
Security and privacy for iPhone and iPad
Overview
Security and privacy features on iPhone and iPad help protect users. Know how to explain to users how apps access location services and personal and organizational data, including how a device management service configures these settings.
Find My and Activation Lock can’t be used with managed devices, but user-owned devices with an unmanaged Apple Account can still turn on Find My and Activation Lock. By actively assisting users in configuring security settings, updating software, and understanding privacy features, you can help them mitigate risks associated with mobile device usage.
App access privacy
On iPhone and iPad, users can grant apps permission to access different types of information on their device. In Privacy & Security settings, users can review which apps they allow to access certain information, as well as grant or deny any future access. This permission might include access to Location Services, Camera, Microphone, or other types of data. For a complete list, see About privacy and Location Services in iOS, iPadOS, and watchOS. An app won’t appear on the list until it asks for permission to use data. Users can add or remove permission from any app that asks for access to data. An app can use the data type in the setting only if the user gives the app permission.
Location Services
With a user’s permission, Location Services allows apps (including Maps, Camera, and Weather) and websites to use information from cellular, Wi-Fi, GPS networks, and Bluetooth to determine a user’s location. Help users understand how to turn on or off these settings to optimize app performance while balancing privacy concerns. Guide users in customizing location access for individual apps, ensuring that they share their location data only with trusted apps, thus safeguarding user privacy and conserving battery life.
Find My and Activation Lock
Depending on an organization’s device management settings and security policies, users can turn on Find My and Activation Lock on iPhone and iPad. When users face issues locating their devices, guide them through the process of using the Find My app, including turning on location services and accessing iCloud to pinpoint their device’s location. In cases where devices are lost or stolen, explain how to activate Lost Mode, providing reassurance by guiding users on how to remotely lock their device and display a custom message with contact details. Find My includes Activation Lock—a feature that’s designed to prevent anyone else from using a device if it’s ever lost or stolen. Activation Lock turns on automatically when the user turns on Find My on their device. After it’s turned on, Apple securely stores a user’s Apple Account on its activation servers and links it to their device. The user’s Apple Account password or device passcode is required before anyone can turn off Find My, erase a device, or reactivate and use a device.
In some deployments, device management might restrict Activation Lock on Apple devices for users. Two types of Activation Lock settings are available:
Organization-linked Activation Lock requires Apple School Manager or Apple Business Manager and is generally simpler to manage for organizations. It allows a device management service to fully control enabling and disabling Activation Lock through server-side interactions.
User-linked Activation Lock requires the user to have an unmanaged Apple Account (not a Managed Apple Account) and to turn on Find My. This method allows the user to lock an organization-linked device to their unmanaged Apple Account if the service has allowed Activation Lock. User-linked Activation Lock can also be cleared by a device management bypass code.
Note: Some services support both Activation Lock methods; if an attempt is made to use both, the first successful Activation Lock event takes precedence.
Stolen Device Protection for iPhone
When Stolen Device Protection is turned on, certain actions have additional security requirements when a user’s iPhone is away from familiar locations such as home or work. To help further protect critical security settings, there are also additional security requirements for certain actions on the web or other Apple devices. The user can’t update these security settings on the web at account.apple.com.
Users might have to wait a period of time before they can update these security settings on a new device.
Biometric authentication
With Stolen Device Protection, if a user’s iPhone isn’t in a familiar location, the user must authenticate with Face ID or Touch ID before they can take certain actions, including the following:
Use passwords or passkeys saved in the Passwords app.
Use payment methods saved in Safari (AutoFill).
Turn off Lost Mode.
Erase all content and settings.
Apply for a new Apple Card.
View their Apple Card or Apple Cash virtual card number.
Take certain Apple Cash and Savings actions in the Wallet app (for example, Apple Cash or Savings transfers).
Use their iPhone to set up a new device.
Security delay
With Stolen Device Protection, the user may need to wait an hour before using their iPhone to make changes to critical security settings or their Apple Account. If their iPhone isn’t in a familiar location, they must authenticate with Face ID or Touch ID, wait for the security delay to end, and authenticate with Face ID or Touch ID again to update settings such as the following:
Change an Apple Account password.
Sign out of an Apple Account.
Update Apple Account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact).
Add or remove Face ID or Touch ID.
Change the iPhone passcode.
Select the Reset All Settings option.
Enroll in a device management service.
Turn off Stolen Device Protection.
If they use their iPhone to change their Apple Account password, the location of their devices may not be visible at iCloud.com for a period of time.
Their device may end the security delay early after it detects that it has arrived at a familiar location.
In the event that a device is stolen, the security delay is designed to prevent a thief from performing critical operations so that the owner can mark the device as lost and make sure that their Apple Account is secure.
When the device is in a familiar location, these additional steps aren’t required, and the user can use the device passcode as usual. Familiar locations typically include home, work, and certain other locations where the user regularly uses their iPhone.
Stolen Device Protection can also be set to always require these additional security measures, even when the device is in a familiar location.