The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD native security controls are disabled.

Description

<VulnDiscussion>Examples of indicators that the device native security controls have been disabled include jailbroken or rooted devices. DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and the work profile can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure. Detection via collection and analysis of BYOAD-generated logs for noncompliance indicators is acceptable. This detection capability must be implemented prior to BYOAD access to DOD information and IT resources and continuously monitored on the DOD-managed segment of the BYOAD enrolled in the program. If non-DOD information (i.e., personal user data, device information) outside the DOD-managed segment of the BYOAD is required to be accessed, collected, monitored, tracked (i.e., location), or maintained, the circumstances under which this may be done must be outlined in the user agreement. Reference: DOD policy "Use of Non-Government Mobile Devices". 3.a.(3)iii. SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>