An error occurred:

Check: AIOS-02-000013

Apple iOS 7 STIG: AIOS-02-000013 (in version v1 r2)

Title

Apple iOS must not allow the device to be unlocked using a fingerprint. (Cat II impact)

Discussion

TouchID is a fingerprint reader that has been installed on the iPhone 5s. This fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of TouchID, DoD users are forced to use passcodes that meet DoD passcode requirements.

Check Content

This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Allow Touch ID to unlock device" is unchecked. For example, in Apple Configurator: 1. Ask the MDM administrator to open the relevant configuration profile. 2. Display the "Restrictions" payload. 5. Verify "Allow Touch ID to unlock device" is unchecked. Alternatively, verify the text "<key>allowFingerprintForUnlock</key><false/>" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Touch ID & Passcode" 4. Tap "Touch ID" 4. Verify "iPhone Unlock" is off and grayed out. If "Allow Touch ID to unlock device" is checked in the iOS Over-the-Air management tool, "<key>allowFingerprintForUnlock</key><true/>" appears in the configuration profile, or if "iPhone Unlock" is toggled to the right and appears green on the iOS device, this is a finding.

Fix Text

Configure Apple iOS not to allow Touch ID for device unlock. In the iOS Over-the-Air management tool, uncheck "Allow Touch ID to unlock device". For example, in Apple Configurator, edit the configuration and uncheck "Allow Touch ID to unlock device".

Additional Identifiers

Rule ID:

Vulnerability ID: V-43222

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings