Manage USB pairing for iOS and iPadOS devices
Managing which host computers iOS and iPadOS devices can pair with is important for security and user convenience. For example, the ability to securely plug into self-service stations for updating software or sharing a Mac computer’s internet connection requires a trust relationship between the iPhone or iPad and the host computer.
Device pairing is typically performed by the user when they connect their device to a host computer with a USB cable. A prompt appears on the user’s device asking them whether they want to establish a trust relationship with the computer.
The user is then asked to enter their passcode to confirm this decision. Any further connections with the same host computer are automatically trusted going forward. Users can clear pairing trust relationships by going to Settings > General > Reset > Reset Location & Privacy, or by erasing their device. Additionally, these trust records are removed if they go 30 days without being used.
MDM management of host pairing
An administrator can manage supervised Apple devices’ ability to manually trust host computers with the restriction Allow pairing with non-Apple Configurator 2 hosts. By disabling the host pairing ability (and distributing the correct supervision identities to their devices), the administrator ensures that only trusted computers that hold a valid supervision host certificate are allowed to access the iPhone and iPad devices in question over USB. If no supervision host certificate has been configured on the host computer, all pairing is disabled.
Note: The Apple device enrolment setting allow_pairing was deprecated with iOS 13 and iPadOS 13.1. Administrators should use the above guidance going forward as it provides the same level of control, while also allowing for trusted host access.
Securing unpaired restore workflows
Starting with iOS 14.5 and iPadOS 14.5, an unpaired host computer can’t restart a device into Recovery Mode and restore it without local physical interaction. Before this change, an unauthorised user could erase and restore a user’s device without directly interacting with the iPhone or iPad. All they needed was a USB connection (for example, offered as a charging facility) to the target device and a computer.
External boot to recovery restriction
By default, iOS 14.5 and iPadOS 14.5 restrict this recovery capability to host computers that have been previously trusted. Administrators who want to opt out of this more secure behaviour can enable the restriction Allow putting an iOS or iPadOS device into Recovery Mode from an unpaired host.
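The two restrictions described above (host pairing in the MDM section, and the unpaired Recovery Mode opt-out here) are delivered as keys in an MDM Restrictions payload. The following script is an added example, not Apple's code or anything from this page: it builds a constructed configuration profile with plistlib and audits it for the weak settings, treating an absent key as the platform default. The key names allowHostPairing and allowUnpairedExternalBootToRecovery are assumed from Apple's Restrictions payload (com.apple.applicationaccess) documentation rather than taken from this page; the identifiers and UUIDs are placeholders.

```python
"""Audit an MDM configuration profile for the USB pairing restrictions.

Added example, not Apple's code. Key names are assumed from Apple's
Restrictions payload documentation (com.apple.applicationaccess).
"""
import plistlib

# Platform default that applies when the key is absent from every payload:
# manual host pairing is allowed unless restricted; unpaired boot to
# Recovery Mode is disallowed by default from iOS 14.5 / iPadOS 14.5.
RESTRICTION_DEFAULTS = {
    "allowHostPairing": True,
    "allowUnpairedExternalBootToRecovery": False,
}

# The hardened posture this audit expects: only supervision hosts may pair,
# and the more secure Recovery Mode behaviour is not opted out of.
HARDENED = {
    "allowHostPairing": False,
    "allowUnpairedExternalBootToRecovery": False,
}


def restriction_payloads(profile: dict) -> list:
    """Return every Restrictions payload inside a configuration profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.applicationaccess"]


def effective_settings(profile: dict) -> dict:
    """Merge all Restrictions payloads over the platform defaults."""
    effective = dict(RESTRICTION_DEFAULTS)
    for payload in restriction_payloads(profile):
        for key in RESTRICTION_DEFAULTS:
            if key in payload:
                effective[key] = bool(payload[key])
    return effective


def audit_profile(profile_bytes: bytes) -> list:
    """Return (key, actual, expected) for each setting weaker than HARDENED."""
    profile = plistlib.loads(profile_bytes)
    settings = effective_settings(profile)
    return [(key, settings[key], HARDENED[key])
            for key in HARDENED if settings[key] != HARDENED[key]]


def build_profile(restrictions: dict) -> bytes:
    """Build a minimal constructed profile with one Restrictions payload.

    Identifiers and UUIDs are placeholders, not values from any real deployment.
    """
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.usb",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadDisplayName": "USB pairing restrictions",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.usb",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadDisplayName": "USB pairing policy",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Constructed sample profiles: one that opts out of the Recovery Mode
# protection and leaves manual pairing at its default, and one hardened.
WEAK_PROFILE = build_profile({"allowUnpairedExternalBootToRecovery": True})
HARDENED_PROFILE = build_profile({
    "allowHostPairing": False,
    "allowUnpairedExternalBootToRecovery": False,
})

if __name__ == "__main__":
    for name, data in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_profile(data)
        print(f"{name}: {'OK' if not findings else findings}")
```

The audit deliberately reports allowHostPairing when the key is missing, because the default leaves users free to trust any host; the Recovery Mode key is only reported when a profile explicitly sets it to true, matching the opt-out the page describes.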