Title

Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. (Cat II impact)

Discussion

Auto Unlock allows an Apple Watch to automatically unlock an iPhone or Mac when in close proximity (not available for iPad). This feature allows the iPhone/Mac to be unlocked without the user entering the device passcode, which may lead to unauthorized users access to the iPhone/Mac and sensitive DOD data. This control is not applicable if the authorizing official (AO) has approved the use of Apple Watches. SFR ID: FMT_MOF_EXT.1.2 #47

Check Content

Determine if the site AO has approved the use of Apple Watch with DOD-owned iPhones. Look for a document showing approval. If not approved, review configuration settings to confirm "Allow Auto Unlock" is disabled. If approved, this requirement is not applicable. This check procedure is performed on the device management tool. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS management tool, verify "Allow auto unlock" is not checked. If Allow auto unlock is enabled, this is a finding. This requirement will become "Supervised only" in a future iOS/iPadOS release.

Fix Text

If the AO has not approved the use of Apple Watch with DOD-owned iPhones, configure the Apple iOS configuration profile to disable "Allow auto unlock". The procedure for implementing this control will vary depending on the MDM/EMM used by the mobile service provider. In the MDM console, set "Allow auto unlock" to "False". This requirement will become "Supervised only" in a future iOS/iPadOS release.

Additional Identifiers

Rule ID: SV-258376r927811_rule

Vulnerability ID: V-258376

Group Title: PP-MDF-993300

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.