Cyber Essentials for iPhone / iOS: configuration guide
Exactly what Cyber Essentials v3.3 requires on iPhones and iPads - passcode, auto-update, supported-OS, Find My, and the MDM settings that evidence compliance cleanly.
Cyber Essentials v3.3 treats every iPhone and iPad used for work as an in-scope end-user device. The scheme requires a 6-character minimum passcode, automatic updates on, a supported OS version (iOS 17 or later as of 2026), device encryption (automatic on every supported iPhone), and that the device not be jailbroken. Corporate devices add MDM enrolment and a policy to enforce the above; BYOD devices used for email/Teams/Slack are covered either by full MDM or by App Protection policies (MAM) inside the apps.
1. What the scheme actually tests
Cyber Essentials v3.3's controls applied to iOS:
| Control | iOS requirement |
|---|---|
| Firewall | Not applicable on iOS (no user-exposed firewall surface) |
| Secure configuration | Passcode enforced, auto-lock, jailbreak blocked |
| Security update management | Automatic Updates on; supported iOS version |
| User access control | Each device tied to a single user; MFA on the IdP |
| Malware protection | iOS sandbox + App Store review satisfies the scheme's Option 3 (whitelist) |
2. Corporate-owned (Supervised) iPhones
For devices enrolled via Apple Business Manager + Intune / Jamf / Kandji / Mosyle, push a Configuration Profile with:
Passcode payload
- Require passcode: true
- Allow simple: false
- Minimum length: 6 (Cyber Essentials requires 6+ for mobile; for bespoke policies set 8)
- Maximum grace period for device lock: 0
- Maximum auto-lock: 2 minutes
- Maximum failed attempts: 10 (wipe on threshold for corporate)
Restrictions payload
- Allow installing apps: Managed App Store only (optional)
- Allow screen capture: business decision
- Force encrypted backups: true
- Allow pairing with non-Configurator hosts: false (supervised only)
Software Update payload (supervised)
- Force automatic software updates: true
- Force delayed software updates: false, or max 30 days
Wi-Fi / VPN payloads as needed - pre-configured Wi-Fi, per-app VPN tunnelling.
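An added example, not code from this guide or from any MDM vendor, that reads an exported Passcode payload and checks it against the values listed above before it is pushed to the fleet. The `.mobileconfig` below is constructed for the example; the payload type `com.apple.mobiledevice.passwordpolicy` and the keys `forcePIN`, `allowSimple`, `minLength`, `maxGracePeriod`, `maxInactivity` and `maxFailedAttempts` are Apple's Passcode payload keys (grace period and inactivity are in minutes). The function names `check_passcode_payload` and `with_overrides` are choices made here.

```python
import plistlib

# Apple's Passcode payload type and the values section 2 of the guide calls for.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
REQUIRED_FLAGS = {"forcePIN": True, "allowSimple": False}
# (minimum, maximum) per key; None means no bound on that side.
# maxGracePeriod and maxInactivity are minutes, maxFailedAttempts is a count.
LIMITS = {
    "minLength": (6, None),        # CE 6-character minimum (set 8 for stricter policies)
    "maxGracePeriod": (None, 0),   # require the passcode immediately on lock
    "maxInactivity": (None, 2),    # auto-lock after at most 2 minutes
    "maxFailedAttempts": (None, 10),
}

# Constructed .mobileconfig matching the guide's passcode payload (not a real tenant's profile).
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.ce.passcode</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>example.ce.passcode.policy</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><false/>
      <key>minLength</key><integer>6</integer>
      <key>maxGracePeriod</key><integer>0</integer>
      <key>maxInactivity</key><integer>2</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def find_passcode_payload(profile):
    """Return the first Passcode payload in a parsed profile, or None."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            return payload
    return None


def check_passcode_payload(mobileconfig_bytes):
    """Compare a profile's Passcode payload with the guide's values.

    Returns a list of human-readable findings; an empty list means it complies.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    payload = find_passcode_payload(profile)
    if payload is None:
        return ["profile contains no Passcode payload"]
    findings = []
    for key, expected in REQUIRED_FLAGS.items():
        if payload.get(key) != expected:
            findings.append(f"{key} should be {expected}, got {payload.get(key)!r}")
    for key, (low, high) in LIMITS.items():
        value = payload.get(key)
        if value is None:
            findings.append(f"{key} is not set (device default applies)")
            continue
        if low is not None and value < low:
            findings.append(f"{key}={value} is below the minimum of {low}")
        if high is not None and value > high:
            findings.append(f"{key}={value} is above the maximum of {high}")
    return findings


def with_overrides(mobileconfig_bytes, **overrides):
    """Return a copy of the profile with Passcode payload keys changed (to test a weak config)."""
    profile = plistlib.loads(mobileconfig_bytes)
    find_passcode_payload(profile).update(overrides)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("compliant profile:", check_passcode_payload(SAMPLE_MOBILECONFIG))
    # Failure point 4 from the guide: a profile that still permits a 4-digit simple PIN.
    weak = with_overrides(SAMPLE_MOBILECONFIG, minLength=4, allowSimple=True)
    for finding in check_passcode_payload(weak):
        print("weak profile:", finding)
```

Run it against the Passcode profile your MDM exports (Intune and Jamf both let you download the signed or unsigned `.mobileconfig`); a missing key is reported separately from a wrong value, because a key that is absent silently falls back to the device default rather than to your intended policy.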
3. BYOD iPhones
The cleaner pattern for BYOD is Mobile Application Management (MAM) without full device enrolment:
- Intune App Protection Policy (or Jamf App Config, or Mosyle's equivalent) targeting Outlook, Teams, OneDrive, SharePoint, Edge:
  - Require PIN to open the app (6-digit minimum)
  - Block copy/paste to non-managed apps
  - Encrypt app data at rest
  - Wipe app data when the user leaves the organisation or the device is jailbroken
  - Require iOS 17 or later to access
This satisfies user-access-control and secure-configuration without asserting control over the personal device.
4. Supported-OS window
Apple typically supports the current and previous major release with security patches. As of 2026 that means iOS 17 and iOS 18 are in the supported window, and iOS 16 is on its way out.
- Create a compliance rule in your MDM blocking access to corporate email from devices on iOS < 17.
- Forced software updates accelerate the tail of devices stuck on old versions.
5. Jailbreak detection
- MDM-managed devices: your MDM reports jailbreak status automatically (Intune, Jamf, Kandji, Mosyle all do).
- BYOD via MAM: App Protection Policy detects jailbreak and wipes app data on detection.
- No-MDM BYOD is out of Cyber Essentials scope for corporate data - either enrol in MDM, enrol in MAM, or stop accessing corporate data from the device.
6. Evidence assessors expect
- Compliance report from your MDM listing every managed iPhone with OS version, passcode compliance, jailbreak status
- App Protection Policy configuration export for the BYOD tail
- Inventory count matched against IdP user count
- Auto-update policy configuration screenshot
7. Common failure points
1. A small tail of executives on iPhones still running iOS 16, usually because they defer updates. Force updates via MDM with short deferral windows.
2. BYOD iPhones accessing webmail via Safari, which bypasses App Protection Policies entirely. Block legacy Exchange ActiveSync and require Outlook mobile.
3. Missing supervision on older corporate phones means you cannot force-update them. Wipe and re-enrol via Apple Business Manager.
4. Configurations that allow 4-digit PINs, which fail the 6-character-minimum clause.
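An added example, not from this guide or any MDM product, that performs the triage described in sections 4 to 7 over a compliance export: it flags the old-OS tail (section 4), jailbroken devices (section 5), unsupervised corporate phones and passcode non-compliance (section 7), and reconciles the inventory against the IdP user list (section 6). The CSV and the IdP user set are constructed for the example and the column names are assumptions; real Intune, Jamf, Kandji or Mosyle exports use their own headers and need mapping to these before `triage()` is called.

```python
import csv
import io
from collections import Counter

MIN_SUPPORTED_IOS_MAJOR = 17  # section 4: block corporate email below this major version

# Constructed MDM compliance export (assumed column names, not a real tenant).
SAMPLE_EXPORT = """\
device_name,serial,user,os_version,supervised,jailbroken,passcode_compliant
iPhone-001,SN0001,alice@example.test,18.3,true,false,true
iPhone-002,SN0002,bob@example.test,16.7.10,true,false,true
iPhone-003,SN0003,carol@example.test,17.6.1,false,false,true
iPhone-004,SN0004,dave@example.test,18.1,true,true,true
iPhone-005,SN0005,erin@example.test,18.3,true,false,false
iPad-006,SN0006,alice@example.test,18.2,true,false,true
"""

# Constructed IdP user list to reconcile the inventory against (section 6).
SAMPLE_IDP_USERS = {
    "alice@example.test", "bob@example.test", "carol@example.test",
    "dave@example.test", "erin@example.test", "frank@example.test",
}


def parse_ios_version(text):
    """'16.7.10' or 'iOS 18.3' -> (16, 7, 10) / (18, 3), so versions compare numerically."""
    return tuple(int(part) for part in text.replace("iOS", "").strip().split("."))


def _is_true(value):
    return str(value).strip().lower() in {"true", "yes", "1"}


def triage(export_text, idp_users):
    """Flag devices that would fail a v3.3 assessment and reconcile users with the IdP.

    Returns (findings, summary): findings is a list of (device, issue, detail)
    tuples; summary carries counts and the two user-reconciliation lists.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = []
    for row in rows:
        name = row["device_name"]
        # Tuple comparison: (16, 7, 10) < (17,) but (17, 6, 1) is not.
        if parse_ios_version(row["os_version"]) < (MIN_SUPPORTED_IOS_MAJOR,):
            findings.append((name, "unsupported_os", row["os_version"]))
        if not _is_true(row["supervised"]):
            findings.append((name, "unsupervised", "cannot force updates; wipe and re-enrol via ABM"))
        if _is_true(row["jailbroken"]):
            findings.append((name, "jailbroken", "block corporate data access and wipe"))
        if not _is_true(row["passcode_compliant"]):
            findings.append((name, "passcode_noncompliant", "confirm the Passcode payload reached the device"))

    inventory_users = {row["user"] for row in rows}
    summary = {
        "devices": len(rows),
        "users_with_device": len(inventory_users),
        # IdP users with no managed device: no work mobile, or an unmanaged BYOD phone (out of scope until enrolled).
        "idp_users_without_device": sorted(idp_users - inventory_users),
        # Device users missing from the IdP: likely leavers still holding corporate data.
        "device_users_not_in_idp": sorted(inventory_users - idp_users),
        "by_issue": dict(Counter(issue for _, issue, _ in findings)),
    }
    return findings, summary


if __name__ == "__main__":
    findings, summary = triage(SAMPLE_EXPORT, SAMPLE_IDP_USERS)
    for device, issue, detail in findings:
        print(f"{device}: {issue} ({detail})")
    print(summary)
```

The version comparison is deliberately tuple-based rather than a float or string comparison: `"16.7.10"` sorts after `"17.6.1"` as a string, and treating it as a float would drop the patch level, both of which would mis-classify exactly the tail of devices the assessment is interested in.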
What Fig checks
Our CE readiness scan reviews Intune / Jamf / Kandji compliance reports for iOS fleets against each v3.3 clause above and flags the tail of old-OS or unmanaged devices before you submit. Typical iOS-heavy organisations pass first-time at >95% after fixing the top 1–2 issues surfaced.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.