8

iPhone backups may reside on a computer that is outside of IT Policy (Home PC) and therefore doesn't have any Corporate IT protections on it. If this home PC was stolen or hacked, then the iPhone backup data is vulnerable as well.

Considering that some iPhones support local encryption, and there are ways to prevent what devices can connect via ActiveSync, does it make sense to enforce that all backups of the device are encrypted?

How would you go about deploying this policy and reporting on compliance? As far as I know, the Apple deployment tool may help, but may not directly help in reporting.

makerofthings7
  • 1
    Retagged, since this applies just as much to any mobile device (other smartphones, iPad, laptops, etc.), and also to any other sync technology... – AviD Dec 02 '10 at 17:25
  • 1
    In addition to the technology solution in my answer, you might want to require that the devices are only synced with company-operated computers. –  Dec 02 '10 at 18:06

1 Answer

11

I certainly think it would be useful to mandate that devices are backed up in an encrypted format, if the reason for using local encryption is that you intend the data to be encrypted ;).

On the iPhone side, you would implement the security policy using Apple's iPhone Configuration Utility to create configuration profiles that control how the device is set up. Part of that configuration profile is that you can mandate encrypted backups. That doesn't mean that it will only back up to encrypted media; it means that the backup is stored in an encrypted form with a supplied password. Interestingly, files encrypted with NSFileProtectionComplete are re-encrypted with a key derived from that password, so you can restore the backup with knowledge of the password, not necessarily the hardware key. That's useful if you have to remote-wipe a device or replace it, but still want to restore the data from a backup.
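
For the reporting half of the question, the following is an added example, not part of the original answer or any Apple tool: it checks that a configuration profile mandates encrypted backups and reports which collected backups are actually encrypted. It assumes an unsigned `.mobileconfig`, the restrictions payload key `forceEncryptedBackup`, and the `IsEncrypted` flag in a backup's `Manifest.plist`; all sample data is constructed.

```python
import plistlib

# Assumptions of this added example: the profile is an unsigned plist, the
# restrictions payload uses the forceEncryptedBackup key, and a backup's
# Manifest.plist carries an IsEncrypted boolean.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def profile_forces_encrypted_backup(profile_bytes):
    """True if any restrictions payload in the profile mandates encrypted backups."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == RESTRICTIONS_TYPE
                and payload.get("forceEncryptedBackup") is True):
            return True
    return False


def backup_is_encrypted(manifest_bytes):
    """True if the backup's Manifest.plist records the backup as encrypted."""
    return plistlib.loads(manifest_bytes).get("IsEncrypted") is True


def compliance_report(manifests):
    """Map each backup name to 'compliant', 'NOT ENCRYPTED' or 'unreadable'."""
    report = {}
    for name, raw in manifests.items():
        try:
            report[name] = "compliant" if backup_is_encrypted(raw) else "NOT ENCRYPTED"
        except Exception:  # damaged or non-plist manifest: flag it, do not pass it
            report[name] = "unreadable"
    return report


# Constructed sample data (not taken from real devices or backups).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS_TYPE, "forceEncryptedBackup": True},
    ],
})
SAMPLE_MANIFESTS = {
    "work-phone": plistlib.dumps({"IsEncrypted": True}),
    "home-pc-copy": plistlib.dumps({"IsEncrypted": False}),
    "truncated": b"not a plist",
}

if __name__ == "__main__":
    print("profile mandates encryption:", profile_forces_encrypted_backup(SAMPLE_PROFILE))
    print(compliance_report(SAMPLE_MANIFESTS))
```

An unreadable manifest is reported separately rather than counted as compliant, so a damaged or tampered backup still shows up in the report.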