STIGQter: STIG Summary: Apple iOS 12 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 25 Jan 2019

Apple iOS must implement the management setting: enable USB Restricted Mode.

DISA Rule

SV-96555r1_rule

Vulnerability Number

V-81841

Group Title

PP-MDF-991000

Rule Version

AIOS-12-012500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the iOS device is not Supervised, the user must disable "USB Accessories" on their iOS device. If the iOS device is Supervised, check (enable) "Allow USB Accessories while device is locked" on the Apple iOS management tool. Note: The label for this configuration setting varies between MDM products. Ensure the setting is configured to disable USB accessory connection unless the device passcode is entered.

Check Contents

Review configuration settings to confirm USB Restricted Mode is enabled. Note that this is a User-Based Enforcement (UBE) control, unless Supervised mode has been implemented on the iOS device.

This check procedure is performed on the Apple iOS device (non-Supervised) or on an Apple iOS management tool (Supervised).

If the device is not Supervised, on the Apple iOS device:
1. Open the Settings app.
2. Tap "Touch ID & Passcode" or "Face ID & Passcode".
3. Scroll down to the "USB Accessories" setting.
4. Verify the "USB Accessories" setting is off.

If the device is Supervised, in the Apple iOS management tool, verify "Allow USB Accessories while device is locked" is checked (enabled). Note: The label for this configuration setting varies between MDM products. Ensure the setting is configured to disable USB accessory connection unless the device passcode is entered.

If the "USB Accessories" setting on the iOS device is not off or "Allow USB Accessories while device is locked" is not checked on the iOS management tool, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3401

Comments