From Apple iOS 11 Security Technical Implementation Guide
Part of PP-MDF-301150
Associated with: CCI-000366 CCI-000370 CCI-000381
Facial recognition systems can be used to authenticate the user in order to unlock the mobile device. At this time, the Apple iOS Face ID has not been evaluated by the NIAP to confirm it meets the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.
Review configuration settings to confirm "Allow Touch ID to unlock device" is disabled. Note: This control also controls Face ID. This check procedure is performed on both the Apple iOS management tool and the Apple iOS device. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. Note: This requirement is applicable only for iOS devices that support Face ID (iPhone X). Note: The same control (“Allow Touch ID to unlock device”) enables/disables both Touch ID and Face ID. Therefore, it is recommended that Face ID-capable iOS devices (iPhone X) be placed in a separate management group from all other iOS devices so that when Face ID is disabled, devices supporting only Touch ID can still use the feature. In the iOS management tool, verify "Allow Touch ID to unlock device" is unchecked. On the iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Profiles" or "Profiles & Device Management" or "Device Management". 4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy. 5. Tap "Restrictions". 6. Verify "Touch ID unlock not allowed" is listed. If "Allow Touch ID to unlock device" is checked in the iOS management tool or the restrictions policy on the Apple iOS device from the Apple iOS management tool does not list "Touch ID unlock not allowed", this is a finding.
Install a configuration profile to disable Face ID for device unlock. iOS devices with Face ID (for example, iPhone X) should be placed in a management group separate from other iOS devices without Face ID so that Face ID can be disabled. Note: The same control (“Allow Touch ID to unlock device”) enables/disables both Touch ID and Face ID. Therefore, it is recommended that Face ID-capable iOS devices (iPhone X) be placed in a separate management group from all other iOS devices so that when Face ID is disabled, devices supporting only Touch ID can still use the feature.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer