STIGQter: STIG Summary: Apple iOS/iPadOS 14 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.

DISA Rule

SV-228780r619923_rule

Vulnerability Number

V-228780

Group Title

PP-MDF-991000

Rule Version

AIOS-14-011900

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the Apple iOS configuration profile such that it can never be removed.

The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider.

When using Apple Configurator, under "General Security", configure "Security" to "Never" and "Automatically Remove Profile" to "Never".

Check Contents

Review configuration settings to confirm configuration profiles are not removable.

This check procedure is performed on both the Apple iOS management tool and the Apple iOS device. The procedures below assume the site is not enrolled in DEP and are not applicable to devices under MDM management.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS management tool, verify "Security" is set to "Never" and "Automatically Remove Profile" is set to "Never".

On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management" or "Profiles".
4. Tap each Configuration Profile from the Apple iOS management tool that contains the restrictions for the device.
5. Verify the "Delete Profile" button is not present.

If, on the Apple iOS management tool or on the iOS device, the "Delete Profile" button is available on the configuration profile, this is a finding.

Vulnerability Number

V-228780

Documentable

False

Rule Version

AIOS-14-011900

Severity Override Guidance

Review configuration settings to confirm configuration profiles are not removable.

This check procedure is performed on both the Apple iOS management tool and the Apple iOS device. The procedures below assume the site is not enrolled in DEP and are not applicable to devices under MDM management.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS management tool, verify "Security" is set to "Never" and "Automatically Remove Profile" is set to "Never".

On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management" or "Profiles".
4. Tap each Configuration Profile from the Apple iOS management tool that contains the restrictions for the device.
5. Verify the "Delete Profile" button is not present.

If, on the Apple iOS management tool or on the iOS device, the "Delete Profile" button is available on the configuration profile, this is a finding.

Check Content Reference

M

Target Key

4231

Comments