Cracks open in DSD’s iOS shield



Several signs have emerged over the past week that the long-held reluctance of the Federal Government’s peak security certification agency to approve of Apple devices being used in the public sector may finally be coming to an end.

Apple’s iPhone range was first released in Australia in mid-2008, and has enjoyed strong adoption by both public servants and politicians, with an increasing number of those working in Australia’s government departments and agencies picking up one of the handsets over the past three years. In addition, adoption and use of Apple’s iPad tablet has shown signs of increasing rapidly over the past year since it launched in Australia.

However, despite that popularity, the Defence Signals Directorate, an agency responsible for certifying technology software and hardware as being safe for use by government workers, has not certified the Apple models. The agency’s Evaluated Products List — which aids in government purchasing of devices — lists only the Windows Mobile and BlackBerry operating systems as being certified for use.

Because of this, many parliamentarians and government bureaucrats currently carry two mobile phones — a BlackBerry for official access to government resources, and an iPhone or other device for informal work.

However, last week a number of signs emerged that all this may be set to change. Firstly, John Sheridan, the first assistant secretary of the Australian Government Information Management Office and a known iPad user, said on Twitter that the DSD’s evaluation of Apple’s iOS platform was slated to be complete by September this year. It appears this story was first broken by ZDNet.com.au.

If Apple achieves a positive rating from the agency, it could mean that a flood of government agencies will be able to officially add the Apple devices into their bulk purchasing plans over the next several years, alongside Research in Motion’s popular BlackBerry platform.

Secondly, Sheridan also noted that DSD had in the meantime published in June a guide to hardening the security on iOS devices (PDF) — including the iPod Touch, the iPhone and the iPad.

The guide stops short of approving the Apple devices for government use — stating up front that it does not constitute a DSD certification or formal evaluation of the iOS platform. In addition, DSD notes in the document that it does not recommend iOS for use at the Government’s ‘Protected’/‘Restricted’ level — only for information cleared as being ‘Unclassified’ or ‘Unclassified in-confidence’.

However, DSD acknowledged in the guide that due to “the high level usage of iOS devices in Government”, it was working closely with Apple to evaluate the iOS platform, with an expected completion date, as Sheridan mentioned, of September this year.

In its document, DSD listed a number of policies which it suggested be applied to iPhones in use in government. They range from encryption on the device, to the use of a passcode, to halting syncing of information with an iTunes account, the use of two-factor authentication with email, virtual private networks on demand and so on.

Generally, DSD’s suggestions for iPhone security become more restrictive the higher the security level of the information which is being accessed. For example, for users of high-level Restricted/Protected information, DSD recommends that only agency-approved applications be able to be installed on users’ iOS devices, and that an agency-controlled iTunes account be used. A whitelist could be used via mobile device management to ensure that only approved applications are installed.

DSD’s recommendations also have the potential to be used in wider settings than just in Government. The financial services and legal sectors, for example, are also seeing a rapid uptake in the use of iOS devices, with Westpac commonly using the iPad to share notes at executive management-level meetings. These sectors also share with governments a need to maintain protections around confidential data.

Image credit: Apple

5 COMMENTS

  1. A month back Telstra ran a session in which the Apple engineer who was sent to the DSD dungeon to complete the evaluation ran through the iOS ‘security’. No doubt he was chained to a suitcase full of “the source code” which he had to take with him at the end of the day. Supposedly the hardening guide was “tomorrow or maybe the next day”. Weeks pass…

    Anyway, pretty much the Apple iPad is owned by Apple, is in constant contact with Apple and will always be controlled by Apple. You may send some commands to the iPad if Apple feel that it is acceptable.

    However, it’s good to see DSD coming out of their shell.
