Navigate

Check: AIOS-16-013200

Apple iOS/iPadOS 16 STIG: AIOS-16-013200 (in version v1 r1)

Title

The Apple iOS/iPadOS 16 must be supervised by the MDM. (Cat II impact)

Discussion

When an iOS/iPadOS is not supervised, the DoD mobile service provider cannot control when new iOS/iPadOS updates are installed on site-managed devices. Most updates should be installed immediately to mitigate new security vulnerabilities, while some sites need to test each update prior to installation to ensure critical missions are not adversely impacted by the update. Several password and data protection controls can be implemented only when an Apple device is supervised. SFR ID: FMT_SMF_EXT.1.1 #47

Check Content

Review configuration settings to confirm site-managed iOS/iPadOS devices are supervised. This check procedure is performed on both the Apple iOS/iPadOS management tool and the iPhone and iPad. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS management tool, verify all managed Apple devices are supervised (verification procedure will vary by MDM product). Note: If the Apple device is not managed by an MDM and supervision is set up via Apple Configurator, this procedure is not applicable. On the iPhone and iPad: 1. Open the Settings app. 2. Verify a message similar to the following appears on the screen: "This iPad is supervised by (name of site DoD mobile service provider)." If site-managed iOS/iPadOS devices are not supervised, this is a finding.

Fix Text

Use one of the following methods to supervise iOS and iPadOS devices managed by the DoD mobile service provider. Method 1: - Register all current and new iOS and iPadOS devices in the DoD mobile service provider's Automated Device Management/Apple Business Manager (ABM) account. - Enable supervision of managed iOS/iPadOS devices in the MDM. Method 2: - Configure each iOS/iPadOS device using the Apple Configurator tool for Supervision. - This method is usually only appropriate when MDM management of the DoD Apple device is not appropriate or an older device cannot be registered in ABM.

Additional Identifiers

Rule ID: SV-254633r862222_rule

Vulnerability ID: V-254633

Group Title: PP-MDF-990000

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000097	The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.
CCI-000366	The organization implements the security configuration settings.
CCI-000370	The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-20 (2)	Portable Storage Devices
CM-6	Configuration Settings
CM-6 (1)	Automated Central Management / Application / Verification