Apple iOS must implement the management setting: remove managed applications upon unenrollment from MDM (including sensitive and protected data).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-81799	AIOS-12-008900	SV-96513r1_rule		Medium

Description
When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than they were prior to enrollment. Removing managed apps (and consequently the data they maintain) upon unenrollment mitigates this risk because on appropriately configured Apple iOS devices, DoD-sensitive information exists only within managed apps. Satisfies: PP-MDF-302510, PP-MDF-302505, PP-MDF-301500, MDF-PP-2500, MDF-PP-301510 SFR ID: FMT_SMF_EXT.2.1, FMT_SMF_EXT.1.1 #47h

Description

When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than they were prior to enrollment. Removing managed apps (and consequently the data they maintain) upon unenrollment mitigates this risk because on appropriately configured Apple iOS devices, DoD-sensitive information exists only within managed apps. Satisfies: PP-MDF-302510, PP-MDF-302505, PP-MDF-301500, MDF-PP-2500, MDF-PP-301510 SFR ID: FMT_SMF_EXT.2.1, FMT_SMF_EXT.1.1 #47h

STIG	Date
Apple iOS 12 Security Technical Implementation Guide	2018-11-28

Details

Check Text ( C-81585r1_chk )
Note: Not all Apple iOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable. This check procedure is performed on the Apple iOS management tool or on the iOS device. In the Apple iOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed. On the Apple iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles & Device Management". 4. Tap the Configuration Profile from the iOS management tool containing the management policy. 5. Tap "Apps". 6. Tap an app and verify "App and data will be removed when device is no longer managed" is listed. Repeat steps 5 and 6 for each managed app in the list. If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.

Check Text ( C-81585r1_chk )

Note: Not all Apple iOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable.

This check procedure is performed on the Apple iOS management tool or on the iOS device.

In the Apple iOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed.

On the Apple iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "Profiles & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Apps".
6. Tap an app and verify "App and data will be removed when device is no longer managed" is listed.

Repeat steps 5 and 6 for each managed app in the list.

If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.

Fix Text (F-88649r1_fix)
Install a configuration profile to delete all managed apps upon device unenrollment.