STIGs Search Compare About

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
Compare Versions

Resources

About
VPAT
DISA STIG Library

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide

Version

V1R2

Benchmark ID

Apple_iOS_iPadOS_17_MDFPP_3-3_BYOAD_STIG

Total Checks

35

Tags

mobile

CAT I: 3CAT II: 24CAT III: 8

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON

Checks (35)

V-259760LOWApple iOS/iPadOS 17 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device.V-259761MEDIUMApple iOS/iPadOS 17 must not allow backup to remote systems (managed applications data stored in iCloud).V-259762MEDIUMApple iOS/iPadOS 17 must not allow backup to remote systems (enterprise books).V-259763MEDIUMApple iOS/iPadOS 17 must be configured to enforce a minimum password length of six characters.V-259764MEDIUMApple iOS/iPadOS 17 must be configured to not allow passwords that include more than four repeating or sequential characters.V-259766MEDIUMApple iOS/iPadOS 17 must be configured to lock the display after 15 minutes (or less) of inactivity.V-259767MEDIUMApple iOS/iPadOS 17 must be configured to not allow more than 10 consecutive failed authentication attempts.V-259768HIGHApple iOS/iPadOS 17 must be configured to enforce a passcode reuse prohibition of at least two generations.V-259769MEDIUMApple iOS/iPadOS 17 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store].V-259770MEDIUMApple iOS/iPadOS 17 allow list must be configured to not include applications with the following characteristics: - backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - transmits MD diagnostic data to non-DOD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2/FIPS 140-3 validated) data sharing with other MDs or printers.V-259771MEDIUMApple iOS/iPadOS 17 must be configured to not display notifications when the device is locked.V-259772MEDIUMApple iOS/iPadOS 17 must not display notifications (calendar information) when the device is locked.V-259773LOWApple iOS/iPadOS 17 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.V-259774MEDIUMApple iOS/iPadOS 17 must be configured to not allow backup of [all applications, configuration data] to locally connected systems.V-259775MEDIUMApple iOS/iPadOS 17 must not allow non-DOD applications to access DOD data.V-259776MEDIUMApple iOS/iPadOS 17 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.V-259777MEDIUMApple iOS/iPadOS 17 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory installed application)] upon unenrollment from MDM.V-259778HIGHApple iOS/iPadOS 17 must require a valid password be successfully entered before the mobile device data is unencrypted.V-259779MEDIUMApple iOS/iPadOS 17 must implement the management setting: Encrypt backups/Encrypt local backup.V-259780LOWApple iOS/iPadOS 17 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device.V-259781LOWApple iOS/iPadOS 17 must implement the management setting: require passcode for incoming Airplay connection requests.V-259782HIGHiPhone and iPad must have the latest available iOS/iPadOS operating system installed.V-259783MEDIUMApple iOS/iPadOS 17 must implement the management setting: use SSL for Exchange ActiveSync.V-259784MEDIUMApple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app.V-259785MEDIUMApple iOS/iPadOS 17 must implement the management setting: Treat AirDrop as an unmanaged destination.V-259786LOWApple iOS/iPadOS 17 must implement the management setting: force Apple Watch wrist detection.V-259787MEDIUMApple iOS/iPadOS 17 users must complete required training.V-259788MEDIUMA managed photo app must be used to take and store work-related photos.V-259789LOWApple iOS/iPadOS 17 must not allow managed apps to write contacts to unmanaged contacts accounts.V-259790LOWApple iOS/iPadOS 17 must not allow unmanaged apps to read contacts from managed contacts accounts.V-259791LOWThe Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.V-259792MEDIUMApple iOS/iPadOS 17 must disable copy/paste of data from managed to unmanaged applications.V-259793MEDIUMApple iOS/iPadOS 17 must have DOD root and intermediate PKI certificates installed.V-259794MEDIUMApple iOS/iPadOS 17 must not allow DOD applications to access non-DOD data.V-274439MEDIUMAll Apple iOS/iPadOS 17 BYOAD installations must be removed.