Apple iOS must implement the management setting: remove managed applications upon unenrollment from MDM.

From Apple iOS 10 Security Technical Implementation Guide

Part of PP-MDF-991000

Associated with: CCI-000366

SV-86501r1_rule Apple iOS must implement the management setting: remove managed applications upon unenrollment from MDM.

Vulnerability discussion

When a device is unenrolled from MDM, it is possible to relax the security policies that the MDM had implemented on the device. This may cause apps and data to be more vulnerable than they were prior to enrollment. Removing managed apps (and consequently the data they maintain) upon unenrollment mitigates this risk because on appropriately configured Apple iOS devices, DoD-sensitive information exists only within managed apps.SFR ID: FMT_SMF_EXT.1.1 #45

Check content

Note: The procedure below is exactly the same for requirement AIOS-11-080202. This procedure needs to be performed only once. Note: Not all Apple iOS deployments involve MDM. If the site uses an authorized alternative to MDM for distribution of configuration profiles (Apple Configurator), this check procedure is not applicable. This check procedure is performed on the Apple iOS management tool. In the Apple iOS management tool, for each managed app, verify the app is configured to be removed when the MDM profile is removed. If one or more managed apps are not set to be removed upon device MDM unenrollment, this is a finding.

Fix text

Install a configuration profile to delete all managed apps upon device unenrollment.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer