CCI-000097 in U Apple iOS-iPadOS 16 BYOAD V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-331290
Group ID
V-257105
Rule Version
AIOS-16-703600
Rule Title
Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).
Rule ID
SV-257105r904215_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable
False
Check Content

Review configuration settings to confirm "Allow managed apps to store data in iCloud" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow managed apps to store data in iCloud" is unchecked.

Alternatively, verify the text "<key>allowManagedAppsCloudSync</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN &Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Managed apps cloud sync not allowed" is listed.

If "Allow managed apps to store data in iCloud" is checked in the Apple iOS/iPadOS management tool, "<key>allowManagedAppsCloudSync</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Managed apps cloud sync not allowed", this is a finding.

Check System
C-60790r904213_chk
Fix Reference
F-60731r904214_fix
Fix Text

Install a configuration profile to prevent DOD applications from storing data in iCloud.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-993300
Group ID
V-257129
Rule Version
AIOS-16-712000
Rule Title
A managed photo app must be used to take and store work-related photos.
Rule ID
SV-257129r904287_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The iOS Photos app is unmanaged and may sync photos with a device user's personal iCloud account. Therefore, work-related photos must not be taken via the iOS camera app or stored in the Photos app. A managed photo app must be used to take and manage work-related photos.

SFR ID: NA

Documentable
False
Check Content

Review configuration settings to confirm a managed photos app is installed on the iOS device.

This check procedure is performed on the iPhone and iPad.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the DOD Configuration Profile from the Apple iOS/iPadOS management tool.

5. Tap "Apps".

6. Verify a photo capture and management app is listed.

If a managed photo capture and management app is not installed on the iPhone and iPad, this is a finding.

Check System
C-60814r904285_chk
Fix Reference
F-60755r904286_fix
Fix Text

Install a managed photos app to take and manage work-related photos.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
Group Title
PP-MDF-993300
Group ID
V-257133
Rule Version
AIOS-16-714600
Rule Title
Apple iOS/iPadOS 16 must disable copy/paste of data from managed to unmanaged applications.
Rule ID
SV-257133r904299_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Require managed pasteboard" is set to "True".

If "Require managed pasteboard" is not set to "True", this is a finding.

Check System
C-60818r904297_chk
Fix Reference
F-60759r904298_fix
Fix Text

Configure the Apple iOS configuration profile to disable copy/paste of data from managed to unmanaged applications.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, set "Require managed pasteboard" to "True".

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
UNCLASSIFIED