Apple iOS/iPadOS 15 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Apple iOS/iPadOS 15 must disable copy/paste of data from managed to unmanaged applications.

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • PP-MDF-321090

    Group
  • Apple iOS/iPadOS 15 must provide the capability for the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].

    The System Administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up ...
    Rule Low Severity
  • Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud).

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud document and data synchronization).

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow backup to remote systems (My Photo Stream).

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow backup to remote systems (managed applications data stored in iCloud).

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow backup to remote systems (enterprise books).

    If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploi...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must be configured to enforce a minimum password length of six characters.

    Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is p...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must be configured to lock the display after 15 minutes (or less) of inactivity.

    The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain ph...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not include applications with the following characteristics: access to Siri when the device is locked.

    Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allow list. Failure to c...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 allow list must be configured to not include applications with the following characteristics: voice dialing application if available when MD is locked.

    Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allow list. Failure to c...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow non-DoD applications to access DoD data.

    App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain ...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must require a valid password be successfully entered before the mobile device data is unencrypted.

    Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of ...
    Rule High Severity
  • Apple iOS/iPadOS 15 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device for the first time.

    When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one...
    Rule Low Severity
  • Apple iOS/iPadOS 15 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 15 Mail app.

    The Apple iOS/iPadOS Mail app can be configured to support multiple email accounts concurrently. These email accounts are likely to involve content of varying degrees of sensitivity (e.g., both per...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must implement the management setting: Treat AirDrop as an unmanaged destination.

    AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must implement the management setting: not have any Family Members in Family Sharing.

    Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ability to lock, wipe, play a sound on, or locate...
    Rule Low Severity
  • A managed photo app must be used to take and store work-related photos.

    The iOS Photos app is unmanaged and may sync photos with a device user's personal iCloud account. Therefore, work-related photos must not be taken via the iOS camera app or stored in the Photos app...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must not allow managed apps to write contacts to unmanaged contacts accounts.

    Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes but are not approved to handle DoD sensitive informat...
    Rule Low Severity
  • Apple iOS/iPadOS 15 must implement the management setting: disable paired Apple Watch.

    Authorizing Official (AO) approval is required before an Apple Watch (DoD-owned or personally owned) can be paired with a DoD-owned iPhone to ensure the AO has evaluated the risk in having sensitiv...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must disable password proximity requests.

    This control allows one Apple device to be notified to share its password with a nearby device. This could lead to a compromise of the device password with an unauthorized person or device. DoD App...
    Rule Medium Severity
  • The Apple iOS/iPadOS 15 must be supervised by the MDM.

    When an iOS/iPadOS is not supervised, the DoD mobile service provider cannot control when new iOS/iPadOS updates are installed on site-managed devices. Most updates should be installed immediately ...
    Rule Medium Severity
  • Apple iOS/iPadOS 15 must disable "Allow USB drive access in Files app" if the Authorizing Official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.

    Unauthorized use of USB storage drives could lead to the introduction of malware or unauthorized software into the DoD IT infrastructure and compromise of sensitive DoD information and systems. SF...
    Rule Medium Severity
  • The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.

    Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based...
    Rule Low Severity