  • configure your iPhone to be secure and private

This guide requires erasing your iPhone and a Mac with Apple Configurator installed.

  1. Erase the iPhone or start with a newly bought one. Make sure there's no Activation Lock if you decide to erase the iPhone.
  2. On the Mac, open Keychain Access and create a self-signed certificate for code signing. ECC 521 bits is the strongest cipher.
  3. Open Apple Configurator on the Mac and create an organization in Apple Configuration-Settings. Use the certificate created in step 2 as the supervision identity.
  4. Turn on the iPhone to the hello screen. Connect the iPhone to the Mac. Supervise your iPhone.
  5. Finish iPhone setup without logging in to an Apple account. Uninstall preinstalled apps you don't want.
  6. Create a configuration profile using Apple Configurator. You can disable many privacy-invasive features using the Restrictions payload. Sign your configuration profile using security cms -S -N "the_name_of_your_certificate" -i /path/to/your.mobileconfig -o /path/to/your/signed/output.mobileconfig
  7. Drag the signed configuration profile to your iPhone in Apple Configurator to install it.
  8. If you need to use the App Store, you can sign in to your Apple account in the App Store rather than in Settings to avoid enabling iCloud. If you need to cancel supervision, erase your iPhone. Keep your certificate in a secure place. Enable Lockdown Mode.
  9. Here is an example configuration profile. It turns off iCloud, Siri and many other features for privacy and attack surface reduction. It leaves AirDrop, AirPlay and File Sharing with other PC/Mac on.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Restrictions</string>
			<key>PayloadType</key>
			<string>com.apple.applicationaccess</string>
			<key>PayloadUUID</key>
			<string>*****************************</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.applicationaccess.************************</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>allowApplePersonalizedAdvertising</key>
			<false/>
			<key>allowAssistant</key>
			<false/>
			<key>allowAssistantWhileLocked</key>
			<false/>
			<key>allowDiagnosticSubmission</key>
			<false/>
			<key>allowEnterpriseBookBackup</key>
			<false/>
			<key>allowEnterpriseBookMetadataSync</key>
			<false/>
			<key>allowLockScreenControlCenter</key>
			<false/>
			<key>allowLockScreenNotificationsView</key>
			<false/>
			<key>allowLockScreenTodayView</key>
			<false/>
			<key>allowManagedAppsCloudSync</key>
			<false/>
			<key>allowOpenFromManagedToUnmanaged</key>
			<false/>
			<key>allowPassbookWhileLocked</key>
			<false/>
			<key>forceAirDropUnmanaged</key>
			<true/>
			<key>forceAirPlayOutgoingRequestsPairingPassword</key>
			<true/>
			<key>forceEncryptedBackup</key>
			<true/>
			<key>forceLimitAdTracking</key>
			<true/>
			<key>forceOnDeviceOnlyDictation</key>
			<true/>
			<key>forceOnDeviceOnlyTranslation</key>
			<true/>
			<key>safariAllowAutoFill</key>
			<false/>
			<key>allowAccountModification</key>
			<false/>
			<key>allowActivityContinuation</key>
			<false/>
			<key>allowAirPrint</key>
			<false/>
			<key>allowAirPrintCredentialsStorage</key>
			<false/>
			<key>allowAirPrintiBeaconDiscovery</key>
			<false/>
			<key>allowAssistantUserGeneratedContent</key>
			<false/>
			<key>allowAutoUnlock</key>
			<false/>
			<key>allowBookstore</key>
			<false/>
			<key>allowChat</key>
			<false/>
			<key>allowCloudBackup</key>
			<false/>
			<key>allowCloudDocumentSync</key>
			<false/>
			<key>allowCloudKeychainSync</key>
			<false/>
			<key>allowCloudPhotoLibrary</key>
			<false/>
			<key>allowCloudPrivateRelay</key>
			<false/>
			<key>allowDefinitionLookup</key>
			<false/>
			<key>allowDiagnosticSubmissionModification</key>
			<false/>
			<key>allowDictation</key>
			<false/>
			<key>allowGameCenter</key>
			<false/>
			<key>allowGlobalBackgroundFetchWhenRoaming</key>
			<false/>
			<key>allowiPhoneWidgetsOnMac</key>
			<false/>
			<key>allowiTunes</key>
			<false/>
			<key>allowMultiplayerGaming</key>
			<false/>
			<key>allowMusicService</key>
			<false/>
			<key>allowNews</key>
			<false/>
			<key>allowPairedWatch</key>
			<false/>
			<key>allowPasswordProximityRequests</key>
			<false/>
			<key>allowPasswordSharing</key>
			<false/>
			<key>allowPodcasts</key>
			<false/>
			<key>allowPredictiveKeyboard</key>
			<false/>
			<key>allowProximitySetupToNewDevice</key>
			<false/>
			<key>allowRadioService</key>
			<false/>
			<key>allowSharedStream</key>
			<false/>
			<key>allowSpotlightInternetResults</key>
			<false/>
			<key>allowUnpairedExternalBootToRecovery</key>
			<false/>
			<key>allowVideoConferencing</key>
			<false/>
			<key>forceAirPrintTrustedTLSRequirement</key>
			<true/>
			<key>forceAuthenticationBeforeAutoFill</key>
			<true/>
			<key>allowGenmoji</key>
			<false/>
			<key>allowImagePlayground</key>
			<false/>
			<key>allowImageWand</key>
			<false/>
			<key>allowiPhoneMirroring</key>
			<false/>
			<key>allowPersonalizedHandwritingResults</key>
			<false/>
			<key>allowWritingTools</key>
			<false/>
			<key>allowMailSummary</key>
			<false/>
			<key>allowExternalIntelligenceIntegrations</key>
			<false/>
			<key>allowExternalIntelligenceIntegrationsSignIn</key>
			<false/>
			<key>allowFindMyDevice</key>
			<false/>
			<key>allowFindMyFriends</key>
			<false/>
			<key>allowFindMyFriendsModification</key>
			<false/>
			<key>allowUSBRestrictedMode</key>
			<true/>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>profile</string>
	<key>PayloadIdentifier</key>
	<string>******************************</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadUUID</key>
	<string>******************************</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>TargetDeviceType</key>
	<integer>1</integer>
</dict>
</plist>
    Upstate1618 changed the title to configure your iPhone to be secure and private.
    1. Turn on automatic updates for iOS and apps. You may also wanna manage app permissions and location permissions for apps, including system processes.
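
A lint pass to run over the unsigned profile before signing it in step 6, as an added example that is not part of the original post: it catches mistakes such as a key name with stray whitespace or a string where a plist boolean is expected, and lists the `allow*` features the profile leaves on. The function names and the sample profile are constructed for illustration.

```python
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"  # PayloadType used by the page's profile

# Constructed sample in the page's format, with three deliberate defects.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadUUID</key><string>not-a-uuid</string>
    <key>allowCloudBackup</key><false/>
    <key> allowFindMyFriendsModification</key><false/>
    <key>forceEncryptedBackup</key><string>true</string>
    <key>allowUSBRestrictedMode</key><true/>
  </dict></array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>6F1C2B7E-0D3A-4C55-9E21-7A4B8C9D0E1F</string>
</dict></plist>"""

def payloads(data: bytes) -> list:
    """Return the top-level profile dict followed by each nested payload."""
    profile = plistlib.loads(data)
    return [profile] + list(profile.get("PayloadContent", []))

def lint_profile(data: bytes) -> list:
    """Report structural mistakes in the profile's payloads."""
    findings = []
    for p in payloads(data):
        ptype = p.get("PayloadType", "?")
        try:
            uuid.UUID(str(p.get("PayloadUUID", "")))
        except ValueError:
            findings.append(f"{ptype}: PayloadUUID is not a valid UUID")
        if ptype != RESTRICTIONS:
            continue
        for key, value in p.items():
            if key != key.strip():
                # plist keys are matched exactly, so this is a different key
                findings.append(f"{ptype}: key {key!r} has stray whitespace")
            elif isinstance(value, str) and value.lower() in ("true", "false"):
                findings.append(f"{ptype}: {key} is a string, not a plist boolean")
    return findings

def enabled_features(data: bytes) -> list:
    """List allow* keys set to true, i.e. features the profile leaves on."""
    return sorted(k for p in payloads(data) if p.get("PayloadType") == RESTRICTIONS
                  for k, v in p.items() if k.startswith("allow") and v is True)
```

To check a real file, pass the bytes of the unsigned .mobileconfig to `lint_profile` and `enabled_features`; an `allow*` key reported as on is a prompt for review, not necessarily a mistake.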

      Upstate1618 Aah, I see. That makes the difference. Which do you like better? Graphene or iOS? Which iPhone do you use?

        BaronAfanas
        I just received my iPhone 13 last week. Which I like better doesn't matter 'cause you should configure every one of your devices to be as secure as possible, whether or not it's GrapheneOS. I do like gos more because Apple is privileged on iOS while no third-party personal data collector has privilege on gos. Apple makes many useful configs only applicable to supervised iPhones because Apple doesn't want to give normal consumers more control over their own phones. Apple makes quitting Siri and iCloud very difficult and gives first-party apps and the system privileged access to diagnostic data and personalized ads. iPhone is not more private than a stock Pixel. Apple is not inherently more private than Google. iPhone is more secure than other Android phones for sure because of complete monthly patches, secure element, verified boot and a few other things.

          Upstate1618 Hello, advertising is only present in the App Store application, so I assume you've looked into it?

            Leave it in its box in the Apple Store. I know, not very constructive, but damn effective...

            Locart Personalised ads may also appear in Apple News and Stock.

            That seems like a very complicated process, and it is not in any way clear what, if anything, is accomplished by it.

              What does this do?

              I'm searching for a comparison thread between Graphene security vs apple security...what are some things that make one more secure than the other?

                AlanZ Yes, and they also say that it is the second solid choice after GrapheneOS, which also means they are not equal. Also, iOS consistently exhibits more critical vulnerabilities compared to recommended Pixels (especially when they run GrapheneOS). Having such a development team on your side, with their unprecedentedly swift actions in mitigating vulnerabilities, is an advantage.

                secrec
                The point of supervision is to apply your config profile in step 6. Many options are only applicable to supervised iPhones.

                  Graphene1
                  No, GrapheneOS is superior to iPhone. For example, there are MTE, the Sensors permission and 2FA unlock, which iPhone does not have.
