An error occurred:

Check: AIOS-15-013500

Apple iOS/iPadOS 15 STIG: AIOS-15-013500 (in versions v1 r4 through v1 r1)

Title

Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements. (Cat II impact)

Discussion

Configuration profiles define security policies on Apple iOS devices. If a user is able to remove a configuration profile, the user can then change the configuration that had been enforced by that policy. Relaxing security policies may introduce vulnerabilities that the profiles had mitigated. Configuring a profile to never be removed mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #47

Check Content

Review configuration settings to confirm configuration profiles are not removable. This check procedure is performed on both the Apple iOS management tool and the Apple iOS device. The procedures below assume the site is not enrolled in the Device Enrollment Program (DEP) and are not applicable to devices under MDM management. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the Apple iOS management tool, verify "Security" is set to "Never" and "Automatically Remove Profile" is set to "Never". On the Apple iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles & Device Management" or "Profiles". 4. Tap each Configuration Profile from the Apple iOS management tool that contains the restrictions for the device. 5. Verify the "Delete Profile" button is not present. If on the Apple iOS management tool or the iOS device the "Delete Profile" button is available on the configuration profile, this is a finding.

Fix Text

Configure the Apple iOS configuration profile such that it can never be removed. The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider. When using Apple Configurator, under "General Security", configure "Security" to "Never" and "Automatically Remove Profile" to "Never".

Additional Identifiers

Rule ID: SV-250977r802022_rule

Vulnerability ID: V-250977

Group Title: PP-MDF-990000

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings