Check: AIOS-17-012600
Apple iOS/iPadOS 17 STIG:
AIOS-17-012600
(in version v1 r1)
Title
Apple iOS/iPadOS 17 must implement the management setting: disable paired Apple Watch. (Cat II impact)
Discussion
Authorizing official (AO) approval is required before an Apple Watch (DOD owned or personally owned) can be paired with a DOD-owned iPhone to ensure the AO has evaluated the risk in having sensitive DOD data transferred to and stored on an Apple Watch in their operational environment. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Determine if the site AO has approved the use of Apple Watch with DOD-owned iPhones. Look for a document showing approval. If not approved, review configuration settings to confirm "Allow Paired Watch" is disabled. If approved, this requirement is not applicable. This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the AO has not approved the use of Apple Watch for unmanaged data transfer). If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures: This check procedure is performed on both the device management tool and the iPhone. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS management tool, verify "Allow Paired Watch" is unchecked. On the iPhone: 1. Open the Settings app. 2. Tap "General". 3. Tap "VPN & Device Management". 4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy. 5. Tap "Restrictions". 6. Verify "Paired Apple Watch not allowed" is listed. If the AO has not approved pairing an Apple Watch with a DOD-owned iPhone and "Paired Apple Watch not allowed" is not listed both in the management tool and on the Apple device, this is a finding.
Fix Text
If the AO has not approved the use of Apple Watch with DOD-owned iPhones, install a configuration profile to disable the Apple Watch control in the management tool. This a supervised-only control.
Additional Identifiers
Rule ID: SV-258360r927763_rule
Vulnerability ID: V-258360
Group Title: PP-MDF-993300
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000097 |
The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. |
CCI-000366 |
The organization implements the security configuration settings. |