U Apple iOS-iPadOS 16 V2R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-321090
Group ID
V-254578
Rule Version
AIOS-16-001000
Rule Title
Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
Rule ID
SV-254578r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.

SFR ID: FMT_SMF_EXT.1.1 #3

Documentable
False
Check Content

Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DoD network (work) VPN profile.

This validation procedure is performed on the iOS device only.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists.

4. If not, the requirement has been met.

5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client.

6. Verify no DoD network VPN profiles are configured on the VPN client.

If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DoD network VPN profile configured on the client, this is a finding.

Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.

Check System
C-58189r861988_chk
Fix Reference
F-58135r861989_fix
Fix Text

If a third-party unmanaged VPN app is installed on the iOS 16 device, do not configure the VPN app with a DoD network VPN profile.

Identities
CCI-000066

The organization enforces requirements for remote connections to the information system.

  • 800-53 :: AC-17 e
  • 800-53A :: AC-17.1 (v)
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-323160
Group ID
V-254599
Rule Version
AIOS-16-008400
Rule Title
Apple iOS/iPadOS 16 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
Rule ID
SV-254599r958390_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Before granting access to the system, the mobile operating system is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.

System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

The approved DoD text must be used exactly as required in the Knowledge Service referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

For devices with severe character limitations, the banner text is:

I've read & consent to terms in IS user agreem't.

The administrator must configure the banner text exactly as written without any changes.

SFR ID: FMT_SMF_EXT.1.1 #36

Documentable
False
Check Content

The DoD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DoD warning banner text in the user agreement signed by each iPhone and iPad user (preferred method).

2. By creating a background picture with the relevant information and configuring that picture as the background for the lock screen via the Apple iOS/iPadOS management tool (only available for supervised devices).

Determine which method is used at the iOS device site and follow the appropriate validation procedure below.

Validation Procedure for Method #1:

Review the signed user agreements for several iOS device users and verify the agreement includes the required DoD warning banner text.

Validation Procedure for Method #2:

- In the Apple iOS/iPadOS management tool, verify a picture of the DoD warning banner text has been configured as the background for the lock screen.

- On the iOS device, verify a picture of the DoD warning banner text is shown as the background for the locked screen.

If, for Method #1, the required warning banner text is not on all signed user agreements reviewed, or for Method #2, the DoD warning banner text is not set as the locked screen background, this is a finding.

Check System
C-58210r862051_chk
Fix Reference
F-58156r862190_fix
Fix Text

Configure the DoD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DoD warning banner text in the user agreement signed by each iOS device user (preferred method).

2. By creating a background picture with the relevant information and configuring that picture as the background for the lock screen via the Apple iOS/iPadOS management tool.

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
Group Title
PP-MDF-990000
Group ID
V-254607
Rule Version
AIOS-16-010500
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.
Rule ID
SV-254607r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Ad Tracking refers to the advertisers' ability to categorize the device and spam the user with ads that are most relevant to the user's preferences. By not "Force limiting ad tracking", advertising companies are able to gather information about the user and device's browsing habits. If "Limit Ad Tracking" is not limited, a database of browsing habits of DoD devices can be gathered and stored under no supervision of the DoD. By limiting ad tracking, this setting does not completely mitigate the risk, but it limits the amount of information gathering.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Force limited ad tracking" is checked.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Force limited ad tracking" is checked.

Alternatively, verify the text "<key>forceLimitAdTracking</key><true/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Limit ad tracking enforced" or "Requests to track from apps not allowed" is present.

If "limited ad tracking enforced" is missing in the Apple iOS/iPadOS management tool, "<key>forceLimitAdTracking</key><false/>" does not appear in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Limit ad tracking enforced", this is a finding.

Check System
C-58218r862075_chk
Fix Reference
F-58164r862076_fix
Fix Text

Install a configuration profile to limit advertisers' ability to track the user's web browsing preferences.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
Group Title
PP-MDF-990000
Group ID
V-254608
Rule Version
AIOS-16-010600
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.
Rule ID
SV-254608r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining additional information about the device's user or compromising other systems is significantly mitigated.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Enable autofill" is unchecked.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Enable autofill" is unchecked.

Alternatively, verify the text "<key>safariAllowAutoFill</key><false>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Auto-fill in Safari not allowed" is present.

If "Enable autofill" is checked in the Apple iOS/iPadOS management tool, "<key>safariAllowAutoFill</key><true>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Auto-fill in Safari not allowed", this is a finding.

Check System
C-58219r862078_chk
Fix Reference
F-58165r862079_fix
Fix Text

Install a configuration profile to disable the AutoFill capability in the Safari app.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-990000
Group ID
V-254610
Rule Version
AIOS-16-010800
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.
Rule ID
SV-254610r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between the devices to describe the activity, but app data synchronization associated with the activity is handled though iCloud, which should be disabled on a compliant iPhone and iPad. If a user associates both DoD and personal devices to the same Apple ID, the user may improperly reveal information about the nature of the user's activities on an unprotected device. Disabling Handoff mitigates this risk.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Allow Handoff" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow Handoff" is unchecked.

Alternatively, verify the text "<key>allowActivityContinuation</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Handoff not allowed" is listed.

If "Allow Handoff" is checked in the Apple iOS/iPadOS management tool, "<key>allowActivityContinuation</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Handoff not allowed", this is a finding.

Check System
C-58221r862084_chk
Fix Reference
F-58167r862085_fix
Fix Text

Install a configuration profile to disable continuation of activities among devices and workstations.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-990000
Group ID
V-254611
Rule Version
AIOS-16-010900
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device for the first time.
Rule ID
SV-254611r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DoD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.

SFR ID: FMT_SMF_EXT.1.1 #40

Documentable
False
Check Content

Review configuration settings to confirm "Require passcode on first AirPlay pairing" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Require passcode on first AirPlay pairing" is checked.

Alternatively, verify the text "<key>forceAirPlayOutgoingRequestsPairingPassword</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirPlay outgoing requests pairing password enforced" is listed.

If "Require passcode on first AirPlay pairing" is unchecked in the Apple iOS/iPadOS management tool, "<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "AirPlay outgoing requests pairing password enforced", this is a finding.

Check System
C-58222r862087_chk
Fix Reference
F-58168r862088_fix
Fix Text

Install a configuration profile to require the user to enter a password when connecting to an AirPlay-enabled device for the first time.

Identities
CCI-000063

The organization defines allowed methods of remote access to the information system.

  • 800-53 :: AC-17 a
  • 800-53 Rev. 4 :: AC-17 a
  • 800-53A :: AC-17.1 (i)
Group Title
PP-MDF-990000
Group ID
V-254618
Rule Version
AIOS-16-011600
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.
Rule ID
SV-254618r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ability to lock, wipe, play a sound on, or locate the iPhone and iPads of other members. Each member of the group must be invited to the group and accept that invitation. A DoD user's iPhone and iPad may be inadvertently or maliciously wiped by another member of the Family Group. This poses a risk that the user could be without a mobile device for a period of time or lose sensitive information that has not been backed up to other storage media. Configuring iPhone and iPads so their associated Apple IDs are not members of Family Groups mitigates this risk.

Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm Family Sharing is disabled. Note that this is a User-Based Enforcement (UBE) control, which cannot be managed by an MDM server.

This check procedure is performed on the iPhone and iPad.

On the iPhone and iPad:

1. Open the Settings app.

2. At the top of the screen, if "Sign in to your iPhone" is listed, this requirement has been met.

3. If the user profile is signed into iCloud, tap the user name.

4. Tap "Family Sharing".

5. Verify no accounts are listed other than the "Organizer".

Note: The iPhone and iPad must be connected to the internet to conduct this validation procedure. Otherwise, the device will display the notice "Family information is not available", in which case configuration compliance cannot be determined.

If accounts (names or email addresses) are listed under "FAMILY MEMBERS" on the iPhone and iPad, this is a finding.

Note: If the site has implemented Automatic Device Enrollment, this setting can be managed via the MDM (supervised mode).

Check System
C-58229r862108_chk
Fix Reference
F-58175r862109_fix
Fix Text

The user must either remove all members from the Family Group on the iPhone and iPad or associate the device with an Apple ID that is not a member of a Family Group.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
CCI-002008

For PKI-based authentication, employs an organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.

  • 800-53 Rev. 4 :: IA-5 (14)
  • 800-53 Rev. 5 :: IA-5 (14)
Group Title
PP-MDF-990000
Group ID
V-254620
Rule Version
AIOS-16-011800
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Force Apple Watch wrist detection.
Rule ID
SV-254620r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Because Apple Watch is a personal device, it is key that any sensitive DoD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This control ensures the Apple Watch screen locks when the user takes the watch off, thereby protecting sensitive DoD data from possible exposure.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Force Apple Watch wrist detection" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Wrist detection enforced on Apple Watch" is enforced.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Wrist detection enforced on Apple Watch" is listed.

If "Wrist detection enforced on Apple Watch" is not enforced in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "Wrist detection enforced on Apple Watch", this is a finding.

Check System
C-58231r862114_chk
Fix Reference
F-58177r862115_fix
Fix Text

Install a configuration profile to force Apple Watch wrist detection.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-990000
Group ID
V-254624
Rule Version
AIOS-16-012300
Rule Title
Apple iOS/iPadOS 16 must not allow managed apps to write contacts to unmanaged contacts accounts.
Rule ID
SV-254624r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DoD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DoD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DoD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.

SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Documentable
False
Check Content

Review configuration settings to confirm "Allow managed apps to write contacts to unmanaged contacts accounts" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the Apple iOS/iPadOS device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow managed apps to write contacts to unmanaged contacts accounts" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow managed apps to write contacts to unmanaged contacts accounts" is not listed.

If "Allow managed apps to write contacts to unmanaged contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow managed apps to write contacts to unmanaged contacts accounts", this is a finding.

Check System
C-58235r862126_chk
Fix Reference
F-58181r862127_fix
Fix Text

Install a configuration profile to prevent managed apps from writing contacts to unmanaged contacts accounts.

Identities
CCI-000051

The organization approves the information system use notification message before its use.

  • 800-53 :: AC-8 a
  • 800-53A :: AC-8.1 (i)
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254625
Rule Version
AIOS-16-012400
Rule Title
Apple iOS/iPadOS 16 must not allow unmanaged apps to read contacts from managed contacts accounts.
Rule ID
SV-254625r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DoD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DoD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DoD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.

SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Documentable
False
Check Content

Review configuration settings to confirm "Allow unmanaged apps to read contacts from managed contacts accounts" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow unmanaged apps to read contacts from managed contacts accounts" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow unmanaged apps to read contacts from managed contacts accounts" is not listed.

If "Allow unmanaged apps to read contacts from managed contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow unmanaged apps to read contacts from managed contacts accounts", this is a finding.

Check System
C-58236r862129_chk
Fix Reference
F-58182r862130_fix
Fix Text

Install a configuration profile to prevent unmanaged apps from reading contacts from managed contacts accounts.

Identities
CCI-000051

The organization approves the information system use notification message before its use.

  • 800-53 :: AC-8 a
  • 800-53A :: AC-8.1 (i)
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254626
Rule Version
AIOS-16-012500
Rule Title
Apple iOS/iPadOS 16 must implement the management setting: Disable AirDrop.
Rule ID
SV-254626r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained access to the information broadcast by this feature, the attacker may distribute this sensitive information very quickly and without DoD's control or awareness. By disabling this feature, the risk of mass data exfiltration will be mitigated.

Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Determine if the site authorizing official (AO) has approved the use of AirDrop for unmanaged data transfer. Look for a document showing approval. If AirDrop is not approved, review configuration settings to confirm it is disabled. If approved, this requirement is not applicable.

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the AO has not approved the use of AirDrop for unmanaged data transfer).

If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures:

This check procedure is performed on both the device management tool and the iPhone and iPad device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow AirDrop" is unchecked.

On the iPhone/iPad device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirDrop not allowed" is listed.

If the AO has not approved AirDrop and "AirDrop not allowed" is not listed in the management tool and on the Apple device, this is a finding.

Check System
C-58237r862132_chk
Fix Reference
F-58183r862133_fix
Fix Text

If the AO has not approved the use of AirDrop for unmanaged data transfer, install a configuration profile to disable the AllowAirDrop control in the management tool. This a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254632
Rule Version
AIOS-16-013100
Rule Title
Apple iOS/iPadOS 16 must disable Find My Friends in the Find My app.
Rule ID
SV-254632r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

This control does not share a DoD user's location but encourages location sharing between DoD mobile device users, which can lead to operational security (OPSEC) risks. Sharing the location of a DoD mobile device is a violation of AIOS-16-011700.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Find My Friends" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Find My Friends" and "Allow modifying Find My Friends" are unchecked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Find My Friends" is not listed.

If "Find My Friends" and "Allow modifying Find My Friends" are not disabled in the management tool and on the Apple device, this is a finding.

Check System
C-58243r862150_chk
Fix Reference
F-58189r862151_fix
Fix Text

Install a configuration profile to disable "Find My Friends" in the Find My app and "Allow modifying Find My Friends" in the management tool. This a supervised-only control.

Identities
CCI-000097

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

  • 800-53 :: AC-20 (2)
  • 800-53 Rev. 4 :: AC-20 (2)
  • 800-53 Rev. 5 :: AC-20 (2)
  • 800-53A :: AC-20 (2).1
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-990000
Group ID
V-254635
Rule Version
AIOS-16-013400
Rule Title
The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
Rule ID
SV-254635r959010_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.

SFR ID: FMT_SMF_EXT.1.1 #47a

Documentable
False
Check Content

Review configuration settings to confirm "Allow sending diagnostic and usage data to Apple" is disabled.

This check procedure is performed on both the iOS management tool and the iOS device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked.

Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file).

On the Apple iOS device:

1. Open the Settings app.

2. Tap "General".

3. Tap "Profiles & Device Management" or "Profiles".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Diagnostic submission not allowed".

Note: This setting also disables "Share With App Developers".

If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Diagnostic submission not allowed", this is a finding.

Check System
C-58246r862159_chk
Fix Reference
F-58192r862160_fix
Fix Text

Install a configuration profile to disable sending diagnostic data to an organization other than DoD.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
UNCLASSIFIED