STIGQter: STIG Summary: Apple iOS 12 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 25 Jan 2019

Apple iOS must implement the management setting: remove managed applications upon unenrollment from MDM (including sensitive and protected data).

DISA Rule

SV-96513r1_rule

Vulnerability Number

V-81799

Group Title

PP-MDF-302510

Rule Version

AIOS-12-008900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Install a configuration profile to delete all managed apps upon device unenrollment.

Check Contents

Note: Not all Apple iOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable.

This check procedure is performed on the Apple iOS management tool or on the iOS device.

In the Apple iOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed.

On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Apps".
6. Tap an app and verify "App and data will be removed when device is no longer managed" is listed.

Repeat steps 5 and 6 for each managed app in the list.

If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.
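
The management-tool side of this check can be scripted. The following is an added example, not part of the STIG or of any MDM product: it assumes the management tool can export the device's response to the Apple MDM `ManagedApplicationList` query as a plist, and it tests the "remove app when MDM profile is removed" bit (value 1) of each app's `ManagementFlags`. The bundle IDs and the sample response are constructed.

```python
import plistlib

REMOVE_ON_UNENROLL = 0x1  # ManagementFlags bit: remove app when MDM profile is removed

# Constructed sample of a ManagedApplicationList command response (not real device data).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Status</key><string>Acknowledged</string>
  <key>ManagedApplicationList</key>
  <dict>
    <key>com.example.mail</key>
    <dict><key>Status</key><string>Managed</string><key>ManagementFlags</key><integer>1</integer></dict>
    <key>com.example.docs</key>
    <dict><key>Status</key><string>Managed</string><key>ManagementFlags</key><integer>5</integer></dict>
    <key>com.example.notes</key>
    <dict><key>Status</key><string>Managed</string><key>ManagementFlags</key><integer>4</integer></dict>
    <key>com.example.chat</key>
    <dict><key>Status</key><string>Managed</string></dict>
  </dict>
</dict>
</plist>"""


def audit_managed_apps(response_plist: bytes) -> list[str]:
    """Return bundle IDs of managed apps that would survive unenrollment."""
    response = plistlib.loads(response_plist)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"device did not acknowledge the query: {response.get('Status')!r}")
    apps = response.get("ManagedApplicationList")
    if not isinstance(apps, dict):
        raise ValueError("response has no ManagedApplicationList dictionary")
    findings = []
    for bundle_id, info in sorted(apps.items()):
        flags = info.get("ManagementFlags", 0)  # a missing key is treated as no flags set
        if not isinstance(flags, int) or not flags & REMOVE_ON_UNENROLL:
            findings.append(bundle_id)
    return findings


if __name__ == "__main__":
    failing = audit_managed_apps(SAMPLE_RESPONSE)
    for bundle_id in failing:
        print(f"FINDING: {bundle_id} is not removed on MDM unenrollment")
    print("Result:", "finding (AIOS-12-008900)" if failing else "not a finding")
```

An empty result corresponds to "not a finding"; any returned bundle ID is an app that would remain on the device, with its data, after the MDM profile is removed.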

Documentable

False

Check Content Reference

M

Target Key

3401
