Information
When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than they were prior to enrollment. Removing managed apps (and consequently the data they maintain) upon unenrollment mitigates this risk because on appropriately configured Apple iOS devices, DoD-sensitive information exists only within managed apps.
Satisfies: PP-MDF-302510, PP-MDF-302505, PP-MDF-301500, MDF-PP-2500, MDF-PP-301510
SFR ID: FMT_SMF_EXT.2.1, FMT_SMF_EXT.1.1 #47h
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Install a configuration profile to delete all managed apps upon device unenrollment.