AIOS-13-013700 - The Apple iOS/iPadOS must be Supervised by the MDM.

Information

When an iOS/iPadOS is not supervised, the DoD mobile service provider cannot control when new iOS/iPadOS updates are installed on site managed devices. Most updates should be installed immediately to mitigate new security vulnerabilities, while some sites need to test each update prior to installation to insure critical missions are not adversely impacted by the update.

Also, several password and data protection controls can only be implemented when an Apple device is Supervised.

SFR ID: FMT_SMF_EXT.1.1 #47

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Use one of the following methods to Supervise iOS and iPadOS devices managed by the DoD mobile service provider.

Method 1:
-Register all current and new iOS and iPadOS devices in the DoD mobile service provider's Device Enrollment Program (DEP)/Apple Business Manager (ABM) account.
-Enable Supervision of managed iOS/iPadOS devices in the MDM.

Method 2:
-Configure each iOS/iPadOS device using the Apple Configurator tool for Supervision. This method is usually only appropriate when MDM management of the DoD Apple device is not appropriate or an older device cannot be registered in DEP/ABM.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS_iPadOS_13_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-20(2), 800-53|CM-6(1), 800-53|CM-6b., CAT|II, CCI|CCI-000097, CCI|CCI-000366, CCI|CCI-000370, Rule-ID|SV-219394r604137_rule, STIG-ID|AIOS-13-013700, STIG-Legacy|SV-106621, STIG-Legacy|V-97517, Vuln-ID|V-219394

Plugin: MDM

Control ID: beb670e96dbdaece3633b15c68bd1c873d3b9458dd23533c9c6a835962a2ceed