Interview the site IAO and iOS device system administrator. Also, perform the following actions on a random sample of site-managed iOS devices (3-4 devices, iPhone and iPad).
-Verify an iOS restriction has been placed on the iOS devices and the system administrator has assigned a four-character passcode, so the user cannot remove it. The iOS Restriction passcode must meet the same complexity requirements as the device unlock passcode: no sequential numbers and no repeating numbers.
*Have the site iOS system administrator show that a Restriction policy is on the device. Go to Settings > General > Restrictions. Mark as a finding if no Restriction exists.
*Have the site iOS system administrator log into the Restriction policy. Mark as a finding if the restriction passcode is not 4 characters and does not meet the complexity requirements.
*Interview several users and determine if they have been given the Restriction passcode by the system administrator. If yes, mark as a finding.
-After the system administrator opens the Restriction, verify the following configuration setting has been set in the Restriction policy to disable the capability for a device wipe command to be initiated on the device when received from an iCloud account:
----Allow Changes > Accounts > Don't Allow Changes (If the DAA has not approved the use of personal email, this setting must be checked. If not checked, ask to see documentation showing DAA approval of personal email on site-managed iOS devices.)
-If personal email is allowed, verify the following configuration setting has been set in the Restriction policy:
----Privacy > Location Services > Find My iPhone set to Off.
Mark as a finding if any of these settings is not set as required.