diff --git a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
index 35130085b..16e3baf77 100644
--- a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
+++ b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
@@ -23,6 +23,8 @@ references:
 disa_stig:
 - AIOS-16-003600
 - AIOS-16-703600
+ - AIOS-16-009200
+ - AIOS-16-709200
 800-171r2:
 - N/A
 cis:
diff --git a/rules/os/os_disallow_enterprise_app_trust.yaml b/rules/os/os_disallow_enterprise_app_trust.yaml
new file mode 100644
index 000000000..1521d3338
--- /dev/null
+++ b/rules/os/os_disallow_enterprise_app_trust.yaml
@@ -0,0 +1,40 @@
+id: os_disallow_enterprise_app_trust
+title: "Disallow Apps to be Installed from Unauthorized Sources"
+discussion: |-
+ Apps _MUST_ be installed from authorized application repositories. Disallowing enterprise app trust prevents apps from being provisioned by universal provisioning profiles.
+check: ' '
+fix: This is implemented by a Configuration Profile
+references:
+ cce:
+ - CCE-93262-4
+ cci:
+ - CCI-000366
+ 800-53r5:
+ - CM-11
+ sfr:
+ - 'FMT_SMF_EXT.1.1 #8a'
+ disa_stig:
+ - AIOS-16-007000
+ - AIOS-16-707000
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - N/A
+iOS:
+ - "16.0"
+tags:
+ - ios
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - ios_stig
+ - ios_stig_byoad
+severity: low
+supervised: false
+mobileconfig: true
+mobileconfig_info:
+ con.apple.applicationaccess:
+ allowEnterpriseAppTrust: false
diff --git a/rules/supplemental/supplemental_stig.yaml b/rules/supplemental/supplemental_stig.yaml
index af9b388d0..23e576d69 100644
--- a/rules/supplemental/supplemental_stig.yaml
+++ b/rules/supplemental/supplemental_stig.yaml
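Review bot: The payload domain under `mobileconfig_info` in the new os_disallow_enterprise_app_trust.yaml is spelled `con.apple.applicationaccess`, which is not an Apple payload type; the Restrictions payload that carries `allowEnterpriseAppTrust` is `com.apple.applicationaccess`. As written, the generated profile would carry a payload type devices do not recognize, so the restriction would most likely not be enforced even though the rule is tagged `mobileconfig: true`; the key should read `com.apple.applicationaccess:`. The `check: ' '` value (a single space) also looks like a placeholder — if other profile-only iOS rules in this repository use the same convention it is fine, otherwise an empty string or a one-line note saying the check is performed via the installed profile would be clearer.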
@@ -1,33 +1,33 @@ id: supplemental_stig title: "DISA STIG Supplemental" discussion: | - This supplemental contains DISA STIG controls that require MDM. + These controls are controls that require additional considerations for your environment. + + Please refer to your vendor's MDM documentation for instructions on how to implement these controls. [cols="20%h, 80%a"] |=== |STIG ID - |Notes + |Rule Title - |AIOS-16-004900| - |AIOS-16-005000| - |AIOS-16-007000 + - AIOS-16-707000| + |AIOS-16-004900| Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM. + |AIOS-16-005000| Apple iOS/iPadOS 16 must [selection: remove Enterprise application, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM. |AIOS-16-008400 + - AIOS-16-708400| + AIOS-16-708400| Apple iOS/iPadOS 16 must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device. |AIOS-16-009200 + - AIOS-16-709200| - |AIOS-16-009800| + AIOS-16-709200| Apple iOS/iPadOS 16 must be configured to not allow backup of [all applications, configuration data] to locally connected systems. + |AIOS-16-009800| Apple iOS/iPadOS 16 must be configured to disable multiuser modes. |AIOS-16-009900 + - AIOS-16-709900| - |AIOS-16-010000| + AIOS-16-709900| Apple iOS/iPadOS 16 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM. + |AIOS-16-010000| Apple iOS/iPadOS 16 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM. |AIOS-16-011200 + - AIOS-16-711200| - |AIOS-16-011600| + AIOS-16-711200| iPhone and iPad must have the latest available iOS/iPadOS operating system installed. + |AIOS-16-011600| Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing. 
|AIOS-16-011900 + - AIOS-16-711900| + AIOS-16-711900| Apple iOS/iPadOS 16 users must complete required training. |AIOS-16-012000 + - AIOS-16-712000| - |AIOS-16-013500| + AIOS-16-712000| A managed photo app must be used to take and store work-related photos. + |AIOS-16-013500| Apple iOS must implement the management setting: Not allow a user to remove Apple iOS configuration profiles that enforce DoD security requirements. |=== check: | fix: |
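Review bot: The AIOS-16-009200 / AIOS-16-709200 row is kept in the supplemental table even though this same commit adds both IDs to the disa_stig references of icloud_managed_apps_store_data_disabled.yaml, while the AIOS-16-007000 / 707000 row is dropped here once os_disallow_enterprise_app_trust covers it. If the iCloud rule now fully implements 009200 the row should be removed for consistency; if it only partially covers the STIG rule, a short note in the row saying which part still needs MDM attention would keep the two files from contradicting each other. The new opening sentence `These controls are controls that require additional considerations for your environment.` also reads awkwardly; `These controls require additional consideration for your environment.` says the same thing.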