FINAL DRAFT
APPLE iOS 9 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) CONFIGURATION TABLE
Version 1, Release 0.1
18 September 2015
Developed by Apple and for the DoD
LIST OF TABLES
Table 1: Non-Supervised Controls ... 1
Table 2: Supervised Controls ... 11
Table 1: Non-Supervised Controls

| Policy Group | Policy Rule | Options | Value | STIG ID | Comments |
| General - Security | Removal of configuration profile | Always / Never / With Authentication | Never | AIOS-10-080103 | |
| Passcode | Allow Simple Value | Enable/Disable | Disable | AIOS-01-080007 | Simple value passcodes include repeating, ascending, and descending character sequences. |
| Passcode | Require Alphanumeric value | Enable/Disable | Disable | | |
| Passcode | Minimum passcode length | 1-16 | 6 | AIOS-01-080004 | |
| Passcode | Minimum number of complex characters | 1-4 | 1 | | |
| Passcode | Maximum passcode age | 1-730, or None | None | | |
| Passcode | Maximum autolock | 1-15, or None | 1-5 recommended, 15 maximum allowable | AIOS-01-080002 | Device automatically locks when minutes elapse. If maximum auto-lock equals 15, the grace period shall be set to "Immediately". |
| Passcode | Passcode history | 1-50, or None | None | | |
| Passcode | Grace period for device lock | Immediately / 1 min / 5 min / 15 min / 1 hr / 4 hrs | 15 minus value for maximum auto-lock time | AIOS-01-080002 | Maximum amount of time device can be locked without prompting for passcode on unlock. If maximum auto-lock equals 15, the grace period must be set to "Immediately". |
| Passcode | Maximum number of failed attempts | 2-10 | 10 | AIOS-01-080005 | |
| | Allow use of camera | Enable/Disable | Enable | | |
| | Allow FaceTime | Enable/Disable | Disable | | "Disable" is a non-default value. |
| | Allow screenshots | Enable/Disable | Disable | | |
| | Allow AirDrop | Enable/Disable | Disable | AIOS-05-080001 | |
| | Allow voice dialing | | | 080012 | |
Comment extracted beside the Allow AirDrop and Allow voice dialing rows (the row it belongs to is not separable in the extraction): An iOS management tool can only enforce this setting on a Supervised iOS device. It is not required that iOS devices be Supervised. For devices that are not Supervised, users must manually enforce the setting on each device.
| | Allow Siri | Enable/Disable | Enable | | |
| | Allow Siri while device is locked | | | | |
| | Allow installing apps | | | | |
| | Allow in-app purchase | | | | |
| | Require iTunes Store password for all purchases | | | | |
| | Allow iCloud backup | | | | |
| | Allow iCloud documents & data | | | | |
| | Allow iCloud keychain | | | | |
| | Allow managed apps to store data in iCloud | | | | |
| | Allow backup of enterprise books | | | | |
| | Allow notes and highlights sync for enterprise books | | | | |
| | Allow iCloud photo sharing | | | | |
Cells extracted out of row alignment for the rows from "Allow Siri while device is locked" to "Allow iCloud photo sharing": 080011; Enable/Disable, Enable; Enable/Disable, Disable; Enable/Disable, Enable; 080002; 080003; 080004; 080103; 080101; Enable/Disable, Enable; 080006.
| | Allow My Photo Stream | | | 080005 | |
| | Allow automatic sync while roaming | Enable/Disable | Disable | | |
| | Force encrypted backups | Enable/Disable | Enable | AIOS-02-080017 | |
| | Force limited ad tracking | Enable/Disable | Enable | AIOS-02-080008 | |
| | Allow users to accept untrusted TLS certificates | Enable/Disable | Enable | | |
| | Allow automatic updates to certificate trust settings | Enable/Disable | Enable | | |
| | Allow documents from managed apps in unmanaged apps | | | 080014 | |
| | Allow documents from unmanaged apps in managed apps | Enable/Disable | Disable | | |
| | Allow Handoff | | | 080102 | |
| | Allow Internet search results in Spotlight | Enable/Disable | Enable | | |
| | Allow sending diagnostic and usage data to Apple | | | | |
| | Allow Touch ID to unlock device | | | | |
| | Require passcode on first AirPlay pairing | | | | |
| | Allow access when unlocked - Wallet | | | | |
| | Show Control Center in Lock screen | | | | |
| | Show Notification Center in Lock screen | | | | |
| | Show Today view in Lock screen | | | | |
| | Allow use of YouTube | | | | |
| | Allow installing apps using App Store and Apple Configurator | | | | |
| | Allow adding Game Center friends | | | | |
Cells extracted out of row alignment for the rows from "Allow sending diagnostic and usage data to Apple" to "Allow adding Game Center friends": Applications, Applications (Policy Group); 080007; 080013; Enable/Disable, Enable, AIOS-02-080104; Enable/Disable, Disable; Enable/Disable, Disable; 080009; 080010; Enable/Disable, Enable, "iOS 4 and iOS 5 devices only"; Enable/Disable, Enable, "Control function changed in iOS 9"; Enable/Disable, Disable.
| | Force Apple Watch wrist detection | Enable/Disable | Enable | AIOS-11-080203 | |
| | Allow use of Safari | Enable/Disable | Enable | | |
| | Enable autofill | | | 080016 | |
| | Force fraud warning | Enable/Disable | Enable | | |
| | Enable JavaScript | Enable/Disable | Enable | | |
| | Block pop-ups | Enable/Disable | Enable | | |
| | Accept Cookies | Never / From visited sites / Always | From visited sites | | |
| | Ratings region | Australia / Canada / France / Germany / Ireland / Japan / New Zealand / United Kingdom / United States | United States | | |
Policy Group cell extracted on this page without a separable row: Media Content.
| Media Content | Allowed Content Ratings (Movies) | Varies by country | Allow All Movies | | |
| Media Content | Allowed Content Ratings (TV Shows) | Varies by country | Allow All TV Shows | | |
| Media Content | Allowed Content Ratings () | 4+/9+/12+/17+ | Allow All | | |
| Media Content | Allow playback of explicit music, podcasts and iTunes U media | Enable/Disable | Disable | | |
| Media Content | Allow explicit sexual content in iBooks Store | Enable/Disable | Disable | | |
| Domains | Unmarked Email Domains | Add/Remove | Enterprise email domain | | |
| Exchange Active Sync | Enable S/MIME | Enable/Disable | Enable | | |
| Exchange Active Sync | Use SSL | Enable/Disable | Enable | AIOS-03-080101 | |
| Exchange Active Sync | Past Days of Mail to Sync | No limit / 1 day / 3 days / 1 week / 2 weeks / 1 month | No limit | | "No limit" is not a default setting. |
| Exchange Active Sync | Allow messages to be moved | Enable/Disable | Disable | AIOS-03-080102 | |
| Exchange Active Sync | Allow recent addresses to be synced | Enable/Disable | Enable | | |
| Exchange Active Sync | Use only in Mail | Enable/Disable | Disable | | Prevents third-party apps from sending messages using the Exchange email account. |
| Exchange Active Sync | Allow MailDrop | | | 090100 | Prevents users from using the iOS MailDrop feature. Control is New |
| Certificates | NA | NA | NA | | It is not required to add certificates. If certificates are added, they must be DoD-approved certificates. |
| MDM Server Option | App must be deleted when the MDM enrollment profile is removed | Enable/Disable | Enable | AIOS-11-080202 | Must be configured on the MDM server for each Managed App. |
| MDM Server Option | Allow backup in Managed | Enable/Disable | Disable | AIOS-11-080201 | Must be configured on the MDM server for each Managed App. |
| Managed Domains | Managed Safari Web Domains | Add/Remove | List of .mil domains | | An example configuration profile listing .mil domains will be provided as PKI-protected content at the IASE website (http://iase.disa.mil). Authorized individuals should visit the site for the latest guidance on appropriate use of managed domains. |
| VPN | Per App VPN | Enable/Disable | Enable | AIOS-11-080200 | Not required if the Always-on VPN profile is enabled or a DoD-approved VPN profile is installed or if the App has VPN functions already included in the App. |
| VPN | Always-on VPN | Enable/Disable | Enable | AIOS-11-080200 | This setting is only. Not required if the Per App VPN is enabled or a DoD-approved VPN profile is installed or the App has VPN functions already included in the App. |
| VPN | VPN Function included in App | NA | | AIOS-11-080200 | Not required if the Always-on VPN profile is enabled or the Per App VPN is enabled or a DoD-approved VPN profile is installed. |
| | Allow iCloud Photo Library | Enable/Disable | | 090101 | New |
| | Treat AirDrop as unmanaged destination | Enable/Disable | Enable | AIOS-02-090102 | New |
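Added example, not part of the STIG or of any DoD-issued profile: a Python check of the Table 1 Passcode rows against a constructed configuration profile. It assumes Apple's com.apple.mobiledevice.passwordpolicy payload keys (allowSimple, minLength, maxInactivity, maxGracePeriod, maxFailedAttempts) carry those rows' settings, with maxGracePeriod 0 meaning "Immediately"; it applies the general "15 minus auto-lock" grace-period rule, of which the 15-minute case called out in the table is one instance.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample (not a DoD-issued profile): one passcode payload whose
# keys are Apple's password-policy payload keys, assumed to map to Table 1
# rows as commented.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PASSCODE_PAYLOAD,
        "allowSimple": True,       # Allow Simple Value: must be Disable
        "minLength": 4,            # Minimum passcode length: 6
        "maxInactivity": 15,       # Maximum autolock: 15 is the maximum allowable
        "maxGracePeriod": 5,       # Grace period: 15 minus auto-lock, so 0 here
        "maxFailedAttempts": 10,   # Maximum number of failed attempts: 10
    }],
})

def check_passcode_policy(policy):
    """Return (STIG ID, finding) tuples for one passcode payload dict."""
    findings = []
    if policy.get("allowSimple", True):  # Apple's default allows simple values
        findings.append(("AIOS-01-080007", "simple passcodes are allowed"))
    if policy.get("minLength", 0) < 6:
        findings.append(("AIOS-01-080004", "minimum passcode length below 6"))
    autolock = policy.get("maxInactivity")
    if autolock is None or autolock > 15:
        findings.append(("AIOS-01-080002", "auto-lock missing or above 15 minutes"))
    elif policy.get("maxGracePeriod", 0) > 15 - autolock:
        # Grace period is capped at 15 minus the auto-lock time, so a
        # 15-minute auto-lock leaves only 0 ("Immediately") as acceptable.
        findings.append(("AIOS-01-080002", "grace period exceeds 15 minus auto-lock"))
    attempts = policy.get("maxFailedAttempts")
    if attempts is None or attempts > 10:
        findings.append(("AIOS-01-080005", "failed-attempt limit missing or above 10"))
    return findings

def check_profile(profile_bytes):
    """Find the passcode payload in a .mobileconfig plist and check it."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD:
            return check_passcode_policy(payload)
    return [(None, "no passcode policy payload in profile")]

if __name__ == "__main__":
    for stig_id, finding in check_profile(SAMPLE_PROFILE):
        print(stig_id or "-", finding)
```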
Table 2: Supervised Controls

| Policy Group | Policy Rule | Options | Value | Comments |
| | Allow manual install of configuration profiles | Enable/Disable | Disable | This setting is only |
| | Allow account modification | Enable/Disable | Disable | This setting is only |
| | Allow Game Center | Enable/Disable | Disable | This setting is only |
| | Multiplayer gaming | Enable/Disable | Disable | This setting is only |
| | Adding Game Center Friends | Enable/Disable | Disable | This setting is only |
| | Allow AirDrop | | | This setting can be set in conjunction with treating AirDrop as unmanaged. |
| | Allow Find my friends | Enable/Disable | Disable | This setting is only |
| | Allow removal of apps | Enable/Disable | Disable | This setting is only |
| | Allow pairing to computers for content sync | Enable/Disable | Disable | This setting is only |
| | Allow iMessage | | | |
| | Enable Siri Profanity Filter | | | |
| | Show User Generated content in Siri | | | |
| | Allow iBooks Store | | | |
| | Allow installing apps using App Store | | | |
| | Allow automatic app downloads | | | |
| | Allow Erase All Content and | | | |
| | Allow modifying cellular data app | | | |
Cells extracted out of row alignment for the rows from "Allow iMessage" to "Allow modifying cellular data app": Became a Supervised control iOS 9; Enable/Disable, Disable, This setting is only; New; settings (continuation of one of the two truncated rule names above).
| | Allow modifying device name | | | New |
| | Allow modifying passcode | | | New |
| | Allow modifying Touch ID fingerprints | | | New |
| | Allow modifying restrictions | | | |
| | Allow modifying Wallpaper | | | New |
| | Allow pairing with Apple Watch | Enable/Disable | Enable (if approved by AO) | This setting is only. New |
| | Allow Predictive keyboard | | | New in iOS 8.4 |
| | Allow keyboard shortcuts | | | New |
| | Allow auto correction | | | New in iOS 8.4 |
| | Allow Spell check | | | New in iOS 8.4 |
| | Allow Define | | | New in iOS 8.4 |
| | Allow use of News | | | New |
| | Allow use of Podcasts | | | |
| | Allow Trusting new Enterprise App Authors | Enable/Disable | Disable | This setting is only. New |
Fragment extracted on this page without its row: "devices are supervised" (the tail of one of the "This setting is only" comment cells).