STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to STIGs

Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD Security Technical Implementation Guide

Version

V1R2

Benchmark ID

Apple_iOS-iPadOS_16_MDFPP_3-3_BYOAD_STIG

Total Checks

20

Tags

mobile
CAT I: 4CAT II: 13CAT III: 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSON

Checks (20)

V-257085MEDIUMThe EMM system supporting the iOS/iPadOS 16 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.V-257086MEDIUMThe EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to initiate autonomous monitoring, compliance, and validation prior to granting the BYOAD access to DOD information and IT resources.V-257087MEDIUMThe EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD native security controls are disabled.V-257088MEDIUMThe EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if known malicious, blocked, or prohibited applications are installed on the BYOAD (DOD-managed segment only).V-257089MEDIUMThe EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to detect if the BYOAD is configured to access nonapproved third-party applications stores (DOD-managed segment only).V-257090MEDIUMThe EMM detection/monitoring system must use continuous monitoring of enrolled iOS/iPadOS 16 BYOAD.V-257091MEDIUMThe iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects native security controls are disabled.V-257092MEDIUMThe iOS/iPadOS 16 BYOAD must be configured to either disable access to DOD data, IT systems, and user accounts or wipe managed data and apps if the EMM system detects the BYOAD device has known malicious, blocked, or prohibited applications or is configured to access nonapproved managed third-party applications stores.V-257093MEDIUMThe iOS/iPadOS 16 BYOAD must be configured so that managed data and apps are removed if the device is no longer receiving security or software updates.V-257094HIGHThe BYOAD and DOD enterprise must be configured to limit access to only enterprise corporate-owned IT resources approved by the authorizing official (AO).V-257095LOWThe iOS/iPadOS 16 BYOAD must be configured to protect users' privacy, personal information, and applications.V-257096LOWThe EMM system supporting the iOS/iPadOS 16 BYOAD must be configured to only wipe managed data and apps and not unmanaged data and apps when the user's access is revoked or terminated, the user no longer has the need to access DOD data or IT, or the user reports a registered device as lost, stolen, or showing indicators of compromise.V-257097MEDIUMThe iOS/iPadOS 16 BYOAD must be deployed in Device Enrollment mode or User Enrollment mode.V-257098MEDIUMThe iOS/iPadOS 16 BYOAD device must be configured to disable copy and paste from managed (work profile) apps/contacts to unmanaged (personal profile) apps/contacts and vice versa.V-257100HIGHThe EMM system supporting the iOS/iPadOS 16 BYOAD must be NIAP validated (included on the NIAP list of compliant products or products in evaluation) unless the DOD CIO has granted an approved Exception to Policy (E2P).V-257101LOWThe User Agreement must include a description of what personal data and information is being monitored, collected, or managed by the EMM system or deployed agents or tools.V-257102MEDIUMThe DOD Mobile Service Provider must not allow BYOADs in facilities where personally owned mobile devices are prohibited.V-257103MEDIUMThe iOS/iPadOS 16 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.V-257136HIGHThe mobile device used for BYOAD must be NIAP validated.V-274443HIGHAll Apple iOS/iPadOS 16 BYOAD installations must be removed.