Check: AIOS-10-080102
Apple iOS 8 ISCG:
AIOS-10-080102
(in version v1 r1)
Title
Apple iOS must remove managed applications upon unenrollment from MDM. (Cat II impact)
Discussion
When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than they were prior to enrollment. Removing managed apps (and consequently the data they maintain) upon unenrollment mitigates this risk because on appropriately configured iOS devices, DoD-sensitive information exists only within managed apps. SFR ID: FMT_SMF_EXT.1
Check Content
Note: Not all iOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of Configuration Profiles, this check procedure is not applicable. This check procedure is performed on the iOS management tool. In the iOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed. If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.
Fix Text
Configure the MDM to delete all managed apps upon device unenrollment.
Additional Identifiers
Rule ID:
Vulnerability ID: V-54305
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 |
The organization implements the security configuration settings. |
| CCI-001028 |
The organization sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies. |