UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Apple iOS/iPadOS 16 must be configured to wipe enterprise data and apps upon unenrollment from MDM.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257119 AIOS-16-709900 SV-257119r904257_rule Medium
Description
When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected by the MDM software, putting it at much greater risk of unauthorized access and disclosure. Satisfies: PP-MDF-333300, PP-MDF-333310 SFR ID: FMT_SMF_EXT.2.1
STIG Date
Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide 2023-08-14

Details

Check Text ( C-60804r904255_chk )
Note: Not all Apple iOS/iPadOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable.

This check procedure is performed on the Apple iOS/iPadOS management tool or on the iOS device.

In the Apple iOS/iPadOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed.

On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the management policy.
5. Tap "Apps".
6. Tap an app and verify "App and data will be removed when device is no longer managed" is listed.

Repeat steps 5 and 6 for each managed app in the list.

If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.
Fix Text (F-60745r904256_fix)
Install a configuration profile to delete all managed apps upon device unenrollment. This setting is normally configured on each managed app in the MDM.