- Group Title
- PP-MDF-993300
- Group ID
- V-259768
- Rule Version
- AIOS-17-706950
- Rule Title
- Apple iOS/iPadOS 17 must be configured to enforce a passcode reuse prohibition of at least two generations.
- Rule ID
- SV-259768r943629_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
iOS/iPadOS 17 introduces a feature that keeps the previous passcode valid for 72 hours after a passcode change. If that previous passcode has been compromised and the attacker also has physical access to the Apple device, enterprise data and the enterprise network can be compromised. There is no dedicated MDM control that expires the old passcode immediately after a change; however, when the MDM passcode history control is enforced, the previous passcode expires immediately on change. Requiring a passcode history of at least two generations therefore closes the 72-hour window as well as preventing reuse.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm the Apple iOS or iPadOS device has a passcode reuse prohibition of at least two generations.
This procedure is performed in the Apple iOS/iPadOS management tool and on the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Management tool, verify the "Passcode History" value is set to two or greater.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the password policy.
5. Tap "Restrictions".
6. Tap "Passcode".
7. Verify "Number of unique recent passcodes required" is listed as "two" or greater.
If the Apple iOS or iPadOS device does not enforce a passcode reuse prohibition of at least two generations, this is a finding.
- Check System
- C-63504r943627_chk
- Fix Reference
- F-63411r943628_fix
- Fix Text
-
Install a configuration profile to enforce a passcode reuse prohibition of at least two generations (passcode history).
- Identities
-
CCI-000200
The information system prohibits password reuse for the organization-defined number of generations.
- 800-53 :: IA-5 (1) (e)
- 800-53 Rev. 4 :: IA-5 (1) (e)
- 800-53A :: IA-5 (1).1 (v)
- Group Title
- PP-MDF-993300
- Group ID
- V-259778
- Rule Version
- AIOS-17-710400
- Rule Title
- Apple iOS/iPadOS 17 must require a valid password be successfully entered before the mobile device data is unencrypted.
- Rule ID
- SV-259778r943659_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.
Note: MDF PP requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.
SFR ID: FIA_UAU_EXT.1.1
- Documentable
- False
- Check Content
-
Review configuration settings to confirm the device is set to require a passcode before use.
This procedure is performed on the iOS and iPadOS device.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the password policy.
5. Tap "Restrictions".
6. Tap "Passcode".
7. Verify "Passcode required" is set to "Yes".
If "Passcode required" is not set to "Yes", this is a finding.
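Both of the preceding checks (AIOS-17-706950, passcode history of at least two, and AIOS-17-710400, passcode required) are driven by the same passcode payload in the installed configuration profile. The following script, added here as an example and not part of the STIG or of any MDM product, loads a .mobileconfig property list and reports a finding for each of the two rules when the payload does not satisfy it. The payload type and key names (com.apple.mobiledevice.passwordpolicy, pinHistory, forcePIN) are Apple's documented passcode payload keys; the sample profile embedded below is constructed for the example and deliberately fails the history check.

```python
"""Check an Apple configuration profile (.mobileconfig plist) against
AIOS-17-706950 (passcode history >= 2) and AIOS-17-710400 (passcode required).

Added example: the sample profile below is constructed, not a real profile.
"""
import plistlib

# Apple's passcode policy payload type and the keys that map to the two
# settings shown in Settings > Restrictions > Passcode.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
MIN_PIN_HISTORY = 2  # "Number of unique recent passcodes required"

# Constructed sample profile: passcode required, but history of only 1.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.passcode.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example passcode policy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.passcode.profile.passcode</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>forcePIN</key><true/>
      <key>pinHistory</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def passcode_payloads(profile_bytes):
    """Return every passcode-policy payload dict in the profile (may be empty)."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]


def check_profile(profile_bytes):
    """Return a list of (rule_version, message) findings; empty means compliant."""
    findings = []
    payloads = passcode_payloads(profile_bytes)
    if not payloads:
        # No passcode payload at all: neither setting is enforced by this profile.
        findings.append(("AIOS-17-706950", "no passcode payload; passcode history not enforced"))
        findings.append(("AIOS-17-710400", "no passcode payload; passcode not required"))
        return findings
    for payload in payloads:
        history = payload.get("pinHistory", 0)
        if not isinstance(history, int) or history < MIN_PIN_HISTORY:
            findings.append(("AIOS-17-706950",
                             f"pinHistory is {history!r}, must be >= {MIN_PIN_HISTORY}"))
        # forcePIN must be present and true; absent or <false/> is a finding.
        if payload.get("forcePIN") is not True:
            findings.append(("AIOS-17-710400", "forcePIN is not true; passcode not required"))
    return findings


if __name__ == "__main__":
    for rule, message in check_profile(SAMPLE_PROFILE) or [("-", "no findings")]:
        print(rule, message)
```

When an organization has several profiles in scope, run check_profile over each exported profile; a device is compliant only if a profile that actually applies to it satisfies both rules.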
- Check System
- C-63514r943657_chk
- Fix Reference
- F-63421r943658_fix
- Fix Text
-
Install a configuration profile to require a password to unlock the device.
- Identities
-
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1
- Group Title
- PP-MDF-993300
- Group ID
- V-259782
- Rule Version
- AIOS-17-711200
- Rule Title
- iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
- Rule ID
- SV-259782r943671_rule
- Rule Severity
- ● High
- Rule Weight
- 10.0
- Vuln Discussion
-
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm the most recently released version of iOS is installed.
This validation procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad. Go to https://www.apple.com and determine the most current version of iOS released by Apple.
In the MDM management console, review the version of iOS installed on a sample of managed devices. This procedure will vary depending on the MDM product.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "About" and view the installed version of iOS.
4. Go back to the "General" screen. Tap "Software Update" and verify the following message is shown on the screen: "Your software is up to date."
If the installed version of iOS on any reviewed iOS/iPadOS devices is not the latest released by Apple, this is a finding.
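The MDM-side part of this check is a comparison of each device's reported OS version against the current Apple release. The following script, added here as an example rather than taken from the STIG or any MDM product, flags devices in a version inventory that are behind a given latest version. Both the inventory rows and the LATEST value are constructed for illustration; the real latest version must be looked up at https://www.apple.com as the check directs. The point the script makes is that versions must be compared numerically by component, because a plain string comparison would rank "17.10" below "17.4".

```python
"""Flag managed devices whose iOS/iPadOS version is behind the latest release.

Added example for AIOS-17-711200; the inventory and LATEST below are
constructed, not real data.
"""
import re

VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)\s*")


def parse_version(text):
    """'17.4.1' -> (17, 4, 1); '17.4' -> (17, 4, 0).

    Tuples of ints compare numerically, so 17.10 > 17.4, which a string
    comparison gets wrong. Padding to three components makes 17.4 == 17.4.0.
    """
    match = VERSION_RE.fullmatch(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_current(installed, latest):
    """True if the installed version is at or above the latest release."""
    return parse_version(installed) >= parse_version(latest)


def outdated_devices(inventory, latest):
    """Return (serial, installed_version) for every device not on `latest`."""
    return [(serial, version) for serial, version in inventory
            if not is_current(version, latest)]


# Constructed MDM export: (device serial, OS version reported by the device).
SAMPLE_INVENTORY = [
    ("DEV001", "17.4.1"),
    ("DEV002", "17.4"),      # one point release behind
    ("DEV003", "17.10"),     # constructed value: string compare would call this older than 17.4
    ("DEV004", "16.7.8"),    # still on a previous major version
]

# Hypothetical latest release; replace with the version published by Apple.
LATEST = "17.4.1"


if __name__ == "__main__":
    for serial, version in outdated_devices(SAMPLE_INVENTORY, LATEST):
        print(f"finding: {serial} is on {version}, latest is {LATEST}")
```

Any device listed by outdated_devices is a finding under this rule; devices that report a version newer than the value looked up on apple.com usually mean the lookup is stale, so refresh LATEST before reporting.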
- Check System
- C-63518r943669_chk
- Fix Reference
- F-63425r943670_fix
- Fix Text
-
Install the latest release version of Apple iOS/iPadOS on all managed iOS devices.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)