AIOS-01-100100 - Apple iOS must be configured to wipe all sensitive DoD data and PII data during a remote wipe command from the MDM server.

Information

DoD sensitive data (CUI/FOUO) or PII data downloaded from DoD web sites via Safari will be saved by default in a non-managed app on a DoD iOS device. If the device is wiped via an MDM Enterprise remote wipe command, data saved in non-managed apps will not be deleted and may be accessible to unauthorized people who have access to the MDM-wiped device. If the device is wiped via a Full Device MDM remote wipe command, all data on the device, managed and unmanaged, will be deleted, but a Full Device wipe may not be appropriate for devices that have been authorized for personal use and have personal data stored on them, or that are BYOD devices. The risk in not using a Full Device wipe can be mitigated if a Managed Domain Configuration profile is installed on all managed iOS devices that contains a list of all DoD web domains that may have sensitive DoD data (CUI/FOUO) and PII data (primarily DoD web domains that require DoD PKI authentication credentials to access the web site).

Solution

One of the following two procedures will be implemented to configure Apple iOS to wipe all sensitive DoD data and PII data during a remote wipe command from the MDM server:

1. Policy method: Implement an MDM site policy that only full device remote wipe commands will be used on managed mobile devices. Enterprise wipe commands will not be used. This policy will be documented in the site MDM management policy and in system administrator training and all MDM system administrators will be trained on this requirement.

2. Technical method: The MDM site will install a Managed Domain Configuration profile on all managed iOS devices. See the profile provided in the iOS 10 package. The profile will contain a list of all DoD web domains that may have sensitive DoD data (CUI/FOUO) and PII data (primarily DoD web domains that require DoD PKI authentication credentials to access the web site).

Note: *.mil can be used instead of listing all DoD web domains.
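The following is an added example, not the profile shipped in the iOS 10 STIG package and not part of this audit text. It builds a Managed Domains profile in the .mobileconfig (XML plist) structure using Apple's Domains payload (PayloadType com.apple.domains, key WebDomains), and includes a small audit helper that reports which hosts a given domain list would leave unmanaged. The payload identifiers, UUIDs, organization name, sample hosts, and the wildcard-matching rule in host_is_managed are constructed assumptions for illustration.

```python
"""Build and audit a Managed Domains configuration profile (added example).

Not the STIG package's own profile. Apple's Domains payload keys
("com.apple.domains", "WebDomains") are real; identifiers, UUIDs and the
domain/host lists below are constructed for this example.
"""
import plistlib
import uuid

# Constructed list: the STIG note allows "*.mil" instead of enumerating domains.
DOD_WEB_DOMAINS = ["*.mil"]


def build_managed_domains_profile(web_domains, org="Example Site"):
    """Return the profile as a dict in .mobileconfig (plist) structure."""
    domains_payload = {
        "PayloadType": "com.apple.domains",
        "PayloadVersion": 1,
        "PayloadIdentifier": "mil.example.domains.payload",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed Domains",
        # Safari downloads from these domains are treated as managed data,
        # so an Enterprise (managed-only) wipe removes them.
        "WebDomains": list(web_domains),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "mil.example.domains",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "DoD Managed Web Domains",
        "PayloadOrganization": org,
        "PayloadContent": [domains_payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile to XML plist bytes (the on-disk .mobileconfig form)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def host_is_managed(host, web_domains):
    """Assumed matching rule: an entry "*.suffix" covers the suffix and every
    subdomain of it; a plain entry must match the host exactly. Apple's exact
    matching semantics are not stated on the page, so this is an approximation."""
    host = host.lower().rstrip(".")
    for entry in web_domains:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[2:]
            if host == suffix or host.endswith("." + suffix):
                return True
        elif host == entry:
            return True
    return False


def uncovered_hosts(hosts, web_domains):
    """Hosts whose Safari downloads would still land in unmanaged storage,
    i.e. data an Enterprise wipe would leave on the device."""
    return [h for h in hosts if not host_is_managed(h, web_domains)]


if __name__ == "__main__":
    profile = build_managed_domains_profile(DOD_WEB_DOMAINS)
    print(to_mobileconfig(profile).decode())
    # Constructed sample hosts audited against the domain list.
    sample_hosts = ["portal.example.mil", "files.example.com"]
    print("Unmanaged hosts:", uncovered_hosts(sample_hosts, DOD_WEB_DOMAINS))
```

The audit helper is the practical check for the technical method: feed it the hosts your users actually download from and confirm the list is empty; any host it reports is one where downloaded CUI/FOUO or PII would survive an Enterprise wipe and would need a Full Device wipe instead. The generated profile still has to be signed and pushed through the MDM as usual.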

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

See Also

http://iasecontent.disa.mil/stigs/zip/U_Apple_iOS_10_V1R3_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-86955r1_rule, STIG-ID|AIOS-01-100100, Vuln-ID|V-72331

Plugin: MDM

Control ID: 4b7e7558496e7838fbe2bb892c49ec9640eee7c76498a8beb50478516341fb31