Get increased password protection on the iPhone

Companies that support iPhones, and users who simply want more security than the default 4-digit password, can use the iPhone Configuration Utility to lock one down. Vincent Danen shows you how to use it.

The iPhone is a great device, capable of doing a lot of things. It is a phone, a gaming device, a PDA. You can check the weather, stocks, read online news articles, instant message, and keep your contacts and calendars in sync. You can store TODO lists and keep your password database on it.

The iPhone carries a lot of information in a small form factor, one that can easily be lost or stolen.

There are ways to prevent unwanted people from accessing your data should your phone fall into the wrong hands. In the Settings, you can assign a 4-digit passcode and enable auto-locking of the phone so that after a set number of minutes of inactivity, the passcode to unlock is required. And, for full security, if there are 10 failed passcode attempts, the iPhone can be configured to wipe all the data on the phone.

As with all password security, however, a four-digit PIN isn't all that secure. True, there are a lot of combinations, and if the phone is set to wipe data on 10 failed attempts, perhaps a four-digit PIN is sufficient. But what if you want the ability to have a stronger passcode? The iPhone itself does not give you that ability, but the iPhone Configuration Utility does.

The iPhone Configuration Utility is available for both Windows and Mac. For Mac, you can download it here. When you download the DMG file, run the installer from the disk image to install the utility. The iPhone Configuration Utility is then installed into /Applications/Utilities/.

Once it is installed, launch iPhone Configuration Utility. From the Library pane on the left side, select Configuration Profiles. Next, select the New button from the toolbar. This creates a new configuration profile.

Fill out the fields in the Identity section as requested. This provides basic information about the profile. When done, select the Passcode section. Then click the Configure button. Here you get to define the criteria for the passcode on the iPhone.

There is a lot you can configure here. You can enforce the use of a passcode, meaning that one must be set. You can require alphanumeric characters, which allows you to use letters. You can set the minimum length and a minimum number of non-alphanumeric characters. You can also define password aging: whether the password must change every month, every year, or at another interval (up to 730 days). You can enforce mandatory auto-lock, and set the number of unique passcodes required before an old passcode may be re-used. Finally, you can set, and make mandatory, the maximum number of failed attempts before the device is wiped; up to 16 failed attempts can be allowed rather than the default 10.


For a company that provides iPhones to its employees, this allows you to create a nice security profile that enforces certain security practices. For individuals who want more flexibility than the four-digit PIN, you can use this too.

There are a number of other items that can be configured as well: defaults for email, VPNs, wireless access, LDAP, and more. Likely these sections will only be of interest for companies that manage a larger number of iPhone devices; typical users will find nothing of interest here.

When finished configuring, click the Share button. You can sign the configuration profile if you wish, to provide added security, or select None. Apple Mail will then open with an attachment: your new iPhone security profile. Email it to an address that is accessed on your phone. Once the iPhone has received the email, select the .mobileconfig attachment and install the profile. When it is installed, you will be asked to change your passcode to one that meets the criteria of the configuration you just installed.
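Before a profile goes out by email, it is worth checking what the Passcode section actually wrote into the .mobileconfig file. The following Python script is an added example, not part of the original article or of Apple's tooling: it audits an unsigned profile's passcode payload against a baseline. The key names are those of Apple's passcode-policy payload; the baseline thresholds, the `com.example` identifiers, the placeholder UUIDs and the sample profile are assumptions constructed for illustration.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"  # Apple's passcode payload type

def _int(lo, hi):
    # type() check so a stray boolean is not accepted as a number
    return lambda v: type(v) is int and lo <= v <= hi

# Hypothetical organisational baseline (assumption), keyed by Apple's payload keys.
BASELINE = {
    "forcePIN": (lambda v: v is True, "true"),            # a passcode must be set
    "requireAlphanumeric": (lambda v: v is True, "true"),
    "minLength": (_int(8, 16), "8-16"),
    "minComplexChars": (_int(1, 4), "1-4"),               # non-alphanumeric characters
    "maxPINAgeInDays": (_int(1, 365), "1-365"),           # article: tool allows up to 730
    "maxInactivity": (_int(1, 5), "1-5 minutes"),         # mandatory auto-lock
    "pinHistory": (_int(5, 50), "5-50"),                  # unique passcodes before re-use
    "maxFailedAttempts": (_int(2, 10), "2-10"),           # article: tool allows up to 16
}

def audit_profile(data: bytes) -> list[str]:
    """Return baseline violations found in an UNSIGNED .mobileconfig (a plain plist)."""
    # A signed profile is a CMS envelope and must be unwrapped before parsing.
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload in profile"]
    findings = []
    for p in payloads:
        for key, (ok, want) in BASELINE.items():
            if key not in p:
                findings.append(f"{key}: not set (want {want})")
            elif not ok(p[key]):
                findings.append(f"{key}: {p[key]!r} (want {want})")
    return findings

def sample_profile(**passcode) -> bytes:
    """Constructed sample profile with placeholder identifiers and UUIDs."""
    payload = {"PayloadType": PASSCODE_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile.passcode",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001", **passcode}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    weak = sample_profile(forcePIN=True, minLength=4, maxFailedAttempts=16)
    print("\n".join(audit_profile(weak)))
```

An empty result means every baseline key is present and within range; a key that is missing from the payload is reported as well, since an unset restriction is not enforced.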

From this point forward, you will be able to use a more secure password or passphrase on the phone, instead of the default four-digit PIN.


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.


iPhone and security do not belong in the same sentence. These toys are full of known exploits. If it had a 30 character password, it could still be cracked and all data retrieved from the device. If you want real security you use Blackberry and Blackberry Enterprise Server. What does the Department of Defense use? Blackberry.


If you use Google Apps Sync or MS Exchange Active Sync for email, the administrator can enforce password policies and long alphanumeric passwords. As soon as a user tries to collect email, the iPhone will warn them to first set up a new unlock password. Furthermore an admin can remotely wipe the phone if it's lost. It's worth noting however that only the iPhone 3GS encrypts all the data on the phone.

O & G IT Guy

Why does the user need to interact (i.e., open the email and attachment) for this policy to be implemented? From an IT perspective, if you are managing many devices it seems hard to comprehend having to tell 500 users to open the attachment (especially after training them not to open suspicious attachments) to modify their device. In my experience users can have a difficult time following simple instructions, not to mention those people that won't run the attachment after they hear from their co-workers that they are going to have to set a stronger password, or that their device will automatically lock if they run the attachment. I can already hear them saying, "Oh sorry, I thought I did open that attachment. What do you mean that someone can see all my information on my lost phone, can't you do something about that!?!"


How can you get software that will run on a PC? I have bought my wife an iPhone and I would like to use the security features that were brought out in the article. Any ideas?


Thank you!! for the link.
