When iOS device Internet connections go through the DoD Internet proxy, enclave Internet security controls filter and monitor those connections and reduce the risk that malware could be downloaded to the mobile device.
There are two acceptable implementations for this requirement:
1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway. Note: This method is only acceptable if the VPN client is configured so that all data downloaded to the mobile device is saved in a FIPS 140-2 validated encrypted container; otherwise, the data at rest requirements in check V-32707/WIR-MOS-iOS-65-09 are not met.
2. The device browser is installed inside an iOS security container and the security container provides the capability to route all browser traffic to the MDM or authorized proxy server where it will be routed to the DoD Internet gateway.
Using a browser that is installed outside the iOS device security container and does not use a mobile VPN is not an approved implementation.
Verify one of the approved browser implementations is used. Talk to the IAO and review 3-4 sample devices.
Mark as a finding if a required browser implementation is not used.
Fix Text (F-27626r3_fix)
Use a compliant browser implementation on the iOS device.