Merge branch 'dev_ios_26_stig' into ios_26

This commit is contained in:
Bob Gendler
2025-12-15 13:56:43 -05:00
93 changed files with 1295 additions and 746 deletions

baselines/ios_stig.yaml Normal file
View File

@@ -0,0 +1,105 @@
title: "iOS/iPadOS 26.0: Security Configuration - Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1"
description: |
This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1 security baseline.
authors: |
*macOS Security Compliance Project*
|===
|Dan Brodjieski|National Aeronautics and Space Administration
|Allen Golbig|Jamf
|Bob Gendler|National Institute of Standards and Technology
|===
parent_values: "ios_stig"
profile:
- section: "icloud"
rules:
- icloud_backup_disabled
- icloud_drive_disable
- icloud_keychain_disable
- icloud_managed_apps_store_data_disabled
- icloud_photos_disable
- icloud_shared_photo_stream_disable
- section: "ios"
rules:
- os_airdrop_disable
- os_airdrop_unmanaged_destination_enable
- os_airplay_incoming_password_require
- os_airplay_outgoing_password_require
- os_airprint_credential_storage_disable
- os_airprint_disable
- os_airprint_force_trusted_TLS
- os_allow_contacts_read_managed_sources_unmanaged_destinations_disable
- os_allow_contacts_write_managed_sources_unmanaged_destinations_disable
- os_allow_documents_managed_sources_unmanaged_destinations_disable
- os_apple_watch_pairing_disable
- os_apple_watch_wrist_detection_enable
- os_auto_unlock_disable
- os_automatic_app_download_disable
- os_bluetooth_modification_disable
- os_call_recording_disable
- os_camera_disable
- os_diagnostics_reports_disable
- os_disallow_enterprise_app_trust
- os_enterprise_books_disable
- os_erase_contents_and_settings_disable
- os_esim_delete
- os_esim_transfers_disable
- os_exchange_notes_disable
- os_exchange_notes_user_override_disable
- os_exchange_reminders_disable
- os_exchange_reminders_user_override_disable
- os_external_intelligence_integration_disable
- os_external_intelligence_integration_sign_in_disable
- os_facetime_disable
- os_files_network_drive_access_disable
- os_files_usb_drive_access_disable
- os_find_my_friends_disable
- os_force_encrypted_backups_enable
- os_genmoji_disable
- os_handoff_disable
- os_hide_apps_disable
- os_ibeacon_airprint_disable
- os_image_playground_disable
- os_image_wand_disable
- os_install_configuration_profile_disable
- os_install_vpn_configuration_disable
- os_iphone_mirroring_disable
- os_iphone_widgets_on_mac_disable
- os_limit_ad_tracking_enable
- os_mail_maildrop_disable
- os_mail_move_messages_disable
- os_marketplace_prevent
- os_movie_content_allowed
- os_new_device_proximity_disable
- os_on_device_dictation_enforce
- os_on_device_translation_enforce
- os_pairing_non_configurator_hosts_disable
- os_password_autofill_disable
- os_password_proximity_disable
- os_password_sharing_disable
- os_require_managed_pasteboard_enforce
- os_safari_password_autofill_disable
- os_screenshots_disable
- os_show_calendar_lock_screen_disable
- os_show_notification_center_lock_screen_disable
- os_siri_assistant_disable
- os_siri_user_generated_content_disable
- os_siri_when_locked_disabled
- os_ssl_for_exchange_activesync_enable
- os_supervised_mdm_require
- os_system_settings_find_my_friends_modification_disable
- os_tv_content_allowed
- os_usb_accessories_when_locked_disable
- os_web_distribution_app_installation_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_lockout_enforce
- pwpolicy_force_pin_enable
- pwpolicy_history_enforce
- pwpolicy_max_grace_period_enforce
- pwpolicy_max_inactivity_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_simple_sequence_disable
- section: "Supplemental"
rules:
- supplemental_stig
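Review bot: the description line reads "securing a iOS/iPadOS 26.0 system"; it should be "an iOS/iPadOS 26.0 system". While here, the section name "Supplemental" is capitalized whereas the other three sections ("icloud", "ios", "passwordpolicy") are lowercase; if section names are matched against a sections file, confirm the casing is intentional.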

View File

@@ -92,7 +92,6 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
ios_stig:
names:
- Marco Piñeyro|Department of State
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- Bob Gendler|National Institute of Standards and Technology
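Review bot: this hunk drops the "Marco Piñeyro|Department of State" entry from the ios_stig names list while keeping the other three, and the new baselines/ios_stig.yaml authors table also omits that name; nothing in the commit explains the removal of an author credit, so either state the reason in the commit or PR description or confirm the deletion is intended.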

View File

@@ -1,8 +1,8 @@
id: icloud_backup_disabled
title: "Ensure iCloud Backup is set to Disabled"
title: Ensure iCloud Backup is set to Disabled
discussion: |
iCloud backup _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -18,9 +18,9 @@ references:
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_MOF_EXT.1.2 #40"
- 'FMT_MOF_EXT.1.2 #40'
disa_stig:
- N/A
- AIOS-26-003000
indigo:
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX K
@@ -30,7 +30,7 @@ references:
controls v8:
- 2.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -44,7 +44,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,8 +1,8 @@
id: icloud_drive_disable
title: "Ensure Allow iCloud Documents and Data is set to Disabled"
title: Ensure Allow iCloud Documents and Data is set to Disabled
discussion: |
Institutionally owned devices _MUST_ not sync data through iCloud.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -19,11 +19,11 @@ references:
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_MOF_EXT.1.2 #40"
- 'FMT_MOF_EXT.1.2 #40'
disa_stig:
- N/A
- AIOS-26-003200
indigo:
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX K
cis:
benchmark:
@@ -31,7 +31,7 @@ references:
controls v8:
- 2.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -44,7 +44,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -1,52 +1,53 @@
id: icloud_keychain_disable
title: "Disable iCloud Keychain Sync"
title: Disable iCloud Keychain Sync
discussion: |
The iOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95425-5
- CCE-95425-5
cci:
- CCI-000097
- CCI-000366
- CCI-000370
- CCI-000097
- CCI-000366
- CCI-000370
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_MOF_EXT.1.2 #40"
- 'FMT_MOF_EXT.1.2 #40'
disa_stig:
- N/A
- AIOS-26-003300
indigo:
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX K
cis:
benchmark:
- 3.2.1.6 (level 1 - Institutionally-Owned Devices)
- 3.2.1.6 (level 1 - Institutionally-Owned Devices)
controls v8:
- 4.1
- 4.8
- 15.3
- 4.1
- 4.8
- 15.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true
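Review bot: this hunk replaces every line of the references and tags blocks as removed/added pairs (an indentation or trailing-whitespace change), which buries the two substantive edits, the disa_stig change from N/A to AIOS-26-003300 and the new `- ios_stig` tag. Whitespace-only reformatting of this kind also appears in the hunks for icloud_managed_apps_store_data_disabled, os_call_recording_disable, os_erase_contents_and_settings_disable and os_esim_delete; splitting it into its own commit would let the STIG mappings be reviewed on their own.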

View File

@@ -1,53 +1,54 @@
id: icloud_managed_apps_store_data_disabled
title: "Ensure Managed Apps Storing Data in iCloud is Set to Disabled"
title: Ensure Managed Apps Storing Data in iCloud is Set to Disabled
discussion: |
Managed Apps _MUST_ not store data in iCloud.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95426-3
- CCE-95426-3
cci:
- CCI-000097
- CCI-000366
- CCI-000370
- CCI-000097
- CCI-000366
- CCI-000370
800-53r5:
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
- AC-20
- AC-20(1)
- CM-7
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_MOF_EXT.1.2 #40"
- 'FMT_MOF_EXT.1.2 #40'
disa_stig:
- N/A
- AIOS-26-003600
indigo:
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX K
cis:
benchmark:
- 2.2.1.3 (level 1 - End-User Owned Devices)
- 3.2.1.7 (level 1 - Institutionally-Owned Devices)
- 2.2.1.3 (level 1 - End-User Owned Devices)
- 3.2.1.7 (level 1 - Institutionally-Owned Devices)
controls v8:
- 2.3
- 2.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_byod
- cis_lvl2_byod
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_byod
- cis_lvl2_byod
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,10 +1,10 @@
id: icloud_photos_disable
title: "Disable iCloud Photo Library"
title: Disable iCloud Photo Library
discussion: |
The iOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled.
Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -19,12 +19,12 @@ references:
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-003450
indigo:
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX K
- ANNEX K
cis:
benchmark:
- N/A
@@ -33,7 +33,7 @@ references:
- 4.8
- 15.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -43,6 +43,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,8 +1,8 @@
id: icloud_shared_photo_stream_disable
title: "Ensure Shared Photo Stream is set to Disabled"
title: Ensure Shared Photo Stream is set to Disabled
discussion: |
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -19,11 +19,11 @@ references:
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_MOF_EXT.1.2 #40"
- 'FMT_MOF_EXT.1.2 #40'
disa_stig:
- N/A
- AIOS-26-003500
indigo:
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX D (Section 5.4 - iCloud restrictions)
- ANNEX K
cis:
benchmark:
@@ -31,7 +31,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -41,7 +41,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -16,7 +16,7 @@ references:
indigo:
- ANNEX K
iOS:
- "26.0"
- "26.0"
tags:
- ios
- indigo_high
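Review bot: the only change in this hunk is the `- "26.0"` line replaced by an identical `- "26.0"` line, so this is a whitespace-only edit, and unlike the rest of the commit the value keeps double quotes; either convert it to `- '26.0'` for consistency with the other rule files or drop the hunk.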

View File

@@ -1,16 +1,16 @@
id: os_airdrop_disable
title: "Ensure AirDrop is set to Disabled"
title: Ensure AirDrop is set to Disabled
discussion: |
AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices.
AirDrop allows users to share and receive files from other nearby Apple devices.
check: " "
AirDrop allows users to share and receive files from other nearby Apple devices.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-002536
- CCI-000366
- CCI-000097
@@ -21,10 +21,11 @@ references:
- CM-7
- CM-7(1)
sfr:
- "FMT_SMF_EXT.1.1/WLAN"
- "FMT_SMF_EXT.1.1 #47"
- FMT_SMF_EXT.1.1/WLAN
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-010200
- AIOS-26-012500
indigo:
- ANNEX K
cis:
@@ -33,7 +34,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -44,7 +45,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -1,14 +1,14 @@
id: os_airdrop_unmanaged_destination_enable
title: "Ensure Treat AirDrop as unmanaged destination is set to Enabled"
title: Ensure Treat AirDrop as unmanaged destination is set to Enabled
discussion: |
AirDrop _MUST_ be treated as an unmanaged destination.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-002008
800-53r5:
@@ -19,9 +19,9 @@ references:
- MP-2
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-011500
indigo:
- ANNEX D (Section 5.7.5 - AirDrop)
- ANNEX K
@@ -32,7 +32,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -48,7 +48,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,8 +1,8 @@
id: os_airplay_incoming_password_require
title: "Require Passcode for Incoming Airplay Connection Requests"
title: Require Passcode for Incoming Airplay Connection Requests
discussion: |
When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DoD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -13,9 +13,10 @@ references:
800-53r5:
- IA-3
sfr:
- "FMT_SMF_EXT.1.1 #40"
- 'FMT_SMF_EXT.1.1 #40'
disa_stig:
- N/A
- AIOS-26-010900
- AIOS-26-010950
indigo:
- ANNEX K
cis:
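Review bot: both AIOS-26-010900 and AIOS-26-010950 are listed under disa_stig here, and the os_airplay_outgoing_password_require hunk below lists the same two IDs; if each STIG ID covers one direction (incoming versus outgoing), each rule should reference only its own ID, otherwise a compliance report will show both findings as satisfied by either rule alone.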
@@ -24,7 +25,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_moderate
@@ -34,6 +35,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: false
mobileconfig: true

View File

@@ -1,8 +1,8 @@
id: os_airplay_outgoing_password_require
title: "Require the User to Enter a Password when Connecting to an AirPlay-enabled device for the First Time."
title: Require the User to Enter a Password when Connecting to an AirPlay-enabled device for the First Time.
discussion: |
When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DoD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -13,9 +13,10 @@ references:
800-53r5:
- IA-3
sfr:
- "FMT_SMF_EXT.1.1 #40"
- 'FMT_SMF_EXT.1.1 #40'
disa_stig:
- N/A
- AIOS-26-010900
- AIOS-26-010950
indigo:
- ANNEX K
cis:
@@ -24,7 +25,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_moderate
@@ -34,6 +35,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: false
mobileconfig: true

View File

@@ -0,0 +1,33 @@
id: os_airprint_credential_storage_disable
title: Disable Storage of AirPrint Credentials
discussion: |
Storage of AirPrint credentials _MUST_ be disabled.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-6
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016800
indigo:
- N/A
iOS:
- '26.0'
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
supervised: false
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowAirPrintCredentialsStorage: false
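Review bot: this new rule carries the `- ios_stig` tag and a disa_stig ID but has no `severity:` key, while the existing rules tagged ios_stig in this commit carry one (for example `severity: medium` in icloud_backup_disabled) and the new os_camera_disable does as well; add the STIG severity for AIOS-26-016800. The same omission applies to os_automatic_app_download_disable, os_bluetooth_modification_disable, os_airprint_disable, os_airprint_force_trusted_TLS, os_call_recording_disable, os_erase_contents_and_settings_disable and os_esim_transfers_disable.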

View File

@@ -1,10 +1,10 @@
id: os_airprint_disable
title: "Disable AirPrint"
title: Disable AirPrint
discussion: |
The iOS built-in AirPrint capability _MUST_ be disabled.
The service AirPrint _MUST_ be disabled to prevent intendedly printing content on unknown printers and leaking data.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
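Review bot: the discussion line "to prevent intendedly printing content on unknown printers and leaking data" says the opposite of what is meant; since the adjacent lines are already being touched, change it to "to prevent unintentionally printing content on unknown printers and leaking data".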
references:
@@ -14,11 +14,18 @@ references:
- N/A
indigo:
- ANNEX K
cci:
- CCI-000366
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016600
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_high
- ios_stig
supervised: false
mobileconfig: true
mobileconfig_info:
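Review bot: the new `cci:`, `sfr:` and `disa_stig:` keys are inserted after `indigo:`, whereas every other rule file in this commit orders references as cce, cci, 800-53r5, sfr, disa_stig, indigo; move the three keys above `indigo:` so the file matches the common layout (the same ordering issue appears in os_airprint_force_trusted_TLS).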

View File

@@ -1,8 +1,8 @@
id: os_airprint_force_trusted_TLS
title: "Requires trusted certificates for TLS printing communication"
title: Requires trusted certificates for TLS printing communication
discussion: |
The service AirPrint _MUST_ be configured to require trusted certificates for TLS printing communication.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -11,14 +11,21 @@ references:
800-53r5:
- AC-17(02)
indigo:
- ANNEX K
- ANNEX K
cci:
- CCI-000366
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016900
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_high
- 800-53r5_moderate
- 800-53r5_high
- 800-53r5_high
- ios_stig
supervised: false
mobileconfig: true
mobileconfig_info:
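Review bot: the 800-53r5 entry `- AC-17(02)` zero-pads the enhancement number, while the rest of the commit writes enhancements as `CM-7(1)` and `SC-7(10)`; use `AC-17(2)` so the control ID matches the format any mapping or lookup in the project expects.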

View File

@@ -1,8 +1,8 @@
id: os_allow_contacts_read_managed_sources_unmanaged_destinations_disable
title: "Ensure Managed Apps Cannot Read Unmanaged Contact Accounts"
title: Ensure Managed Apps Cannot Read Unmanaged Contact Accounts
discussion: |
Managed Apps _MUST_ not be allowed to read contacts from unmanaged contact destinations.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -18,10 +18,10 @@ references:
- SC-7(10)
- SC-39
sfr:
- "FMT_SMF_EXT.1.1 #42"
- "FDP_ACF_EXT.1.2"
- 'FMT_SMF_EXT.1.1 #42'
- FDP_ACF_EXT.1.2
disa_stig:
- N/A
- AIOS-26-012400
indigo:
- ANNEX D (Section 5.6.3 - Contacts)
- ANNEX K
@@ -31,7 +31,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -42,6 +42,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: false
mobileconfig: true

View File

@@ -1,8 +1,8 @@
id: os_allow_contacts_write_managed_sources_unmanaged_destinations_disable
title: "Ensure Managed Apps Cannot Write to Unmanaged Contact Accounts"
title: Ensure Managed Apps Cannot Write to Unmanaged Contact Accounts
discussion: |
Managed Apps _MUST_ not be allowed to write contacts to unmanaged contact destinations.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -18,12 +18,12 @@ references:
- SC-7(10)
- SC-39
sfr:
- "FMT_SMF_EXT.1.1 #42"
- "FDP_ACF_EXT.1.2"
- 'FMT_SMF_EXT.1.1 #42'
- FDP_ACF_EXT.1.2
disa_stig:
- N/A
- AIOS-26-012300
indigo:
- ANNEX D (Section 5.6.3 - Contacts)
- ANNEX D (Section 5.6.3 - Contacts)
- ANNEX K
cis:
benchmark:
@@ -31,7 +31,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -42,7 +42,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "low"
- ios_stig
severity: low
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,14 +1,14 @@
id: os_allow_documents_managed_sources_unmanaged_destinations_disable
title: "Ensure Allow documents from managed sources in unmanaged destinations is set to Disabled"
title: Ensure Allow documents from managed sources in unmanaged destinations is set to Disabled
discussion: |
Documents from managed sources _MUST_ not be allowed in unmanaged destinations.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-002233
- CCI-002530
800-53r5:
@@ -17,10 +17,10 @@ references:
- SC-7(10)
- SC-39
sfr:
- "FMT_SMF_EXT.1.1 #42"
- "FDP_ACF_EXT.1.2"
- 'FMT_SMF_EXT.1.1 #42'
- FDP_ACF_EXT.1.2
disa_stig:
- N/A
- AIOS-26-009700
indigo:
- ANNEX D (Section 5.6.3 - Contacts)
- ANNEX K
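Review bot: the indigo reference `- ANNEX D (Section 5.6.3 - Contacts)` in this documents-sharing rule looks copied from the two os_allow_contacts_* rules above, which use the identical reference; verify which ANNEX D section covers managed documents in unmanaged destinations and correct the entry.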
@@ -31,7 +31,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -47,7 +47,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: os_apple_watch_pairing_disable
title: "Ensure Apple Watch Pairing is Disabled"
title: Ensure Apple Watch Pairing is Disabled
discussion: |
Pairing an Apple Watch _MUST_ be disabled.
NOTE: Any currently paired Apple Watch is unpaired and the watch's content is erased.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -18,9 +18,9 @@ references:
- CM-7
- CM-7(1)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-012600
indigo:
- ANNEX K
cis:
@@ -29,7 +29,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -40,6 +40,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true

View File

@@ -1,23 +1,23 @@
id: os_apple_watch_wrist_detection_enable
title: "Ensure Force Apple Watch wrist detection is set to Enabled"
title: Ensure Force Apple Watch wrist detection is set to Enabled
discussion: |
Wrist detection _MUST_ be enabled for paired Apple Watches.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000381
800-53r5:
- AC-3
- CM-7
- CM-7(1)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-011800
cis:
benchmark:
- 2.2.1.13 (level 1 - End-User Owned Devices)
@@ -25,7 +25,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -39,7 +39,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "low"
- ios_stig
severity: low
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: os_auto_unlock_disable
title: "Prevent Apple Watch from Unlocking a Device"
title: Prevent Apple Watch from Unlocking a Device
discussion: |
Apple Watches are not an approved authenticator and their use _MUST_ be disabled.
Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
check: " "
check: ' '
fix: This is implemented by a Configuration Profile
references:
cce:
@@ -15,9 +15,9 @@ references:
800-53r5:
- AC-11
sfr:
- "FMT_MOF_EXT.1.2 #47"
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-014800
indigo:
- ANNEX K
cis:
@@ -26,7 +26,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_moderate
@@ -36,6 +36,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -0,0 +1,34 @@
id: os_automatic_app_download_disable
title: Disallow Automatic Downloads of Apps Purchased on other Apple Devices.
discussion: |
The automatic download of apps to a mobile device could cause the exposure of sensitive information when an unauthorized app is installed.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016400
indigo:
- N/A
iOS:
- '26.0'
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
supervised: true
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowAutomaticAppDownloads: false
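Review bot: the title "Disallow Automatic Downloads of Apps Purchased on other Apple Devices." ends with a period, unlike the other rule titles in this commit; drop it so generated guide headings stay consistent.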

View File

@@ -0,0 +1,43 @@
id: os_bluetooth_modification_disable
title: "Bluetooth Status Modification Disabled"
discussion: |
The ability to enable or disable Bluetooth _MUST_ be disabled.
check: " "
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- SC-07(10)
sfr:
- 'FMT_SMF.1.1 #47'
disa_stig:
- AIOS-26-018200
indigo:
- N/A
cis:
benchmark:
- N/A
controls v8:
- N/A
iOS:
- "26.0"
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
supervised: false
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowBluetoothModification: false
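Review bot: the sfr value `'FMT_SMF.1.1 #47'` does not match the `'FMT_SMF_EXT.1.1 #47'` identifier used by the other rules in this commit, which suggests a typo in the SFR name (the same value appears in os_camera_disable and os_erase_contents_and_settings_disable). Also, this new file uses double quotes for the title, `check: " "` and `- "26.0"` while the commit converts every other file to single quotes, and `- SC-07(10)` zero-pads the control family where the other files write `SC-7(10)`.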

View File

@@ -1,37 +1,38 @@
id: os_call_recording_disable
title: "Disable Call Recording"
title: Disable Call Recording
discussion: |
The built-in Call Recording _MUST_ be disabled in certain organizations or jurisdictions by legal statutes and/or privacy laws.
The Call Recording service announces to all users that a cellular phone call is about to be recorded. When recording stops (either manually by the user or by ending the call), the recording is saved to a new note in the Notes app. This functionality may be prohibited by certain organizations or jurisdictions by legal statutes and/or privacy laws.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95449-5
- CCE-95449-5
800-53r5:
- CM-6
- CM-6
cci:
- CCI-000366
- CCI-000366
sfr:
- "FMT_MOF_EXT.1.2 #47"
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-015700
indigo:
- ANNEX K
- ANNEX K
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -0,0 +1,43 @@
id: os_camera_disable
title: Disable Camera
discussion: |
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants carry out the disconnect activity without having to go through complex and tedious procedures.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding.
For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.
If the camera is not disconnected, covered, or physically disabled, the following configuration is required.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- SC-07(10)
sfr:
- 'FMT_SMF.1.1 #47'
disa_stig:
- 'AIOS-26-018100'
iOS:
- "26.0"
tags:
- ios
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowCamera: false
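Review bot: the discussion text is lifted from a general-purpose STIG and states "This requirement is not applicable to mobile devices (smartphones and tablets)", which contradicts the purpose of this rule in an iOS/iPadOS baseline, and it goes on to discuss external cameras and laptop camera cover slides; replace it with a discussion that describes disabling the built-in camera via the `allowCamera` restriction. The same file quotes the STIG ID (`'AIOS-26-018100'`) where other rules leave it unquoted.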

View File

@@ -1,35 +1,35 @@
id: os_diagnostics_reports_disable
title: "Disable Sending Diagnostic and Usage Data to Apple"
title: Disable Sending Diagnostic and Usage Data to Apple
discussion: |
The ability to submit diagnostic data to Apple _MUST_ be disabled.
The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
check: " "
The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-001199
800-53r5:
- AC-20
- SC-7(10)
- SI-11
sfr:
- "FMT_SMF_EXT.1.1 #47a"
- 'FMT_SMF_EXT.1.1 #47a'
disa_stig:
- N/A
- AIOS-26-013400
indigo:
- ANNEX K
cis:
benchmark:
benchmark:
- 2.2.1.12 (level 1 - End-User Owned Devices)
- 3.2.1.25 (level 1 - Institutionally-Owned Devices)
controls v8:
- 4.8
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -45,7 +45,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,8 +1,8 @@
id: os_disallow_enterprise_app_trust
title: "Disallow Apps to be Installed from Unauthorized Sources"
title: Disallow Apps to be Installed from Unauthorized Sources
discussion: |
Apps _MUST_ be installed from authorized application repositories. Disallowing enterprise app trust prevents apps from being provisioned by universal provisioning profiles.
check: " "
check: ' '
fix: This is implemented by a Configuration Profile
references:
cce:
@@ -12,18 +12,18 @@ references:
800-53r5:
- CM-11
sfr:
- "FMT_SMF_EXT.1.1 #8a"
- 'FMT_SMF_EXT.1.1 #8a'
disa_stig:
- N/A
- AIOS-26-007000
indigo:
- ANNEX D - (Section 5.8.5)
- ANNEX D - (Section 5.8.5)
cis:
benchmark:
- N/A
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -34,6 +34,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: false
mobileconfig: true

View File

@@ -1,8 +1,8 @@
id: os_enterprise_books_disable
title: "Ensure Backup of Enterprise Books is set to Disabled"
title: Ensure Backup of Enterprise Books is set to Disabled
discussion: |
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information.
check: " "
check: ' '
fix: This is implemented by a Configuration Profile
references:
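Review bot: the discussion is the generic "If a user is able to configure the security setting..." boilerplate, identical to the text in icloud_shared_photo_stream_disable, and never says what backing up enterprise books involves or why it is disabled; a one-sentence rule-specific discussion would make the generated guide entry meaningful.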
cce:
@@ -13,9 +13,9 @@ references:
800-53r5:
- CM-6
sfr:
- "FMT_MOF_EXT.1.2 #40"
- 'FMT_MOF_EXT.1.2 #40'
disa_stig:
- N/A
- AIOS-26-003700
indigo:
- ANNEX K
cis:
@@ -24,12 +24,12 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- ios_stig
- indigo_high
severity: "medium"
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,41 +1,42 @@
id: os_erase_contents_and_settings_disable
title: "Ensure Allow Erase All Content and Settings is set to Disabled"
title: Ensure Allow Erase All Content and Settings is set to Disabled
discussion: |
Erase all contents and settings _MUST_ be disabled on institutionally owned iOS devices.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95460-2
- CCE-95460-2
cci:
- N/A
- CCI-000366
800-53r5:
- CM-6
- CM-7
- CM-7(1)
- CM-6
- CM-7
- CM-7(1)
sfr:
- N/A
- 'FMT_SMF.1.1 #47'
disa_stig:
- N/A
- AIOS-26-016000
cis:
benchmark:
- 3.2.1.12 (level 1 - Institutionally-Owned Devices)
- 3.2.1.12 (level 1 - Institutionally-Owned Devices)
controls v8:
- 4.1
- 4.1
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
supervised: true
mobileconfig: true
mobileconfig_info:
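Review bot: the sfr change from N/A to `'FMT_SMF.1.1 #47'` uses an identifier that differs from the `'FMT_SMF_EXT.1.1 #47'` form used elsewhere in this commit; confirm which is the correct SFR name before the mapping is published.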

View File

@@ -1,28 +1,29 @@
id: os_esim_delete
title: "Ensure the eSIM Contents are Deleted When Device is Erased"
title: Ensure the eSIM Contents are Deleted When Device is Erased
discussion: |
An eSIM may contain sensitive data and must be wiped of data when the mobile device is wiped to protect sensitive data from exposure.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95461-0
- CCE-95461-0
cci:
- CCI-001033
- CCI-001033
800-53r5:
- MP-6
- MP-6
sfr:
- "FMT_MOF_EXT.1.2 #47"
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-015100
iOS:
- "26.0"
- '26.0'
tags:
- ios
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true

View File

@@ -1,21 +1,26 @@
id: os_esim_transfers_disable
title: "Ensure the ability to transfer an eSIM is set to Disabled"
title: Ensure the ability to transfer an eSIM is set to Disabled
discussion: |
Outgoing transfers of eSIMs _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- N/A
cci:
- CCI-000366
800-53r5:
- N/A
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-017900
iOS:
- "26.0"
- '26.0'
tags:
- ios
- ios_stig
supervised: false
mobileconfig: true
mobileconfig_info:
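Review bot: `800-53r5` is left at `N/A` while `cci` is set to CCI-000366; elsewhere in this change CCI-000366 is paired with CM-6 (os_facetime_disable, for example), so the control mapping should be completed here as well. The rule also has no `severity` field despite now being assigned AIOS-26-017900.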

View File

@@ -1,4 +1,4 @@
id: os_exchange_SMIME_encryption_certificate_overwirte_disable
id: os_exchange_SMIME_encryption_certificate_overwrite_disable
title: "Disable changing the S/MIME encryption settings."
discussion: |
The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements.
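Review bot: the id change from `os_exchange_SMIME_encryption_certificate_overwirte_disable` to `..._overwrite_disable` only shows the `id` line here; the rule file itself must be renamed to match, and any baseline or section file that lists the old id must be updated, otherwise the rule is silently dropped from those baselines.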

View File

@@ -1,4 +1,4 @@
id: os_exchange_SMIME_signing_certificate_overwirte_disable
id: os_exchange_SMIME_signing_certificate_overwrite_disable
title: "Disable changing the S/MIME signing settings"
discussion: |
The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements.
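Review bot: same as the encryption rule above: the `id` fix to `os_exchange_SMIME_signing_certificate_overwrite_disable` needs the matching file rename and an update of every baseline that still references the misspelled id.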

View File

@@ -1,7 +1,6 @@
id: os_exchange_notes_disable
title: "Ensure Notes service is disabled for Exchange ActiveSync"
discussion: |-
Exchange ActiveSync Notes service can be disabled for an account. Note: The user can reenable the Notes service unless the setting EnableNotesUserOverridable is set to false.
title: Ensure Notes service is disabled for Exchange ActiveSync
discussion: 'Exchange ActiveSync Notes service can be disabled for an account. Note: The user can reenable the Notes service unless the setting EnableNotesUserOverridable is set to false.'
check: ' '
fix: This is implemented by a Configuration Profile
references:
@@ -14,18 +13,21 @@ references:
sfr:
- 'FMT_SMF_EXT.1.1 #47'
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- N/A
controls v8:
- N/A
disa_stig:
- AIOS-26-011300
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true
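Review bot: AIOS-26-011300 is assigned to this rule and, in the same change, to os_exchange_notes_user_override_disable, os_exchange_reminders_disable and os_exchange_reminders_user_override_disable. If one STIG requirement really covers all four ActiveSync settings that is acceptable, but a report keyed by STIG ID will then produce four findings for one requirement, so please verify the IDs against the STIG before merging.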

View File

@@ -1,7 +1,6 @@
id: os_exchange_notes_user_override_disable
title: "Ensure Notes service override is disabled for Exchange ActiveSync"
discussion: |-
Exchange ActiveSync Notes service can be disabled for a user. Setting EnableNotesUserOverridable to false prevents the user from altering the service status.
title: Ensure Notes service override is disabled for Exchange ActiveSync
discussion: Exchange ActiveSync Notes service can be disabled for a user. Setting EnableNotesUserOverridable to false prevents the user from altering the service status.
check: ' '
fix: This is implemented by a Configuration Profile
references:
@@ -14,18 +13,21 @@ references:
sfr:
- 'FMT_SMF_EXT.1.1 #47'
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- N/A
controls v8:
- N/A
disa_stig:
- AIOS-26-011300
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,27 +0,0 @@
id: os_exchange_prevent_move_enforce
title: "Prevent move manged mails to another account."
discussion: |
The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements.
The setting, prevent moving to another account _MUST_ be configured to prevent data leakage.
check: " "
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
800-53r5:
- N/A
indigo:
- ANNEX D (Section 5.6.1 - Mail)
iOS:
- "26.0"
tags:
- ios
- indigo_base
- indigo_high
supervised: false
mobileconfig: true
mobileconfig_info:
com.apple.mail.managed:
PreventMove: true
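Review bot: deleting this file removes the only `indigo_base`/`indigo_high` tagged rule that set `PreventMove: true` with the ANNEX D (Section 5.6.1 - Mail) reference. The same key is now enforced by os_mail_move_messages_disable (whose `PreventMove` flips to `true` later in this change), so the indigo baselines that listed os_exchange_prevent_move_enforce must be pointed at os_mail_move_messages_disable, otherwise those baselines lose the control.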

View File

@@ -1,7 +1,6 @@
id: os_exchange_reminders_disable
title: "Ensure Reminders service is disabled for Exchange ActiveSync"
discussion: |-
Exchange ActiveSync system can disable the Reminders service for an account. Note: The user can reenable the Notes service unless the setting 'EnableRemindersUserOverridable' is set to false.
title: Ensure Reminders service is disabled for Exchange ActiveSync
discussion: 'Exchange ActiveSync system can disable the Reminders service for an account. Note: The user can reenable the Notes service unless the setting ''EnableRemindersUserOverridable'' is set to false.'
check: ' '
fix: This is implemented by a Configuration Profile
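Review bot: the rewritten discussion still says "The user can reenable the Notes service" although this rule governs the Reminders service, as the `EnableRemindersUserOverridable` key on the same line shows; since the line is being rewritten anyway, change "Notes" to "Reminders".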
references:
@@ -14,18 +13,21 @@ references:
sfr:
- 'FMT_SMF_EXT.1.1 #47'
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- N/A
controls v8:
- N/A
disa_stig:
- AIOS-26-011300
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,7 +1,6 @@
id: os_exchange_reminders_user_override_disable
title: "Ensure Reminders service override is disabled for Exchange ActiveSync"
discussion: |-
Exchange ActiveSync system can disable the Reminders service for an account, but it can be reenabled by the user. The Reminders service is completely disabled when the 'EnableRemindersUserOverridable' setting is set to 'false'.
title: Ensure Reminders service override is disabled for Exchange ActiveSync
discussion: Exchange ActiveSync system can disable the Reminders service for an account, but it can be reenabled by the user. The Reminders service is completely disabled when the 'EnableRemindersUserOverridable' setting is set to 'false'.
check: ' '
fix: This is implemented by a Configuration Profile
references:
@@ -14,18 +13,21 @@ references:
sfr:
- 'FMT_SMF_EXT.1.1 #47'
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- N/A
controls v8:
- N/A
disa_stig:
- AIOS-26-011300
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,34 +1,35 @@
id: os_external_intelligence_integration_disable
title: "External Intelligence Integrations Must Be Disabled"
title: External Intelligence Integrations Must Be Disabled
discussion: |
The external intelligence integration feature of Apple Intelligence allows information to be downloaded from the device and processed by an external application in the cloud. The external intelligence integration feature of Apple Intelligence increases the risk of compromise of sensitive information.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95473-5
- CCE-95473-5
cci:
- CCI-000366
- CCI-000366
800-53r5:
- CM-6
- CM-7
- AC-20
- CM-6
- CM-7
- AC-20
sfr:
- "FMT_MOF_EXT.1.2 #47"
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-015400
indigo:
- ANNEX K
- ANNEX K
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true
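Review bot: AIOS-26-015400 is assigned here and again to os_external_intelligence_integration_sign_in_disable in the next file; confirm that both the integration restriction and the sign-in restriction fall under the same STIG requirement, or one of the two IDs is wrong.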

View File

@@ -1,10 +1,10 @@
id: os_external_intelligence_integration_sign_in_disable
title: "Sign In to External Intelligence Integrations Must Be Disabled"
title: Sign In to External Intelligence Integrations Must Be Disabled
discussion: |
The ability to sign into external intelligence integrations _MUST_ be disabled.
The external intelligence integration feature of Apple Intelligence allows information to be downloaded from the device and processed by an external application in the cloud. The external intelligence integration feature of Apple Intelligence increases the risk of compromise of sensitive information.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -17,9 +17,9 @@ references:
- CM-7
- AC-20
sfr:
- "FMT_MOF_EXT.1.2 #47"
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-015400
cis:
benchmark:
- 2.9.1 (level 1 - End-User Owned Devices)
@@ -31,7 +31,7 @@ references:
indigo:
- ANNEX K
iOS:
- "26.0"
- '26.0'
tags:
- ios
- cis_lvl1_byod
@@ -44,6 +44,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true

View File

@@ -0,0 +1,35 @@
id: os_facetime_disable
title: Disable FaceTime App
discussion: |
FaceTime _MUST_ be disabled.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-6
- CM-7
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-017800
indigo:
- N/A
iOS:
- '26.0'
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
severity: high
supervised: true
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowVideoConferencing: false
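Review bot: `severity: high` is the only high severity in this change, yet the discussion is the bare directive "FaceTime _MUST_ be disabled." with no risk statement; add the rationale so the generated guidance justifies the severity. `cce: - N/A` on a new rule also means no CCE was allocated, unlike most rules in the project, and `ios_stig` is placed before the 800-53r5 tags here while every other file in this change appends it after them.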

View File

@@ -1,23 +1,23 @@
id: os_files_network_drive_access_disable
title: "Ensure Allow Network Drive Access in Files App is Set to Disabled"
title: Ensure Allow Network Drive Access in Files App is Set to Disabled
discussion: |
Network drive access in Files app _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000097
- CCI-000370
800-53r5:
- AC-20(2)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-014300
indigo:
- ANNEX K
cis:
@@ -26,7 +26,7 @@ references:
controls v8:
- 1.2
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_moderate
@@ -38,7 +38,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -1,25 +1,25 @@
id: os_files_usb_drive_access_disable
title: "Ensure Allow USB Drive Access in Files App is Set to Disabled"
title: Ensure Allow USB Drive Access in Files App is Set to Disabled
discussion: |
USB drive access in Files app _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000097
- CCI-000370
800-53r5:
- AC-20(2)
800-53r4:
800-53r4:
- N/A
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-013300
indigo:
- ANNEX K
cis:
@@ -28,7 +28,7 @@ references:
controls v8:
- 1.2
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_moderate
@@ -40,7 +40,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: os_find_my_friends_disable
title: "Disable Find My Friends Service"
title: Disable Find My Friends Service
discussion: |
The Find My Friends service _MUST_ be disabled.
Sharing the location of a device may be an violation to an organization and potentially put users at risk.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
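Review bot: the unchanged context line "may be an violation to an organization" has a grammar error ("a violation"); worth fixing while this file is being touched.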
@@ -19,9 +19,9 @@ references:
- CM-7
- CM-7(1)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-013100
indigo:
- ANNEX K
cis:
@@ -30,7 +30,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -40,6 +40,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: true
mobileconfig: true

View File

@@ -1,8 +1,8 @@
id: os_force_encrypted_backups_enable
title: "Ensure Force Encrypted Backups is Enabled"
title: Ensure Force Encrypted Backups is Enabled
discussion: |
iOS and iPadOS backups _MUST_ be encrypted.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -18,11 +18,11 @@ references:
- CP-09(8)
- SC-28
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-010700
indigo:
- ANNEX D (Section 5.3 - Description of security/key management)
- ANNEX D (Section 5.3 - Description of security/key management)
- ANNEX K
cis:
benchmark:
@@ -31,7 +31,7 @@ references:
controls v8:
- 11.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -47,7 +47,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,32 +1,33 @@
id: os_genmoji_disable
title: "Ensure the Ability to Create Genmojis is Set to Disabled"
title: Ensure the Ability to Create Genmojis is Set to Disabled
discussion: |
Use of Genmojis _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95480-0
- CCE-95480-0
cci:
- N/A
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- CM-7
- CM-7(1)
sfr:
- N/A
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-017400
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
supervised: false
mobileconfig: true
mobileconfig_info:
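Review bot: no `severity` field is set although the rule is now mapped to AIOS-26-017400 and tagged `ios_stig`; the other STIG-mapped rules in this change set `severity: medium` or `low` before `supervised`.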

View File

@@ -1,16 +1,16 @@
id: os_handoff_disable
title: "Disable Handoff"
title: Disable Handoff
discussion: |
Handoff _MUST_ be disabled.
Handoff _MUST_ be disabled.
Handoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000370
- CCI-000381
@@ -20,9 +20,9 @@ references:
- CM-7
- CM-7(1)
disa_stig:
- N/A
- AIOS-26-010800
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
indigo:
- ANNEX K
cis:
@@ -32,7 +32,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -46,7 +46,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "low"
- ios_stig
severity: low
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -0,0 +1,31 @@
id: os_hide_apps_disable
title: Disable Ability to Hide Apps
discussion: |
Hidden apps cannot be seen by enterprise management applications (e.g., MDM server), and therefore, unauthorized apps or apps with embedded malware could be installed and hidden from the MDM or mobile threat detection (MTD) apps. Hidden apps may lead to the compromise of sensitive data.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- SC-07(10)
sfr:
- 'FMT_SMF.1.1 #47'
disa_stig:
- 'AIOS-26-015600'
iOS:
- "26.0"
tags:
- ios
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowAppsToBeHidden: false
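Review bot: quoting is inconsistent with the rest of this change: `'AIOS-26-015600'` is single-quoted while every other `disa_stig` value is bare, and `iOS: - "26.0"` keeps double quotes although the change converts all other files to `'26.0'`. The SFR `'FMT_SMF.1.1 #47'` again differs from the `FMT_SMF_EXT.1.1` form used elsewhere, and `SC-07(10)` here versus `SC-7(10)` in os_limit_ad_tracking_enable should be one notation so tag and control lookups match.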

View File

@@ -0,0 +1,33 @@
id: os_ibeacon_airprint_disable
title: Disable Discovery of AirPrint Printers using iBeacons
discussion: |
iBeacon discovery _MUST_ be disabled to prevent AirPrint Bluebooth beacons from being potentially exploited for network phishing.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-6
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016700
indigo:
- N/A
iOS:
- '26.0'
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
supervised: true
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowAirPrintiBeaconDiscovery: false
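Review bot: typo in the discussion, "Bluebooth" should read "Bluetooth". The rule is assigned AIOS-26-016700 but has no `severity` field, and `ios_stig` again sits before the 800-53r5 tags rather than after them as in the rest of this change.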

View File

@@ -1,32 +1,33 @@
id: os_image_playground_disable
title: "Ensure the Ability to Use AI Image Generation is Set to Disabled"
title: Ensure the Ability to Use AI Image Generation is Set to Disabled
discussion: |
AI image generation _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95482-6
- CCE-95482-6
cci:
- N/A
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- CM-7
- CM-7(1)
sfr:
- N/A
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-017300
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
supervised: false
mobileconfig: true
mobileconfig_info:
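Review bot: no `severity` field for a rule now mapped to AIOS-26-017300 and tagged `ios_stig`; add one so the STIG output is complete.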

View File

@@ -1,37 +1,38 @@
id: os_image_wand_disable
title: "Disable Apple Intelligence ImageWand"
title: Disable Apple Intelligence ImageWand
discussion: |
Apple Intelligence features such as Apple ImageWand _MUST_ be disabled.
check: " "
check: ' '
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95483-4
- CCE-95483-4
cci:
- N/A
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- CM-7
- CM-7(1)
sfr:
- N/A
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-017200
indigo:
- ANNEX K
- ANNEX K
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- indigo_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
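Review bot: this rule ends with `mobileconfig: true` and has neither a `severity` nor a `supervised` field, unlike every other STIG-mapped rule in this change. The `result: string: 'false'` block under an empty `check: ' '` is also odd: there is no check for that result to apply to, so either add the check or drop the result.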

View File

@@ -1,44 +1,45 @@
id: os_install_configuration_profile_disable
title: "Ensure Allow Installing Configuration Profiles is Set to Disabled"
title: Ensure Allow Installing Configuration Profiles is Set to Disabled
discussion: |
Configuration profiles _MUST_ be installed via an organization's MDM.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95484-2
- CCE-95484-2
cci:
- N/A
- N/A
800-53r5:
- CM-6
- CM-7
- CM-7(1)
- CM-6
- CM-7
- CM-7(1)
800-53r4:
- N/A
- N/A
sfr:
- N/A
- N/A
disa_stig:
- N/A
- AIOS-26-015500
indigo:
- ANNEX K
cis:
benchmark:
- 3.2.1.15 (level 1 - Institutionally-Owned Devices)
- 3.2.1.15 (level 1 - Institutionally-Owned Devices)
controls v8:
- 4.1
- 4.1
iOS:
- "26.0"
- '26.0'
tags:
- ios
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- cis_lvl1_enterprise
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true
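Review bot: `cci` and `sfr` remain `N/A` although the rule is now mapped to AIOS-26-015500; every other STIG-mapped rule in this change carries at least CCI-000366 and an SFR, so the mapping looks incomplete.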

View File

@@ -1,14 +1,14 @@
id: os_install_vpn_configuration_disable
title: "Ensure Allow Adding VPN Configurations is Set to Disabled"
title: Ensure Allow Adding VPN Configurations is Set to Disabled
discussion: |
VPN configurations _MUST_ be installed via an organization's MDM.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000370
- CCI-000066
@@ -16,12 +16,12 @@ references:
- AC-17
- AC-17(1)
- AC-17(3)
800-53r4:
800-53r4:
- N/A
sfr:
- "FMT_SMF_EXT.1.1 #3"
- 'FMT_SMF_EXT.1.1 #3'
disa_stig:
- N/A
- AIOS-26-001000
indigo:
- ANNEX D (Section 5.10.3 - Manual VPN)
cis:
@@ -30,7 +30,7 @@ references:
controls v8:
- 12.7
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -44,7 +44,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "low"
- ios_stig
severity: low
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -20,11 +20,12 @@ references:
indigo:
- ANNEX K
disa_stig:
- N/A
- AIOS-26-015800
iOS:
- "26.0"
tags:
- ios
- ios_stig
- indigo_base
- indigo_high
- cnssi-1253_moderate
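Review bot: `- ios_stig` is inserted before `indigo_base` here while every other file in this change appends it after the cnssi tags, and `- "26.0"` keeps double quotes that the rest of the change converts to single quotes; make this file consistent with the others.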

View File

@@ -1,34 +1,35 @@
id: os_iphone_widgets_on_mac_disable
title: "Disable Use of iPhone Widgets on Mac"
title: Disable Use of iPhone Widgets on Mac
discussion: |
iPhone widgets on Mac _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95487-5
- CCE-95487-5
cci:
- CCI-000366
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- CM-7
- CM-7(1)
sfr:
- "FMT_SMF_EXT.1.1 #8b"
- 'FMT_SMF_EXT.1.1 #8b'
disa_stig:
- N/A
- AIOS-26-010850
cis:
benchmark:
- N/A
- N/A
controls v8:
- N/A
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: true
mobileconfig: true
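Review bot: AIOS-26-010850 breaks the pattern of every other STIG ID in this change ending in 00; double-check it against the STIG so the rule is not mapped to a non-existent requirement.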

View File

@@ -1,10 +1,10 @@
id: os_limit_ad_tracking_enable
title: "Enable Limit Ad Tracking"
title: Enable Limit Ad Tracking
discussion: |
Ad tracking and targeted ads _MUST_ be disabled.
The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -20,9 +20,9 @@ references:
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-010500
indigo:
- ANNEX K
cis:
@@ -31,7 +31,7 @@ references:
controls v8:
- 4.8
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -42,6 +42,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: low
supervised: false
mobileconfig: true

View File

@@ -1,14 +1,14 @@
id: os_mail_maildrop_disable
title: "Ensure Allow Mail Drop is Set to Disabled"
title: Ensure Allow Mail Drop is Set to Disabled
discussion: |
Mail Drop _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000370
- CCI-002314
@@ -19,11 +19,11 @@ references:
- CM-7(1)
- SC-07(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-011000
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- 2.7.2 (level 2 - End-User Owned Devices)
@@ -31,7 +31,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -45,7 +45,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,14 +1,14 @@
id: os_mail_move_messages_disable
title: "Ensure Allow User to Move Messages from This Account is Set to Disabled"
title: Ensure Allow User to Move Messages from This Account is Set to Disabled
discussion: |
Mail from institutionally configured mail accounts _MUST_ not be allowed to move to personal mail accounts.
check: " "
Mail from institutionally configured mail accounts _MUST_ not be allowed to move to personal mail accounts to prevent data leakage.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000370
- CCI-000764
@@ -19,11 +19,11 @@ references:
- SC-4
- SC-07(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-011400
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- 2.7.1 (level 1 - End-User Owned Devices)
@@ -31,7 +31,7 @@ references:
controls v8:
- 3.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -47,9 +47,10 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:
com.apple.mail.managed:
PreventMove: false
PreventMove: true
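Review bot: the `PreventMove: false` to `true` flip is the substantive fix in this hunk: with `false`, the generated profile permitted exactly the behaviour the title says must be disabled, so anyone who deployed the previous version of this rule got no enforcement. That deserves a line in the commit message and a note to existing consumers of the baseline, rather than being buried among quoting changes.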

View File

@@ -1,35 +1,36 @@
id: os_marketplace_prevent
title: "Prevent Third Party Marketplaces"
title: Prevent Third Party Marketplaces
discussion: |
The iOS device _MUST_ be configured to prevent third party marketplaces from being installed.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95495-8
- CCE-95495-8
cci:
- CCI-000366
- CCI-000366
sfr:
- "FMT_MOF_EXT.1.2 #47"
- 'FMT_MOF_EXT.1.2 #47'
800-53r5:
- CM-11
- CM-11
disa_stig:
- N/A
- AIOS-26-014900
indigo:
- ANNEX K
- ANNEX K
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- indigo_base
- indigo_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true

View File

@@ -0,0 +1,47 @@
id: os_movie_content_allowed
title: Disable Movie Content
discussion: |
Movie Rating content _MUST_ be set to $ODV on the device.
Possible values, with the U.S. description of the rating level:
- `1000`: All
- `500`: NC-17
- `400`: R
- `300`: PG-13
- `200`: PG
- `100`: G
- `0`: None
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-7
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-017000
indigo:
- N/A
iOS:
- '26.0'
odv:
hint: Ratings Level
recommended: 0
ios_stig: 0
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
supervised: false
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
ratingMovies: $ODV
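Review bot: the title "Disable Movie Content" does not match either the id `os_movie_content_allowed` or what the rule does, which is set a rating threshold via `$ODV` (the STIG value `0` meaning None, `1000` meaning All); a title that names the rating level would be clearer. The rule also has no `severity` field despite AIOS-26-017000, and `ios_stig` is placed before the 800-53r5 tags rather than after them.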

View File

@@ -1,14 +1,14 @@
id: os_new_device_proximity_disable
title: "Ensure Allow Setting Up New Nearby Devices is Set to Disabled"
title: Ensure Allow Setting Up New Nearby Devices is Set to Disabled
discussion: |
The setting up of new nearby devices _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000097
- CCI-000370
@@ -17,9 +17,9 @@ references:
- CM-7
- CM-7(1)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-012800
indigo:
- ANNEX K
cis:
@@ -28,7 +28,7 @@ references:
controls v8:
- 3.13
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -42,7 +42,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: os_on_device_dictation_enforce
title: "Ensure On Device Dictation is Enforced"
title: Ensure On Device Dictation is Enforced
discussion: |
The device _MUST_ be configured for on device dictation.
By enforcing on device dictation this will mitigate the risk of unwanted data being sent to Apple.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -19,9 +19,9 @@ references:
- AC-20
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-014400
indigo:
- ANNEX K
cis:
@@ -30,7 +30,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -41,6 +41,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,10 +1,10 @@
id: os_on_device_translation_enforce
title: "Ensure On Device Translation is Enforced"
title: Ensure On Device Translation is Enforced
discussion: |
The device _MUST_ be configured for on device translation.
By enforcing on device translation this will mitigate the risk of unwanted data being sent to Apple.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -19,9 +19,9 @@ references:
- AC-20
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-014500
indigo:
- ANNEX K
cis:
@@ -30,7 +30,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -41,6 +41,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,44 +1,45 @@
id: os_pairing_non_configurator_hosts_disable
title: "Ensure Allow Pairing with Non-Configurator Hosts is Set to Disabled"
title: Ensure Allow Pairing with Non-Configurator Hosts is Set to Disabled
discussion: |
Host pairing with a non-Configurator host _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95503-9
- CCE-95503-9
cci:
- N/A
- CCI-000366
800-53r5:
- CM-6
- CM-7
- CM-7(1)
- CM-6
- CM-7
- CM-7(1)
sfr:
- N/A
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-016500
indigo:
- ANNEX K
cis:
benchmark:
- 3.2.1.20 (level 2 - Institutionally-Owned Devices)
- 3.2.1.20 (level 2 - Institutionally-Owned Devices)
controls v8:
- 4.8
- 4.8
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
supervised: true
mobileconfig: true
mobileconfig_info:
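Review bot: no `severity` field is set although the rule is now mapped to AIOS-26-016500 and tagged `ios_stig`; add one for consistency with the other STIG-mapped rules.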

View File

@@ -1,10 +1,10 @@
id: os_password_autofill_disable
title: "Disable Password Autofill"
title: Disable Password Autofill
discussion: |
Password Autofill _MUST_ be disabled.
Password Autofill _MUST_ be disabled.
iOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the device, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -21,16 +21,16 @@ references:
- IA-11
- IA-5
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-012700
cis:
benchmark:
- N/A
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -39,6 +39,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true

View File

@@ -1,10 +1,10 @@
id: os_password_proximity_disable
title: "Disable Proximity Based Password Sharing Requests"
title: Disable Proximity Based Password Sharing Requests
discussion: |
Proximity based password sharing requests _MUST_ be disabled.
Proximity based password sharing requests _MUST_ be disabled.
The default behavior of iOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -15,11 +15,11 @@ references:
- CCI-000097
- CCI-000370
800-53r5:
- IA-5
- IA-5
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-012900
indigo:
- ANNEX K
cis:
@@ -28,7 +28,7 @@ references:
controls v8:
- 13.5
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -42,7 +42,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: os_password_sharing_disable
title: "Disable Password Sharing"
title: Disable Password Sharing
discussion: |
Password Sharing _MUST_ be disabled.
Password Sharing _MUST_ be disabled.
The default behavior of iOS/iPadOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -17,9 +17,9 @@ references:
800-53r5:
- IA-5
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-013000
indigo:
- ANNEX K
cis:
@@ -28,7 +28,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -39,6 +39,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: true
mobileconfig: true

View File

@@ -1,10 +1,10 @@
id: os_require_managed_pasteboard_enforce
title: "Ensure Copy/Paste of Data from Managed to Unmanaged Applications is Disabled"
title: Ensure Copy/Paste of Data from Managed to Unmanaged Applications is Disabled
discussion: |
The device _MUST_ be configured to disable copy/paste of data from managed to unmanaged applications.
If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' and 'allowOpenFromUnmanagedToManaged' restrictions.
check: " "
If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' and 'allowOpenFromUnmanagedToManaged' restrictions.
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -18,9 +18,9 @@ references:
- AC-23
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-014600
indigo:
- ANNEX K
cis:
@@ -29,7 +29,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
@@ -37,6 +37,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,14 +1,14 @@
id: os_safari_password_autofill_disable
title: "Disable Automatic Completion of Safari Browser Passcodes"
title: Disable Automatic Completion of Safari Browser Passcodes
discussion: |
The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining additional information about the device's user or compromising other systems is significantly mitigated.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000370
- CCI-000381
@@ -19,9 +19,9 @@ references:
- IA-11
- IA-5
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-010600
cis:
benchmark:
- N/A
@@ -29,7 +29,7 @@ references:
- 4.1
- 4.8
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -39,7 +39,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "low"
- ios_stig
severity: low
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -7,38 +7,39 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95521-1
- CCE-95521-1
cci:
- N/A
- CCI-000366
800-53r5:
- CM-7
- CM-7(1)
- SC-07(10)
- CM-7
- CM-7(1)
- SC-07(10)
sfr:
- N/A
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- N/A
- AIOS-26-018000
indigo:
- ANNEX K
cis:
benchmark:
- 3.2.1.1 (level 2 - Institutionally-Owned Devices)
- 3.2.1.1 (level 2 - Institutionally-Owned Devices)
controls v8:
- 3.3
- 3.3
iOS:
- "26.0"
- "26.0"
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl2_enterprise
- cisv8
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
supervised: false
mobileconfig: true
mobileconfig_info:
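Review bot: `SC-07(10)` on the two `800-53r5` lines of this hunk is zero-padded, while the other rules touched by this commit cite the same control as `SC-7(10)` (os_require_managed_pasteboard_enforce, os_siri_assistant_disable, os_siri_when_locked_disabled). Since the line is being re-indented anyway, change it to `- SC-7(10)` so the generated reference tables group the control under one identifier. The rest of the hunk only re-indents the `tags:` block, which buries the single substantive change (`- ios_stig`); consider limiting the hunk to that line.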

View File

@@ -1,8 +1,8 @@
id: os_show_calendar_lock_screen_disable
title: "Ensure Calendar Notifications When the Device is Locked is Set to Disabled"
title: Ensure Calendar Notifications When the Device is Locked is Set to Disabled
discussion: |
Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -13,16 +13,16 @@ references:
800-53r5:
- AC-11(1)
sfr:
- "FMT_SMF_EXT.1.1 #18"
- 'FMT_SMF_EXT.1.1 #18'
disa_stig:
- N/A
- AIOS-26-007600
cis:
benchmark:
- N/A
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_moderate
@@ -30,6 +30,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,21 +1,21 @@
id: os_show_notification_center_lock_screen_disable
title: "Ensure Show Notification Center in Lock Screen is Set to Disabled"
title: Ensure Show Notification Center in Lock Screen is Set to Disabled
discussion: |
Notification Center _MUST_ be disabled in the lock screen.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000060
800-53r5:
- AC-11(1)
sfr:
- "FMT_SMF_EXT.1.1 #18"
- 'FMT_SMF_EXT.1.1 #18'
disa_stig:
- N/A
- AIOS-26-007500
indigo:
- ANNEX K
cis:
@@ -25,9 +25,10 @@ references:
controls v8:
- 4.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- ios_stig
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1_byod
@@ -40,7 +41,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: os_siri_assistant_disable
title: "Disable Siri service"
title: Disable Siri service
discussion: |
The iOS built-in Siri service _MUST_ be disabled to prevent organizational data from being synchronized to Apple servers.
Apple's Siri service does not provide an organization with enough control over the storage and access of data, and, therefore, automated synchronization _MUST_ be controlled by an organization approved service.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -17,21 +17,28 @@ references:
- SC-7(10)
indigo:
- ANNEX K
cci:
- CCI-000366
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016100
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r5_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "high"
- ios_stig
severity: high
supervised: false
mobileconfig: true
mobileconfig_info:
mobileconfig_info:
com.apple.applicationaccess:
allowAssistant: false

View File

@@ -9,18 +9,25 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95528-6
- CCE-95528-6
cci:
- CCI-000366
800-53r5:
- AC-20
- CM-7
- CM-7(1)
- SC-7(10)
- AC-20
- CM-7
- CM-7(1)
- SC-7(10)
indigo:
- ANNEX K
- ANNEX K
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-016200
iOS:
- "26.0"
tags:
- ios
- ios_stig
- indigo_base
- indigo_high
- 800-53r5_low
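Review bot: This rule now carries `disa_stig: - AIOS-26-016200` and the `ios_stig` tag, but the supplemental_stig rule in this same commit lists AIOS-26-016200 among the controls that "will not be configurable" once AIOS-26-016100 is applied, and os_siri_assistant_disable (AIOS-26-016100) is also tagged `ios_stig` here. Either the supplemental text is stale or this rule is redundant in the STIG baseline; please make the two consistent, for example by stating in the discussion that the setting only has effect while Siri itself remains enabled.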

View File

@@ -1,8 +1,8 @@
id: os_siri_when_locked_disabled
title: "Ensure Allow Siri While Device is Locked is Set to Disabled"
title: Ensure Allow Siri While Device is Locked is Set to Disabled
discussion: |
Accessing Siri while the device is locked _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -16,9 +16,9 @@ references:
- CM-7(1)
- SC-7(10)
sfr:
- "FMT_SMF_EXT.1.1 #8b"
- 'FMT_SMF_EXT.1.1 #8b'
disa_stig:
- N/A
- AIOS-26-007200
indigo:
- ANNEX K
cis:
@@ -28,7 +28,7 @@ references:
controls v8:
- 4.3
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -44,7 +44,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,8 +1,8 @@
id: os_ssl_for_exchange_activesync_enable
title: "Ensure SSL for Exchange ActiveSync"
title: Ensure SSL for Exchange ActiveSync
discussion: |
Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SSL), also referred to as Transport Layer Security (TLS), provides encryption and authentication services that mitigate the risk of breach.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
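Review bot: The discussion line kept as context here says SSL is "also referred to as" TLS; SSL is the deprecated predecessor of TLS, not another name for it. Suggest rewording along the lines of "Enabling the SSL option for the Exchange ActiveSync account causes the connection to use Transport Layer Security (TLS), which provides encryption and authentication services that mitigate the risk of breach." so the rule text does not imply that SSL-era protocol versions are acceptable.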
@@ -13,22 +13,23 @@ references:
800-53r5:
- N/A
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-011300
indigo:
- ANNEX D (Section 5.6.1 - Mail)
- ANNEX D (Section 5.6.1 - Mail)
cis:
benchmark:
- N/A
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
- indigo_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true

View File

@@ -1,8 +1,8 @@
id: os_supervised_mdm_require
title: "Enforce Supervised Enrollment in Mobile Device Management"
title: Enforce Supervised Enrollment in Mobile Device Management
discussion: |
iOS/iPadOS _MUST_ be supervised by a Mobile Device Management (MDM) software.
check: " "
check: ' '
fix: |
Enroll the iOS/iPadOS device in a supervised MDM.
references:
@@ -16,16 +16,16 @@ references:
- CM-2
- CM-6
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-013200
cis:
benchmark:
- N/A
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- manual
- ios
@@ -35,6 +35,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
mobileconfig: false
mobileconfig_info:
mobileconfig_info: null
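Review bot: `mobileconfig_info: null` on the last line of this hunk is semantically identical to the bare `mobileconfig_info:` it replaces (an empty value already parses to null), and it is now the only rule in this commit written that way (compare the os_require_managed_pasteboard_enforce and supplemental_stig hunks, which keep the bare key). Revert it or apply the same form everywhere so the rule files stay uniform.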

View File

@@ -7,17 +7,22 @@ fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95534-4
- CCE-95534-4
800-53r5:
- AC-20
- CM-7
- CM-7(1)
- AC-20
- CM-7
- CM-7(1)
sfr:
- 'FMT_SMF.1.1 #47'
disa_stig:
- AIOS-26-013100
indigo:
- ANNEX K
iOS:
- "26.0"
tags:
- ios
- ios_stig
- indigo_high
- 800-53r5_low
- 800-53r5_moderate
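Review bot: The `sfr` entry `'FMT_SMF.1.1 #47'` in this hunk differs from `'FMT_SMF_EXT.1.1 #47'`, which the other rules in this commit use for the same function number (os_password_sharing_disable, os_usb_accessories_when_locked_disable, os_supervised_mdm_require). The same non-`_EXT` form appears in pwpolicy_history_enforce. Please confirm which SFR identifier is intended and use one form throughout; otherwise the SFR cross-reference table will show two entries for one requirement.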

View File

@@ -0,0 +1,48 @@
id: os_tv_content_allowed
title: Disable TV Content
discussion: |
TV Rating content _MUST_ be set to $ODV on the device.
Possible values, with the U.S. description of the rating level:
- `1000`: All
- `600`: TV-MA
- `500`: TV-14
- `400`: TV-PG
- `300`: TV-G
- `200`: TV-Y7
- `100`: TV-Y
- `0`: None
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
- CCI-000366
800-53r5:
- CM-7
sfr:
- 'FMT_MOF_EXT.1.2 #47'
disa_stig:
- AIOS-26-017100
indigo:
- N/A
iOS:
- '26.0'
odv:
hint: Ratings Level
recommended: 0
ios_stig: 0
tags:
- ios
- ios_stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
supervised: false
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
ratingTVShows: $ODV
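Review bot: This new rule has no `severity:` key, while every other rule given the `ios_stig` tag in this commit sets one (medium, low or high); add the severity the STIG assigns to AIOS-26-017100 so the generated STIG output is complete. Two smaller points: the `cis:` block (`benchmark: - N/A`, `controls v8: - N/A`) that the other rule files carry is absent, and the discussion would read more clearly as "The allowed TV content rating _MUST_ be set to $ODV", which matches the title's "Disable TV Content" once the `0`/None default is applied.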

View File

@@ -1,14 +1,14 @@
id: os_usb_accessories_when_locked_disable
title: "Ensure Allow USB Accessories While the Device is Locked is Set to Disabled"
title: Ensure Allow USB Accessories While the Device is Locked is Set to Disabled
discussion: |
USB devices _MUST_ not be allowed to connect while the device is locked.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
- CCI-000097
- CCI-000370
@@ -18,9 +18,9 @@ references:
- SC-7(10)
- SC-41
sfr:
- "FMT_SMF_EXT.1.1 #47"
- 'FMT_SMF_EXT.1.1 #47'
disa_stig:
- N/A
- AIOS-26-012200
indigo:
- ANNEX K
cis:
@@ -29,7 +29,7 @@ references:
controls v8:
- 1.2
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -43,7 +43,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: true
mobileconfig: true
mobileconfig_info:

View File

@@ -2,34 +2,35 @@ id: os_web_distribution_app_installation_disable
title: Ensure the Ability to Install Apps Directly from the Web is Set to Disabled
discussion: |
Web distrubtion of app installation _MUST_ be disabled.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95544-3
- CCE-95544-3
cci:
- CCI-000366
- CCI-000366
800-53r5:
- CM-11
- CM-11
indigo:
- ANNEX K
- ANNEX K
sfr:
- "FMT_SMF_EXT.1.1 #3"
- 'FMT_SMF_EXT.1.1 #3'
disa_stig:
- N/A
- AIOS-26-015000
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: medium
supervised: false
mobileconfig: true
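Review bot: The discussion context line still reads "Web distrubtion of app installation"; fix to "Web distribution" while the file is being touched. Also, the entire `tags:` block is removed and re-added with different indentation, so the only substantive change (`- ios_stig`) is hard to see; if the re-indent is a YAML-formatter side effect, consider landing it as a separate formatting-only commit.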

View File

@@ -1,10 +1,10 @@
id: pwpolicy_account_lockout_enforce
title: "Limit Consecutive Failed Login Attempts to $ODV"
title: Limit Consecutive Failed Login Attempts to $ODV
discussion: |
The iOS _MUST_ be configured to limit the number of failed login attempts to a maximum of $ODV.
This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
check: " "
This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
@@ -15,10 +15,10 @@ references:
800-53r5:
- AC-7
sfr:
- "FMT_SMF_EXT.1.1 #2c"
- 'FIA_AFL_EXT.1.5'
- 'FMT_SMF_EXT.1.1 #2c'
- FIA_AFL_EXT.1.5
disa_stig:
- N/A
- AIOS-26-006900
indigo:
- ANNEX D (Section 5.9.1 - Device-Code)
- ANNEX K
@@ -29,14 +29,14 @@ references:
controls v8:
- 4.3
iOS:
- "26.0"
- '26.0'
odv:
hint: "Number of failed attempts."
hint: Number of failed attempts.
recommended: 6
cis_lvl1_byod: 6
cis_lvl2_byod: 6
cis_lvl1_enterprise: 6
cis_lvl2_enterprise: 6
cis_lvl2_enterprise: 6
ios_stig: 10
ios_stig_byoad: 10
indigo_base: 10
@@ -56,7 +56,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,10 +1,10 @@
id: pwpolicy_force_pin_enable
title: "Ensure Force Pin is Set to Enabled"
title: Ensure Force Pin is Set to Enabled
discussion: |
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.
Note: MDF PP v2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile
references:
@@ -15,9 +15,9 @@ references:
800-53r5:
- SC-28
sfr:
- 'FIA_UAU_EXT.1.1'
- FIA_UAU_EXT.1.1
disa_stig:
- N/A
- AIOS-26-010400
indigo:
- ANNEX D (Section 5.9.1 - Device-Code)
cis:
@@ -26,7 +26,7 @@ references:
controls v8:
- N/A
iOS:
- "26.0"
- '26.0'
tags:
- ios
- indigo_base
@@ -34,6 +34,7 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: high
mobileconfig: 'true'
mobileconfig_info:
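Review bot: `mobileconfig: 'true'` on the context line here is a YAML string, whereas every other rule in this commit uses the boolean `mobileconfig: true`; a generator that compares the value against a boolean rather than testing truthiness will treat this rule as having no profile. The same hunk shows `severity: high` followed directly by `mobileconfig:`, with no `supervised:` key in between where the other rules carry one; please add it if it is genuinely missing from the file.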

View File

@@ -2,40 +2,41 @@ id: pwpolicy_history_enforce
title: Prohibit Password Reuse for a Minimum of $ODV Generations
discussion: |
The iOS _MUST_ be configured to enforce a password history of at least $ODV previous passwords when a password is created.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95549-2
- CCE-95549-2
800-53r5:
- IA-5(1)
- IA-5(1)
indigo:
- ANNEX D (Section 5.9.1 - Device-Code)
- ANNEX K
- ANNEX D (Section 5.9.1 - Device-Code)
- ANNEX K
cci:
- CCI-004061
- CCI-004061
sfr:
- "FMT_SMF.1.1 #47"
- 'FMT_SMF.1.1 #47'
disa_stig:
- N/A
- AIOS-26-006950
iOS:
- "26.0"
- '26.0'
odv:
hint: Number of previous passwords.
recommended: 2
indigo_base: 2
indigo_high: 2
tags:
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- indigo_base
- indigo_high
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
- ios_stig
severity: high
supervised: false
mobileconfig: true
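Review bot: The `odv:` block has no `ios_stig:` value even though the rule is now tagged `ios_stig` and mapped to AIOS-26-006950; pwpolicy_account_lockout_enforce (`ios_stig: 10`) and os_tv_content_allowed (`ios_stig: 0`) in this commit show the expected pattern. Add the history depth the STIG requires, or confirm that the generator falls back to `recommended: 2` and that 2 satisfies AIOS-26-006950. This file also cites `'FMT_SMF.1.1 #47'` rather than the `FMT_SMF_EXT.1.1` form used by most other rules here.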

View File

@@ -1,24 +1,24 @@
id: pwpolicy_max_grace_period_enforce
title: "Ensure Maximum Grace Period for Device Lock is Set to Immediately"
title: Ensure Maximum Grace Period for Device Lock is Set to Immediately
discussion: |
The iOS grace period for device lock _MUST_ be configured to immediately.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000057
800-53r5:
- AC-11
- IA-11
sfr:
- "FMT_SMF_EXT.1.1 #2a"
- 'FMT_SMF_EXT.1.1 #2a'
disa_stig:
- N/A
- AIOS-26-006800
indigo:
- ANNEX D (Section 5.9.1 - Device-Code)
- ANNEX D (Section 5.9.1 - Device-Code)
cis:
benchmark:
- 2.4.5 (level 1 - End-User Owned Devices)
@@ -26,9 +26,9 @@ references:
controls v8:
- 4.3
iOS:
- "26.0"
- '26.0'
odv:
hint: "Maximum Grace Period in Minutes."
hint: Maximum Grace Period in Minutes.
recommended: 0
cis_lvl1_byod: 0
cis_lvl2_byod: 0
@@ -53,7 +53,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,24 +1,24 @@
id: pwpolicy_max_inactivity_enforce
title: "Ensure Maximum Auto-Lock is Set to $ODV Minutes or Less"
title: Ensure Maximum Auto-Lock is Set to $ODV Minutes or Less
discussion: |
The iOS _MUST_ be configured to auto-lock after $ODV minutes.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000057
800-53r5:
- AC-11
- IA-11
sfr:
- "FMT_SMF_EXT.1.1 #2b"
- 'FMT_SMF_EXT.1.1 #2b'
disa_stig:
- N/A
- AIOS-26-006800
indigo:
- ANNEX D (Section 5.9.1 - Device-Code)
- ANNEX D (Section 5.9.1 - Device-Code)
- ANNEX K
cis:
benchmark:
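Review bot: `AIOS-26-006800` is assigned here and also to pwpolicy_max_grace_period_enforce earlier in this commit. If that STIG item covers both the auto-lock timeout (`FMT_SMF_EXT.1.1 #2b`) and the grace period (`#2a`), the shared ID is fine and deserves a short note in one of the discussions; if not, one of the two IDs is a copy-paste error and should be corrected before the STIG mapping is published.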
@@ -27,9 +27,9 @@ references:
controls v8:
- 4.3
iOS:
- "26.0"
- '26.0'
odv:
hint: "Maximum Auto-Lock in Minutes."
hint: Maximum Auto-Lock in Minutes.
recommended: 2
cis_lvl1_byod: 2
cis_lvl2_byod: 2
@@ -54,7 +54,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,23 +1,23 @@
id: pwpolicy_minimum_length_enforce
title: "Require a Minimum Passcode Length of $ODV Characters"
title: Require a Minimum Passcode Length of $ODV Characters
discussion: |
The iOS _MUST_ be configured to require a minimum of $ODV characters be used when a passcode is created.
This rule enforces passcode complexity by requiring users to set passcode that are less vulnerable to malicious users.
check: " "
This rule enforces passcode complexity by requiring users to set passcode that are less vulnerable to malicious users.
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000205
800-53r5:
- IA-5(1)
sfr:
- "FMT_SMF_EXT.1.1 #1a"
- 'FMT_SMF_EXT.1.1 #1a'
disa_stig:
- N/A
- AIOS-26-006500
indigo:
- ANNEX D (Section 5.9 - Device authentication)
- ANNEX K
@@ -28,9 +28,9 @@ references:
controls v8:
- 5.2
iOS:
- "26.0"
- '26.0'
odv:
hint: "Minimum passcode length."
hint: Minimum passcode length.
recommended: 6
cis_lvl1_byod: 6
cis_lvl2_byod: 6
@@ -55,7 +55,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -1,23 +1,23 @@
id: pwpolicy_simple_sequence_disable
title: "Prohibit Repeating, Ascending, and Descending Character Sequences"
title: Prohibit Repeating, Ascending, and Descending Character Sequences
discussion: |
The iOS device _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a passcode is created.
This rule enforces password complexity by requiring users to set passcodes that are less vulnerable to malicious users.
check: " "
check: ' '
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- N/A
cci:
cci:
- CCI-000366
800-53r5:
- IA-5(1)
sfr:
- "FMT_SMF_EXT.1.1 #1b"
- 'FMT_SMF_EXT.1.1 #1b'
disa_stig:
- N/A
- AIOS-26-006600
indigo:
- ANNEX D (Section 5.9 - Device authentication)
- ANNEX K
@@ -28,7 +28,7 @@ references:
controls v8:
- 5.2
iOS:
- "26.0"
- '26.0'
tags:
- ios
- 800-53r5_low
@@ -44,7 +44,8 @@ tags:
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
severity: "medium"
- ios_stig
severity: medium
supervised: false
mobileconfig: true
mobileconfig_info:

View File

@@ -48,4 +48,3 @@ tags:
- supplemental
mobileconfig: false
mobileconfig_info:

View File

@@ -140,7 +140,7 @@ discussion: |
[cols="15%h, 85%a"]
|===
|Section
|Additional Reccomendations
|Additional Recommendations
|Recommendations
|4.1.1 Review Manage Sharing & Access +

View File

@@ -1,35 +1,48 @@
id: supplemental_stig
title: "DISA STIG Supplemental"
discussion: |
These controls are controls that require additional considerations for your environment.
These are controls that require additional considerations for your environment.
[cols="20%h, 80%a"]
|===
|STIG ID
|Rule Title
|AIOS-18-007400 +
AIOS-18-707400| Apple iOS/iPadOS 18 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
|AIOS-18-008400 +
AIOS-18-708400| Apple iOS/iPadOS 18 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
|AIOS-18-009200 +
AIOS-18-709200| Apple iOS/iPadOS 18 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
|AIOS-18-009800| Apple iOS/iPadOS 18 must be configured to disable multi-user modes.
|AIOS-18-009900 +
AIOS-18-709900| Apple iOS/iPadOS 18 must be configured to [selection: wipe protected data, wipe sensitive data] upon un-enrollment from MDM.
|AIOS-18-010000| Apple iOS/iPadOS 18 must be configured to [selection: remove Enterprise applications, remove all non-core applications (any non-factory installed application)] upon un-enrollment from MDM.
|AIOS-18-011200 +
AIOS-18-711200| iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
|AIOS-18-011600| Apple iOS/iPadOS 18 must implement the management setting: Not have any Family Members in Family Sharing.
|AIOS-18-011700| Apple iOS/iPadOS 18 must implement the management setting: not share location data through iCloud.
|AIOS-18-011900 +
AIOS-18-711900| Apple iOS/iPadOS 18 users must complete required training.
|AIOS-18-012000 +
AIOS-18-712000| A managed photo app must be used to take and store work-related photos.
|AIOS-18-012650| Apple iOS/iPadOS 18 must implement the management setting: approved Apple Watches must be managed by an MDM.
|AIOS-18-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
|AIOS-18-014700| Apple iOS/iPadOS 18 must have DOD root and intermediate PKI certificates installed.
|AIOS-18-015500| Apple iOS/iPadOS 18 must disable the download of iOS/iPadOS beta updates.
|AIOS-26-001000| Apple iOS/iPadOS 26 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
|AIOS-26-007400| Apple iOS/iPadOS 26 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DoD servers; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.
|AIOS-26-008400| Apple iOS/iPadOS 26 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
|AIOS-26-009200| Apple iOS/iPadOS 26 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
|AIOS-26-009800| Apple iOS/iPadOS 26 must be configured to disable multi-user modes.
|AIOS-26-009900| Apple iOS/iPadOS 26 must be configured to [selection: wipe protected data, wipe sensitive data] upon un-enrollment from MDM.
|AIOS-26-010000| Apple iOS/iPadOS 26 must be configured to [selection: remove Enterprise applications, remove all non-core applications (any non-factory installed application)] upon un-enrollment from MDM.
|AIOS-26-011200| iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
|AIOS-26-011600| Apple iOS/iPadOS 26 must implement the management setting: Not have any Family Members in Family Sharing.
|AIOS-26-011700| Apple iOS/iPadOS 26 must implement the management setting: not share location data through iCloud.
|AIOS-26-011900| Apple iOS/iPadOS 26 users must complete required training.
|AIOS-26-012000| A managed photo app must be used to take and store work-related photos.
|AIOS-26-012650| Apple iOS/iPadOS 26 must implement the management setting: approved Apple Watches must be managed by an MDM.
|AIOS-26-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
|AIOS-26-014700| Apple iOS/iPadOS 26 must have DOD root and intermediate PKI certificates installed.
|AIOS-26-015500| Apple iOS/iPadOS 26 must disable the download of iOS/iPadOS beta updates.
|AIOS-26-017700| Apple iOS/iPadOS 26 must have Mobile Threat Detection app installed.
|AIOS-26-018300| Apple iOS/iPadOS 26 must be configurated to disable Wi-Fi Aware.
|===
These are controls that will not be configurable if the following are applied.
- `AIOS-26-016100` Apple iOS/iPadOS 26 must disable the use voice assistant (Siri) unless required to meet Section 508 compliance requirements.
- `AIOS-26-016600` Apple iOS/iPadOS 26 must disable AirPrint.
[cols="20%h, 80%a"]
|===
|STIG ID
|Rule Title
|AIOS-26-016200| Apple iOS/iPadOS 26 must disable the use voice assistant (Show user-generated content in Siri) unless required to meet Section 508 compliance requirements.
|AIOS-26-016300| Apple iOS/iPadOS 26 must disable the use voice assistant (Siri suggestions) unless required to meet Section 508 compliance requirements.
|AIOS-26-016700| Apple iOS/iPadOS 26 must disable AirPrint: Allow discovery of AirPrint printers using iBeacons.
|AIOS-26-016800| Apple iOS/iPadOS 26 must disable AirPrint: Allow storage of AirPrint credentials in Keychain.
|AIOS-26-016900| Apple iOS/iPadOS 26 must allow AirPrint feature: Disallow AirPrint to destinations with untrusted certificates.
|===
check: |
fix: |
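Review bot: "configurated" in the added AIOS-26-018300 row should be "configured" unless the row quotes the STIG title verbatim (the other rows read as STIG titles, so please check the source). The new lead-in "These are controls that will not be configurable if the following are applied." introduces the second table well, but it conflicts with the rule files in this commit that tag AIOS-26-016200 as `ios_stig` (the CCE-95528-6 rule); please reconcile the two so the baseline and the supplemental do not disagree about whether that control is in scope.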
@@ -48,5 +61,6 @@ iOS:
- "26.0"
tags:
- supplemental
- ios_stig
mobileconfig: false
mobileconfig_info:

View File

@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_18_V1R3_STIG.zip[STIG Ver 1, Rel 3]|_Apple iOS/iPadOS 18 STIG - Ver 1, Rel 3_
|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_iOS-iPadOS_26_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1_
|===
[%header, cols=2*a]