Apple iOS-iPadOS 16 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Apple iOS/iPadOS 16 allow list must be configured to not include applications with the following characteristics: allow voice dialing when MD is locked.
Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allow list. Failure to c...Rule Medium Severity -
PP-MDF-323070
Group -
PP-MDF-323290
Group -
PP-MDF-323080
Group -
Apple iOS/iPadOS 16 must be configured to not display notifications when the device is locked.
Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new ...Rule Medium Severity -
PP-MDF-323080
Group -
Apple iOS/iPadOS 16 must not display notifications (calendar information) when the device is locked.
Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new ...Rule Medium Severity -
PP-MDF-323160
Group -
Apple iOS/iPadOS 16 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
Before granting access to the system, the mobile operating system is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consis...Rule Low Severity -
PP-MDF-323240
Group -
Apple iOS/iPadOS 16 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connect...Rule Medium Severity -
PP-MDF-323280
Group -
PP-MDF-323300
Group -
Apple iOS/iPadOS 16 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected by the MDM software, putting it at m...Rule Medium Severity -
PP-MDF-323310
Group -
Apple iOS/iPadOS 16 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected by the MDM software, putting it at m...Rule Medium Severity -
PP-MDF-323330
Group -
Apple iOS/iPadOS 16 must be configured to disable ad hoc wireless client-to-client connection capability.
Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and making the traffic invisible. This could allow...Rule Medium Severity -
PP-MDF-990000
Group -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.
MailDrop allows users to send large attachments (up to 5 GB) via iCloud. Storing data with a non-DoD cloud provider may leave the data vulnerable to breach. Disabling non-DoD cloud services mitigat...Rule Medium Severity -
PP-MDF-990000
Group -
PP-MDF-990000
Group -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
When syncing an iPhone and iPad to a computer running iTunes, iTunes will prompt the user to back up the iPhone and iPad. If the performed backup is not encrypted, this could lead to the unauthoriz...Rule Medium Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.
Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between the devices to describe the activity, but app da...Rule Low Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device for the first time.
When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one...Rule Low Severity -
PP-MDF-990000
Group -
PP-MDF-990000
Group -
iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF_EXT.1.1 #47Rule High Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: use SSL for Exchange ActiveSync.
Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SSL), also referred to as Transport Layer Securit...Rule Medium Severity -
PP-MDF-990000
Group -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: Treat AirDrop as an unmanaged destination.
AirDrop is a way to send contact information or photos to other users with AirDrop enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained ac...Rule Medium Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must disable allow setting up new nearby devices.
This control allows Apple device users to request passwords from nearby devices. This could lead to a compromise of the device password with an unauthorized person or device. DoD Apple device passw...Rule Medium Severity -
PP-MDF-990000
Group -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: Not share location data through iCloud.
Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DoD user's location, movements, and patterns in those movements over time....Rule Medium Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: Force Apple Watch wrist detection.
Because Apple Watch is a personal device, it is key that any sensitive DoD data displayed on the Apple Watch cannot be viewed when the watch is not in the immediate possession of the user. This con...Rule Low Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 users must complete required training.
The security posture on iOS devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if...Rule Medium Severity -
PP-MDF-990000
Group -
A managed photo app must be used to take and store work-related photos.
The iOS Photos app is unmanaged and may sync photos with a device user's personal iCloud account. Therefore, work-related photos must not be taken via the iOS camera app or stored in the Photos app...Rule Medium Severity -
PP-MDF-990000
Group -
Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode.
The USB lightning port on an iOS device can be used to access data on the device. The required settings ensure the Apple device password is entered before a previously trusted USB accessory can con...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.