An error occurred:

Check: AIOS-98-080028

Apple iOS 10 STIG: AIOS-98-080028 (in versions v1 r2 through v1 r1)

Title

Apple iOS must enforce an application installation policy by specifying an application whitelist. (Cat II impact)

Discussion

Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #10b

Check Content

Review configuration settings to confirm approved apps are included on the whitelist. This check procedure is performed on both the Apple iOS management tool and the Apple iOS device. In the MDM management console, verify the approved apps are included in the list of whitelisted applications. This procedure will vary depending on the MDM product. On the Apple iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles & Device Management". 4. Tap "Restrictions". 5. Verify "Whitelisted applications added" is present. If apps other than approved apps are listed in the iOS management tool app whitelist or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Whitelisted applications added", this is a finding.

Fix Text

Configure the Apple iOS configuration profile to allow only whitelisted apps.

Additional Identifiers

Rule ID:

Vulnerability ID: V-71887

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.
CCI-001806

The organization defines methods to be employed to enforce the software installation policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings
CM-11

User-Installed Software