Check: AIOS-12-012200
Apple iOS 12 STIG:
AIOS-12-012200
(in versions v2 r1 through v1 r1)
Title
Apple iOS users must complete required training. (Cat II impact)
Discussion
The security posture on iOS devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the AO has approved users' full access to the Apple App Store, than users must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the iOS mobile device may become compromised and DoD sensitive data may become compromised. SFR ID: NA
Check Content
Review a sample of site User Agreements of iOS device users or similar training records and training course content. Verify iOS device users have completed required training. If any iOS device user is found to not have completed required training, this is a finding.
Fix Text
Have all iOS device users complete training on the following topics. Users should acknowledge they have received training via a signed User Agreement or similar written record. Training Topics: -Operational security concerns introduced by unmanaged applications including applications utilizing global positioning system (GPS) tracking -Need to ensure no DoD data is saved in an unmanaged app or transmitted from a personal app (for example, from personal email) -If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys, and to report any loss of control so that the credentials can be revoked. Upon device retirement, turn in, or reassignment, ensure a factory data reset is performed prior to device hand off. Follow Mobility service provider decommissioning procedures as applicable. -How to configure the following User Based Enforcement (UBE) controls (users must configure the control) and other controls on the iOS device: **Remove Family Sharing **Disable Shared Location **Disable Wi-Fi Assist **Use AirPrint only with AO-approved printers and print servers (see the Multifunction Device STIG for requirements) **Turn off “Apps” under “AUTOMATIC DOWNLOADS” in the “iTunes & App Store” section of the Settings app on the Apple iOS device **Secure use of Calendar Alarm **Do not configure a DoD network (work) VPN profile on any third-party unmanaged VPN app **iOS device radios should be disabled using controls under "Settings" instead of "Control Center" -AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.)
Additional Identifiers
Rule ID: SV-96551r1_rule
Vulnerability ID: V-81837
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |