Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254578	AIOS-16-001000	SV-254578r862237_rule		Low

Description
The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. SFR ID: FMT_SMF_EXT.1.1 #3

Description

The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a user could inadvertently or maliciously set up a VPN and connect to a network that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. SFR ID: FMT_SMF_EXT.1.1 #3

STIG	Date
Apple iOS/iPadOS 16 Security Technical Implementation Guide	2022-10-03

Details

Check Text ( C-58189r861988_chk )
Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DoD network (work) VPN profile. This validation procedure is performed on the iOS device only. On the iPhone and iPad: 1. Open the Settings app. 2. Tap "General". 3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists. 4. If not, the requirement has been met. 5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client. 6. Verify no DoD network VPN profiles are configured on the VPN client. If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DoD network VPN profile configured on the client, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.

Check Text ( C-58189r861988_chk )

Review the list of unmanaged apps installed on the iPhone and iPad and determine if any third-party VPN clients are installed. If so, verify the VPN app is not configured with a DoD network (work) VPN profile.

This validation procedure is performed on the iOS device only.

On the iPhone and iPad:
1. Open the Settings app.
2. Tap "General".
3. Tap the "VPN and Device Management" line and determine if any "Personal VPN" exists.
4. If not, the requirement has been met.
5. If there are personal VPNs, open each VPN app. Review the list of VPN profiles configured on the VPN client.
6. Verify no DoD network VPN profiles are configured on the VPN client.

If any third-party unmanaged VPN apps are installed (personal VPN) and they have a DoD network VPN profile configured on the client, this is a finding.

Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.

Fix Text (F-58135r861989_fix)
If a third-party unmanaged VPN app is installed on the iOS 16 device, do not configure the VPN app with a DoD network VPN profile.