- Group Title
- PP-MDF-331090
- Group ID
- V-258310
- Rule Version
- AIOS-17-001000
- Rule Title
- Apple iOS/iPadOS 17 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
- Rule ID
- SV-258310r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.
SFR ID: FMT_SMF_EXT.1.1 #3
- Documentable
- False
- Check Content
-
Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DOD network (work) VPN profile.
This validation procedure is performed on the iOS device only.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists.
4. If not, the requirement has been met.
5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client.
6. Verify no DOD network VPN profiles are configured on the VPN client.
If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DOD network VPN profile configured on the client, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
- Check System
- C-62051r927611_chk
- Fix Reference
- F-61975r927612_fix
- Fix Text
-
If a third-party unmanaged VPN app is installed on the iOS 17 device, do not configure the VPN app with a DOD network VPN profile.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-333160
- Group ID
- V-258331
- Rule Version
- AIOS-17-008400
- Rule Title
- Apple iOS/iPadOS 17 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
- Rule ID
- SV-258331r958390_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction.
System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
For devices with severe character limitations, the banner text is:
I've read & consent to terms in IS user agreem't.
The administrator must configure the banner text exactly as written without any changes.
SFR ID: FMT_SMF_EXT.1.1 #36
- Documentable
- False
- Check Content
-
The DOD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):
1. By placing the DOD warning banner text in the user agreement signed by each iPhone and iPad user.
2. By installing a Lock Screen Message payload with the required text (preferred method).
Determine which method is used at the iOS device site and follow the appropriate validation procedure below.
Validation Procedure for Method #1:
Review the signed user agreements for several iOS device users and verify the agreement includes the required DOD warning banner text.
Validation Procedure for Method #2:
In the Apple iOS/iPadOS management tool, verify a Lock Screen Message payload has been installed on each managed device. The LockScreenFootnote string should include required text.
If, for Method #1, the required warning banner text is not on all signed user agreements reviewed, or for Method #2, the DOD warning banner text is not set as the lock screen footnote, this is a finding.
- Check System
- C-62072r927674_chk
- Fix Reference
- F-61996r935551_fix
- Fix Text
-
Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):
1. By placing the DOD warning banner text in the user agreement signed by each iOS device user.
2. By installing a Lock Screen Message payload with the required text (preferred method).
- Identities
-
CCI-000048
Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
- 800-53 :: AC-8 a
- 800-53 Rev. 4 :: AC-8 a
- 800-53 Rev. 5 :: AC-8 a
- 800-53A :: AC-8.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-258339
- Rule Version
- AIOS-17-010500
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: limit Ad Tracking.
- Rule ID
- SV-258339r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Ad Tracking refers to advertisers' ability to categorize the device and target the user with ads matched to the user's preferences. If "Force limited ad tracking" is not enabled, advertising companies are able to gather information about the user's and the device's browsing habits. If "Limit Ad Tracking" is not enforced, a database of the browsing habits of DOD devices can be gathered and stored under no supervision of the DOD. Limiting ad tracking does not completely mitigate the risk but does limit the amount of information gathered.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Force limited ad tracking" is checked.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Force limited ad tracking" is checked.
Alternatively, verify the text "<key>forceLimitAdTracking</key><true/>" appears in the configuration profile (.mobileconfig file).
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Restrictions".
6. Verify "Limit ad tracking enforced" or "Requests to track from apps not allowed" is present.
If "limited ad tracking enforced" is missing in the Apple iOS/iPadOS management tool, "<key>forceLimitAdTracking</key><false/>" does not appear in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Limit ad tracking enforced", this is a finding.
- Check System
- C-62080r927698_chk
- Fix Reference
- F-62004r927699_fix
- Fix Text
-
Install a configuration profile to limit advertisers' ability to track the user's web browsing preferences.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1
- Group Title
- PP-MDF-993300
- Group ID
- V-258340
- Rule Version
- AIOS-17-010600
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: not allow automatic completion of Safari browser passcodes.
- Rule ID
- SV-258340r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining additional information about the device's user or compromising other systems is significantly mitigated.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Enable autofill" is unchecked.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Enable autofill" is unchecked.
Alternatively, verify the text "<key>safariAllowAutoFill</key><false/>" appears in the configuration profile (.mobileconfig file).
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Restrictions".
6. Verify "Auto-fill in Safari not allowed" is present.
If "Enable autofill" is checked in the Apple iOS/iPadOS management tool, "<key>safariAllowAutoFill</key><true>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Auto-fill in Safari not allowed", this is a finding.
- Check System
- C-62081r927701_chk
- Fix Reference
- F-62005r927702_fix
- Fix Text
-
Install a configuration profile to disable the AutoFill capability in the Safari app.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-258342
- Rule Version
- AIOS-17-010800
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: not allow use of Handoff.
- Rule ID
- SV-258342r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between the devices to describe the activity, but app data synchronization associated with the activity is handled through iCloud, which should be disabled on a compliant iPhone and iPad. If a user associates both DOD and personal devices with the same Apple ID, the user may improperly reveal information about the nature of the user's activities on an unprotected device. Disabling Handoff mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow Handoff" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Allow Handoff" is unchecked.
Alternatively, verify the text "<key>allowActivityContinuation</key> <false/>" appears in the configuration profile (.mobileconfig file).
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Handoff not allowed" is listed.
If "Allow Handoff" is checked in the Apple iOS/iPadOS management tool, "<key>allowActivityContinuation</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Handoff not allowed", this is a finding.
This requirement will become "Supervised only" in a future iOS/iPadOS release.
- Check System
- C-62083r927707_chk
- Fix Reference
- F-62007r927708_fix
- Fix Text
-
Install a configuration profile to disable continuation of activities among devices and workstations.
This requirement will become "Supervised only" in a future iOS/iPadOS release.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-258343
- Rule Version
- AIOS-17-010850
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: not allow use of iPhone widgets on Mac.
- Rule ID
- SV-258343r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
iPhone widgets on Mac use Handoff. Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between the devices to describe the activity, but app data synchronization associated with the activity is handled through iCloud, which should be disabled on a compliant iPhone and iPad. If a user associates both DOD and personal devices with the same Apple ID, the user may improperly reveal information about the nature of the user's activities on an unprotected device. Disabling Handoff mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow iPhone Widget on Mac" is disabled.
This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.
This check procedure is performed only on the Apple iOS/iPadOS management tool.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "iPhone Widget on Mac" is unchecked.
If "Allow iPhone Widget on Mac" is checked in the Apple iOS/iPadOS management tool, this is a finding.
- Check System
- C-62084r927710_chk
- Fix Reference
- F-62008r927711_fix
- Fix Text
-
Install a configuration profile to disable the installation of iPhone widgets on Mac. This is a supervised-only control.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-258344
- Rule Version
- AIOS-17-010900
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device.
- Rule ID
- SV-258344r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
When a user is allowed to use AirPlay without a password, the user may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.
SFR ID: FMT_SMF_EXT.1.1 #40
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Require passcode on outgoing AirPlay request" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Require passcode on outgoing AirPlay request" is checked.
Alternatively, verify the text "<key>forceAirPlayOutgoingRequestsPairingPassword</key><false/>" appears in the configuration profile (.mobileconfig file).
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "AirPlay outgoing requests pairing password enforced" is listed.
If "Require passcode on outgoing AirPlay request" is unchecked in the Apple iOS/iPadOS management tool, "<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "AirPlay outgoing requests pairing password enforced", this is a finding.
- Check System
- C-62085r927713_chk
- Fix Reference
- F-62009r927714_fix
- Fix Text
-
Install a configuration profile to require the user to enter a password when connecting to an AirPlay-enabled device.
- Identities
-
CCI-000063
The organization defines allowed methods of remote access to the information system.
- 800-53 :: AC-17 a
- 800-53 Rev. 4 :: AC-17 a
- 800-53A :: AC-17.1 (i)
- Group Title
- PP-MDF-993300
- Group ID
- V-258345
- Rule Version
- AIOS-17-010950
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: require passcode for incoming Airplay connection requests.
- Rule ID
- SV-258345r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
When an incoming AirPlay request is allowed without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.
SFR ID: FMT_SMF_EXT.1.1 #40
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Require passcode for incoming AirPlay connection requests" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Require passcode for incoming AirPlay connection requests" is checked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "AirPlay incoming requests pairing password enforced" is listed.
If "Require passcode for incoming AirPlay connection requests" is unchecked in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "AirPlay incoming requests pairing password enforced", this is a finding.
- Check System
- C-62086r927716_chk
- Fix Reference
- F-62010r927717_fix
- Fix Text
-
Install a configuration profile to require that incoming AirPlay connection requests enter a password when connecting to a DOD iOS/iPadOS device.
- Identities
-
CCI-000063
The organization defines allowed methods of remote access to the information system.
- 800-53 :: AC-17 a
- 800-53 Rev. 4 :: AC-17 a
- 800-53A :: AC-17.1 (i)
- Group Title
- PP-MDF-993300
- Group ID
- V-258351
- Rule Version
- AIOS-17-011600
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: not have any Family Members in Family Sharing.
- Rule ID
- SV-258351r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ability to lock, wipe, play a sound on, or locate the iPhones and iPads of other members. Each member of the group must be invited to the group and accept that invitation. A DOD user's iPhone and iPad may be inadvertently or maliciously wiped by another member of the Family Group. This poses a risk that the user could be without a mobile device for a period of time or lose sensitive information that has not been backed up to other storage media. Configuring iPhones and iPads so their associated Apple IDs are not members of Family Groups mitigates this risk.
Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm Family Sharing is disabled. Note that this is a User-Based Enforcement (UBE) control, which cannot be managed by an MDM server.
This check procedure is performed on the iPhone and iPad.
On the iPhone and iPad:
1. Open the Settings app.
2. At the top of the screen, if "Sign in to your iPhone" is listed, this requirement has been met.
3. If the user profile is signed into iCloud, tap the user name.
4. Tap "Family Sharing".
5. Verify no accounts are listed other than the "Organizer".
Note: The iPhone and iPad must be connected to the internet to conduct this validation procedure. Otherwise, the device will display the notice "Family information is not available", in which case configuration compliance cannot be determined.
If accounts (names or email addresses) are listed under "FAMILY MEMBERS" on the iPhone and iPad, this is a finding.
- Check System
- C-62092r927734_chk
- Fix Reference
- F-62016r927735_fix
- Fix Text
-
The user must either remove all members from the Family Group on the iPhone and iPad or associate the device with an Apple ID that is not a member of a Family Group.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
CCI-002008
For PKI-based authentication, employs an organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
- 800-53 Rev. 4 :: IA-5 (14)
- 800-53 Rev. 5 :: IA-5 (14)
- Group Title
- PP-MDF-993300
- Group ID
- V-258353
- Rule Version
- AIOS-17-011800
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: force Apple Watch wrist detection.
- Rule ID
- SV-258353r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This control ensures the Apple Watch screen locks when the user takes the watch off, thereby protecting sensitive DOD data from possible exposure.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Force Apple Watch wrist detection" is enabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the Apple iOS/iPadOS management tool, verify "Wrist detection enforced on Apple Watch" is enforced.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Wrist detection enforced on Apple Watch" is listed.
If "Wrist detection enforced on Apple Watch" is not enforced in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "Wrist detection enforced on Apple Watch", this is a finding.
- Check System
- C-62094r927740_chk
- Fix Reference
- F-62018r927741_fix
- Fix Text
-
Install a configuration profile to force Apple Watch wrist detection.
- Identities
-
CCI-000381
Configure the system to provide only organization-defined mission essential capabilities.
- 800-53 :: CM-7
- 800-53 Rev. 4 :: CM-7 a
- 800-53 Rev. 5 :: CM-7 a
- 800-53A :: CM-7.1 (ii)
- Group Title
- PP-MDF-993300
- Group ID
- V-258357
- Rule Version
- AIOS-17-012300
- Rule Title
- Apple iOS/iPadOS 17 must not allow managed apps to write contacts to unmanaged contacts accounts.
- Rule ID
- SV-258357r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow managed apps to write contacts to unmanaged contacts accounts" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the Apple iOS/iPadOS device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS/iPadOS management tool, verify "Allow managed apps to write contacts to unmanaged contacts accounts" is unchecked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow managed apps to write contacts to unmanaged contacts accounts" is not listed.
If "Allow managed apps to write contacts to unmanaged contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow managed apps to write contacts to unmanaged contacts accounts", this is a finding.
- Check System
- C-62098r927752_chk
- Fix Reference
- F-62022r927753_fix
- Fix Text
-
Install a configuration profile to prevent managed apps from writing contacts to unmanaged contacts accounts.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-993300
- Group ID
- V-258358
- Rule Version
- AIOS-17-012400
- Rule Title
- Apple iOS/iPadOS 17 must not allow unmanaged apps to read contacts from managed contacts accounts.
- Rule ID
- SV-258358r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow unmanaged apps to read contacts from managed contacts accounts" is disabled.
This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS management tool, verify "Allow unmanaged apps to read contacts from managed contacts accounts" is unchecked.
On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow unmanaged apps to read contacts from managed contacts accounts" is not listed.
If "Allow unmanaged apps to read contacts from managed contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow unmanaged apps to read contacts from managed contacts accounts", this is a finding.
- Check System
- C-62099r927755_chk
- Fix Reference
- F-62023r927756_fix
- Fix Text
-
Install a configuration profile to prevent unmanaged apps from reading contacts from managed contacts accounts.
- Identities
-
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-993300
- Group ID
- V-258359
- Rule Version
- AIOS-17-012500
- Rule Title
- Apple iOS/iPadOS 17 must implement the management setting: disable AirDrop.
- Rule ID
- SV-258359r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained access to the information broadcast by this feature, the attacker may distribute this sensitive information very quickly and without DOD's control or awareness. By disabling this feature, the risk of mass data exfiltration will be mitigated.
Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
Determine if the site authorizing official (AO) has approved the use of AirDrop for unmanaged data transfer. Look for a document showing approval. If AirDrop is not approved, review configuration settings to confirm it is disabled. If approved, this requirement is not applicable.
This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the authorizing official [AO] has not approved the use of AirDrop for unmanaged data transfer).
If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures:
This check procedure is performed on both the device management tool and the iPhone and iPad device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS/iPadOS management tool, verify "Allow AirDrop" is unchecked.
On the iPhone/iPad device:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "AirDrop not allowed" or "Sharing managed documents using Airdrop not allowed" is listed.
If the AO has not approved AirDrop and "AirDrop not allowed" is not listed in the management tool and on the Apple device, this is a finding.
- Check System
- C-62100r927758_chk
- Fix Reference
- F-62024r927759_fix
- Fix Text
-
If the AO has not approved the use of AirDrop for unmanaged data transfer, install a configuration profile to disable the "Allow AirDrop" control in the management tool. This is a supervised-only control.
- Identities
-
CCI-000097
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.
- 800-53 :: AC-20 (2)
- 800-53 Rev. 4 :: AC-20 (2)
- 800-53 Rev. 5 :: AC-20 (2)
- 800-53A :: AC-20 (2).1
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-993300
- Group ID
- V-258366
- Rule Version
- AIOS-17-013100
- Rule Title
- Apple iOS/iPadOS 17 must disable "Find My Friends" in the "Find My" app.
- Rule ID
- SV-258366r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The Find My Friends feature does not itself share a DOD user's location, but it encourages location sharing between DOD mobile device users, which can lead to operational security (OPSEC) risks. Sharing the location of a DOD mobile device is a violation of AIOS-17-011700.
SFR ID: FMT_SMF_EXT.1.1 #47
- Documentable
- False
- Check Content
-
This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.
If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Find My Friends" is disabled.
This check procedure is performed on both the device management tool and the iPhone and iPad.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS/iPadOS management tool, verify "Allow Find My Friends" and "Allow modifying Find My Friends" are unchecked.
On the iPhone/iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Allow Find My Friends" is not listed and "Changing Find My Friends settings not allowed" is listed.
If "Allow Find My Friends" and "Allow modifying Find My Friends" are not disabled in the management tool, and on the Apple device "Allow Find My Friends" is listed and "Changing Find My Friends settings not allowed" is not listed, this is a finding.
- Check System
- C-62107r927779_chk
- Fix Reference
- F-62031r927780_fix
- Fix Text
-
Install a configuration profile to disable "Find My Friends" in the Find My app and "Allow modifying Find My Friends" in the management tool. This is a supervised-only control.
- Identities
-
CCI-000097
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.
- 800-53 :: AC-20 (2)
- 800-53 Rev. 4 :: AC-20 (2)
- 800-53 Rev. 5 :: AC-20 (2)
- 800-53A :: AC-20 (2).1
CCI-000366
Implement the security configuration settings.
- 800-53 :: CM-6 b
- 800-53 Rev. 4 :: CM-6 b
- 800-53 Rev. 5 :: CM-6 b
- 800-53A :: CM-6.1 (iv)
- Group Title
- PP-MDF-993300
- Group ID
- V-258369
- Rule Version
- AIOS-17-013400
- Rule Title
- The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
- Rule ID
- SV-258369r959010_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DOD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47a
- Documentable
- False
- Check Content
-
Review configuration settings to confirm "Allow sending diagnostic and usage data to Apple" is disabled.
This check procedure is performed on both the iOS management tool and the iOS device.
Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.
In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked.
Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file).
On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Restrictions".
6. Verify "Diagnostic submission not allowed" is listed.
Note: This setting also disables "Share With App Developers".
If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Diagnostic submission not allowed", this is a finding.
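As an added example (not part of the STIG text), the following Python script audits a configuration profile (.mobileconfig) for the Restrictions payload keys behind this rule and the preceding rules on this page (AirDrop, Find My Friends, unmanaged apps reading managed contacts). Only allowDiagnosticSubmission is named on this page; the other key names are Apple's Restrictions payload keys, and the sample profile is constructed for the demonstration.

```python
import plistlib

# Constructed sample .mobileconfig (XML plist), not a real DOD profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowDiagnosticSubmission</key><false/>
      <key>allowAirDrop</key><true/>
      <key>allowFindMyFriends</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Restrictions keys that must be explicitly false. Only allowDiagnosticSubmission
# is named in the STIG text; the rest are Apple's keys for the related rules.
REQUIRED_FALSE = {
    "allowDiagnosticSubmission": "AIOS-17-013400 diagnostic data to Apple",
    "allowAirDrop": "AIOS-17-012500 AirDrop (a finding only without AO approval)",
    "allowFindMyFriends": "AIOS-17-013100 Find My Friends",
    "allowFindMyFriendsModification": "AIOS-17-013100 modifying Find My Friends",
    "allowUnmanagedToReadManagedContacts": "unmanaged apps reading managed contacts",
}


def audit_restrictions(profile_bytes: bytes) -> dict:
    """Map each required key to 'ok', 'FINDING: not false' or 'FINDING: missing'."""
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)  # a later Restrictions payload overrides an earlier one
    results = {}
    for key in REQUIRED_FALSE:
        if key not in merged:
            # An absent allow* key means "allowed", the same as the box being checked.
            results[key] = "FINDING: missing"
        elif merged[key] is not False:
            results[key] = "FINDING: not false"
        else:
            results[key] = "ok"
    return results
```

Run it against the profile exported from the management tool; a device check is still needed, because the device only shows the restrictions the installed profile actually delivered.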
- Check System
- C-62110r927788_chk
- Fix Reference
- F-62034r927789_fix
- Fix Text
-
Install a configuration profile to disable sending diagnostic data to an organization other than DOD.
- Identities
-
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
- 800-53 :: SC-28
- 800-53 Rev. 4 :: SC-28
- 800-53 Rev. 5 :: SC-28
- 800-53A :: SC-28.1