Apple has introduced changes in iOS 16.3 that more aggressively offers to save app passwords if Apple’s local “Keychain” is selected for Password AutoFill. On shared devices, passwords saved to local storage are a security and PHI risk.
This occurs when Apple’s Keychain plugin is enabled in Settings > Passwords > Password Options.
IMPORTANT: Be sure to uncheck “Keychain” in red to avoid unwanted local password storage.
If checked, iOS will cause a dialog to appear after authenticating to some apps such as Epic Rover.
The saved passwords are visible in Settings > Passwords to any future user of the device.
When Locker is checked but Keychain is unchecked, the above behavior is suppressed and passwords are not saved locally. Only the “Keychain” plugin will cause iOS to prompt to save passwords locally.
Remediation
Apple offers two methods to disable the Keychain plugin:
- Use an MDM restriction to disable AutoFill entirely. This will also disable GroundControl’s AutoFill feature.
- Visit each device and manually uncheck the Keychain entry in Settings > Passwords > Password Options. The Imprivata GroundControl Locker entry should remain checked to use GroundControl Password AutoFill features.
Unfortunately, Apple offers no way for apps such as GroundControl to detect this situation, so GroundControl can neither warn users nor report on device state. Although GroundControl can determine if its own AutoFill plugin is enabled or not, it can not determine the state of Apple’s Keychain plugin.
Imprivata has reported this issue to Apple. We encourage affected customers to also report this issue to Apple.