IT Professionals:
The University Information Security Office would like to bring attention to a security concern associated with iOS (and to a very narrow extent, macOS):
- iOS devices with manually configured wireless network settings may be revealing the passphrase(s) of account(s) used to sign into those wireless networks to anyone able to use the devices.
- macOS devices do not allow a user to view passwords in another user’s profile; however, any user with the password to a user account on a macOS device can view passwords in manually configured wireless settings in that account.
To mitigate this vulnerability, any unit which has deployed manually configured wireless settings on iOS devices should:
- Immediately change the password of the ADS account used on the devices to sign into the manually configured wireless network.
- Adjust the devices to forget the manually configured network.
- Avoid deploying devices with manually configured wireless network settings.
- Important: For shared/multi-user iOS devices, use Jamf Pro to push configuration profiles for wireless network settings.
- For single-user iOS devices, require end-users to configure the password for their wireless settings. These devices should not be shared.
Related Guidance:
- Configuring Wi-Fi for iOS
- Configuring Wi-Fi for macOS
- Get started with Apple device management with Jamf Pro
- About the Apple Device Enrollment Program (DEP) (IU Login required)
- Jamf Pro iPad and iPhone setup instructions (for HTS supported devices; IU Login required)
- Changing Configuration Profiles without Losing Wifi
If you have any questions or concerns, contact the UISO at uiso@iu.edu.
–IT Community Partnerships on behalf of the University Information Security Office