STIGQter: STIG Summary: Apple iOS/iPadOS 14 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

Apple iOS/iPadOS must implement the management setting: Encrypt iTunes backups/Encrypt local backup.

DISA Rule

SV-228753r619923_rule

Vulnerability Number

V-228753

Group Title

PP-MDF-991000

Rule Version

AIOS-14-009100

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-000381 - The organization configures the information system to provide only essential capabilities.
• CCI-000370 - The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.

Weight

10

Fix Recommendation

Install a configuration profile to force encrypted backups to iTunes.

Check Contents

Review configuration settings to confirm "Force encrypted backups" is enabled in iTunes (Windows) or Finder (Mac).

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Encrypt local backup" is checked.

Alternatively, verify the text "<key>forceEncryptedBackup</key><true/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management" or "Profiles".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Encrypt local backup" is listed.

If "Encrypt local backup" is unchecked in the Apple iOS/iPadOS management tool, or "<key>forceEncryptedBackup</key><false/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Encrypt local backup", this is a finding.

Vulnerability Number

V-228753

Documentable

False

Rule Version

AIOS-14-009100

Severity Override Guidance

Review configuration settings to confirm "Force encrypted backups" is enabled in iTunes (Windows) or Finder (Mac).

This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS/iPadOS management tool, verify "Encrypt local backup" is checked.

Alternatively, verify the text "<key>forceEncryptedBackup</key><true/>" appears in the configuration profile (.mobileconfig file).

On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management" or "Profiles".
4. Tap the Configuration Profile from the Apple iOS/iPadOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Encrypt local backup" is listed.

If "Encrypt local backup" is unchecked in the Apple iOS/iPadOS management tool, or "<key>forceEncryptedBackup</key><false/>" appears in the configuration profile, or the restrictions policy on the iPhone and iPad does not list "Encrypt local backup", this is a finding.

Check Content Reference

M

Target Key

4231

Comments