U Apple iOS-iPadOS 17 V2R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-993300
Group ID
V-258325
Rule Version
AIOS-17-006950
Rule Title
Apple iOS/iPadOS 17 must be configured to enforce a passcode reuse prohibition of at least two generations.
Rule ID
SV-258325r985855_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

iOS-iPadOS 17 includes a new feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the previous passcode has been compromised and the attacker has access to it and the Apple device, enterprise data and the enterprise network can be compromised. Currently there is no MDM control to force the old passcode to expire immediately after passcode change. The previous passcode will expire immediately after a passcode change if the MDM password history control is implemented.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm the Apple iOS or iPadOS device has a passcode reuse prohibition of at least two generations.

This procedure is performed in the Apple iOS/iPadOS management tool and on the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Management tool, verify the "Passcode History" value is set to two or greater.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the password policy.

5. Tap "Restrictions".

6. Tap "Passcode".

7. Verify "Number of unique recent passcodes required" is listed as "two" or greater.

If the Apple iOS or iPadOS device does not enforce a passcode reuse prohibition of at least two generations, this is a finding.

Check System
C-62066r927656_chk
Fix Reference
F-61990r927657_fix
Fix Text

Install a configuration profile to enforce a passcode reuse prohibition of at least two generations (passcode history).

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-993300
Group ID
V-258338
Rule Version
AIOS-17-010400
Rule Title
Apple iOS/iPadOS 17 must require a valid password be successfully entered before the mobile device data is unencrypted.
Rule ID
SV-258338r959010_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.

Note: MDF PP requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the  existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.

SFR ID: FIA_UAU_EXT.1.1

Documentable
False
Check Content

Review configuration settings to confirm the device is set to require a passcode before use.

This procedure is performed on the iOS and iPadOS device.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the password policy.

5. Tap "Restrictions".

6. Tap "Passcode".

7. Verify "Passcode required" is set to "Yes".

If "Passcode required" is not set to "Yes", this is a finding.

Check System
C-62079r927695_chk
Fix Reference
F-62003r927696_fix
Fix Text

Install a configuration profile to require a password to unlock the device.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
Group Title
PP-MDF-993300
Group ID
V-258347
Rule Version
AIOS-17-011200
Rule Title
iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
Rule ID
SV-258347r959010_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm the most recently released version of iOS is installed.

This validation procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad. Go to https://www.apple.com and determine the most current version of iOS released by Apple.

In the MDM management console, review the version of iOS installed on a sample of managed devices. This procedure will vary depending on the MDM product.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "About" and view the installed version of iOS.

4. Go back to the "General" screen. Tap "Software Update" and verify the following message is shown on the screen: "Your software is up to date."

If the installed version of iOS on any reviewed iOS/iPadOS devices is not the latest released by Apple, this is a finding.

Check System
C-62088r927722_chk
Fix Reference
F-62012r927723_fix
Fix Text

Install the latest release version of Apple iOS/iPadOS on all managed iOS devices.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
UNCLASSIFIED