Apple Platform Security

• Welcome
• Introduction
• Hardware Security and Biometrics
  • Hardware security overview
  • Secure Enclave
    • Secure Enclave overview
    • Dedicated Boot ROM
    • Anti-replay services
  • Dedicated AES engine
  • Touch ID and Face ID
    • Touch ID and Face ID overview
    • Touch ID security
    • Face ID security
    • Touch ID, Face ID, passcodes, and passwords
    • Facial matching
    • Face ID Diagnostics
    • Unlocking a device or user account
    • Securing purchases with Apple Pay
    • Other uses for Touch ID and Face ID
  • Hardware microphone disconnect in Mac
  • Express Cards with power reserve in iPhone
• System Security
  • System security overview
  • Random number generation
  • Secure boot
    • iOS and iPadOS secure boot chain
    • macOS boot modes
      • macOS boot process
      • macOS boot modes overview
      • recoveryOS and diagnostics environments
      • Internet recoveryOS and diagnostics environments
      • Microsoft Windows boot
      • Mac computers without an Apple T2 Security Chip
    • Startup Security Utility
      • Startup Security Utility overview
      • Full Security boot policy
      • Medium Security boot policy
      • Media boot policy
      • Firmware Password protection
  • Secure software updates
    • Secure software updates overview
    • Secure software update process
  • OS integrity in iOS and iPadOS
    • iOS and iPadOS system security overview
    • Kernel Integrity Protection
    • System Coprocessor Integrity Protection
    • Pointer Authentication Codes
    • Page Protection Layer
  • OS integrity in macOS
    • macOS system security overview
    • Mac firmware security
      • UEFI firmware overview
      • System Management Mode
      • DMA protections
      • Option ROMs
      • OROM sandbox
      • Peripheral firmware security
    • Mandatory access controls
    • System Integrity Protection
    • Kernel extensions
  • System security in watchOS
    • watchOS system security overview
    • Apple Watch usage
• Encryption and Data Protection
  • Encryption and Data Protection overview
  • Access to personal data
  • Role of Apple File System
  • Data Protection in iOS and iPadOS
    • Data Protection overview
    • How data files are created and protected
    • Data Protection classes
    • Accessing protected keys in recovery modes
    • Keychain data protection and data classes
      • Keychain data protection overview
      • Keychain data class protections
      • Keychain access control
  • Encryption in macOS
    • When FileVault is turned on
    • When FileVault is turned off
    • Deleting FileVault volumes
    • Preventing brute force attacks and malware
    • Managing FileVault
      • Using SecureToken
      • Using Bootstrap Token
      • When a user sets up a Mac on their own
      • When a Mac is provisioned by an organization
      • Using command-line tools
  • Passcodes and passwords
    • Passcodes
    • Activating data connections securely
    • Function of passwords
  • Authentication and digital signing
    • Digital signing and encryption
    • Keychain architecture in macOS
  • Keybags
    • Keybags overview in iOS and iPadOS
    • User keybag
    • Device keybag
    • Backup keybag
    • Escrow keybag
    • iCloud Backup keybag
• App Security
  • App security overview
  • App security in iOS and iPadOS
    • iOS and iPadOS app security overview
    • App code signing process
      • Mandatory code signing
      • How developers sign their apps
      • Verifying enterprise apps
    • Security of runtime process
      • Sandboxing
      • Use of entitlements
      • Further protections
    • Supporting extensions
    • Adopting Data Protection in apps
    • Joining an App Group
    • Verifying accessories
  • App security in macOS
    • macOS app security overview
    • App code signing process in macOS
    • Gatekeeper and runtime protection
    • Protecting against malware
    • Controlling app access to files
  • Secure features in Notes app
  • Secure features in Shortcuts app
• Services Security
  • Services security overview
  • Apple ID and Managed Apple ID
    • Apple ID and Managed Apple ID overview
    • Two-factor authentication
    • Two-step verification
    • Managed Apple IDs
  • iCloud
    • iCloud overview
    • iCloud Drive
    • iCloud Backup contents
    • CloudKit end-to-end encryption
  • Passcode and password management
    • Passcode and password management overview
    • Sign in with Apple
    • Automatic Strong Passwords
    • Password AutoFill
    • App access to saved passcodes
    • Password reuse and strength auditing
    • Sending passwords to other users or devices
    • Credential provider extensions
    • iCloud Keychain
      • iCloud Keychain overview
      • Keychain syncing
      • iCloud Keychain recovery
      • Escrow security
      • Safari integration
  • Apple Pay
    • Apple Pay overview
    • Apple Pay components
    • Secure Element and NFC controller
    • Credit, Debit, and Prepaid Cards
      • Credit, debit, and prepaid card provisioning overview
      • Adding a credit or debit card manually
      • Adding credit or debit cards from an iTunes Store account
      • Adding credit or debit cards from a card issuer’s app
      • Additional verification
    • Payment authorization
    • Transaction-specific dynamic security code
    • Pay with credit and debit cards in stores
    • Pay with credit and debit cards within apps
    • Paying with credit and debit cards on the web
    • Contactless passes
    • Render cards unusable
    • Suspending, removing, and erasing cards
    • Apple Cash
    • Apple Card
      • Apple Card application in the Wallet app
      • Apple Card payments and Apple Wallet pass details
    • Transit cards
    • Credit and debit cards for transit
    • Student ID cards
  • iMessage
    • iMessage overview
    • How iMessage sends and receives messages
    • iMessage name and photo sharing
  • Business Chat
  • FaceTime
  • Find My
    • Find My overview
    • End-to-end encryption
    • Locating missing devices
    • Keeping users and devices anonymous
    • Viewing offline devices
  • Continuity
    • Continuity overview
    • Handoff
    • Handoff between native apps and websites
    • Universal Clipboard
    • iPhone cellular call relay
    • iPhone Text Message Forwarding
    • Instant Hotspot
• Network Security
  • Network security overview
  • TLS
  • VPN
  • Wi-Fi Security
    • Protocol security
    • Deprecated protocols
    • Wi-Fi privacy
      • MAC address randomization
      • Wi-Fi frame sequence number randomization
      • Connections and hidden networks
    • Platform protections
  • Bluetooth security
  • Ultra Wideband technology
  • Single sign-on
    • Single sign-on
    • Extensible Single sign-on
  • AirDrop security
  • Wi-Fi password sharing
  • Firewall
• Developer Kits
  • Developer Kits overview
  • HomeKit
    • HomeKit identity
    • Communication with HomeKit accessories
    • Local data storage
    • Data synchronization between devices and users
    • Home data and apps
    • HomeKit and Siri
    • HomeKit IP cameras
    • HomeKit routers
    • iCloud remote access for HomeKit accessories
    • HomeKit TV Remote accessories
    • Apple TV profiles for HomeKit homes
  • HealthKit
    • HealthKit overview
    • Clinical health records and Health data integrity
    • Health data access by third-party apps
    • Medical ID for users
  • CloudKit
  • SiriKit
  • DriverKit
  • ReplayKit
    • Movie recording
    • Broadcasting
  • Camera and ARKit
• Secure Device Management
  • Secure device management overview
  • Pairing model
  • Passcode and password settings management
  • Configuration enforcement
  • Mobile device management (MDM)
  • Automated Device Enrollment
  • Apple Configurator 2
  • Device supervision
  • Device restrictions
  • Activation Lock
  • Lost Mode, remote wipe, and remote lock
  • Shared iPad
    • Shared iPad overview
    • Sign in to Shared iPad
    • Sign out of Shared iPad
  • Screen Time
• Apple’s Conformance History for Platform Security
  • ISO/IEC 27001 and ISO/IEC 27018 certifications
  • Cryptographic module validations (FIPS 140-X, ISO/IEC 19790)
  • Common Criteria Certifications (ISO/IEC 15408)
  • Additional Government approvals
  • Security configuration guides, certifications, and programs
• Glossary
• Document Revision History
• Copyright