Apple iOS/iPadOS 18 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Apple iOS/iPadOS 18 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream).
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploi...Rule Medium Severity -
Apple iOS/iPadOS 18 must be configured to not allow more than 10 consecutive failed authentication attempts.
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of at...Rule Medium Severity -
Apple iOS/iPadOS 18 must not include applications with the following characteristics: access to Siri when the device is locked.
Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allow list. Failure to c...Rule Medium Severity -
The Apple iOS/iPadOS 18 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Allows synchronization of data or applications between devices associated with user; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; - Backs up its own data to a remote system; and - Uses artificial intelligence (AI), which processes data in the cloud (off device). Exception: Apple Intelligence Private Cloud Compute (PCC).
Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allow list. Failure to c...Rule Medium Severity -
Apple iOS/iPadOS 18 must be configured to disable ad hoc wireless client-to-client connection capability.
Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and making the traffic invisible. This could allow...Rule Medium Severity -
Apple iOS/iPadOS 18 must require a valid password be successfully entered before the mobile device data is unencrypted.
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of ...Rule High Severity -
Apple iOS/iPadOS 18 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device.
When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one...Rule Low Severity -
Apple iOS/iPadOS 18 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 18 Mail app.
The Apple iOS/iPadOS Mail app can be configured to support multiple email accounts concurrently. These email accounts are likely to involve content of varying degrees of sensitivity (e.g., both per...Rule Medium Severity -
Apple iOS/iPadOS 18 must implement the management setting: not have any Family Members in Family Sharing.
Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ability to lock, wipe, play a sound on, or locate...Rule Low Severity -
Apple iOS/iPadOS 18 must implement the management setting: not share location data through iCloud.
Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DOD user's location, movements, and patterns in those movements over time....Rule Medium Severity -
Apple iOS/iPadOS 18 users must complete required training.
The security posture on iOS devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if...Rule Medium Severity -
Apple iOS/iPadOS 18 must not allow managed apps to write contacts to unmanaged contacts accounts.
Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DOD sensitive informat...Rule Low Severity -
Apple iOS/iPadOS 18 must disable "Password AutoFill" in browsers and applications.
The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowi...Rule Medium Severity -
Apple iOS/iPadOS 18 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices.
Unauthorized use of USB storage drives could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and compromise of sensitive DOD information and systems. SF...Rule Medium Severity -
The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
Many software systems automatically send diagnostic data to the manufacturer or a third-party. This data enables the developers to understand real-world field behavior and improve the product based...Rule Low Severity -
Apple iOS/iPadOS 18 must disable copy/paste of data from managed to unmanaged applications.
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploi...Rule Medium Severity -
Apple iOS/iPadOS 18 must have DOD root and intermediate PKI certificates installed.
DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, th...Rule Medium Severity -
Apple iOS/iPadOS 18 must disable ChatGPT and other external AI app connections in Apple Intelligence.
The ChatGPT feature of Apple Intelligence allows DOD information to be downloaded from the DOD iPhone/iPad and processed by the ChatGPT application in the cloud. The ChatGPT feature of Apple Intell...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.