refactor[rules] Modified and Added rule

Added os_disallow_enterprise_app_trust
Added STIG IDs to icloud_managed_apps_store_data_disabled

rules/icloud/icloud_managed_apps_store_data_disabled.yaml

@@ -23,6 +23,8 @@ references:
   disa_stig:
     - AIOS-16-003600
     - AIOS-16-703600
+    - AIOS-16-009200
+    - AIOS-16-709200
   800-171r2:
     - N/A
   cis:

rules/os/os_disallow_enterprise_app_trust.yaml

@@ -0,0 +1,40 @@
+id: os_disallow_enterprise_app_trust
+title: "Disallow Apps to be Installed from Unauthorized Sources"
+discussion: |-
+  Apps _MUST_ be installed from authorized application repositories. Disallowing enterprise app trust prevents apps from being provisioned by universal provisioning profiles.
+check: ' '
+fix: This is implemented by a Configuration Profile
+references:
+  cce:
+    - CCE-93262-4
+  cci:
+    - CCI-000366
+  800-53r5:
+    - CM-11
+  sfr:
+    - 'FMT_SMF_EXT.1.1 #8a'
+  disa_stig:
+    - AIOS-16-007000
+    - AIOS-16-707000
+  800-171r2:
+    - N/A
+  cis:
+    benchmark:
+      - N/A
+    controls v8:
+      - N/A
+iOS:
+  - "16.0"
+tags:
+  - ios
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - ios_stig
+  - ios_stig_byoad
+severity: low
+supervised: false
+mobileconfig: true
+mobileconfig_info:
+  con.apple.applicationaccess:
+    allowEnterpriseAppTrust: false

rules/supplemental/supplemental_stig.yaml

@@ -1,33 +1,33 @@
 id: supplemental_stig
 title: "DISA STIG Supplemental"
 discussion: |
-  This supplemental contains DISA STIG controls that require MDM.
+  These controls are controls that require additional considerations for your environment. 
+
+  Please refer to your vendor's MDM documentation for instructions on how to implement these controls.
   
   [cols="20%h, 80%a"]
   |===
   |STIG ID
-  |Notes
+  |Rule Title
 
-  |AIOS-16-004900|
-  |AIOS-16-005000|
-  |AIOS-16-007000 +
-  AIOS-16-707000|
+  |AIOS-16-004900| Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
+  |AIOS-16-005000| Apple iOS/iPadOS 16 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM.
   |AIOS-16-008400 +
-  AIOS-16-708400|
+  AIOS-16-708400| Apple iOS/iPadOS 16 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
   |AIOS-16-009200 +
-  AIOS-16-709200|
-  |AIOS-16-009800|
+  AIOS-16-709200| Apple iOS/iPadOS 16 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
+  |AIOS-16-009800| Apple iOS/iPadOS 16 must be configured to disable multiuser modes.
   |AIOS-16-009900 +
-  AIOS-16-709900|
-  |AIOS-16-010000|
+  AIOS-16-709900| Apple iOS/iPadOS 16 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
+  |AIOS-16-010000|  Apple iOS/iPadOS 16 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.
   |AIOS-16-011200 +
-  AIOS-16-711200|
-  |AIOS-16-011600|
+  AIOS-16-711200| iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
+  |AIOS-16-011600| Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.
   |AIOS-16-011900 +
-  AIOS-16-711900|
+  AIOS-16-711900| Apple iOS/iPadOS 16 users must complete required training.
   |AIOS-16-012000 +
-  AIOS-16-712000|
-  |AIOS-16-013500|
+  AIOS-16-712000| A managed photo app must be used to take and store work-related photos.
+  |AIOS-16-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements.
   |===
 check: |
 fix: |