Title

Apple visionOS 2 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store]. (Cat II impact)

Discussion

Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DOD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #8

Check Content

Review configuration settings to confirm "Allow Trusting New Enterprise App Authors" is disabled. This procedure is performed in the Apple visionOS management tool and on the Vision Pro. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the Management tool, verify "Allow Trusting New Enterprise App Authors" is disabled. On the Vision Pro: 1. Open the Settings app. 2. Tap "General". 3. Tap "VPN & Device Management". 4. Tap the configuration profile from the Apple visionOS management tool containing the restrictions policy. 5. Tap "Restrictions". 6. Verify "Trusting enterprise apps not allowed" is listed. If "Allow Trusting New Enterprise App Authors" is not disabled in the visionOS management tool or on the Vision Pro, this is a finding.

Fix Text

Install a configuration profile to disable "Allow Trusting New Enterprise App Authors".

Additional Identifiers

Rule ID: SV-276385r1146651_rule

Vulnerability ID: V-276385

Group Title: PP-MDF-333050

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.