| V-278718 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (iCloud). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278719 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (iCloud document and data synchronization). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278720 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (iCloud Keychain). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278721 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (Cloud Photo Library). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278722 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Stream or Shared Photo Stream). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278723 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (managed applications data stored in iCloud). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278724 | | Apple iOS/iPadOS 26 must not allow backup to remote systems (enterprise books). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278747 | | Apple iOS/iPadOS 26 must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a ... |
| V-278748 | | Apple iOS/iPadOS 26 must be configured to not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or s... |
| V-278750 | | Apple iOS/iPadOS 26 must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-278751 | | Apple iOS/iPadOS 26 must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on ... |
| V-278753 | | Apple iOS/iPadOS 26 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store]. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-278755 | | Apple iOS/iPadOS 26 must not include applications with the following characteristics: access to Siri when the device is locked. | Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) th... |
| V-278757 | | Apple iOS/iPadOS 26 allow list must be configured to not include applications with the following characteristics:
- Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmits MD diagnostic data to non-DOD servers;
- Allows synchronization of data or applications between devices associated with user;
- Allows unencrypted (or encrypted but not FIPS 140-3-validated) data sharing with other MDs or printers; and
- Backs up own data to a remote system. | Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) th... |
| V-278758 | | Apple iOS/iPadOS 26 must be configured to not display notifications when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently ... |
| V-278759 | | Apple iOS/iPadOS 26 must not display notifications (calendar information) when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently ... |
| V-278773 | | Apple iOS/iPadOS 26 must be configured to not allow backup of [all applications, configuration data] to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed u... |
| V-278777 | | Apple iOS/iPadOS 26 must not allow non-DOD applications to access DOD data. | App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant ri... |
| V-278778 | | Apple iPadOS 26 must be configured to disable multiuser modes. | Multiuser mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with mu... |
| V-278779 | | Apple iOS/iPadOS 26 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM. | When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be... |
| V-278780 | | Apple iOS/iPadOS 26 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM. | When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be... |
| V-278782 | | Apple iOS/iPadOS 26 must be configured to disable ad hoc wireless client-to-client connection capability. | Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and... |
| V-278788 | | Apple iOS/iPadOS 26 must implement the management setting: encrypt backups/Encrypt local backup. | If iCloud backups are not encrypted, this could lead to the unauthorized disclosure of DOD sensitive information if non-DOD personnel are able to acce... |
| V-278792 | | Apple iOS/iPadOS 26 must implement the management setting: disable Allow MailDrop. | MailDrop allows users to send large attachments (up to 5GB) via iCloud. Storing data with a non-DOD cloud provider may leave the data vulnerable to br... |
| V-278794 | | Apple iOS/iPadOS 26 must implement the management setting: use SSL for Exchange ActiveSync. | Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SS... |
| V-278795 | | Apple iOS/iPadOS 26 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 26 Mail app. | The Apple iOS/iPadOS Mail app can be configured to support multiple email accounts concurrently. These email accounts are likely to involve content of... |
| V-278796 | | Apple iOS/iPadOS 26 must implement the management setting: treat AirDrop as an unmanaged destination. | AirDrop is a way to send contact information or photos to other users with AirDrop enabled. This feature enables a possible attack vector for adversar... |
| V-278798 | | Apple iOS/iPadOS 26 must implement the management setting: not share location data through iCloud. | Sharing of location data is an operational security (OPSEC) risk because it potentially allows an adversary to determine a DOD user's location, moveme... |
| V-278800 | | Apple iOS/iPadOS 26 users must complete required training. | The security posture on iOS devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) ... |
| V-278801 | | A managed photo app must be used to take and store work-related photos. | The iOS Photos app is unmanaged and may sync photos with a device or user's personal iCloud account; therefore, work-related photos must not be taken ... |
| V-278803 | | Apple iOS/iPadOS 26 must implement the management setting: enable USB Restricted Mode. | The USB port on an iOS device can be used to access data on the device. The required settings ensure the Apple device password is entered before a pre... |
| V-278806 | | Apple iOS/iPadOS 26 must implement the management setting: disable AirDrop. | AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector fo... |
| V-278807 | | Apple iOS/iPadOS 26 must implement the management setting: disable paired Apple Watch. | Sensitive DOD could be exposed if an unauthorized Apple Watch is paired to a DOD iPhone.
SFR ID: FMT_SMF.1.1 #47... |
| V-278809 | | Apple iOS/iPadOS 26 must disable "Password AutoFill" in browsers and applications. | The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without p... |
| V-278810 | | Apple iOS/iPadOS 26 must disable "Allow setting up new nearby devices". | This control allows Apple device users to request passwords from nearby devices. This could lead to a compromise of the device password with an unauth... |
| V-278811 | | Apple iOS/iPadOS 26 must disable password proximity requests. | This control allows one Apple device to be notified to share its password with a nearby device. This could lead to a compromise of the device password... |
| V-278812 | | Apple iOS/iPadOS 26 must disable password sharing. | This control allows sharing passwords between Apple devices using AirDrop. This could lead to a compromise of the device password with an unauthorized... |
| V-278814 | | The Apple iOS/iPadOS 26 must be supervised by the MDM. | When an iOS/iPadOS is not supervised, the DOD mobile service provider cannot control when new iOS/iPadOS updates are installed on site-managed devices... |
| V-278815 | | Apple iOS/iPadOS 26 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DOD-approved USB storage drives with iOS/iPadOS devices. | Unauthorized use of USB storage drives could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and compromis... |
| V-278817 | | Apple iOS must implement the management setting: not allow a user to remove Apple iOS configuration profiles that enforce DOD security requirements. | Configuration profiles define security policies on Apple iOS devices. If a user is able to remove a configuration profile, the user can then change th... |
| V-278818 | | Apple iOS/iPadOS 26 must disable "Allow network drive access in Files access". | Allowing network drive access by the Files app could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and c... |
| V-278819 | | Apple iOS/iPadOS 26 must disable connections to Siri servers for the purpose of dictation. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278820 | | Apple iOS/iPadOS 26 must disable connections to Siri servers for the purpose of translation. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278821 | | Apple iOS/iPadOS 26 must disable copy/paste of data from managed to unmanaged applications. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-278822 | | Apple iOS/iPadOS 26 must have DOD root and intermediate PKI certificates installed. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |
| V-278823 | | Apple iOS/iPadOS 26 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. | Auto Unlock allows an Apple Watch to automatically unlock an iPhone or Mac when in close proximity (not available for iPad). This feature allows the i... |
| V-278824 | | Apple iOS/iPadOS 26 must disable the installation of alternative marketplace apps. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-278825 | | Apple iOS/iPadOS 26 must disable app installation from a website. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-278826 | | Apple iOS/iPadOS 26 must delete eSIM content when the device is erased. | An eSIM may contain sensitive DOD data and must be wiped of data when the mobile device is wiped to protect sensitive data from exposure.
SFR ID: FMT... |
| V-278827 | | Apple iOS/iPadOS 26 must disable ChatGPT connection for Apple Intelligence. | The ChatGPT feature of Apple Intelligence allows DOD information to be downloaded from the DOD iPhone/iPad and processed by the ChatGPT application in... |
| V-278828 | | Apple iOS/iPadOS 26 must disable the download of iOS/iPadOS beta updates. | Beta operating system updates may contain features that could lead to the compromise of sensitive DOD information or provide a vector for the attack o... |
| V-278829 | | Apple iOS/iPadOS 26 must disable the ability to hide apps. | Hidden apps cannot be seen by enterprise management applications (e.g., MDM server), and therefore, unauthorized apps or apps with embedded malware co... |
| V-278830 | | Apple iOS/iPadOS 26 must disable recording cell phone calls on the iPhone. | Cell phone recordings are saved as unmanaged recordings in the Notes app, which may be accessible to unmanaged apps. There is a risk that sensitive DO... |
| V-278831 | | Apple iOS/iPadOS 26 must disable iPhone Mirroring on Mac. | iPhone Mirroring allows managed data on a DOD iPhone to be manipulated by an unmanaged Mac. In certain situations, this may lead to the exposure of se... |
| V-278832 | | Apple iOS/iPadOS 26 must disable the ability of the user to wipe the device. | This feature must be disabled in order to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users... |
| V-278836 | | Apple iOS/iPadOS 26 must disable automatic downloads of apps purchased on other Apple devices. | The automatic download of apps to a DOD mobile device could cause the exposure of sensitive DOD information when an unauthorized app is installed.
SF... |
| V-278837 | | Apple iOS/iPadOS 26 must disable pairing with a host Mac or PC. | The connection of a DOD iPhone to a Mac or PC could cause the exposure of sensitive DOD information.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-278847 | | DOD Apple iOS/iPadOS 26 devices must have a Mobile Threat Detection (MTD) app installed. | DOD mobile devices are in constant risk of cyber threats. MTD apps partially mitigate these risks by providing real-time threat detection, malware pre... |
| V-278851 | | Apple iOS/iPadOS 26 must implement the management setting: disable Camera. | There are three possible use cases regarding camera use on a DOD iPhone or iPad:
1. Disable use of the camera devicewide – both unmanaged and managed ... |
| V-278852 | | Apple iOS/iPadOS 26 must implement the management setting: disable the Bluetooth radio. | Authorizing Official (AO) approval is required before the Apple device Bluetooth radio can be enabled. All AO approvals should be documented and based... |
| V-278853 | | Apple iOS/iPadOS 26 must be configured to disable Wi-Fi Aware. | Wi-Fi Aware allows direct connections between nearby devices for fast data transfer, video streaming, and multiplayer gaming. It allows full peer-to-p... |
| V-278697 | | Apple iOS/iPadOS 26 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis]. | The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a ... |
| V-278767 | | Apple iOS/iPadOS 26 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-278786 | | Apple iOS/iPadOS 26 must implement the management setting: limit Ad Tracking. | Ad Tracking refers to the advertisers' ability to categorize the device and spam the user with ads that are most relevant to the user's preferences. B... |
| V-278787 | | Apple iOS/iPadOS 26 must implement the management setting: not allow automatic completion of Safari browser passcodes. | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without prev... |
| V-278789 | | Apple iOS/iPadOS 26 must implement the management setting: not allow use of Handoff. | Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff passes sufficient information between t... |
| V-278790 | | Apple iOS/iPadOS 26 must implement the management setting: not allow use of iPhone widgets on Mac. | iPhone widgets on Mac use Handoff. Handoff permits a user of an iPhone and iPad to transition user activities from one device to another. Handoff pass... |
| V-278791 | | Apple iOS/iPadOS 26 must implement the management setting: require the user to enter a password when connecting to an AirPlay-enabled device. | When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than th... |
| V-278797 | | Apple iOS/iPadOS 26 must implement the management setting: not have any Family Members in Family Sharing. | Apple's Family Sharing service allows Apple iOS/iPadOS users to create a Family Group whose members have several shared capabilities, including the ab... |
| V-278799 | | Apple iOS/iPadOS 26 must implement the management setting: force Apple Watch wrist detection. | Because Apple Watch is a personal device, it is key that any sensitive DOD data displayed on the Apple Watch cannot be viewed when the watch is not in... |
| V-278804 | | Apple iOS/iPadOS 26 must not allow managed apps to write contacts to unmanaged contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-278805 | | Apple iOS/iPadOS 26 must not allow unmanaged apps to read contacts from managed contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-278813 | | Apple iOS/iPadOS 26 must disable "Find My Friends" in the "Find My" app. | This control does not share a DOD user's location but encourages location sharing between DOD mobile device users, which can lead to operational secur... |
| V-278816 | | The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-wor... |
| V-278833 | | Apple iOS/iPadOS 26 must disable the use voice assistant (Siri) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests.
SFR ID: FMT_MOF_EXT.1... |
| V-278834 | | Apple iOS/iPadOS 26 must disable the use voice assistant (Show user-generated content in Siri) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests.
SFR ID: FMT_MOF_EXT.1... |
| V-278835 | | Apple iOS/iPadOS 26 must disable the use voice assistant (Siri suggestions) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests.
SFR ID: FMT_MOF_EXT.1... |
| V-278838 | | Apple iOS/iPadOS 26 must disable AirPrint. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information.
... |
| V-278839 | | Apple iOS/iPadOS 26 must disable AirPrint: Allow discovery of AirPrint printers using iBeacons. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information.
... |
| V-278840 | | Apple iOS/iPadOS 26 must disable AirPrint: Allow storage of AirPrint credentials in Keychain. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information.
... |
| V-278841 | | Apple iOS/iPadOS 26 must allow AirPrint feature: Disallow AirPrint to destinations with untrusted certificates. | AirPrint allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information.
... |
| V-278842 | | Apple iOS/iPadOS 26 must disable Allowed Content Ratings (Movies). | There is no known mission need for this personal use feature.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-278843 | | Apple iOS/iPadOS 26 must disable Allowed Content Ratings (TV Shows). | There is no known mission need for this personal use feature.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-278844 | | Apple iOS/iPadOS 26 must disable Apple Intelligence feature: Image Wand. | The security of the Apple Intelligence system has not been vetted by the DOD and the risk to DOD sensitive information is not known at this time. Ther... |
| V-278845 | | Apple iOS/iPadOS 26 must disable Apple Intelligence feature: Image Generation. | The security of the Apple Intelligence system has not been vetted by the DOD and the risk to DOD sensitive information is not known at this time. Ther... |
| V-278846 | | Apple iOS/iPadOS 26 must disable Apple Intelligence feature: generate new Genmoji. | The security of the Apple Intelligence system has not been vetted by the DOD and the risk to DOD sensitive information is not known at this time. Ther... |
| V-278848 | | DOD Apple iOS/iPadOS 26 devices must disable FaceTime. | FaceTime is considered a personal use feature.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-278849 | | DOD Apple iOS/iPadOS 26 devices must disable eSIM transfers. | eSIM transfers could lead to the unauthorized use of DOD paid cellular service.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-278850 | | DOD Apple iOS/iPadOS 26 devices must disable screenshots and screen recordings. | A screenshot or screen recording of sensitive DOD information could lead to the inadvertent exposure of that information.
SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-278752 | | Apple iOS/iPadOS 26 must be configured to enforce a passcode reuse prohibition of at least two generations. | iOS/iPadOS 17 and later versions include a feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the previous... |
| V-278784 | | Apple iOS/iPadOS 26 must require a valid password be successfully entered before the mobile device data is unencrypted. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may... |
| V-278793 | | iPhone and iPad must have the latest available iOS/iPadOS operating system installed. | Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.
SFR ID: FMT_SMF.1.... |
