Apple iOS/iPadOS 14 STIG: AIOS-14-007600

Check: AIOS-14-007600 (in version v1 r1)

Title

Apple iOS/iPadOS must implement the management setting: remove managed applications upon unenrollment from MDM (including sensitive and protected data). (Cat II impact)

Discussion

When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than they were prior to enrollment. Removing managed apps (and consequently the data maintained within them) upon unenrollment mitigates this risk because, on appropriately configured iPhones and iPads, DoD-sensitive information exists only within managed apps.

Satisfies: PP-MDF-302510, PP-MDF-302505, PP-MDF-301500, MDF-PP-2500, MDF-PP-301510

SFR ID: FMT_SMF_EXT.2.1, FMT_SMF_EXT.1.1 #47h

Check Content

Note: Not all Apple iOS/iPadOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable.

This check procedure is performed on the Apple iOS/iPadOS management tool or on the iOS device.

In the Apple iOS/iPadOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed.

On the iPhone and iPad:

1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management" or "Profiles".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Apps".
6. Tap an app and verify "App and data will be removed when device is no longer managed" is listed.

Repeat steps 5 and 6 for each managed app in the list.

If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.

Fix Text

Install a configuration profile to delete all managed apps upon device unenrollment.
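The management-tool side of this check can be automated when the MDM server can export the InstallApplication commands it sends. In Apple's MDM protocol the InstallApplication command carries an integer ManagementFlags key in which bit value 1 means "remove the app when the MDM profile is removed" (bit value 4 means "prevent backup of app data"). The script below is an added example, not part of the STIG and not any vendor's tool; it assumes the export is an XML plist array of command dictionaries (a constructed sample is embedded) and reports every InstallApplication command whose flags lack that bit as a finding.

```python
import plistlib

# Bit values Apple's MDM protocol defines for the InstallApplication
# command's ManagementFlags key.
REMOVE_ON_UNENROLL = 1   # remove the app when the MDM profile is removed
PREVENT_BACKUP = 4       # do not back up the app's data

# Constructed sample export: two InstallApplication commands as an MDM
# server might dump them. UUIDs and store IDs are made up for this example.
SAMPLE_COMMANDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>CommandUUID</key><string>00000000-0000-0000-0000-000000000001</string>
    <key>Command</key>
    <dict>
      <key>RequestType</key><string>InstallApplication</string>
      <key>iTunesStoreID</key><integer>111111111</integer>
      <key>ManagementFlags</key><integer>5</integer>
    </dict>
  </dict>
  <dict>
    <key>CommandUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>Command</key>
    <dict>
      <key>RequestType</key><string>InstallApplication</string>
      <key>iTunesStoreID</key><integer>222222222</integer>
      <key>ManagementFlags</key><integer>4</integer>
    </dict>
  </dict>
</array>
</plist>
"""


def audit_install_commands(plist_bytes):
    """Return (CommandUUID, app reference, ManagementFlags, compliant) for
    every InstallApplication command in an exported plist array.
    The export layout (array of {CommandUUID, Command}) is an assumption."""
    results = []
    for entry in plistlib.loads(plist_bytes):
        cmd = entry.get("Command", {})
        if cmd.get("RequestType") != "InstallApplication":
            continue
        flags = int(cmd.get("ManagementFlags", 0))
        # An InstallApplication command names the app by store ID,
        # bundle identifier or manifest URL; show whichever is present.
        app = cmd.get("iTunesStoreID") or cmd.get("Identifier") or cmd.get("ManifestURL") or "?"
        compliant = bool(flags & REMOVE_ON_UNENROLL)
        results.append((entry.get("CommandUUID", "?"), str(app), flags, compliant))
    return results


def findings(plist_bytes):
    """Per AIOS-14-007600, any managed app not set to be removed on
    unenrollment is a finding."""
    return [r for r in audit_install_commands(plist_bytes) if not r[3]]


if __name__ == "__main__":
    for uuid, app, flags, ok in audit_install_commands(SAMPLE_COMMANDS):
        print(f"{uuid} app={app} ManagementFlags={flags} {'OK' if ok else 'FINDING'}")
```

Run against the sample, the first command (flags 5 = remove-on-unenroll plus prevent-backup) passes and the second (flags 4, backup prevention only) is reported as a finding; point `audit_install_commands` at a real export to get the same per-app list the on-device steps produce by hand.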

CCIs

CCIs tied to this check.

Number       Definition
CCI-000366   The organization implements the security configuration settings.
CCI-000370   The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.
CCI-001199   The information system protects the confidentiality and/or integrity of organization-defined information at rest.

Controls

Controls tied to this check. These are derived from the CCIs shown above.

Number     Title
CM-6       Configuration Settings
CM-6 (1)   Automated Central Management / Application / Verification
SC-28      Protection Of Information At Rest