An error occurred:

Check: AIOS-17-012700

Apple iOS/iPadOS 17 STIG: AIOS-17-012700 (in version v1 r1)

Title

Apple iOS/iPadOS 17 must disable "Password AutoFill" in browsers and applications. (Cat II impact)

Discussion

The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone and iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. SFR ID: FMT_SMF_EXT.1.1 #47

Check Content

This a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding. If the iPhone or iPad being reviewed is supervised by the MDM, review configuration settings to confirm "Password AutoFill is not allowed" is disabled. This check procedure is performed on both the iOS/iPadOS device management tool and the iPhone and iPad. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS/iPadOS management tool, verify "Password AutoFill is not allowed" is unchecked. On the iPhone/iPad: 1. Open the Settings app. 2. Tap "General". 3. Tap "VPN & Device Management". 4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy. 5. Tap "Restrictions". 6. Verify "Password AutoFill is not allowed" is listed. If "Password AutoFill is not allowed" is not enabled in the iOS/iPadOS management tool and on the Apple device, this is a finding.

Fix Text

Install a configuration profile to disable allow Password AutoFill in the management tool. This a supervised-only control.

Additional Identifiers

Rule ID: SV-258362r927769_rule

Vulnerability ID: V-258362

Group Title: PP-MDF-993300

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000097

The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-20 (2)

Portable Storage Devices
CM-6

Configuration Settings