U Apple iOS-iPadOS 18 V1R1

UNCLASSIFIED
Group Title
PP-MDF-993300
Group ID
V-267992
Rule Version
AIOS-18-006950
Rule Title
Apple iOS/iPadOS 18 must be configured to enforce a passcode reuse prohibition of at least two generations.
Rule ID
SV-267992r1031172_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

iOS/iPadOS 17 and later versions include a feature that allows the previous passcode to remain valid for 72 hours after a passcode change. If the previous passcode has been compromised and the attacker has access to both it and the Apple device, enterprise data and the enterprise network can be compromised. Currently, there is no dedicated MDM control to force the old passcode to expire immediately after a passcode change. However, the previous passcode does expire immediately after a passcode change if the MDM password history control is implemented.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm the Apple iOS or iPadOS device has a passcode reuse prohibition of at least two generations.

This procedure is performed in the Apple iOS/iPadOS management tool and on the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Management tool, verify the "Passcode History" value is set to two or greater.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the password policy.

5. Tap "Restrictions".

6. Tap "Passcode".

7. Verify "Number of unique recent passcodes required" is listed as "two" or greater.

If the Apple iOS or iPadOS device does not enforce a passcode reuse prohibition of at least two generations, this is a finding.

Check System
C-71916r1030727_chk
Fix Reference
F-71819r1030728_fix
Fix Text

Install a configuration profile to enforce a passcode reuse prohibition of at least two generations (passcode history).

Identities
CCI-004061

For password-based authentication, verify, when users create or update passwords, that the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a).

  • 800-53 Rev. 5 :: IA-5 (1) (b)
Group Title
PP-MDF-993300
Group ID
V-268024
Rule Version
AIOS-18-010400
Rule Title
Apple iOS/iPadOS 18 must require a valid password be successfully entered before the mobile device data is unencrypted.
Rule ID
SV-268024r1031204_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.

Note: MDF PP requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.

SFRID: FIA_UAU_EXT.1.1

Documentable
False
Check Content

Review configuration settings to confirm the device is set to require a passcode before use.

This procedure is performed on the iOS and iPadOS device.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the password policy.

5. Tap "Restrictions".

6. Tap "Passcode".

7. Verify "Passcode required" is set to "Yes".

If "Passcode required" is not set to "Yes", this is a finding.

Check System
C-71948r1030823_chk
Fix Reference
F-71851r1030824_fix
Fix Text

Install a configuration profile to require a password to unlock the device.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
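Added example (not part of the STIG or of any MDM product): a Python check that parses a configuration profile and reports which of AIOS-18-006950 (passcode history of two or more generations) and AIOS-18-010400 (passcode required) the profile would fail. The profile bytes are a constructed sample; pinHistory and forcePIN are the keys of Apple's passcode payload (PayloadType com.apple.mobiledevice.passwordpolicy), which the MDM management tool writes when the "Passcode History" and "Passcode required" settings are configured.

```python
import plistlib

# Constructed sample configuration profile (XML plist) with one passcode
# payload; the identifiers and values are made up for this example.
# pinHistory is 1 here, so the profile fails AIOS-18-006950.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.org.passcode-policy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>example.org.passcode-policy.pw</string>
      <key>forcePIN</key><true/>
      <key>pinHistory</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
"""

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def passcode_findings(profile: dict) -> list:
    """Return the Rule Versions (in STIG order) that a parsed profile fails.

    AIOS-18-006950: a passcode payload must set pinHistory to 2 or more, so
    the previous passcode stops working as soon as it is changed.
    AIOS-18-010400: a passcode payload must set forcePIN to true.
    """
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    findings = []
    if not any(int(p.get("pinHistory", 0)) >= 2 for p in payloads):
        findings.append("AIOS-18-006950")
    if not any(p.get("forcePIN") is True for p in payloads):
        findings.append("AIOS-18-010400")
    return findings


def passcode_findings_from_bytes(data: bytes) -> list:
    """Parse a .mobileconfig (XML or binary plist) and check it."""
    return passcode_findings(plistlib.loads(data))


if __name__ == "__main__":
    for rule in passcode_findings_from_bytes(SAMPLE_MOBILECONFIG):
        print(f"Finding: {rule}")
```

A profile exported from the management tool can be passed to passcode_findings_from_bytes directly; a signed profile must be unwrapped from its CMS envelope first.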
Group Title
PP-MDF-993300
Group ID
V-268034
Rule Version
AIOS-18-011200
Rule Title
iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
Rule ID
SV-268034r1031214_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm the most recently released version of iOS is installed.

This validation procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad. Go to https://www.apple.com and determine the most current version of iOS released by Apple.

In the MDM management console, review the version of iOS installed on a sample of managed devices. This procedure will vary depending on the MDM product.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "About" and view the installed version of iOS.

4. Go back to the "General" screen. Tap "Software Update" and verify the following message is shown on the screen: "Your software is up to date."

If the installed version of iOS on any reviewed iOS/iPadOS devices is not the latest released by Apple, this is a finding.

Check System
C-71958r1030853_chk
Fix Reference
F-71861r1030854_fix
Fix Text

Install the latest release version of Apple iOS/iPadOS on all managed iOS devices.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)