CCI-000097 in U Apple iOS-iPadOS 17 V2R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED

Group Title

PP-MDF-993300

Group ID

V-258355

Rule Version

AIOS-17-012000

Rule Title

A managed photo app must be used to take and store work-related photos.

Rule ID

SV-258355r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

The iOS Photos app is unmanaged and may sync photos with a device user's personal iCloud account. Therefore, work-related photos must not be taken via the iOS camera app or stored in the Photos app. A managed photo app must be used to take and manage work-related photos.

SFR ID: NA

Documentable

False

Check Content

Review configuration settings to confirm a managed photos app is installed on the iOS device.

This check procedure is performed on the iPhone and iPad.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the DOD Configuration Profile from the Apple iOS/iPadOS management tool.

5. Tap "Apps".

6. Verify a photo capture and management app is listed.

If a managed photo capture and management app is not installed on the iPhone and iPad, this is a finding.

Check System

C-62096r927746_chk

Fix Reference

F-62020r927747_fix

Fix Text

Install a managed photos app to take and manage work-related photos.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

Group Title

PP-MDF-993300

Group ID

V-258356

Rule Version

AIOS-17-012200

Rule Title

Apple iOS/iPadOS 17 must implement the management setting: enable USB Restricted Mode.

Rule ID

SV-258356r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

The USB lightning port on an iOS device can be used to access data on the device. The required settings ensure the Apple device password is entered before a previously trusted USB accessory can connect to the device.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow USB Restricted Mode" is enabled.

This check procedure is performed on both the device management tool and the iPhone and iPad device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow USB Restricted Mode" is checked (set to "True").

On the iPhone/iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify there is no listing for "USB Accessories while locked allowed".

If "Allow USB Restricted Mode" is not enabled in the management tool and there is a restriction listed in the profile on the Apple device, this is a finding.

Note: The default configuration setting for "allow USB Restricted Mode" is "True" in most MDM products. This is the required setting. When set correctly, nothing will be listed in the Restrictions profile, and the user will be able to toggle USB accessories on/off.

Note: "Allow USB Restricted Mode" may be called "Allow USB accessories while device is locked" in some MDM consoles. The required logic is to disable USB accessory connections when the device is locked.

Check System

C-62097r927749_chk

Fix Reference

F-62021r927750_fix

Fix Text

Install a configuration profile to configure "Allow USB Restricted Mode" to "True" in the management tool. This a supervised-only control.

Note: This control is called "Allow USB accessories while device is locked" in Apple Configurator, and the control logic is opposite to what is listed here. Ensure the MDM policy rule is set correctly (to disable USB accessory connections when the device is locked).

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258359

Rule Version

AIOS-17-012500

Rule Title

Apple iOS/iPadOS 17 must implement the management setting: disable AirDrop.

Rule ID

SV-258359r959010_rule

Rule Severity

● Low

Rule Weight

10.0

Vuln Discussion

AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained access to the information broadcast by this feature, the attacker may distribute this sensitive information very quickly and without DOD's control or awareness. By disabling this feature, the risk of mass data exfiltration will be mitigated.

Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

Determine if the site authorizing official (AO) has approved the use of AirDrop for unmanaged data transfer. Look for a document showing approval. If AirDrop is not approved, review configuration settings to confirm it is disabled. If approved, this requirement is not applicable.

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the authorizing official [AO] has not approved the use of AirDrop for unmanaged data transfer).

If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures:

This check procedure is performed on both the device management tool and the iPhone and iPad device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow AirDrop" is unchecked.

On the iPhone/iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirDrop not allowed" or "Sharing managed documents using Airdrop not allowed" is listed.

If the AO has not approved AirDrop and "AirDrop not allowed" is not listed in the management tool and on the Apple device, this is a finding.

Check System

C-62100r927758_chk

Fix Reference

F-62024r927759_fix

Fix Text

If the AO has not approved the use of AirDrop for unmanaged data transfer, install a configuration profile to disable the "Allow AirDrop" control in the management tool. This a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258360

Rule Version

AIOS-17-012600

Rule Title

Apple iOS/iPadOS 17 must implement the management setting: disable paired Apple Watch.

Rule ID

SV-258360r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

Authorizing official (AO) approval is required before an Apple Watch (DOD owned or personally owned) can be paired with a DOD-owned iPhone to ensure the AO has evaluated the risk in having sensitive DOD data transferred to and stored on an Apple Watch in their operational environment.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

Determine if the site AO has approved the use of Apple Watch with DOD-owned iPhones. Look for a document showing approval. If not approved, review configuration settings to confirm "Allow Paired Watch" is disabled. If approved, this requirement is not applicable.

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the AO has not approved the use of Apple Watch for unmanaged data transfer).

If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures:

This check procedure is performed on both the device management tool and the iPhone.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow Paired Watch" is unchecked.

On the iPhone:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Paired Apple Watch not allowed" is listed.

If the AO has not approved pairing an Apple Watch with a DOD-owned iPhone and "Paired Apple Watch not allowed" is not listed both in the management tool and on the Apple device, this is a finding.

Check System

C-62101r927761_chk

Fix Reference

F-62025r927762_fix

Fix Text

If the AO has not approved the use of Apple Watch with DOD-owned iPhones, install a configuration profile to disable the Apple Watch control in the management tool. This a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258361

Rule Version

AIOS-17-012650

Rule Title

Apple iOS/iPadOS 17 must implement the management setting: approved Apple Watches must be managed by an MDM.

Rule ID

SV-258361r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

Determine if the site AO has approved the use of Apple Watch with DOD-owned iPhones. Look for a document showing approval. If not approved, this requirement is not applicable.

If approved, verify on the MDM server that the Apple Watch is being managed by the MDM. Have the MDM system administrator show that the Apple Watch is being managed by the MDM.

If the AO has approved pairing an Apple Watch with a DOD-owned iPhone and the Apple Watch is not being managed by the site MDM server, this is a finding.

Note: The iPhone paired to the Apple Watch must be supervised for the MDM to manage the Apple Watch.

Check System

C-62102r927764_chk

Fix Reference

F-62026r927765_fix

Fix Text

If the AO has not approved the use of Apple Watch with DOD-owned iPhones, this requirement is not applicable.

If the AO has approved the use of Apple Watch with DOD-owned iPhones, enroll the Apple Watch in MDM management.

Note: The iPhone paired to the Apple Watch must be supervised for the MDM to manage the Apple Watch.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258362

Rule Version

AIOS-17-012700

Rule Title

Apple iOS/iPadOS 17 must disable "Password AutoFill" in browsers and applications.

Rule ID

SV-258362r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone and iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Password AutoFill is not allowed" is disabled.

This check procedure is performed on both the iOS/iPadOS device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Password AutoFill is not allowed" is unchecked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Password AutoFill is not allowed" is listed.

If "Password AutoFill is not allowed" is not enabled in the iOS/iPadOS management tool and on the Apple device, this is a finding.

Check System

C-62103r927767_chk

Fix Reference

F-62027r927768_fix

Fix Text

Install a configuration profile to disable allow Password AutoFill in the management tool. This a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258363

Rule Version

AIOS-17-012800

Rule Title

Apple iOS/iPadOS 17 must disable allow setting up new nearby devices.

Rule ID

SV-258363r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

This control allows Apple device users to request passwords from nearby devices. This could lead to a compromise of the device password with an unauthorized person or device. DOD Apple device passwords must not be shared.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow setting up new nearby devices" is disabled.

This check procedure is performed on both the iOS/iPadOS device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Proximity setup to a new device is not allowed" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Proximity setup to a new device is not allowed" is not listed.

If "Proximity setup to a new device is not allowed" is disabled in the iOS/iPadOS management tool and on the Apple device, this is a finding.

Check System

C-62104r927770_chk

Fix Reference

F-62028r927771_fix

Fix Text

Install a configuration profile to disable allow setting up new nearby devices in the management tool. This a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258364

Rule Version

AIOS-17-012900

Rule Title

Apple iOS/iPadOS 17 must disable password proximity requests.

Rule ID

SV-258364r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

This control allows one Apple device to be notified to share its password with a nearby device. This could lead to a compromise of the device password with an unauthorized person or device. DOD Apple device passwords must not be shared.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow Password Proximity Requests" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow Password Proximity Requests" is unchecked.

On the iPhone and iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Proximity password requests not allowed" is listed.

If "Proximity password requests not allowed" is not listed in the management tool and on the Apple device, this is a finding.

Check System

C-62105r935482_chk

Fix Reference

F-62029r935483_fix

Fix Text

Install a configuration profile to disable "allow password proximity requests" in the management tool. This is a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258365

Rule Version

AIOS-17-013000

Rule Title

Apple iOS/iPadOS 17 must disable password sharing.

Rule ID

SV-258365r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

This control allows sharing passwords between Apple devices using AirDrop. This could lead to a compromise of the device password with an unauthorized person or device. DOD Apple device passwords must not be shared.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Password Sharing is not allowed" is enabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Password Sharing is not allowed" is checked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Password Sharing is not allowed" is listed.

If "Password Sharing is not allowed" is not enabled in the management tool and on the Apple device, this is a finding.

Check System

C-62106r927776_chk

Fix Reference

F-62030r927777_fix

Fix Text

Install a configuration profile to disable allow password proximity sharing in the management tool. This a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258366

Rule Version

AIOS-17-013100

Rule Title

Apple iOS/iPadOS 17 must disable "Find My Friends" in the "Find My" app.

Rule ID

SV-258366r959010_rule

Rule Severity

● Low

Rule Weight

10.0

Vuln Discussion

This control does not share a DOD user's location but encourages location sharing between DOD mobile device users, which can lead to operational security (OPSEC) risks. Sharing the location of a DOD mobile device is a violation of AIOS-17-011700.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Find My Friends" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow Find My Friends" and "Allow modifying Find My Friends" are unchecked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow Find My Friends" is not listed and "Changing Find My Friends settings not allowed" is listed.

If "Allow Find My Friends" and "Allow modifying Find My Friends" are not disabled in the management tool and on the Apple device "Allow Find My Friends" is listed and "Changing Find My Friends settings not allowed" is not listed, this is a finding.

Check System

C-62107r927779_chk

Fix Reference

F-62031r927780_fix

Fix Text

Install a configuration profile to disable "Find My Friends" in the Find My app and "Allow modifying Find My Friends" in the management tool. This a supervised-only control.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258367

Rule Version

AIOS-17-013200

Rule Title

The Apple iOS/iPadOS 17 must be supervised by the MDM.

Rule ID

SV-258367r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

When an iOS/iPadOS is not supervised, the DOD mobile service provider cannot control when new iOS/iPadOS updates are installed on site-managed devices. Most updates should be installed immediately to mitigate new security vulnerabilities, while some sites need to test each update prior to installation to ensure critical missions are not adversely impacted by the update.

Several password and data protection controls can be implemented only when an Apple device is supervised.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

Review configuration settings to confirm site-managed iOS/iPadOS devices are supervised.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify all managed Apple devices are supervised (verification procedure will vary by MDM product).

Note: If the Apple device is not managed by an MDM and supervision is set up via Apple Configurator, this procedure is not applicable.

On the iPhone and iPad:

1. Open the Settings app.

2. Verify a message similar to the following appears on the screen: "This iPad is supervised by (name of site DOD mobile service provider)."

If site-managed iOS/iPadOS devices are not supervised, this is a finding.

Check System

C-62108r927782_chk

Fix Reference

F-62032r927783_fix

Fix Text

Use one of the following methods to supervise iOS and iPadOS devices managed by the DOD mobile service provider.

Method 1:

- Register all current and new iOS and iPadOS devices in the DOD mobile service provider's Automated Device Management/Apple Business Manager (ABM) account.

- Enable supervision of managed iOS/iPadOS devices in the MDM.

Method 2:

- Configure each iOS/iPadOS device using the Apple Configurator tool for Supervision.

- This method is usually only appropriate when MDM management of the DOD Apple device is not appropriate or an older device cannot be registered in ABM.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258371

Rule Version

AIOS-17-014300

Rule Title

Apple iOS/iPadOS 17 must disable "Allow network drive access in Files access".

Rule ID

SV-258371r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

Allowing network drive access by the Files app could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and compromise of sensitive DOD information and systems.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow network drive access in Files access" is unchecked.

On the iPhone and iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Network drives not accessible in Files app" is listed.

If "Allow network drive access in Files access" is not disabled in the management tool and "Network drives not accessible in Files app" is not listed in Profile Restrictions on the Apple device, this is a finding.

Check System

C-62112r927794_chk

Fix Reference

F-62036r927795_fix

Fix Text

Install a configuration profile to disable "Allow network drive access in Files access".

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258372

Rule Version

AIOS-17-014400

Rule Title

Apple iOS/iPadOS 17 must disable connections to Siri servers for the purpose of dictation.

Rule ID

SV-258372r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information. Dictation information could contain sensitive DOD information and therefore should not leave the DOD control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Disable connections to Siri servers for the purpose of dictation" is disabled.

This check procedure is performed on the device management tool.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Disable connections to Siri servers for the purpose of dictation" is checked.

If connections to Siri servers are not disabled for dictation, this is a finding.

Check System

C-62113r927797_chk

Fix Reference

F-62037r927798_fix

Fix Text

Configure the Apple iOS configuration profile to disable connections to Siri servers for the purpose of dictation. This a supervised-only control.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, select "disable connections to Siri servers for the purpose of dictation".

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258373

Rule Version

AIOS-17-014500

Rule Title

Apple iOS/iPadOS 17 must disable connections to Siri servers for the purpose of translation.

Rule ID

SV-258373r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information. Translation information could contain sensitive DOD information and therefore should not leave the DOD control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This check procedure is performed on the device management tool.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Disable connections to Siri servers for the purpose of translation" is checked.

If connections to Siri servers are not disabled for translation, this is a finding.

Check System

C-62114r927800_chk

Fix Reference

F-62038r927801_fix

Fix Text

Configure the Apple iOS configuration profile to disable connections to Siri servers for the purpose of translation.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, select "disable connections to Siri servers for the purpose of translation".

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-993300

Group ID

V-258374

Rule Version

AIOS-17-014600

Rule Title

Apple iOS/iPadOS 17 must disable copy/paste of data from managed to unmanaged applications.

Rule ID

SV-258374r959010_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Require managed pasteboard" is set to "True".

If "Require managed pasteboard" is not set to "True", this is a finding.

Check System

C-62115r927803_chk

Fix Reference

F-62039r927804_fix

Fix Text

Configure the Apple iOS configuration profile to disable copy/paste of data from managed to unmanaged applications.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

In the MDM console, set "Require managed pasteboard" to "True".

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-333250

Group ID

V-259187

Rule Version

AIOS-17-003200

Rule Title

Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud document and data synchronization).

Rule ID

SV-259187r958524_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable

False

Check Content

Note: This requirement is not applicable if the authorizing official (AO) has approved users' full access to the Apple App Store for downloading unmanaged (personal) apps and syncing personal data on the device with personal cloud data storage accounts. The site must have an AO-signed document showing the AO has assumed the risk for users' full access to the Apple App Store.

Review configuration settings to confirm "Allow iCloud documents & data" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

This requirement will become "Supervised only" in a future iOS/iPadOS release.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow iCloud documents & data" is unchecked.

Alternatively, verify the text "<key>allowCloudDocumentSync</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the policy.

5. Tap "Restrictions".

6. Verify "Documents in the Cloud not allowed" is listed.

Note: This also verifies that iCloud Drive and iCloud Photo Library are disabled.

If "Allow iCloud documents & data" is checked in the Apple iOS/iPadOS management tool, "<key>allowCloudDocumentSync</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Documents in the Cloud not allowed", this is a finding.

Check System

C-62927r935529_chk

Fix Reference

F-62836r935530_fix

Fix Text

Install a configuration profile to disable iCloud documents and data.

This requirement will become "Supervised only" in a future iOS/iPadOS release.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-333250

Group ID

V-259188

Rule Version

AIOS-17-003300

Rule Title

Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud Keychain).

Rule ID

SV-259188r958524_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable

False

Check Content

Review configuration settings to confirm iCloud keychain is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow iCloud keychain" is unchecked.

Alternatively, verify the text "<key>allowCloudKeychainSync</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Verify "iCloud Keychain not allowed" is listed.

If "Allow iCloud keychain" is checked in the Apple iOS/iPadOS management tool, "<key>allowCloudKeychainSync</key><true/>" appears in the configuration profile, or "iCloud Keychain not allowed" is not listed on the iPhone and iPad, this is a finding.

Check System

C-62928r935532_chk

Fix Reference

F-62837r935533_fix

Fix Text

Install a configuration profile to disable iCloud keychain.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-333250

Group ID

V-259189

Rule Version

AIOS-17-003450

Rule Title

Apple iOS/iPadOS 17 must not allow backup to remote systems (Cloud Photo Library).

Rule ID

SV-259189r958524_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable

False

Check Content

Review configuration settings to confirm "Allow Cloud Photo Library" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow Cloud Photo Library" is unchecked.

Alternatively, verify the text "<key>allowCloudPhotoLibrary</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Cloud Photos not allowed" is listed.

If "Allow Cloud Photo Library" is checked in the Apple iOS/iPadOS management tool, "<key>allowCloudPhotoLibrary</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Cloud Photos not allowed", this is a finding.

This requirement will become "Supervised only" in a future iOS/iPadOS release.

Check System

C-62929r935535_chk

Fix Reference

F-62838r935536_fix

Fix Text

Install a configuration profile to disable Cloud Photo Library.

This requirement will become "Supervised only" in a future iOS/iPadOS release.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-333250

Group ID

V-259190

Rule Version

AIOS-17-003500

Rule Title

Apple iOS/iPadOS 17 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream).

Rule ID

SV-259190r958524_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable

False

Check Content

Review configuration settings to confirm "Allow Shared Stream" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow Shared Stream" is unchecked.

Alternatively, verify the text "<key>allowSharedStream</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Shared Streams not allowed" is listed.

If "AllowShared Photo Stream" is checked in the Apple iOS/iPadOS management tool, "<key>allowSharedStream</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Shared Streams not allowed", this is a finding.

This requirement will become "Supervised only" in a future iOS/iPadOS release.

Check System

C-62930r935538_chk

Fix Reference

F-62839r935539_fix

Fix Text

Install a configuration profile to disable "Allow Shared PhotoStream".

This requirement will become "Supervised only" in a future iOS/iPadOS release.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-333250

Group ID

V-259191

Rule Version

AIOS-17-003600

Rule Title

Apple iOS/iPadOS 17 must not allow backup to remote systems (managed applications data stored in iCloud).

Rule ID

SV-259191r958524_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

SFR ID: FMT_MOF_EXT.1.2 #40

Documentable

False

Check Content

Review configuration settings to confirm "Allow managed apps to store data in iCloud" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow managed apps to store data in iCloud" is unchecked.

Alternatively, verify the text "<key>allowManagedAppsCloudSync</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Managed apps cloud sync not allowed" is listed.

If "Allow managed apps to store data in iCloud" is checked in the Apple iOS/iPadOS management tool, "<key>allowManagedAppsCloudSync</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Managed apps cloud sync not allowed", this is a finding.

Check System

C-62931r935541_chk

Fix Reference

F-62840r935542_fix

Fix Text

Install a configuration profile to prevent DOD applications from storing data in iCloud.

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

Group Title

PP-MDF-333240

Group ID

V-259193

Rule Version

AIOS-17-013300

Rule Title

Apple iOS/iPadOS 17 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices.

Rule ID

SV-259193r958524_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

Unauthorized use of USB storage drives could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and compromise of sensitive DOD information and systems.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable

False

Check Content

This requirement is not applicable if the AO has approved the use of USB drives to load files to Apple devices. The approval must be in writing and include which USB storage devices are approved for use.

If the AO has not approved the use of USB drives to load files to Apple devices, use the following procedures to verify compliance.

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow USB drive access in Files app" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow USB drive access in Files app" is unchecked.

On the iPhone and iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "USB drives not accessible in Files app" is listed.

If "Allow USB drive access in Files app" is not disabled in the management tool and "USB drives not accessible in Files app" is not listed in the Restrictions profile on the Apple device, this is a finding.

Check System

C-62933r935547_chk

Fix Reference

F-62842r935548_fix

Fix Text

If the AO has not approved the use of USB drives to load files to Apple devices, install a configuration profile to disable "Allow USB drive access in Files app".

Identities

CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

800-53 :: AC-20 (2)
800-53 Rev. 4 :: AC-20 (2)
800-53 Rev. 5 :: AC-20 (2)
800-53A :: AC-20 (2).1

CCI-000366

Implement the security configuration settings.

800-53 :: CM-6 b
800-53 Rev. 4 :: CM-6 b
800-53 Rev. 5 :: CM-6 b
800-53A :: CM-6.1 (iv)

UNCLASSIFIED