CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Medium

2 rules found Severity: Low

2 rules found Severity: Medium

5 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

CCI-000370

Apple iOS/iPadOS 15 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.

The Arista Multilayer Switch must employ AAA service to centrally manage authentication settings.

The CA API Gateway must employ RADIUS + LDAPS or LDAPS to centrally manage authentication settings.

Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.

The FortiGate device must use LDAP for authentication.

Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).

Google Android 12 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.

The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.

The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.

Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account).

Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

Microsoft Android 11 must allow the Administrator (EMM) to perform the following management function: Wipe Enterprise data.

Microsoft Android 11 must be configured to enable audit logging.

Microsoft Android 11 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.

Motorola Solutions Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

Motorola Solutions Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.

Motorola Solutions Android 11 must be configured to enable audit logging.

Motorola Solutions Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.

Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally manage authentication settings.

Samsung Android must be configured to disable trust agents. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.

Samsung Android must be configured to disable Face Recognition. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.

Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.

Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort.

The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.

Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).

Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.

iPhone and iPad must have the latest available iOS/iPadOS operating system installed.

Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.

Apple iOS/iPadOS 16 users must complete required training.

Apple iOS/iPadOS 16 must not allow managed apps to write contacts to unmanaged contacts accounts.

Apple iOS/iPadOS 16 must not allow unmanaged apps to read contacts from managed contacts accounts.

Apple iOS/iPadOS 16 must disable copy/paste of data from managed to unmanaged applications.

The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.

Zebra Android 11 must be configured to disable trust agents.

Zebra Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.

Zebra Android 11 must be configured to enable audit logging.

Zebra Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.

The BIG-IP appliance must be configured to employ automated mechanisms to centrally manage authentication settings.

Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].

Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud document and data synchronization).

Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Keychain).

Apple iOS/iPadOS 16 must not allow backup to remote systems (My Photo Stream).

Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).

Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.

Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.

Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.

Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.

Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.

Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.

Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode.

Apple iOS/iPadOS 16 must implement the management setting: Disable AirDrop.

Apple iOS/iPadOS 16 must implement the management setting: Disable paired Apple Watch.

Apple iOS/iPadOS 16 must disable Password AutoFill in browsers and applications.

Apple iOS/iPadOS 16 must disable allow setting up new nearby devices.

Apple iOS/iPadOS 16 must disable password proximity requests.

Apple iOS/iPadOS 16 must disable password sharing.

Apple iOS/iPadOS 16 must disable Find My Friends in the Find My app.

The Apple iOS/iPadOS 16 must be supervised by the MDM.

Apple iOS/iPadOS 16 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.

Apple iOS/iPadOS 16 must disable "Allow network drive access in Files access".

Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of dictation.

Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of translation.

The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access.

The Cisco switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

The Cisco router must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users.

The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).

The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).

The HPE Nimble must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The network device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

ONTAP must be configured to use an authentication server to provide multifactor authentication.

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

Apple iOS/iPadOS 18 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].