UCF STIG Viewer Logo

Apple iOS/iPadOS 17 must require a valid password be successfully entered before the mobile device data is unencrypted.


Finding ID Version Rule ID IA Controls Severity
V-258338 AIOS-17-010400 SV-258338r927697_rule High
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. Note: MDF PP requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the  existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device. SFR ID: FIA_UAU_EXT.1.1
Apple iOS/iPadOS 17 Security Technical Implementation Guide 2023-10-10


Check Text ( C-62079r927695_chk )
Review configuration settings to confirm the device is set to require a passcode before use.

This procedure is performed on the iOS and iPadOS device.

On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the password policy.
5. Tap "Restrictions".
6. Tap "Passcode".
7. Verify "Passcode required" is set to "Yes".

If "Passcode required" is not set to "Yes", this is a finding.
Fix Text (F-62003r927696_fix)
Install a configuration profile to require a password to unlock the device.