UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD Security Technical Implementation Guide


Overview

Date Finding Count (19)
2023-08-14 CAT I (High): 3 CAT II (Med): 13 CAT III (Low): 3
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-257094 High The BYOAD and DOD enterprise must be configured to limit access to only enterprise corporate-owned IT resources approved by the authorizing official (AO).
V-257136 High The mobile device used for BYOAD must be NIAP validated.
V-257100 High The EMM system supporting the iOS/iPadOS 16 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).
V-257085 Medium The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.
V-257087 Medium The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD native security controls are disabled.
V-257092 Medium The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.
V-257093 Medium The iOS/iPadOS 16 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.
V-257090 Medium The EMM detection/monitoring system must use continuous monitoring of enrolled iOS/iPadOS 16 BYOAD.
V-257091 Medium The iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.
V-257097 Medium The iOS/iPadOS 16 BYOAD must be deployed in Device Enrollment mode or User Enrollment mode.
V-257102 Medium The DOD Mobile Service Provider must not allow BYOADs in facilities where personally owned mobile devices are prohibited.
V-257103 Medium The iOS/iPadOS 16 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.
V-257098 Medium The iOS/iPadOS 16 BYOAD device must be configured to disable copy and paste from managed (work profile) apps/contacts to unmanaged (personal profile) apps/contacts and vice versa.
V-257089 Medium The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).
V-257088 Medium The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).
V-257086 Medium The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.
V-257095 Low The iOS/iPadOS 16 BYOAD must be configured to protect users' privacy, personal information, and applications.
V-257096 Low The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.
V-257101 Low The User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.