
V-282793

CAT I (High)

Apple visionOS 26 must be configured to enforce a passcode reuse prohibition of at least two generations.

Rule ID

SV-282793r1195694_rule

STIG

Apple visionOS 26 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004061

Discussion

visionOS-iPadOS 17 and later versions include a feature that allows the previous passcode to remain valid for 72 hours after a passcode change. If the previous passcode has been compromised and the attacker has access to it and the Apple device, enterprise data and the enterprise network can be compromised. Currently, there is no MDM control to force the old passcode to expire immediately after a passcode change. However, the previous passcode will expire immediately after a passcode change if the MDM password history control is implemented.

SFR ID: FMT_SMF.1.1 #47

Check Content

Review configuration settings to confirm the Apple visionOS device has a passcode reuse prohibition of at least two generations.

This procedure is performed in the Apple visionOS management tool and on the Vision Pro. 

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. 

In the management tool, verify the "Passcode History" value is set to two or greater.

On the Vision Pro:
1. Open the Settings app. 
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the Apple visionOS management tool containing the password policy.
5. Tap "Restrictions".
6. Tap "Passcode".
7. Verify "Number of unique recent passcodes required" is listed as "two" or greater.

If the Apple visionOS device does not enforce a passcode reuse prohibition of at least two generations, this is a finding.
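
An added example (not part of the STIG or of any MDM product) that automates the management-tool side of this check against an exported configuration profile. It assumes the profile is an unsigned plist and that "Passcode History" maps to the `pinHistory` key of Apple's `com.apple.mobiledevice.passwordpolicy` payload; `check_passcode_history` and `make_profile` are hypothetical names, and the sample profiles are constructed.

```python
import plistlib

# Payload type and key of Apple's Passcode payload. The page only names the
# UI labels, so mapping them to these identifiers is this example's assumption.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
HISTORY_KEY = "pinHistory"
REQUIRED_GENERATIONS = 2  # "at least two generations" (V-282793)


def check_passcode_history(profile_bytes, minimum=REQUIRED_GENERATIONS):
    """Return (is_finding, reason) for one unsigned configuration profile."""
    profile = plistlib.loads(profile_bytes)
    content = profile.get("PayloadContent", [])
    payloads = [p for p in content
                if isinstance(p, dict)
                and p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return True, "profile carries no passcode policy payload"
    # Conservative choice: every passcode payload must set a conforming value.
    for payload in payloads:
        value = payload.get(HISTORY_KEY)
        # bool is a subclass of int in Python; a plist <true/> is not a count.
        if isinstance(value, bool) or not isinstance(value, int):
            return True, f"{HISTORY_KEY} missing or not an integer: {value!r}"
        if value < minimum:
            return True, f"{HISTORY_KEY}={value} is below {minimum}"
    return False, f"{HISTORY_KEY} meets the minimum of {minimum}"


def make_profile(passcode_settings):
    """Build a constructed sample profile (not a real export) as plist bytes."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadVersion": 1,
        "PayloadContent": [dict(passcode_settings,
                                PayloadType=PASSCODE_PAYLOAD_TYPE,
                                PayloadVersion=1)],
    })


if __name__ == "__main__":
    for label, settings in [("history=2", {"pinHistory": 2}),
                            ("history=1", {"pinHistory": 1}),
                            ("unset", {"forcePIN": True})]:
        print(label, check_passcode_history(make_profile(settings)))
```

A profile with an unset history value is reported as a finding, since without the password history control the previous passcode stays valid after a change. The on-device steps above still need to be performed to confirm the profile is installed.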

Fix Text

Install a configuration profile to enforce a passcode reuse prohibition of at least two generations (passcode history).