Apple iOS/iPadOS 17 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information.
SFR ID: FMT_SMF_EXT.1.1 #3
Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DOD network (work) VPN profile.
This validation procedure is performed on the iOS device only.
On the iPhone and iPad: 1. Open the Settings app. 2. Tap "General". 3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists. 4. If not, the requirement has been met. 5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client. 6. Verify no DOD network VPN profiles are configured on the VPN client.
If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DOD network VPN profile configured on the client, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
Fix Text (F-61975r927612_fix)
If a third-party unmanaged VPN app is installed on the iOS 17 device, do not configure the VPN app with a DOD network VPN profile.