated: 2026-02-06

ATT&CK coverage: this pattern addresses 245 techniques across 13 tactics.
[Figure: SVG actor and control diagram. Actors shown: App Developer, iPhone User, Corporate Security Officer, Hacker/Criminal, Apple iTunes App Store, Client Mod. The diagram maps these actors onto the full NIST SP 800-53 control catalogue (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SC and SI families); the controls this pattern selects are listed under Key Control Areas below. Actor annotations recovered from the diagram: application sandboxing, hardware-based encryption, local and remote wipe, app signing; enforces data encryption, uses PBKDF2 to derive a key from the password, implements SRP, offers two-factor authentication; publishes coding guidelines, screens apps before publishing, removes apps once known as malware; configures passcode policy and remote wipe, configures VPN access to corporate servers; steals the iPhone, brute-force guesses the passcode, reads out all information from the iPhone; sets auto-lock with password/passcode, updates apps and iOS, activates the kill switch, encrypts backups.]


Key Control Areas

  • Security Awareness for Mobile Users (AT-02, PL-04): User awareness (AT-02) is foundational for mobile security because the device operates outside the physical and network controls of the corporate environment. Users must understand their responsibilities: enabling passcodes, reporting lost devices immediately, avoiding untrusted Wi-Fi networks, recognising mobile phishing, and understanding what corporate data is on their device. Rules of behaviour (PL-04) should explicitly cover acceptable use of mobile devices -- what corporate data may be stored, what applications may be installed alongside corporate apps, whether personal use is permitted on corporate devices, and the consequences of jailbreaking or circumventing security controls. These rules must be acknowledged before the user receives device access.
  • Cryptography and Device Encryption (SC-13, IA-07): Use of cryptography (SC-13) governs the encryption of data at rest on the device. iOS provides hardware-backed AES-256 encryption via the Secure Enclave, but its effectiveness depends on passcode policy -- enforce minimum six-digit or alphanumeric passcodes via MDM. Cryptographic module authentication (IA-07) covers the integrity of the encryption implementation itself and the authentication mechanisms used to unlock the device, including biometrics (Face ID, Touch ID) and their integration with the Secure Enclave. Ensure that corporate VPN and email connections use certificate-based authentication with certificates stored in the device's keychain, protected by the Secure Enclave.
  • Application and Software Control (SA-03, SA-07): User-installed software control (SA-07) is critical in an enterprise mobile context. Define policies for which App Store applications are permitted or blocked, deploy enterprise applications through MDM, and prevent installation of applications from untrusted sources. Detect and respond to jailbroken devices, which bypass the iOS security model entirely. Life cycle support (SA-03) covers the device lifecycle from provisioning through to decommissioning: initial MDM enrollment and configuration, ongoing OS update management, application updates, and secure device wiping at end of life or when an employee departs. Maintain a device inventory with hardware identifiers, assigned users, OS versions, and compliance status.
  • Access Agreements and Acceptable Use (PS-06): Access agreements (PS-06) formalise the terms under which a user receives access to corporate resources on a mobile device. For corporate-owned devices, the agreement covers acceptable use, monitoring scope, and the organisation's right to wipe the device. For BYOD (bring your own device), the agreement must address the more complex question of organisational rights over a personal device: what corporate data is stored, the organisation's right to selectively wipe corporate data, and the user's obligations regarding device security. Without a clear, signed agreement, the organisation's ability to enforce security policy or perform remote wipe on personal devices is legally and practically compromised.
  • Malicious Code Protection (SI-03): While iOS's sandboxing and mandatory code signing provide strong protection against traditional malware, the threat landscape is not zero. Mobile-specific threats include malicious profiles, enterprise certificate abuse, and sophisticated spyware (such as Pegasus-class exploits) that target iOS vulnerabilities. MDM-deployed threat detection capabilities, regular OS patching, and monitoring for indicators of compromise (unusual data exfiltration, unexpected profiles, jailbreak indicators) provide layered protection. Ensure that the MDM platform can detect and quarantine non-compliant devices -- for example, devices running outdated iOS versions with known vulnerabilities.
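The inventory that SA-03 calls for (hardware identifiers, assigned users, OS versions, compliance status) only earns its keep if something evaluates it and quarantines non-compliant devices, as SI-03 requires. The following is an added example, not code from the pattern page or from any MDM product, of that triage step in Python. The device records, the iOS baseline version and the check-in threshold are constructed assumptions; in practice they would come from the MDM's inventory API and the organisation's patch baseline. The check-in rule also covers the remote-wipe assumption above: a device that has not talked to the MDM recently cannot be relied on to receive a wipe command, so its corporate access should be cut off rather than waited on.

```python
"""Triage an MDM device inventory into compliant and quarantine sets.

Added example, not code from the pattern page or from any MDM product. The
inventory records, the iOS baseline version and the check-in threshold are
constructed assumptions; a real deployment would pull these from the MDM's
inventory API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_IOS = "17.4"                        # placeholder patch baseline
MAX_CHECKIN_AGE = timedelta(hours=24)   # assumption: beyond this a remote
                                        # wipe command may never be delivered


@dataclass
class Device:
    udid: str
    user: str
    os_version: str
    supervised: bool
    jailbreak_detected: bool      # from the MDM agent's integrity check
    passcode_compliant: bool      # device reports the passcode profile satisfied
    last_checkin: datetime


def parse_version(text):
    """'16.7.2' -> (16, 7, 2); pad so '17.4' and '17.4.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def evaluate(device, now):
    """Return (status, reasons) for one device."""
    reasons = []
    if device.jailbreak_detected:
        reasons.append("jailbreak indicator: sandbox and code-signing guarantees void")
    if parse_version(device.os_version) < parse_version(MIN_IOS):
        reasons.append(f"iOS {device.os_version} below baseline {MIN_IOS}")
    if not device.passcode_compliant:
        reasons.append("passcode policy not satisfied: data-at-rest encryption weakened")
    age = now - device.last_checkin
    if age > MAX_CHECKIN_AGE:
        reasons.append(f"no MDM check-in for {age.days}d {age.seconds // 3600}h: "
                       "remote wipe not deliverable")
    return ("quarantine" if reasons else "compliant", reasons)


def triage(devices, now):
    """Map each UDID to its (status, reasons); quarantined devices lose access."""
    return {d.udid: evaluate(d, now) for d in devices}


# Constructed sample inventory, evaluated at a fixed instant for repeatability.
NOW = datetime(2026, 2, 9, 9, 0)   # a Monday morning
SAMPLE_DEVICES = [
    Device("UDID-0001", "alice", "17.5",   True,  False, True,  NOW - timedelta(hours=2)),
    Device("UDID-0002", "bob",   "16.7.2", True,  False, True,  NOW - timedelta(hours=1)),
    Device("UDID-0003", "carol", "17.5",   False, True,  False, NOW - timedelta(minutes=30)),
    # last seen Friday evening: the "lost Friday, reported Monday" case
    Device("UDID-0004", "dave",  "17.4",   True,  False, True,  NOW - timedelta(days=2, hours=15)),
]

if __name__ == "__main__":
    for udid, (status, reasons) in triage(SAMPLE_DEVICES, NOW).items():
        print(udid, status, *reasons, sep="\n  ")
```

Feeding the quarantine set into conditional-access rules (revoking the device's VPN certificate and mail tokens) is what turns the inventory into a control; the evaluation alone only produces a list.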

When to Use

Apply this pattern whenever iPhones carry corporate or sensitive data, including email, documents, credentials, or access to corporate applications. It applies to both corporate-owned and BYOD devices that access organisational resources. It is mandatory in regulated industries (financial services, healthcare, government) where data protection regulations require encryption and remote wipe capability for mobile devices handling regulated data. Use it when employees travel internationally with devices containing sensitive data, where physical theft and border device inspection are elevated risks.

When NOT to Use

If an iPhone is used purely for personal purposes with no corporate data, email, or application access, this pattern does not apply. The pattern is designed for iOS devices and does not directly apply to Android -- while the principles are similar, the control implementations differ significantly. This pattern addresses device-level security; it does not cover the network security of mobile connections (see the Wireless patterns SP-006 and SP-007) or application-level security of mobile apps beyond basic installation control.

Typical Challenges

BYOD environments create tension between organisational security requirements and user privacy expectations -- users resist MDM enrollment on personal devices due to concerns about monitoring and remote wipe scope. Maintaining consistent security policy across a fleet of devices running different iOS versions is difficult, particularly when users delay OS updates. The short window for remote wipe effectiveness means that device loss reporting procedures must be fast and available 24/7 -- a device reported missing on Monday morning after being lost Friday evening may already be compromised. Jailbreaking detection is a cat-and-mouse game as new techniques emerge to hide jailbreak status from MDM checks. Enterprise applications distributed outside the App Store require management of enterprise signing certificates, which have been abused for malware distribution. Cost and operational overhead of MDM platforms for smaller organisations can be significant.

Threat Resistance

Unless an attacker is able to shield the phone from data connections, the combination of remote wipe and device encryption gives the organisation a short time window to activate remote wipe after a device is detected as stolen. Hardware encryption protected by a strong passcode resists physical data extraction by opportunistic thieves and criminals with low technical capability. Application sandboxing and mandatory code signing resist malware installation and data leakage between applications. MDM-enforced configuration prevents users from weakening security settings. These methods protect against opportunistic theft and casual data compromise. Targeted attacks against a specific person's iPhone by a sophisticated adversary with the intent to steal data from that specific device (nation-state level, Pegasus-class exploits) require additional protection mechanisms beyond what this pattern covers, including physical security awareness, high-value target protocols, and potentially hardware-level protections.

Assumptions

These recommendations are suggested on top of accepted best practices that are independent of the device type, such as network security, identity management, and data classification. The organisation has or is willing to deploy a Mobile Device Management (MDM) platform capable of enforcing configuration profiles, deploying certificates, and issuing remote wipe commands. Users have been informed about and consented to enterprise management of their device (particularly relevant for BYOD). The device maintains periodic data connectivity to receive management commands, including remote wipe. iOS is kept reasonably up to date, as the encryption and security model depends on the integrity of the operating system.

Developing Areas

  • Managed Apple IDs versus personal Apple IDs in enterprise environments remain a source of architectural friction. Apple Business Manager supports managed Apple IDs for corporate device management, but they lack feature parity with personal Apple IDs -- no personal iCloud, limited App Store access, and reduced Continuity features. Many organisations still allow personal Apple IDs on corporate devices as a pragmatic compromise, undermining the managed app ecosystem. Apple is progressively closing this gap, but the transition to fully managed identities requires rethinking the BYOD model that most enterprises depend on.
  • EU Digital Markets Act sideloading requirements are creating new security challenges for enterprise iOS management. The DMA requires Apple to allow alternative app marketplaces and direct app installation outside the App Store in the EU, fundamentally undermining one of the strongest security controls in the iOS ecosystem -- the curated App Store with mandatory code review. Enterprise MDM policies will need to evolve to restrict sideloading on managed devices, but the enforcement mechanisms and MDM profile capabilities for controlling alternative marketplace access are still maturing.
  • Apple Lockdown Mode for high-risk users represents an emerging tier in enterprise mobile security architecture. Designed for journalists, activists, and executives targeted by state-sponsored spyware, Lockdown Mode dramatically restricts the device's attack surface by disabling JIT compilation, most message attachment types, and incoming FaceTime from unknown contacts. Organisations protecting high-value targets are beginning to mandate Lockdown Mode via MDM profiles, but the usability impact is significant and no established framework exists for determining which users should operate in this mode versus standard configuration.
  • MDM bypass techniques continue to evolve as a cat-and-mouse game between Apple's security model and adversaries. Techniques including profile removal on unsupervised devices, USB-C exploit chains, and carrier-level attacks that intercept MDM commands create gaps in enterprise mobile security. Apple's move toward requiring device supervision for full MDM control has helped, but many organisations still manage a mixed fleet of supervised and unsupervised devices with inconsistent security postures.
Controls (by family: AT: 1, IA: 1, PL: 1, PS: 1, SA: 2, SC: 1, SI: 1)

  • AT-02 Security Awareness
  • IA-07 Cryptographic Module Authentication
  • PL-04 Rules Of Behavior
  • PS-06 Access Agreements
  • SA-03 Life Cycle Support
  • SA-07 User Installed Software
  • SC-13 Use Of Cryptography
  • SI-03 Malicious Code Protection