Check: AIOS-14-000500
Apple iOS/iPadOS 14 STIG:
AIOS-14-000500
(in versions v1 r3 through v1 r1)
Title
The mobile operating system must provide the capability for the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods]. (Cat III impact)
Discussion
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD-sensitive information.
SFR ID: FMT_SMF_EXT.1.1 #3
Check Content
Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If yes, verify the VPN app is not configured with a DoD network (work) VPN profile. This validation procedure is performed on the iOS device only.

On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. In the "VPN" line, look to see if any "Personal VPN" exists.
4. If not, the requirement has been met.
5. If so, open each VPN app. Review the list of VPN profiles configured on the VPN client.
6. Verify there are no DoD network VPN profiles configured on the VPN client.

If any third-party unmanaged VPN apps are installed (personal VPN) and have a DoD network VPN profile configured on the client, this is a finding.

Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
Fix Text
If a third-party unmanaged VPN app is installed on the iOS 14 device, do not configure the VPN app with a DoD network VPN profile.
Additional Identifiers
Rule ID: SV-228733r561031_rule
Vulnerability ID: V-228733
Group Title: PP-MDF-302060
CCIs
Number | Definition
---|---
CCI-000066 | The organization enforces requirements for remote connections to the information system.
CCI-000366 | The organization implements the security configuration settings.
CCI-000370 | The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.