Title

Apple visionOS 2 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM. (Cat II impact)

Discussion

When a mobile device is no longer managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected by the MDM software, putting it at much greater risk of unauthorized access and disclosure. At least one of the two options must be selected. SFR ID: FMT_SMF_EXT.2.1

Check Content

Note: Not all Apple visionOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable. This check procedure is performed on the Apple visionOS management tool or on the visionOS device. In the Apple visionOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed. On the Vision Pro: 1. Open the Settings app. 2. Tap "General". 3. Tap "VPN & Device Management". 4. Tap the configuration profile from the visionOS management tool containing the management policy. 5. Tap "Apps". 6. Tap an app and verify "App and data will be removed when device is no longer managed" is listed. Repeat steps 5 and 6 for each managed app in the list. If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.

Fix Text

Install a configuration profile to delete all managed apps upon device unenrollment.

Additional Identifiers

Rule ID: SV-276390r1146666_rule

Vulnerability ID: V-276390

Group Title: PP-MDF-333310

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.