- Group Title
- PP-MDF-331090
- Group ID
- V-259760
- Rule Version
- AIOS-17-701000
- Rule Title
- Apple iOS/iPadOS 17 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device.
- Rule ID
- SV-259760r943605_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.
SFR ID: FMT_SMF_EXT.1.1 #3
- Documentable
- False
- Check Content
-
Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DOD network (work) VPN profile.
This validation procedure is performed on the iOS device only.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management" and determine if any "Personal VPN" exists.
4. If not, the requirement has been met.
5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client.
6. Verify no DOD network VPN profiles are configured on the VPN client.
If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DOD network VPN profile configured on the client, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
- Check System
- C-63496r943603_chk
- Fix Reference
- F-63403r943604_fix
- Fix Text
-
If a third-party unmanaged VPN app is installed on the iOS 17 device, do not configure the VPN app with a DOD network VPN profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-333160
- Group ID
- V-259773
- Rule Version
- AIOS-17-708400
- Rule Title
- Apple iOS/iPadOS 17 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
- Rule ID
- SV-259773r943644_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure the DOD can audit and monitor the activities of mobile device users without legal restriction.
System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. Refer to User Agreement for details.
For devices with severe character limitations, the banner text is:
I've read & consent to terms in IS user agreem't.
The administrator must configure the banner text exactly as written without any changes.
SFR ID: FMT_SMF_EXT.1.1 #36
- Documentable
- False
- Check Content
-
The DOD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):
Method 1:
By placing the DOD warning banner text in the user agreement signed by each iPhone and iPad user.
Method 2:
By installing a Lock Screen Message payload with the required text (preferred method).
Determine which method is used at the iOS device site and follow the appropriate validation procedure below.
Validation Procedure for Method 1:
Review the signed user agreements for several iOS device users and verify the agreement includes the required DOD warning banner text.
Validation Procedure for Method 2:
In the Apple iOS/iPadOS management tool, verify a Lock Screen Message payload has been installed on each managed device. The LockScreenFootnote string should include required text.
If for Method 1, the required warning banner text is not on all signed user agreements reviewed, or for Method 2, the DOD warning banner text is not set as the lock screen footnote, this is a finding.
- Check System
- C-63509r943642_chk
- Fix Reference
- F-63416r943643_fix
- Fix Text
-
Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):
Method 1:
By placing the DOD warning banner text in the user agreement signed by each iOS device user.
Method 2:
By installing a Lock Screen Message payload with the required text (preferred method).
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-259780
- Rule Version
- AIOS-17-710900
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device.
- Rule ID
- SV-259780r943665_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
When a user is allowed to use AirPlay without a password, the user may mistakenly associate the iPhone or iPad with an AirPlay-enabled device other than the one intended (e.g., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of the mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. These passwords do not require any administration and are not required to comply with any complexity requirements.
SFR ID: FMT_SMF_EXT.1.1 #40
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Require passcode on outgoing AirPlay request" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Require passcode on outgoing AirPlay request" is checked.
Alternatively, verify the text "<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>" appears in the configuration profile (.mobileconfig file).
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "AirPlay outgoing requests pairing password enforced" is listed.
If "Require passcode on outgoing AirPlay request" is unchecked in the Apple iOS/iPadOS management tool, "<key>forceAirPlayOutgoingRequestsPairingPassword</key><false/>" appears in the configuration profile (or the key is absent, which leaves Apple's default of not enforcing a password), or the restrictions policy on the iPhone and iPad does not list "AirPlay outgoing requests pairing password enforced", this is a finding.
- Check System
- C-63516r943663_chk
- Fix Reference
- F-63423r943664_fix
- Fix Text
-
Install a configuration profile to require the user to enter a password when connecting to an AirPlay-enabled device.
- Identities
-
CCI-000063
The organization defines allowed methods of remote access to the information system.
- 800-53 :: AC-17 a
- 800-53 Rev. 4 :: AC-17 a
- 800-53A :: AC-17.1 (i)
- Group Title
- PP-MDF-993300
- Group ID
- V-259781
- Rule Version
- AIOS-17-710950
- Rule Title
Apple iOS/iPadOS 17 must implement the management setting: require passcode for incoming AirPlay connection requests.
- Rule ID
- SV-259781r943668_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
When an incoming AirPlay request is accepted without a password, the iPhone or iPad may be mistakenly associated with an AirPlay-enabled device other than the one intended (e.g., the wrong device chosen from the AirPlay list displayed). This creates the potential for someone in control of the mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. These passwords do not require any administration and are not required to comply with any complexity requirements.
SFR ID: FMT_SMF_EXT.1.1 #40
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Require passcode for incoming AirPlay connection requests" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Require passcode for incoming AirPlay connection requests" is checked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "AirPlay incoming requests pairing password enforced" is listed.
If "Require passcode for incoming AirPlay connection requests" is unchecked in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "AirPlay incoming requests pairing password enforced", this is a finding.
- Check System
- C-63517r943666_chk
- Fix Reference
- F-63424r943667_fix
- Fix Text
-
Install a configuration profile to require that incoming AirPlay connection requests enter a password when connecting to a DOD iOS/iPadOS device.
- Identities
-
CCI-000063
The organization defines allowed methods of remote access to the information system.
- 800-53 :: AC-17 a
- 800-53 Rev. 4 :: AC-17 a
- 800-53A :: AC-17.1 (i)
- Group Title
- PP-MDF-993300
- Group ID
- V-259786
- Rule Version
- AIOS-17-711800
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: force Apple Watch wrist detection.
- Rule ID
- SV-259786r943683_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This control ensures the Apple Watch screen locks when the user takes the watch off, thereby protecting sensitive DOD data from possible exposure.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Force Apple Watch wrist detection" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Force Apple Watch wrist detection" is enabled.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Wrist detection enforced on Apple Watch" is listed.
If "Force Apple Watch wrist detection" is not enabled in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "Wrist detection enforced on Apple Watch", this is a finding.
- Check System
- C-63522r943681_chk
- Fix Reference
- F-63429r943682_fix
- Fix Text
-
Install a configuration profile to force Apple Watch wrist detection.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-259789
- Rule Version
- AIOS-17-712300
- Rule Title
- Apple iOS/iPadOS 17 must not allow managed apps to write contacts to unmanaged contacts accounts.
- Rule ID
- SV-259789r943692_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow managed apps to write contacts to unmanaged contacts accounts" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the Apple iOS/iPadOS device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS/iPadOS management tool, verify "Allow managed apps to write contacts to unmanaged contacts accounts" is unchecked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow managed apps to write contacts to unmanaged contacts accounts" is not listed.
If "Allow managed apps to write contacts to unmanaged contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow managed apps to write contacts to unmanaged contacts accounts", this is a finding.
- Check System
- C-63525r943690_chk
- Fix Reference
- F-63432r943691_fix
- Fix Text
-
Install a configuration profile to prevent managed apps from writing contacts to unmanaged contacts accounts.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-993300
- Group ID
- V-259790
- Rule Version
- AIOS-17-712400
- Rule Title
- Apple iOS/iPadOS 17 must not allow unmanaged apps to read contacts from managed contacts accounts.
- Rule ID
- SV-259790r943695_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow unmanaged apps to read contacts from managed contacts accounts" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS management tool, verify "Allow unmanaged apps to read contacts from managed contacts accounts" is unchecked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow unmanaged apps to read contacts from managed contacts accounts" is not listed.
If "Allow unmanaged apps to read contacts from managed contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow unmanaged apps to read contacts from managed contacts accounts", this is a finding.
- Check System
- C-63526r943693_chk
- Fix Reference
- F-63433r943694_fix
- Fix Text
-
Install a configuration profile to prevent unmanaged apps from reading contacts from managed contacts accounts.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-993300
- Group ID
- V-259791
- Rule Version
- AIOS-17-713400
- Rule Title
Apple iOS/iPadOS 17 must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
- Rule ID
- SV-259791r943698_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DOD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47a
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow sending diagnostic and usage data to Apple" is disabled.
This check procedure is performed on both the iOS management tool and the iOS device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked.
Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file).
On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Restrictions".
6. Verify "Diagnostic submission not allowed" is listed.
Note: This setting also disables "Share With App Developers".
If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Diagnostic submission not allowed", this is a finding.
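The checks for the AirPlay outgoing and incoming passcodes, Apple Watch wrist detection, the two contacts-account restrictions, diagnostic submission, and the Lock Screen Message footnote can all be run against the .mobileconfig itself instead of tapping through each device. The script below is an added example and is not part of the STIG or any DISA tooling. It assumes the restriction key names from Apple's Restrictions payload reference (only `forceAirPlayOutgoingRequestsPairingPassword` and `allowDiagnosticSubmission` are quoted on this page; `forceAirPlayIncomingRequestsPairingPassword`, `forceWatchWristDetection`, `allowManagedToWriteUnmanagedContacts` and `allowUnmanagedToReadManagedContacts` are the corresponding keys for the other rules), that the Lock Screen Message payload type is `com.apple.shareddeviceconfiguration` with the `LockScreenFootnote` key, and that the short DOD banner is the text a character-limited footnote should carry. The two sample profiles, their identifiers and UUIDs are constructed for the example.

```python
"""Audit an unsigned .mobileconfig against the restriction and lock-screen rules above.

Added example, not part of the STIG. Sample profiles are constructed here; the
restriction key names come from Apple's Restrictions payload reference.
"""
import plistlib
from typing import Dict, List, Optional, Tuple

RESTRICTIONS = "com.apple.applicationaccess"           # Restrictions payload
SHARED_DEVICE = "com.apple.shareddeviceconfiguration"  # Lock Screen Message payload (assumption)

# Rule version -> (Restrictions key, value the STIG requires).
# An absent key means Apple's default applies (force* off, allow* on), so
# "absent" is treated the same as the wrong value.
RESTRICTION_RULES: Dict[str, Tuple[str, bool]] = {
    "AIOS-17-710900": ("forceAirPlayOutgoingRequestsPairingPassword", True),
    "AIOS-17-710950": ("forceAirPlayIncomingRequestsPairingPassword", True),
    "AIOS-17-711800": ("forceWatchWristDetection", True),
    "AIOS-17-712300": ("allowManagedToWriteUnmanagedContacts", False),
    "AIOS-17-712400": ("allowUnmanagedToReadManagedContacts", False),
    "AIOS-17-713400": ("allowDiagnosticSubmission", False),
}
LOCK_SCREEN_RULE = "AIOS-17-708400"
SHORT_BANNER = "I've read & consent to terms in IS user agreem't."


def payloads_of_type(profile: dict, payload_type: str) -> List[dict]:
    """Return every payload in the profile with the given PayloadType."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def audit_profile(mobileconfig: bytes) -> List[str]:
    """Parse a .mobileconfig and return the rule versions that are findings."""
    profile = plistlib.loads(mobileconfig)
    findings: List[str] = []

    restrictions = payloads_of_type(profile, RESTRICTIONS)
    for rule, (key, required) in RESTRICTION_RULES.items():
        # Only accept a real plist boolean (<true/>/<false/>); a string "true"
        # is not a valid value for these keys.
        values = [p[key] for p in restrictions if isinstance(p.get(key), bool)]
        # Assumption: when several Restrictions payloads set one key, iOS keeps
        # the most restrictive value, so one payload at the required value suffices.
        if required not in values:
            findings.append(rule)

    # The lock screen footnote is character-limited, so the short DOD banner is
    # what is expected here (assumption).
    footnotes = [p.get("LockScreenFootnote", "")
                 for p in payloads_of_type(profile, SHARED_DEVICE)]
    if not any(SHORT_BANNER in note for note in footnotes):
        findings.append(LOCK_SCREEN_RULE)
    return findings


def build_profile(restrictions: dict, footnote: Optional[str] = None) -> bytes:
    """Serialise a minimal unsigned .mobileconfig (constructed sample, made-up identifiers)."""
    payloads: List[dict] = [{
        "PayloadType": RESTRICTIONS,
        "PayloadIdentifier": "example.restrictions",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        **restrictions,
    }]
    if footnote is not None:
        payloads.append({
            "PayloadType": SHARED_DEVICE,
            "PayloadIdentifier": "example.lockscreen",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "LockScreenFootnote": footnote,
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-4000-8000-000000000000",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example restrictions profile",
        "PayloadContent": payloads,
    })


# Constructed weak profile: outgoing AirPlay password off, diagnostics on, contacts
# sharing allowed, no incoming-AirPlay or wrist-detection key, footnote without the banner.
WEAK_PROFILE = build_profile({
    "forceAirPlayOutgoingRequestsPairingPassword": False,
    "allowManagedToWriteUnmanagedContacts": True,
    "allowUnmanagedToReadManagedContacts": True,
    "allowDiagnosticSubmission": True,
}, footnote="If found, return to the help desk.")

# Constructed hardened profile: every key at the STIG-required value plus the short banner.
HARDENED_PROFILE = build_profile(
    {key: required for key, required in RESTRICTION_RULES.values()},
    footnote=SHORT_BANNER,
)

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, "findings:", audit_profile(blob) or "none")
```

Parsing the plist rather than searching for the literal strings quoted in the check content matters in practice: a pretty-printed .mobileconfig puts `<key>forceAirPlayOutgoingRequestsPairingPassword</key>` and `<true/>` on separate lines, so the one-line text in the check will not match even when the setting is correct. Signed profiles are CMS-wrapped and must be unwrapped (for example, with `openssl smime -verify`) before they can be parsed this way.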
- Check System
- C-63527r943696_chk
- Fix Reference
- F-63434r943697_fix
- Fix Text
-
Install a configuration profile to disable sending diagnostic data to an organization other than DOD.
- Identities
-
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1