The iOS device iMessage service must be set to Off at all times (User Based Enforcement (UBE)).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35006	WIR-MOS-iOS-70-06	SV-46252r1_rule	ECWN-1	Low

Description
iOS iMessage service provides the potential for the exposure of private and possibly sensitive DoD information. When a DoD iOS device is transferred to a new user or disposed of, the device may still receive iMessages sent to the previous DoD user. iMessage phone numbers on a specific iOS device can persist after a SIM has been removed from the phone. For example, SIM A is placed in phone, activated on iMessage, and then swapped out for SIM B. That phone will receive iMessages bound for the phone numbers on both SIM A and B until the iMessage service on the phone has been turned off and then back on again. This vulnerability exists for GSM devices but not for CDMA devices. When the original device user receives messages via their iMessage account, the message will be displayed on their old iOS device. The wipe procedure for the iOS device must include specific procedures (outlined in the STIG Overview) to mitigate this risk.

Description

iOS iMessage service provides the potential for the exposure of private and possibly sensitive DoD information. When a DoD iOS device is transferred to a new user or disposed of, the device may still receive iMessages sent to the previous DoD user. iMessage phone numbers on a specific iOS device can persist after a SIM has been removed from the phone. For example, SIM A is placed in phone, activated on iMessage, and then swapped out for SIM B. That phone will receive iMessages bound for the phone numbers on both SIM A and B until the iMessage service on the phone has been turned off and then back on again. This vulnerability exists for GSM devices but not for CDMA devices. When the original device user receives messages via their iMessage account, the message will be displayed on their old iOS device. The wipe procedure for the iOS device must include specific procedures (outlined in the STIG Overview) to mitigate this risk.

STIG	Date
Apple iOS 6 Interim Security Configuration Guide (ISCG)	2013-01-17

Details

Check Text ( C-43430r1_chk )
On a sample of site-managed iOS devices (pick 3-4 random devices), have the user turn on and log into the device. -Go to Settings > Messages > iMessage. -Check the setting of "iMessage". Verify "iMessage" is set to off (not selected). Mark as a finding if "iMessage" is not set to off.

Fix Text (F-39560r1_fix)
Set "iMessage" to "Off".