Title

Apple iOS must not allow diagnostic data to be sent to an organization other than DoD. (Cat III impact)

Discussion

The sending of diagnostic data back to the manufacturer is prohibited in the DoD. Sending this data to an organization other than DoD is termed a “phone-home” vulnerability. This setting may enable the device manufacturer to gather sensitive location data or other information about the user’s practices. This data will be sent to the manufacturer's servers and database. This data is stored at a location that has unauthorized employees accessing this data. By disabling this feature, the phone-home risk will be mitigated. SFR ID: FMT_SMF.1.1 #42

Check Content

Review configuration settings to confirm “Allow sending diagnostic and usage data to Apple” is disabled. This check procedure is performed on both the iOS management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS management tool, verify "Allow sending diagnostic and usage data to Apple" is unchecked. Alternatively, verify the text "<key>allowDiagnosticSubmission</key><false/>" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Open the Settings application. 2. Tap "Privacy". 3. Tap "Diagnostics & Usage". 4. Verify that "Don't Send" is checked. Note: This setting also disables "Share With App Developers". If "Allow sending diagnostic and usage data to Apple" is checked in the iOS management tool, "<key>allowDiagnosticSubmission</key><true/>" appears in the configuration profile, or "Automatically Send" is checked on the iOS device, this is a finding.

Fix Text

Install a Configuration Profile to disable sending diagnostic data to an organization other than DoD.

Additional Identifiers

Rule ID:

Vulnerability ID: V-54257

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.