AIOS-13-008900 - Apple iOS/iPadOS must implement the management setting: remove managed applications upon unenrollment from MDM (including sensitive and protected data).

Information

When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than prior to enrollment. Removing managed apps (and consequently the data maintained within) upon unenrollment mitigates this risk because on appropriately configured iPhone and iPads, DoD-sensitive information exists only within managed apps.

Satisfies: PP-MDF-302510, PP-MDF-302505, PP-MDF-301500, MDF-PP-2500, MDF-PP-301510

SFR ID: FMT_SMF_EXT.2.1, FMT_SMF_EXT.1.1 #47h

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Install a configuration profile to delete all managed apps upon device unenrollment.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS_iPadOS_13_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6(1), 800-53|CM-6b., 800-53|SC-28, CAT|II, CCI|CCI-000366, CCI|CCI-000370, CCI|CCI-001199, Rule-ID|SV-219366r604137_rule, STIG-ID|AIOS-13-008900, STIG-Legacy|SV-106565, STIG-Legacy|V-97461, Vuln-ID|V-219366

Plugin: MDM

Control ID: 015a42c327b8b72e27a597a8ffb82e4c93b65bd367a42fe0651dbf48d37de5d3