Check: AIOS-11-012400
Apple iOS 11 STIG:
AIOS-11-012400
(in versions v1 r4 through v1 r1)
Title
Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements. (Cat II impact)
Discussion
Configuration profiles define security policies on Apple iOS devices. If a user is able to remove a configuration profile, the user can then change the configuration that had been enforced by that policy. Relaxing security policies may introduce vulnerabilities that the profiles had mitigated. Configuring a profile to never be removed mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Review configuration settings to confirm configuration profiles are not removable. Note: This requirement is only applicable to sites that use an authorized alternative to MDM for distribution of configuration profiles (for example, use Apple configurator) or are enrolled in Apple's Device Enrollment Program (DEP). Unless the site is enrolled in DEP, this requirement is not applicable for devices enrolled in MDM. This check procedure is performed on both the Apple iOS management tool and the Apple iOS device. The procedures below assume the site is not enrolled in DEP and are not applicable to devices under MDM management. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the Apple iOS management tool, verify "Security" is set to "Never". Alternatively, verify the text "<key>PayloadRemovalDisallowed</key><true/>" appears in the configuration profile (.mobileconfig file). On the Apple iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles & Device Management". 4. Tap each Configuration Profile from the Apple iOS management tool that contains the restrictions for the device. 5. Verify the "Delete Profile" button is not present. If, on the Apple iOS management tool or on the iOS device, the "Delete Profile" button is available on the configuration profile, this is a finding.
Fix Text
Configure the Apple iOS configuration profile such that it can never be removed.
Additional Identifiers
Rule ID: SV-93139r1_rule
Vulnerability ID: V-78433
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |