Apple iOS 4 (Good Mobility Suite) Interim Security Configuration Guide (ISCG)


Overview

Date: 2011-11-07
Finding Count (41): CAT I (High): 1, CAT II (Med): 24, CAT III (Low): 16
STIG Description
This ISCG contains technical security controls required for the use of Apple iOS 4 devices (iPhone, iPad, and iPod touch) in the DoD environment when managed by the Good Mobility Suite.


Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-29894 High A security risk analysis must be performed on a mobile Operating System (OS) application by the DAA or DAA authorized approval authority prior to the application being approved for use.
V-25003 Medium A compliance rule must be set up in the server defining required mobile OS software versions.
V-27635 Medium Remote full device wipe must be enabled.
V-28297 Medium The smartphone password/passcode complexity (alphanumeric) must be set.
V-25019 Medium The smartphone Bluetooth radio must be disabled if not authorized for use.
V-25015 Medium iPhone screen capture must not be allowed.
V-25016 Medium The device minimum password/passcode length must be set.
V-25017 Medium Apple iOS Auto-Lock must be set.
V-25010 Medium The smartphone inactivity timeout must be set.
V-25011 Medium Passcode maximum failed attempts must be set to required value.
V-25012 Medium Access to public application stores must be disabled.
V-25013 Medium Users must not be allowed to download applications on smartphones without SA control.
V-25007 Medium iPhones must be configured to require a password/passcode for device unlock.
V-25842 Medium The site must set up local operating procedures for initial provisioning and subsequent software and application updates using the procedures published in the STIG/ISCG Overview document.
V-26753 Medium A “Restriction” policy must be manually added to each iOS device managed by the site during the provisioning/setup process.
V-19899 Medium All wireless PDA client VPNs must have split tunneling disabled.
V-19898 Medium All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication.
V-19897 Medium All wireless PDA clients used for remote access to DoD networks must have a VPN supporting AES encryption.
V-25008 Medium The smartphone password complexity must be set to the required value.
V-25021 Medium When connecting an iOS device to a PC with iTunes, the user must not download an iOS software update, if prompted to do so by iTunes (User Based Enforcement (UBE)).
V-25022 Medium All smartphones must display the required banner during device unlock/logon.
V-24981 Medium Smartphone devices must have required operating system software version installed.
V-24983 Medium S/MIME must be installed on smartphones so users can sign/encrypt email.
V-25006 Medium iPhones must be configured to require a password to remove the iPhone configuration profile.
V-18627 Medium The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated.
V-24986 Low All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.
V-25051 Low Location services must be turned off on the smartphone during device provisioning.
V-25033 Low iOS Safari must be enabled or disabled based on system requirements.
V-25018 Low The smartphone passcode history setting must be set.
V-25014 Low Smartphone cameras must be used only if documented approval is in the site physical security policy.
V-25092 Low The iOS device Wi-Fi setting "Ask to Join Networks" must be set to "On" at all times (User Based Enforcement (UBE)).
V-25093 Low The Safari web browser AutoFill feature must be disabled on an iOS device (this is a User Based Enforcement (UBE) feature).
V-25757 Low The SA must change the iOS device profile passwords every 365 days or sooner.
V-25756 Low Encrypted smartphone backups must be enabled.
V-25755 Low Access to online application purchases must be disabled.
V-26559 Low The Personal Hotspot feature of the smartphone OS must be disabled if it does not meet DoD WLAN or Bluetooth security requirements and is not approved by the IAO.
V-24984 Low If smartphone email auto signatures are used, the signature message must not disclose the email originated from a smartphone (e.g., “Sent From My Wireless Handheld”).
V-25009 Low Maximum passcode age must be set.
V-25020 Low The smartphone device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required.
V-24982 Low Smart Card Readers (SCRs) used with smartphones must have required software version installed.
V-24985 Low The Good Internet proxy must be enabled.