Check: AIOS-13-012500
Apple iOS/iPadOS 13 STIG:
AIOS-13-012500
(in versions v2 r1 through v1 r1)
Title
Apple iOS/iPadOS must implement the management setting: enable USB Restricted Mode. (Cat II impact)
Discussion
The USB lightning port on an iOS device can be used to access data on the device. The required settings ensure the Apple device password is entered before a previously trusted USB accessory can connect to the device. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
This is a Supervised-only control. If the iPhone or iPad being reviewed is not Supervised by the MDM, this control is automatically a finding. If the iPhone or iPad being reviewed is Supervised by the MDM, review configuration settings to confirm "Allow USB Restricted Mode" is enabled. This check procedure is performed on both the device management tool and the iPhone and iPad device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS management tool, verify "Allow USB Restricted Mode" is checked. On the iPhone/iPad device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles" or "Profiles & Device Management" or "Device Management". 4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy. 5. Tap "Restrictions". 6. Verify "Allow USB Restricted Mode" is listed. If "Allow USB Restricted Mode" is not enabled in both the management tool and on the Apple device, this is a finding. Note: "Allow USB Restricted Mode" may be called “Allow USB accessories while device is locked” in some MDM consoles. The required logic is to disable USB accessory connections when the device is locked.
Fix Text
Install a configuration profile to disable the allow USB Restricted Mode in the management tool. This a Supervised-only control. Note: This control is called “Allow USB accessories while device is locked” in Apple Configurator and the control logic is opposite to what is listed here. Make sure the MDM policy rule is set correctly (to disable USB accessory connections when the device is locked).
Additional Identifiers
Rule ID: SV-219384r604137_rule
Vulnerability ID: V-219384
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000097 |
The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. |
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |