The Defence Signals Directorate (DSD) has certified iOS 5 for use by government agencies, allowing them to use iPhones and iPads for certain classified information.
Apple's iOS operating system has been under review for over a year to determine whether it could be used by government agencies. At a Senate Estimates committee in February last year, first assistant secretary of the Australian Government Information Management Office John Sheridan said that DSD was working with Apple to determine the level of confidentiality for which iOS would be suitable for the government's needs.
Today, the DSD cleared iOS for use by government agencies, provided that the information being communicated and stored has a classification no higher than PROTECTED.
PROTECTED is the lowest level of classification in the Australian Government Security Classification system aside from publicly available information. The other three classifications are CONFIDENTIAL, SECRET and TOP SECRET in order of sensitivity.
The classification applies to iOS 5.1 or higher, meaning the new iPad would also be included in the evaluation.
Along with the classification, DSD has released its Hardening Guide for iOS 5 (PDF) to help users configure the device for secure use. It recommends a number of security measures that users should take, in accordance with DSD's Information Security Manual, such as disabling the default setting that allows Siri to be used from a locked screen. It also states that the only native application in iOS 5 to make full use of data protection is Mail, and even this may not necessarily allow the device to safely store PROTECTED information.
"It is important for administrators to note that users can still move attachments out of Mail to other Apps that use lower data protection classes. This can happen if installed Apps have registered URL handlers for file types. For PROTECTED devices, agencies should not allow user installation of Apps," the guide read.
The guide also provides suggested policies for government agencies that wish to use the device with unclassified or PROTECTED information. Regardless of use, it states that passcodes must be enforced.
The suggested policies also indicate that it may be possible for government agencies to employ a bring-your-own-device scheme, subject to individual agencies' decisions and the devices being managed by the agency, with users agreeing to further enforceable acceptable use policies.