- Group Title
- PP-MDF-333160
- Group ID
- V-257116
- Rule Version
- AIOS-16-708400
- Rule Title
- The Apple iOS/iPadOS 16 device User Agreement must include the DOD advisory warning message.
- Rule ID
- SV-257116r904248_rule
- Rule Severity
- Low
- Rule Weight
- 10.0
- Vuln Discussion
Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure DOD can audit and monitor the activities of mobile device users without legal restriction.
System use notification messages can be displayed when individuals first access or unlock the mobile device or in the User Agreement. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
For devices with severe character limitations, the banner text is:
I've read & consent to terms in IS user agreem't.
The administrator must configure the banner text exactly as written without any changes.
SFR ID: FMT_SMF_EXT.1.1 #36
- Documentable
- False
- Check Content
The DOD warning banner can be displayed in the User Agreement (required text is found in the Vulnerability Discussion).
Review the signed user agreements for several iOS device users and verify the agreement includes the required DOD warning banner text.
If the required warning banner text is not on all signed user agreements reviewed, this is a finding.
- Check System
- C-60801r904246_chk
- Fix Reference
- F-60742r904247_fix
- Fix Text
Configure the DOD warning banner by placing the DOD warning banner text in the user agreement signed by each iOS device user. Refer to the Vulnerability Discussion for required text.
- Identities
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-257122
- Rule Version
- AIOS-16-710900
- Rule Title
- Apple iOS/iPadOS 16 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device for the first time.
- Rule ID
- SV-257122r904266_rule
- Rule Severity
- Low
- Rule Weight
- 10.0
- Vuln Discussion
When a user is allowed to use AirPlay without a password, the user may mistakenly associate the iPhone or iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.
SFR ID: FMT_SMF_EXT.1.1 #40
- Documentable
- False
- Check Content
Review configuration settings to confirm "Require passcode on first AirPlay pairing" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Require passcode on first AirPlay pairing" is checked.
Alternatively, verify the text "<key>forceAirPlayOutgoingRequestsPairingPassword</key><false/>" appears in the configuration profile (.mobileconfig file).
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "AirPlay outgoing requests pairing password enforced" is listed.
If "Require passcode on first AirPlay pairing" is unchecked in the Apple iOS/iPadOS management tool, "<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "AirPlay outgoing requests pairing password enforced", this is a finding.
- Check System
- C-60807r904264_chk
- Fix Reference
- F-60748r904265_fix
- Fix Text
Install a configuration profile to require the user to enter a password when connecting to an AirPlay-enabled device for the first time.
- Identities
CCI-000063
The organization defines allowed methods of remote access to the information system.
- 800-53 :: AC-17 a
- 800-53 Rev. 4 :: AC-17 a
- 800-53A :: AC-17.1 (i)
- Group Title
- PP-MDF-993300
- Group ID
- V-257127
- Rule Version
- AIOS-16-711800
- Rule Title
- Apple iOS/iPadOS 16 must implement the management setting: force Apple Watch wrist detection.
- Rule ID
- SV-257127r904281_rule
- Rule Severity
- Low
- Rule Weight
- 10.0
- Vuln Discussion
Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This control ensures the Apple Watch screen locks when the user takes the watch off, thereby protecting sensitive DOD data from possible exposure.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
Review configuration settings to confirm "Force Apple Watch wrist detection" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Wrist detection enforced on Apple Watch" is enforced.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Wrist detection enforced on Apple Watch" is listed.
If "Wrist detection enforced on Apple Watch" is not enforced in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "Wrist detection enforced on Apple Watch", this is a finding.
- Check System
- C-60812r904279_chk
- Fix Reference
- F-60753r904280_fix
- Fix Text
Install a configuration profile to force Apple Watch wrist detection.
- Identities
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-257130
- Rule Version
- AIOS-16-712300
- Rule Title
- Apple iOS/iPadOS 16 must not allow managed apps to write contacts to unmanaged contacts accounts.
- Rule ID
- SV-257130r904290_rule
- Rule Severity
- Low
- Rule Weight
- 10.0
- Vuln Discussion
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking.
If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
- Documentable
- False
- Check Content
Review configuration settings to confirm "Allow managed apps to write contacts to unmanaged contacts accounts" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the Apple iOS/iPadOS device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS/iPadOS management tool, verify "Allow managed apps to write contacts to unmanaged contacts accounts" is unchecked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow managed apps to write contacts to unmanaged contacts accounts" is not listed.
If "Allow managed apps to write contacts to unmanaged contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow managed apps to write contacts to unmanaged contacts accounts", this is a finding.
- Check System
- C-60815r904288_chk
- Fix Reference
- F-60756r904289_fix
- Fix Text
Install a configuration profile to prevent managed apps from writing contacts to unmanaged contacts accounts.
- Identities
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000370
Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.
- 800-53 :: CM-6 (1)
- 800-53 Rev. 4 :: CM-6 (1)
- 800-53 Rev. 5 :: CM-6 (1)
- 800-53A :: CM-6 (1).1
- Group Title
- PP-MDF-993300
- Group ID
- V-257131
- Rule Version
- AIOS-16-712400
- Rule Title
- Apple iOS/iPadOS 16 must not allow unmanaged apps to read contacts from managed contacts accounts.
- Rule ID
- SV-257131r904293_rule
- Rule Severity
- Low
- Rule Weight
- 10.0
- Vuln Discussion
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking.
If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
- Documentable
- False
- Check Content
Review configuration settings to confirm "Allow unmanaged apps to read contacts from managed contacts accounts" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS management tool, verify "Allow unmanaged apps to read contacts from managed contacts accounts" is unchecked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow unmanaged apps to read contacts from managed contacts accounts" is not listed.
If "Allow unmanaged apps to read contacts from managed contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow unmanaged apps to read contacts from managed contacts accounts", this is a finding.
- Check System
- C-60816r904291_chk
- Fix Reference
- F-60757r904292_fix
- Fix Text
Install a configuration profile to prevent unmanaged apps from reading contacts from managed contacts accounts.
- Identities
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000370
Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.
- 800-53 :: CM-6 (1)
- 800-53 Rev. 4 :: CM-6 (1)
- 800-53 Rev. 5 :: CM-6 (1)
- 800-53A :: CM-6 (1).1
- Group Title
- PP-MDF-993300
- Group ID
- V-257132
- Rule Version
- AIOS-16-713400
- Rule Title
- The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
- Rule ID
- SV-257132r904296_rule
- Rule Severity
- Low
- Rule Weight
- 10.0
- Vuln Discussion
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DOD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47a
- Documentable
- False
- Check Content
Review configuration settings to confirm "Allow sending diagnostic and usage data to Apple" is disabled.
This check procedure is performed on both the iOS management tool and the iOS device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked.
Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file).
On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Restrictions".
6. Verify "Diagnostic submission not allowed".
Note: This setting also disables "Share With App Developers".
If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Diagnostic submission not allowed", this is a finding.
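One way to automate the .mobileconfig portion of the checks above (this rule's "allowDiagnosticSubmission" key, and the "forceAirPlayOutgoingRequestsPairingPassword" key cited in the AirPlay rule earlier on the page), as an added example that is not part of the STIG text and not a DISA, Apple, or MDM vendor tool: it parses a profile with Python's standard plistlib, collects every Restrictions payload (Apple's PayloadType "com.apple.applicationaccess"), and reports each expected key as compliant, a finding because of its value, or a finding because the key is absent from every Restrictions payload. The embedded profile is a constructed sample; the expected value for "allowDiagnosticSubmission" is the "<false/>" this rule's check text cites, and the expected-value table is a parameter so the AirPlay key can be added with the value the organization's policy specifies.

```python
"""Check Restrictions keys in an Apple .mobileconfig profile (added example)."""
import plistlib
from typing import Dict, List

# Apple's PayloadType for the Restrictions payload in a configuration profile.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"

# Constructed sample profile (not taken from the STIG): one Restrictions payload
# that sets allowDiagnosticSubmission to false, as the check text requires.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.restrictions.profile</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.restrictions.profile.1</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowDiagnosticSubmission</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Expected value from this rule's check text: the key must be present and false.
# Other keys (e.g. the AirPlay rule's key) can be added with the policy's value.
EXPECTED_DIAGNOSTIC: Dict[str, bool] = {"allowDiagnosticSubmission": False}


def restriction_payloads(profile: bytes) -> List[dict]:
    """Return every Restrictions payload dict found under PayloadContent."""
    top = plistlib.loads(profile)
    return [
        payload
        for payload in top.get("PayloadContent", [])
        if isinstance(payload, dict)
        and payload.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE
    ]


def evaluate(profile: bytes, expected: Dict[str, bool]) -> Dict[str, str]:
    """Map each expected key to 'compliant' or a 'finding: ...' reason.

    A key is compliant only if at least one Restrictions payload sets it and
    every payload that sets it carries the expected boolean; an absent key is
    a finding because the check text requires the <key>...<false/> pair to
    appear in the profile.
    """
    payloads = restriction_payloads(profile)
    results: Dict[str, str] = {}
    for key, want in expected.items():
        observed = [payload[key] for payload in payloads if key in payload]
        if not observed:
            results[key] = "finding: key not present in any Restrictions payload"
        elif all(isinstance(value, bool) and value == want for value in observed):
            results[key] = "compliant"
        else:
            results[key] = f"finding: observed {observed}, expected {want}"
    return results


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_PROFILE, EXPECTED_DIAGNOSTIC).items():
        print(f"{name}: {status}")
```

Run it against a profile exported from the management tool by reading the file as bytes and passing it to evaluate(); a profile with several Restrictions payloads is handled, and a key set to conflicting values across payloads is reported as a finding rather than silently taking the first one.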
- Check System
- C-60817r904294_chk
- Fix Reference
- F-60758r904295_fix
- Fix Text
Install a configuration profile to disable sending diagnostic data to an organization other than DOD.
- Identities
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1