STIGQter: STIG Summary: Apple iOS/iPadOS 14 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

Apple iOS/iPadOS users must complete required training.

DISA Rule

SV-228765r619923_rule

Vulnerability Number

V-228765

Group Title

PP-MDF-991000

Rule Version

AIOS-14-010300

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Have all iPhone and iPad users complete training on the following topics. Users must acknowledge receipt of training via a signed User Agreement or similar written record.

Training Topics:
- Operational security concerns introduced by unmanaged applications including applications utilizing global positioning system (GPS) tracking
- Must ensure no DoD data is saved in an unmanaged app or transmitted from a personal app (for example, from personal email)
- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys, and to report any loss of control so the credentials can be revoked. Upon device retirement, turn in, or reassignment, ensure a factory data reset is performed prior to device hand off. Follow mobility service provider decommissioning procedures as applicable.
- How to configure the following User Based Enforcement (UBE) controls (users must configure the control) and other controls on the iPhone and iPad:
  - Remove Family Sharing
  - Disable Shared Location
  - Disable Wi-Fi Assist
  - Use AirPrint only with AO-approved printers and print servers (see the Multifunction Device STIG for requirements)
  - Turn off “Apps” under “AUTOMATIC DOWNLOADS” in the “iTunes & App Store” section of the Settings app on the iPhone and iPad
  - Secure use of Calendar Alarm
  - Do not configure a DoD network (work) VPN profile on any third-party unmanaged VPN app
  - iPhone and iPad radios should be disabled using controls under "Settings" instead of "Control Center"
- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.)

Check Contents

Review a sample of site User Agreements of iOS device users or similar training records and training course content. Verify iPhone and iPad users have completed required training.

If any iPhone and iPad user is found to not have completed required training, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4231
