Check: AIOS-16-001000
Apple iOS/iPadOS 16 STIG:
AIOS-16-001000
(in version v1 r1)
Title
Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods]. (Cat III impact)
Discussion
The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. SFR ID: FMT_SMF_EXT.1.1 #3
Check Content
Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DoD network (work) VPN profile. This validation procedure is performed on the iOS device only. On the iPhone and iPad: 1. Open the Settings app. 2. Tap "General". 3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists. 4. If not, the requirement has been met. 5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client. 6. Verify no DoD network VPN profiles are configured on the VPN client. If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DoD network VPN profile configured on the client, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
Fix Text
If a third-party unmanaged VPN app is installed on the iOS 16 device, do not configure the VPN app with a DoD network VPN profile.
Additional Identifiers
Rule ID: SV-254578r862237_rule
Vulnerability ID: V-254578
Group Title: PP-MDF-321090
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000066 |
The organization enforces requirements for remote connections to the information system. |
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |