U Apple iOS-iPadOS 18 V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
PP-MDF-331090
Group ID
V-267937
Rule Version
AIOS-18-001000
Rule Title
Apple iOS/iPadOS 18 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
Rule ID
SV-267937r1031117_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.

SFRID: FMT_SMF.1.1 #3

Documentable
False
Check Content

Review the list of unmanaged apps installed on the iPhone and iPad and determine if any unmanaged third-party VPN clients are installed. If so, verify the VPN app is not configured with a DOD network (work) VPN profile.

This validation procedure is performed on the iOS device only.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists.

4. If not, the requirement has been met.

5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client.

6. Verify no DOD network VPN profiles are configured on the VPN client.

If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DOD network VPN profile configured on the client, this is a finding.

Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.

Check System
C-71861r1030562_chk
Fix Reference
F-71764r1030563_fix
Fix Text

If a third-party unmanaged VPN app is installed on the iOS 18 device, do not configure the VPN app with a DOD network VPN profile.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

  • 800-53 :: CM-6 (1)
  • 800-53 Rev. 4 :: CM-6 (1)
  • 800-53 Rev. 5 :: CM-6 (1)
  • 800-53A :: CM-6 (1).1
Group Title
PP-MDF-333160
Group ID
V-268007
Rule Version
AIOS-18-008400
Rule Title
Apple iOS/iPadOS 18 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
Rule ID
SV-268007r1031187_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction.

System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

For devices with severe character limitations, the banner text is:

I've read & consent to terms in IS user agreem't.

The administrator must configure the banner text exactly as written without any changes.

SFRID: FMT_SMF.1.1 #36

Documentable
False
Check Content

The DOD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DOD warning banner text in the user agreement signed by each iPhone and iPad user.

2. By installing a Lock Screen Message payload with the required text (preferred method).

Determine which method is used at the iOS device site and follow the appropriate validation procedure below.

Validation Procedure for Method #1:

Review the signed user agreements for several iOS device users and verify the agreement includes the required DOD warning banner text.

Validation Procedure for Method #2:

In the Apple iOS/iPadOS management tool, verify a Lock Screen Message payload has been installed on each managed device. The LockScreenFootnote string should include required text.

If, for Method #1, the required warning banner text is not on all signed user agreements reviewed, or for Method #2, the DOD warning banner text is not set as the lock screen footnote, this is a finding.

Check System
C-71931r1030772_chk
Fix Reference
F-71834r1030773_fix
Fix Text

Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):

1. By placing the DOD warning banner text in the user agreement signed by each iOS device user.

2. By installing a Lock Screen Message payload with the required text (preferred method).

Identities
CCI-000048

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

  • 800-53 :: AC-8 a
  • 800-53 Rev. 4 :: AC-8 a
  • 800-53 Rev. 5 :: AC-8 a
  • 800-53A :: AC-8.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-268026
Rule Version
AIOS-18-010500
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: limit Ad Tracking.
Rule ID
SV-268026r1031206_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Ad Tracking refers to the advertisers' ability to categorize the device and spam the user with ads that are most relevant to the user's preferences. By not "Force limiting ad tracking", advertising companies are able to gather information about the user and device's browsing habits. If "Limit Ad Tracking" is not limited, a database of browsing habits of DOD devices can be gathered and stored under no supervision of the DOD. Limiting ad tracking does not completely mitigate the risk but does limit the amount of information gathering.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Force limited ad tracking" is checked.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Force limited ad tracking" is checked.

Alternatively, verify the text "<key>forceLimitAdTracking</key><true/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Limit ad tracking enforced" or "Requests to track from apps not allowed" is present.

If "limited ad tracking enforced" is missing in the Apple iOS/iPadOS management tool, "<key>forceLimitAdTracking</key><false/>" does not appear in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Limit ad tracking enforced", this is a finding.

Check System
C-71950r1030829_chk
Fix Reference
F-71853r1030830_fix
Fix Text

Install a configuration profile to limit advertisers' ability to track the user's web browsing preferences.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
Group Title
PP-MDF-993300
Group ID
V-268027
Rule Version
AIOS-18-010600
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: not allow automatic completion of Safari browser passcodes.
Rule ID
SV-268027r1031207_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining additional information about the device's user or compromising other systems is significantly mitigated.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Enable autofill" is unchecked.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Enable autofill" is unchecked.

Alternatively, verify the text "<key>safariAllowAutoFill</key><false>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Auto-fill in Safari not allowed" is present.

If "Enable autofill" is checked in the Apple iOS/iPadOS management tool, "<key>safariAllowAutoFill</key><true>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Auto-fill in Safari not allowed", this is a finding.

Check System
C-71951r1030832_chk
Fix Reference
F-71854r1030833_fix
Fix Text

Install a configuration profile to disable the AutoFill capability in the Safari app.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-268029
Rule Version
AIOS-18-010800
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: not allow use of Handoff.
Rule ID
SV-268029r1031209_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between the devices to describe the activity, but app data synchronization associated with the activity is handled though iCloud, which should be disabled on a compliant iPhone and iPad. If a user associates both DOD and personal devices to the same Apple ID, the user may improperly reveal information about the nature of the user's activities on an unprotected device. Disabling Handoff mitigates this risk.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Allow Handoff" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Allow Handoff" is unchecked.

Alternatively, verify the text "<key>allowActivityContinuation</key> <false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Handoff not allowed" is listed.

If "Allow Handoff" is checked in the Apple iOS/iPadOS management tool, "<key>allowActivityContinuation</key> <true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Handoff not allowed", this is a finding.

Check System
C-71953r1030838_chk
Fix Reference
F-71856r1030839_fix
Fix Text

Install a configuration profile to disable continuation of activities among devices and workstations. This a supervised-only control.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-268030
Rule Version
AIOS-18-010850
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: not allow use of iPhone widgets on Mac.
Rule ID
SV-268030r1031210_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

iPhone widgets on Mac use Handoff. Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between the devices to describe the activity, but app data synchronization associated with the activity is handled though iCloud, which should be disabled on a compliant iPhone and iPad. If a user associates both DOD and personal devices to the same Apple ID, the user may improperly reveal information about the nature of the user's activities on an unprotected device. Disabling Handoff mitigates this risk.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Allow iPhone Widget on Mac" is disabled.

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

This check procedure is performed only on the Apple iOS/iPadOS management tool.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "iPhone Widget on Mac" is unchecked.

If "Allow iPhone Widget on Mac" is checked in the Apple iOS/iPadOS management tool, this is a finding.

Check System
C-71954r1030841_chk
Fix Reference
F-71857r1030842_fix
Fix Text

Install a configuration profile to disable the installation of iPhone widgets on Mac. This a supervised-only control.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-268031
Rule Version
AIOS-18-010900
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device.
Rule ID
SV-268031r1031211_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.

SFRID: FMT_SMF.1.1 #40

Documentable
False
Check Content

Review configuration settings to confirm "Require passcode on outgoing AirPlay request" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Require passcode on outgoing AirPlay request" is checked.

Alternatively, verify the text "<key>forceAirPlayOutgoingRequestsPairingPassword</key><false/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirPlay outgoing requests pairing password enforced" is listed.

If "Require passcode on outgoing AirPlay request" is unchecked in the Apple iOS/iPadOS management tool, "<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "AirPlay outgoing requests pairing password enforced", this is a finding.

Check System
C-71955r1030844_chk
Fix Reference
F-71858r1030845_fix
Fix Text

Install a configuration profile to require the user to enter a password when connecting to an AirPlay-enabled device.

Identities
CCI-000067

Employ automated mechanisms to monitor remote access methods.

  • 800-53 :: AC-17 (1)
  • 800-53 Rev. 4 :: AC-17 (1)
  • 800-53 Rev. 5 :: AC-17 (1)
  • 800-53A :: AC-17 (1).1
Group Title
PP-MDF-993300
Group ID
V-268032
Rule Version
AIOS-18-010950
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: require passcode for incoming Airplay connection requests.
Rule ID
SV-268032r1031212_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

When an incoming AirPlay request is allowed without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DOD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.

SFRID: FMT_SMF.1.1 #40

Documentable
False
Check Content

Review configuration settings to confirm "Require passcode for incoming AirPlay connection requests" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Require passcode for incoming AirPlay connection requests" is checked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "AirPlay incoming requests pairing password enforced" is listed.

If "Require passcode for incoming AirPlay connection requests" is unchecked in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "AirPlay incoming requests pairing password enforced", this is a finding.

Check System
C-71956r1030847_chk
Fix Reference
F-71859r1030848_fix
Fix Text

Install a configuration profile to require that incoming AirPlay connection requests enter a password when connecting to a DOD iOS/iPadOS device.

Identities
CCI-000067

Employ automated mechanisms to monitor remote access methods.

  • 800-53 :: AC-17 (1)
  • 800-53 Rev. 4 :: AC-17 (1)
  • 800-53 Rev. 5 :: AC-17 (1)
  • 800-53A :: AC-17 (1).1
Group Title
PP-MDF-993300
Group ID
V-268038
Rule Version
AIOS-18-011600
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: not have any Family Members in Family Sharing.
Rule ID
SV-268038r1031218_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ability to lock, wipe, play a sound on, or locate the iPhone and iPads of other members. Each member of the group must be invited to the group and accept that invitation. A DOD user's iPhone and iPad may be inadvertently or maliciously wiped by another member of the Family Group. This poses a risk that the user could be without a mobile device for a period of time or lose sensitive information that has not been backed up to other storage media. Configuring iPhone and iPads so their associated Apple IDs are not members of Family Groups mitigates this risk.

Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm Family Sharing is disabled. Note that this is a User-Based Enforcement (UBE) control, which cannot be managed by an MDM server.

This check procedure is performed on the iPhone and iPad.

On the iPhone and iPad:

1. Open the Settings app.

2. At the top of the screen, if "Sign in to your iPhone" is listed, this requirement has been met.

3. If the user profile is signed into iCloud, tap the username.

4. Tap "Family Sharing".

5. Verify no accounts are listed other than the "Organizer".

Note: The iPhone and iPad must be connected to the internet to conduct this validation procedure. Otherwise, the device will display the notice "Family information is not available", in which case configuration compliance cannot be determined.

If accounts (names or email addresses) are listed under "FAMILY MEMBERS" on the iPhone and iPad, this is a finding.

Check System
C-71962r1030865_chk
Fix Reference
F-71865r1030866_fix
Fix Text

The user must either remove all members from the Family Group on the iPhone and iPad or associate the device with an Apple ID that is not a member of a Family Group.

Identities
CCI-002007

Prohibit the use of cached authenticators after an organization-defined time period.

  • 800-53 Rev. 4 :: IA-5 (13)
  • 800-53 Rev. 5 :: IA-5 (13)
Group Title
PP-MDF-993300
Group ID
V-268040
Rule Version
AIOS-18-011800
Rule Title
Apple iOS/iPadOS 18 must implement the management setting: force Apple Watch wrist detection.
Rule ID
SV-268040r1031220_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This control ensures the Apple Watch screen locks when the user takes the watch off, thereby protecting sensitive DOD data from possible exposure.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

Review configuration settings to confirm "Force Apple Watch wrist detection" is enabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Wrist detection enforced on Apple Watch" is enforced.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Wrist detection enforced on Apple Watch" is listed.

If "Wrist detection enforced on Apple Watch" is not enforced in the Apple iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad does not list "Wrist detection enforced on Apple Watch", this is a finding.

Check System
C-71964r1030871_chk
Fix Reference
F-71867r1030872_fix
Fix Text

Install a configuration profile to force Apple Watch wrist detection.

Identities
CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

  • 800-53 :: CM-7
  • 800-53 Rev. 4 :: CM-7 a
  • 800-53 Rev. 5 :: CM-7 a
  • 800-53A :: CM-7.1 (ii)
Group Title
PP-MDF-993300
Group ID
V-268045
Rule Version
AIOS-18-012300
Rule Title
Apple iOS/iPadOS 18 must not allow managed apps to write contacts to unmanaged contacts accounts.
Rule ID
SV-268045r1031225_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.

SFRID: FMT_SMF.1.1 #42, FDP_ACF_EXT.1.2

Documentable
False
Check Content

Review configuration settings to confirm "Allow managed apps to write contacts to unmanaged contacts accounts" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the Apple iOS/iPadOS device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow managed apps to write contacts to unmanaged contacts accounts" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow managed apps to write contacts to unmanaged contacts accounts" is not listed.

If "Allow managed apps to write contacts to unmanaged contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow managed apps to write contacts to unmanaged contacts accounts", this is a finding.

Check System
C-71969r1030886_chk
Fix Reference
F-71872r1030887_fix
Fix Text

Install a configuration profile to prevent managed apps from writing contacts to unmanaged contacts accounts.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-993300
Group ID
V-268046
Rule Version
AIOS-18-012400
Rule Title
Apple iOS/iPadOS 18 must not allow unmanaged apps to read contacts from managed contacts accounts.
Rule ID
SV-268046r1031226_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive information. Examples of unmanaged apps include those for news services, travel guides, maps, and social networking. If a document were to be viewed in a managed app and the user had the ability to open this same document in an unmanaged app, this could lead to the compromise of sensitive DOD data. In some cases, the unmanaged apps are connected to cloud backup or social networks that would permit dissemination of DOD sensitive information to unauthorized individuals. Not allowing data to be opened within unmanaged apps mitigates the risk of compromising sensitive data.

SFRID: FMT_SMF.1.1 #42, FDP_ACF_EXT.1.2

Documentable
False
Check Content

Review configuration settings to confirm "Allow unmanaged apps to read contacts from managed contacts accounts" is disabled.

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow unmanaged apps to read contacts from managed contacts accounts" is unchecked.

On the iPhone and iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS/iPadOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow unmanaged apps to read contacts from managed contacts accounts" is not listed.

If "Allow unmanaged apps to read contacts from managed contacts accounts" is checked in the iOS/iPadOS management tool or the restrictions policy on the iPhone and iPad lists "Allow unmanaged apps to read contacts from managed contacts accounts", this is a finding.

Check System
C-71970r1030889_chk
Fix Reference
F-71873r1030890_fix
Fix Text

Install a configuration profile to prevent unmanaged apps from reading contacts from managed contacts accounts.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-993300
Group ID
V-268054
Rule Version
AIOS-18-013100
Rule Title
Apple iOS/iPadOS 18 must disable "Find My Friends" in the "Find My" app.
Rule ID
SV-268054r1031234_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

This control does not share a DOD user's location but encourages location sharing between DOD mobile device users, which can lead to operational security (OPSEC) risks. Sharing the location of a DOD mobile device is a violation of AIOS-17-011700.

SFRID: FMT_SMF.1.1 #47

Documentable
False
Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding.

If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Find My Friends" is disabled.

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS/iPadOS management tool, verify "Allow Find My Friends" and "Allow modifying Find My Friends" are unchecked.

On the iPhone/iPad:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.

5. Tap "Restrictions".

6. Verify "Allow Find My Friends" is not listed and "Changing Find My Friends settings not allowed" is listed.

If "Allow Find My Friends" and "Allow modifying Find My Friends" are not disabled in the management tool and on the Apple device "Allow Find My Friends" is listed and "Changing Find My Friends settings not allowed" is not listed, this is a finding.

Check System
C-71978r1030913_chk
Fix Reference
F-71881r1030914_fix
Fix Text

Install a configuration profile to disable "Find My Friends" in the Find My app and "Allow modifying Find My Friends" in the management tool. This a supervised-only control.

Identities
CCI-000366

Implement the security configuration settings.

  • 800-53 :: CM-6 b
  • 800-53 Rev. 4 :: CM-6 b
  • 800-53 Rev. 5 :: CM-6 b
  • 800-53A :: CM-6.1 (iv)
Group Title
PP-MDF-993300
Group ID
V-268057
Rule Version
AIOS-18-013400
Rule Title
The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
Rule ID
SV-268057r1031237_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

Many software systems automatically send diagnostic data to the manufacturer or a third-party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DOD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.

SFRID: FMT_SMF.1.1 #47a

Documentable
False
Check Content

Review configuration settings to confirm "Allow sending diagnostic and usage data to Apple" is disabled.

This check procedure is performed on both the iOS management tool and the iOS device.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked.

Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file).

On the Apple iOS device:

1. Open the Settings app.

2. Tap "General".

3. Tap "VPN & Device Management".

4. Tap the Configuration Profile from the iOS management tool containing the management policy.

5. Tap "Restrictions".

6. Verify "Diagnostic submission not allowed".

Note: This setting also disables "Share With App Developers".

If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Diagnostic submission not allowed", this is a finding.

Check System
C-71981r1030922_chk
Fix Reference
F-71884r1030923_fix
Fix Text

Install a configuration profile to disable sending diagnostic data to an organization other than DOD.

Identities
CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

  • 800-53 :: SC-28
  • 800-53 Rev. 4 :: SC-28
  • 800-53 Rev. 5 :: SC-28
  • 800-53A :: SC-28.1
UNCLASSIFIED