Title

Apple visionOS 2 must implement the management setting: treat AirDrop as an unmanaged destination. (Cat II impact)

Discussion

AirDrop is a way to send contact information or photos to other users with AirDrop enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained access to the information broadcast by this feature, the attacker may distribute this sensitive information very quickly and without DOD's control or awareness. By disabling this feature, the risk of mass data exfiltration will be mitigated. Note: If the site uses Apple's optional Automatic Device Enrollment, this control is available as a supervised MDM control. SFR ID: FMT_SMF.1.1 #47

Check Content

Review configuration settings to confirm "Treat AirDrop as an unmanaged destination" is enabled. This check procedure is performed on both the Apple visionOS management tool and the Vision Pro. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the Apple visionOS management tool, verify "Treat AirDrop as unmanaged destination" is checked. On the Vision Pro: 1. Open the Settings app. 2. Tap "General". 3. Tap "VPN & Device Management". 4. Tap the c0onfiguration management tool containing the restrictions policy. 5. Tap "Restrictions". 6. Verify "Sharing managed documents using AirDrop not allowed" is listed. If "Treat AirDrop as unmanaged destination" is disabled in the Apple visionOS management tool or the restrictions policy on the Vision Pro does not list "Sharing managed documents using AirDrop not allowed", this is a finding.

Fix Text

Install a configuration profile to treat AirDrop as an unmanaged destination.

Additional Identifiers

Rule ID: SV-276399r1146693_rule

Vulnerability ID: V-276399

Group Title: PP-MDF-993300

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.