Check: AIOS-11-080200
Apple iOS 9 STIG:
AIOS-11-080200
(in version v1 r1)
Title
Apple iOS must enable VPN protection. (Cat III impact)
Discussion
A key characteristic of mobile devices is that they typically communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility. In these circumstances, the threat of eavesdropping is substantial. Virtual private networks (VPNs) provide confidentiality and integrity protection for data transmitted over untrusted media (e.g., air) and networks (e.g., the Internet). They also provide authentication services to ensure that only authorized users are able to use them. Consequently, enabling VPN protection counters threats to communications to and from mobile devices. Note: if the site uses Apple's optional Device Enrollment Program (DEP), the Always-on VPN control is available as a supervised MDM control.
SFR ID: FMT_SMF_EXT.1.1 #45
Check Content
Review configuration settings to confirm at least one of the following is enabled: Apple iOS "Per App VPN" for managed apps, Apple iOS "Always-on VPN", an approved VPN profile installed on the device, or key apps that connect to back-office servers (ActiveSync, MDM agent, etc.) with VPN functions included in the app.

This check procedure is performed on both the Apple iOS management tool and the Apple iOS device.

Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the Apple iOS management tool, verify either the Apple iOS "Per App VPN" for managed apps is enabled, or the Apple iOS "Always-on VPN" is enabled (requires supervision), or a DoD-approved VPN profile is configured.

On the Apple iOS device, verify at least one of the following is enabled:

* For the Per App VPN, follow these steps:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles" or "Profiles & Device Management" or "Device Management".
4. Tap the Configuration Profile from the Apple iOS management tool containing the restrictions policy.
5. Tap "Apps".
6. Tap the managed app.
7. If the app supports Per App VPN, the profile will be listed. If listed, verify it is enabled.
Note: Steps 6 and 7 must be performed for each managed app.

* For the Always-on VPN, follow these steps:
1. Open the Settings app.
2. Tap "VPN".
3. If an Always-on VPN profile exists, it will be listed.

* For the DoD-approved VPN profile, follow these steps:
1. Open the Settings app.
2. Tap "VPN".
3. Verify the VPN profile is available.
4. Determine if a personal VPN profile is installed.

* If none of the previous methods is enabled, verify key apps that connect to back-office servers (ActiveSync, MDM agent, etc.) include VPN capabilities in the app.

If at least one of the following is not enabled: Apple iOS "Per App VPN" for managed apps, Apple iOS "Always-on VPN", an approved VPN profile installed on the device, or key apps that connect to back-office servers (ActiveSync, MDM agent, etc.) that include VPN capabilities in the app, this is a finding. Also, if a personal VPN profile is installed, this is a finding.
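The management-tool half of this check can be scripted against the exported configuration profile. The following is an added example, not part of the STIG or of any Apple tool; the payload type strings and the "AlwaysOn" key are taken from Apple's configuration profile format as I understand it and are assumptions, and the sample profile is constructed. Device-side items (VPN built into key apps, personal VPN profiles) still need the manual steps above.

```python
"""Audit an exported iOS .mobileconfig for the MDM-side VPN options of AIOS-11-080200."""
import plistlib

# Assumed payload types (Apple Configuration Profile Reference, not from the STIG text):
VPN_PAYLOAD = "com.apple.vpn.managed"            # VPN payload; "AlwaysOn" dict = Always-on VPN
PER_APP_VPN_PAYLOAD = "com.apple.vpn.managed.applayer"  # Per-App VPN mapping payload

# Constructed sample: one IKEv2 VPN payload, no Always-on dictionary, no Per-App mapping.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>EXAMPLE-DoD-VPN</string>
      <key>VPNType</key><string>IKEv2</string>
    </dict>
  </array>
</dict></plist>"""


def inspect_vpn_controls(profile_bytes: bytes) -> dict:
    """Report which of the STIG's three MDM-side VPN options the profile delivers."""
    profile = plistlib.loads(profile_bytes)
    found = {"always_on": False, "per_app": False, "vpn_profile": False}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == PER_APP_VPN_PAYLOAD:
            found["per_app"] = True
        elif ptype == VPN_PAYLOAD:
            found["vpn_profile"] = True
            # Always-on VPN is carried as an AlwaysOn dictionary inside the VPN payload.
            if isinstance(payload.get("AlwaysOn"), dict):
                found["always_on"] = True
    return found


def is_finding(found: dict) -> bool:
    """Finding if the profile delivers none of the MDM-side options.

    Whether a plain VPN payload is DoD-approved, whether key apps embed VPN, and
    whether a personal VPN profile exists are verified on the device, not here."""
    return not (found["always_on"] or found["per_app"] or found["vpn_profile"])


if __name__ == "__main__":
    result = inspect_vpn_controls(SAMPLE_PROFILE)
    print(result, "FINDING" if is_finding(result) else "no finding (confirm approval on device)")
```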
Fix Text
Install a Configuration Profile to enable the Apple iOS "Per App VPN" for managed apps, the Apple iOS "Always-on VPN", a DoD-approved VPN profile, or key apps.
Additional Identifiers
Vulnerability ID: V-61955
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings