Check: AIOS-01-100100
Apple iOS 10 STIG:
AIOS-01-100100
(in versions v1 r3 through v1 r1)
Title
Apple iOS must be configured to wipe all sensitive DoD data (Controlled Unclassified Information (CUI)/For Official Use Only (FOUO)) and Personally Identifiable Information (PII) data during a remote wipe command from the MDM server. (Cat II impact)
Discussion
DoD sensitive data (CUI/FOUO) or PII data downloaded from DoD web sites via Safari will be saved by default in a non-managed app on a DoD iOS device. If the device is wiped via an MDM Enterprise remote wipe command, data saved in non-managed apps will not be deleted and may be accessible to unauthorized people that have access to the MDM-wiped device. If the device is wiped via a Full Device MDM remote wipe command, all data on the device, including managed and unmanaged, will be deleted, but a Full Device wipe may not be appropriate for devices that have been authorized for personal use and have personal data stored on them or are BYOD devices. The risk in not using a Full Device wipe can be mitigated if a Managed Domain Configuration profile is installed on all managed iOS devices that contains a list of all DoD web domains that may have sensitive DoD data (CUI/FOUO) and PII data (primarily DoD web domains that require DoD PKI authentication credentials to access the web site). SFR ID: FMT_SMF_EXT.1.1 #9, 19, 28, 45g
Check Content
Review configuration settings to confirm Apple iOS is configured to wipe all sensitive DoD data and PII data during a remote wipe command from the MDM server. There are two possible implementations (policy or technical) for meeting this requirement. Interview the site MDM system administrator to determine which approach is being used at the site and follow the appropriate procedure for verifying compliance: Method #1: Policy: Verify the MDM system administrators are trained to always use a Full Device wipe when using a remote wipe command on managed iOS devices. Check system administrator training material and training records to verify compliance. Verify the site MDM administration policy includes an instruction that only a Full Device wipe command will be used when using a remote wipe command on managed iOS devices. If MDM system administrators are not trained to always use a Full Device wipe when using a remote wipe command on managed iOS devices or the site MDM administration policy does not include an instruction that only a Full Device wipe commands will be used when using a remote wipe command on managed iOS devices, this is a finding. Method #2: Technical This verification procedure is performed on both the Apple iOS management tool and the Apple iOS device. On the MDM management tool (MDM), do the following: 1. Verify a Managed Domain Configuration profile is set up on the iOS management tool. 2. Open the profile and verify it contains the current list of DoD web domains that may have sensitive DoD data (CUI/FOUO) and PII data by verifying the list was obtained from the DoD Network Information Center (NIC). On several site managed iOS devices, do the following: 1. Have the user unlock the iOS device 2. Go to Settings >> General >> Device Management 3. Verify a Managed Domain Configuration profile is installed on the device If the Apple iOS management tool does not have a Managed Domain Configuration profile installed or the profile does not contain a DoD NIC provided list of DoD web domains or any site managed iOS device reviewed does not have a Managed Domain Configuration profile installed, this is a finding.
Fix Text
One of the following two procedures will be implemented to configure Apple iOS to wipe all sensitive DoD data and PII data during a remote wipe command from the MDM server: 1. Policy method: Implement an MDM site policy that only full device remote wipe commands will be used on managed mobile devices. Enterprise wipe commands will not be used. This policy will be documented in the site MDM management policy and in system administrator training and all MDM system administrators will be trained on this requirement. 2. Technical method: MDM site will install a Managed Domain Configuration profile on all managed iOS devices. See the profile provided in the iOS 10 package. The profile will contain a list of all DoD web domains that may have sensitive DoD data (CUI/FOUO) and PII data (primarily DoD web domains that require DoD PKI authentication credentials to access the web site). Note: *.mil can be used instead of listing all DoD web domains.
Additional Identifiers
Rule ID: SV-86955r1_rule
Vulnerability ID: V-72331
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |