Apple iOS must lock the device after 15 minutes of inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-43205	AIOS-01-000002	SV-55953r1_rule		Medium

Description
The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user re-establishes access using established identification and authentication procedures. A device lock is a temporary action taken when a user stops work but does not want to shut down because of the temporary nature of the hiatus. During the device lock a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system. The operating system must lock the device after the organizationally-defined time period. This prevents others from gaining access to the device when not in the user's possession and accessing sensitive DoD information. A device lock mitigates the risk that an adversary can access data on an unattended mobile device but only after the minimum, organizationally-defined period of inactivity.

Description

The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user re-establishes access using established identification and authentication procedures. A device lock is a temporary action taken when a user stops work but does not want to shut down because of the temporary nature of the hiatus. During the device lock a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system. The operating system must lock the device after the organizationally-defined time period. This prevents others from gaining access to the device when not in the user's possession and accessing sensitive DoD information. A device lock mitigates the risk that an adversary can access data on an unattended mobile device but only after the minimum, organizationally-defined period of inactivity.

STIG	Date
Apple iOS 7 STIG	2014-01-30

Details

Check Text ( C-49232r1_chk )
This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify the sum of the values assigned to "Maximum Auto-Lock time" and "Grace period for device lock" value is between 1 and 15 minutes. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Policies". 3. Click or tap the policy name. 4. Expand "Details" under "Policy Details". 5. Verify the sum of the values assigned to "Maximum Inactivity Timeout" and "Grace Period for Device Lock" is between 1 and 15 minutes. Alternatively, locate the text "maxGracePeriod" and "maxInactivity" and ensure the sum of their integer value is between 1 and 15 in the configuration profile (.mobileconfig file). For example: "maxGracePeriod 5 maxInactivity 5". Here, 5 + 5 = 10, which meets the requirement. On the iOS device: 1. Open Settings app. 2. Tap "General". 3. Record the value displayed for "Auto-Lock". 4. Tap "Passcode Lock" or "Passcode & Fingerprint". 4. Enter current device passcode. 5. Record the value displayed for "Require Passcode". 6. Verify the sum of the two recorded values is between 1 and 15 minutes. Note: On some iOS devices, it is not possible to have a sum of exactly 15. In these cases, the sum must be less than 15. A sum of 16 does not meet the requirement. If the sum of the "Auto-Lock" and "Require Passcode" parameters is not between 1 and 15 minutes in the iOS Over-the-Air management tool, if the sum of the values assigned to "maxGracePeriod" and "maxInactivity" is not between 1 and 15 minutes in the Configuration Profile, or if the sum of the values assigned to "Auto-Lock" and "Require Passcode" is not between 1 and 15 minutes on the iOS device, this is a finding.

Check Text ( C-49232r1_chk )

This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device.
Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS Over-the-Air management tool, verify the sum of the values assigned to "Maximum Auto-Lock time" and "Grace period for device lock" value is between 1 and 15 minutes.
For example, in Mobile Iron Admin Portal:
1. Ask the MDM administrator to display the "POLICIES & CONFIGS".
2. Click or tap on the word "Policies".
3. Click or tap the policy name.
4. Expand "Details" under "Policy Details".
5. Verify the sum of the values assigned to "Maximum Inactivity Timeout" and "Grace Period for Device Lock" is between 1 and 15 minutes.

Alternatively, locate the text "maxGracePeriod" and "maxInactivity" and ensure the sum of their integer value is between 1 and 15 in the configuration profile (.mobileconfig file). For example:
"maxGracePeriod
5
maxInactivity
5".
Here, 5 + 5 = 10, which meets the requirement.

On the iOS device:
1. Open Settings app.
2. Tap "General".
3. Record the value displayed for "Auto-Lock".
4. Tap "Passcode Lock" or "Passcode & Fingerprint".
4. Enter current device passcode.
5. Record the value displayed for "Require Passcode".
6. Verify the sum of the two recorded values is between 1 and 15 minutes.

Note: On some iOS devices, it is not possible to have a sum of exactly 15. In these cases, the sum must be less than 15. A sum of 16 does not meet the requirement.

If the sum of the "Auto-Lock" and "Require Passcode" parameters is not between 1 and 15 minutes in the iOS Over-the-Air management tool, if the sum of the values assigned to "maxGracePeriod" and "maxInactivity" is not between 1 and 15 minutes in the Configuration Profile, or if the sum of the values assigned to "Auto-Lock" and "Require Passcode" is not between 1 and 15 minutes on the iOS device, this is a finding.

Fix Text (F-48792r1_fix)
Configure Apple iOS system to lock the device after a minimum, organizationally-defined period of inactivity. In the iOS Over-the-Air management tool, configure the "Maximum Auto-Lock time" and "Grace Period for device lock" so the sum of their values is between 1 and 15 minutes. For example, in Mobile Iron Admin Portal, edit the policy and select "5 minutes" for "Maximum Inactivity Timeout" and "5 minutes" for "Grace Period for Device Lock".

Fix Text (F-48792r1_fix)

Configure Apple iOS system to lock the device after a minimum, organizationally-defined period of inactivity.

In the iOS Over-the-Air management tool, configure
the "Maximum Auto-Lock time" and "Grace Period for device lock" so the sum of their values is between 1 and 15 minutes.

For example, in Mobile Iron Admin Portal, edit the policy and select "5 minutes" for "Maximum Inactivity Timeout" and "5 minutes" for "Grace Period for Device Lock".