
The iOS device iMessage service must be set to Off at all times (User Based Enforcement (UBE)).


Finding ID: V-35006
Version: WIR-MOS-iOS-70-06
Rule ID: SV-46252r1_rule
IA Controls: ECWN-1
Severity: Low

The iOS iMessage service creates the potential for exposure of private and possibly sensitive DoD information. When a DoD iOS device is transferred to a new user or disposed of, the device may still receive iMessages sent to the previous DoD user. iMessage phone numbers on a specific iOS device can persist after a SIM has been removed from the phone. For example, SIM A is placed in a phone, activated on iMessage, and then swapped out for SIM B. That phone will receive iMessages bound for the phone numbers on both SIM A and SIM B until the iMessage service on the phone has been turned off and then back on again. This vulnerability exists for GSM devices but not for CDMA devices. When the original device user receives messages via their iMessage account, the messages will be displayed on their old iOS device. The wipe procedure for the iOS device must include specific procedures (outlined in the STIG Overview) to mitigate this risk.
Apple iOS6 Security Technical Implementation Guide 2014-10-07


Check Text (C-43430r1_chk)
On a sample of site-managed iOS devices (pick 3-4 random devices), have the user turn on and log into the device.

- Go to Settings > Messages > iMessage.
- Check the setting of "iMessage".

Verify "iMessage" is set to off (not selected).

Mark as a finding if "iMessage" is not set to off.

Fix Text (F-39560r1_fix)
Set "iMessage" to "Off".