U Apple iOS-iPadOS 17 MDFPP 3-3 BYOAD V1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-331090
Group ID
V-259760
Rule Version
AIOS-17-701000
Rule Title
Apple iOS/iPadOS 17 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device.
Rule ID
SV-259760r943605_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.

SFR ID: FMT_SMF_EXT.1.1 #3

Documentable
False
Check Content

Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DOD network (work) VPN profile.

This validation procedure is performed on the iOS device only.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists.

4. If not, the requirement has been met.

5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client.

6. Verify no DOD network VPN profiles are configured on the VPN client.

If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DOD network VPN profile configured on the client, this is a finding.

Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.

Check System
C-63496r943603_chk
Fix Reference
F-63403r943604_fix
Fix Text

If a third-party unmanaged VPN app is installed on the iOS 17 device, do not configure the VPN app with a DOD network VPN profile.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-333160
Group ID
V-259773
Rule Version
AIOS-17-708400
Rule Title
Apple iOS/iPadOS 17 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
Rule ID
SV-259773r943644_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure the DOD can audit and monitor the activities of mobile device users without legal restriction.

System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. Refer to User Agreement for details.

For devices with severe character limitations, the banner text is:

I've read & consent to terms in IS user agreem't.

The administrator must configure the banner text exactly as written without any changes.

SFR ID: FMT_SMF_EXT.1.1 #36

Documentable
False
Check Content

The DOD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):

Method 1:

By placing the DOD warning banner text in the user agreement signed by each iPhone and iPad user.

Method 2:

By installing a Lock Screen Message payload with the required text (preferred method).

Determine which method is used at the iOS device site and follow the appropriate validation procedure below.

Validation Procedure for Method 1:

Review the signed user agreements for several iOS device users and verify the agreement includes the required DOD warning banner text.

Validation Procedure for Method 2:

In the Apple iOS/iPadOS management tool, verify a Lock Screen Message payload has been installed on each managed device. The LockScreenFootnote string should include required text.

If for Method 1, the required warning banner text is not on all signed user agreements reviewed, or for Method 2, the DOD warning banner text is not set as the lock screen footnote, this is a finding.

Check System
C-63509r943642_chk
Fix Reference
F-63416r943643_fix
Fix Text

Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):

Method 1:

By placing the DOD warning banner text in the user agreement signed by each iOS device user.

Method 2:

By installing a Lock Screen Message payload with the required text (preferred method).

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-259780
Rule Version
AIOS-17-710900
Rule Title
Apple iOS/iPadOS 17 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device.
Rule ID
SV-259780r943665_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.

SFR ID: FMT_SMF_EXT.1.1 #40

Documentable
False
Check Content

Review configuration settings to confirm "Require passcode on outgoing AirPlay request" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Require passcode on outgoing AirPlay request" is checked.

Alternatively, verify the text "<key>forceAirPlayOutgoingRequestsPairingPassword</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirPlay outgoing requests pairing password enforced" is listed.

If "Require passcode on outgoing AirPlay request" is unchecked in the Apple iOS/iPadOS management tool, "<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "AirPlay outgoing requests pairing password enforced", this is a finding.

Check System
C-63516r943663_chk
Fix Reference
F-63423r943664_fix
Fix Text

Install a configuration profile to require the user to enter a password when connecting to an AirPlay-enabled device.

Identities
CCI-000063

The organization defines allowed methods of remote access to the information system.

  • 800-53 :: AC-17 a
  • 800-53 Rev. 4 :: AC-17 a
  • 800-53A :: AC-17.1 (i)
Group Title
PP-MDF-993300
Group ID
V-259781
Rule Version
AIOS-17-710950
Rule Title
Apple iOS/iPadOS 17 must implement the management setting: require passcode for incoming Airplay connection requests.
Rule ID
SV-259781r943668_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

When an incoming AirPlay request is allowed without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.

SFR ID: FMT_SMF_EXT.1.1 #40

Documentable
False
Check Content

Review configuration settings to confirm "Require passcode for incoming AirPlay connection requests" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Require passcode for incoming AirPlay connection requests" is checked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirPlay incoming requests pairing password enforced" is listed.

If "Require passcode for incoming AirPlay connection requests" is unchecked in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "AirPlay incoming requests pairing password enforced", this is a finding.

Check System
C-63517r943666_chk
Fix Reference
F-63424r943667_fix
Fix Text

Install a configuration profile to require that incoming AirPlay connection requests enter a password when connecting to a DOD iOS/iPadOS device.

Identities
CCI-000063

The organization defines allowed methods of remote access to the information system.

  • 800-53 :: AC-17 a
  • 800-53 Rev. 4 :: AC-17 a
  • 800-53A :: AC-17.1 (i)
Group Title
PP-MDF-993300
Group ID
V-259786
Rule Version
AIOS-17-711800
Rule Title
Apple iOS/iPadOS 17 must implement the management setting: force Apple Watch wrist detection.
Rule ID
SV-259786r943683_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This control ensures the Apple Watch screen locks when the user takes the watch off, thereby protecting sensitive DOD data from possible exposure.

SFR ID: FMT_SMF_EXT.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Force Apple Watch wrist detection" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Wrist detection enforced on Apple Watch" is enforced.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Wrist detection enforced on Apple Watch" is listed.

If "Wrist detection enforced on Apple Watch" is not enforced in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "Wrist detection enforced on Apple Watch", this is a finding.

Check System
C-63522r943681_chk
Fix Reference
F-63429r943682_fix
Fix Text

Install a configuration profile to force Apple Watch wrist detection.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-259789
Rule Version
AIOS-17-712300
Rule Title
Apple iOS/iPadOS 17 must not allow managed apps to write contacts to unmanaged contacts accounts.
Rule ID
SV-259789r943692_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.

SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Documentable
False
Check Content

Review configuration settings to confirm "Allow managed apps to write contacts to unmanaged contacts accounts" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the Apple iOS/iPadOS device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow managed apps to write contacts to unmanaged contacts accounts" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow managed apps to write contacts to unmanaged contacts accounts" is not listed.

If "Allow managed apps to write contacts to unmanaged contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow managed apps to write contacts to unmanaged contacts accounts", this is a finding.

Check System
C-63525r943690_chk
Fix Reference
F-63432r943691_fix
Fix Text

Install a configuration profile to prevent managed apps from writing contacts to unmanaged contacts accounts.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-993300
Group ID
V-259790
Rule Version
AIOS-17-712400
Rule Title
Apple iOS/iPadOS 17 must not allow unmanaged apps to read contacts from managed contacts accounts.
Rule ID
SV-259790r943695_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.

SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Documentable
False
Check Content

Review configuration settings to confirm "Allow unmanaged apps to read contacts from managed contacts accounts" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow unmanaged apps to read contacts from managed contacts accounts" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow unmanaged apps to read contacts from managed contacts accounts" is not listed.

If "Allow unmanaged apps to read contacts from managed contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow unmanaged apps to read contacts from managed contacts accounts", this is a finding.

Check System
C-63526r943693_chk
Fix Reference
F-63433r943694_fix
Fix Text

Install a configuration profile to prevent unmanaged apps from reading contacts from managed contacts accounts.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-993300
Group ID
V-259791
Rule Version
AIOS-17-713400
Rule Title
The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
Rule ID
SV-259791r943698_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DOD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.

SFR ID: FMT_SMF_EXT.1.1 #47a

Documentable
False
Check Content

Review configuration settings to confirm "Allow sending diagnostic and usage data to Apple" is disabled.

This check procedure is performed on both the iOS management tool and the iOS device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked.

Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file).

On the Apple iOS device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Diagnostic submission not allowed".

Note: This setting also disables "Share With App Developers".

If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Diagnostic submission not allowed", this is a finding.

Check System
C-63527r943696_chk
Fix Reference
F-63434r943697_fix
Fix Text

Install a configuration profile to disable sending diagnostic data to an organization other than DOD.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
UNCLASSIFIED