| V-276384 | | Apple visionOS 2 must be configured to enforce a passcode reuse prohibition of at least two generations. | visionOS/iPadOS 17 and later versions include a feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the pre... |
| V-276392 | | Apple visionOS 2 must require a valid password be successfully entered before the mobile device data is unencrypted. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may... |
| V-276396 | | Vision Pro must have the latest available visionOS operating system installed. | Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF.1.... |
| V-276375 | | Apple visionOS 2 must not allow backup to remote systems (iCloud). | If a user can configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD inform... |
| V-276376 | | Apple visionOS 2 must not allow backup to remote systems (iCloud document and data synchronization). | If a user can configure the security setting, they could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD informatio... |
| V-276377 | | Apple visionOS 2 must not allow backup to remote systems (iCloud Keychain). | If a user can configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD inform... |
| V-276378 | | Apple visionOS 2 must not allow backup to remote systems (Cloud Photo Library). | If a user can configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD inform... |
| V-276379 | | Apple visionOS 2 must not allow backup to remote systems (managed applications data stored in iCloud). | If a user can configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD inform... |
| V-276380 | | Apple visionOS 2 must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a ... |
| V-276381 | | Apple visionOS 2 must be configured to not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or s... |
| V-276382 | | Apple visionOS 2 must be configured to lock the display after 15 minutes (or fewer) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-276383 | | Apple visionOS 2 must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on ... |
| V-276385 | | Apple visionOS 2 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store]. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-276386 | | Apple visionOS 2 must be configured to not display notifications when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently ... |
| V-276388 | | Apple visionOS 2 must not allow non-DOD applications to access DOD data. | App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant ri... |
| V-276389 | | Apple visionOS 2 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM. | When a mobile device is no longer managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected b... |
| V-276390 | | Apple visionOS 2 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM. | When a mobile device is no longer managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected b... |
| V-276391 | | Apple visionOS 2 must be configured to disable ad hoc wireless client-to-client connection capability. | Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and... |
| V-276395 | | Apple visionOS 2 must implement the management setting: disable Allow MailDrop. | MailDrop allows users to send large attachments (up to 5 GB) via iCloud. Storing data with a non-DOD cloud provider may leave the data vulnerable to b... |
| V-276397 | | Apple visionOS 2 must implement the management setting: use Secure Sockets Layer (SSL) for Exchange ActiveSync. | Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. SSL, also referred to as... |
| V-276398 | | Apple visionOS 2 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple visionOS 2 Mail app. | The Apple visionOS Mail app can be configured to support multiple email accounts concurrently. These email accounts are likely to involve content of v... |
| V-276399 | | Apple visionOS 2 must implement the management setting: treat AirDrop as an unmanaged destination. | AirDrop is a way to send contact information or photos to other users with AirDrop enabled. This feature enables a possible attack vector for adversar... |
| V-276400 | | Apple visionOS 2 users must complete required training. | The security posture on visionOS devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (... |
| V-276401 | | A managed photo app must be used to take and store work-related photos. | The visionOS Photos app is unmanaged and may sync photos with a device or user's personal iCloud account. Therefore, work-related photos must not be t... |
| V-276404 | | Apple visionOS 2 must implement the management setting: disable AirDrop. | AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector fo... |
| V-276405 | | Apple visionOS 2 must disable "Password AutoFill" in browsers and applications. | The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without p... |
| V-276406 | | Apple visionOS 2 must disable password sharing. | This control allows sharing passwords between Apple devices using AirDrop. This could lead to a compromise of the device password with an unauthorized... |
| V-276407 | | The Apple visionOS 2 must be supervised by the MDM. | When visionOS is not supervised, the DOD mobile service provider cannot control when new visionOS updates are installed on site-managed devices. Most ... |
| V-276409 | | Apple visionOS must implement the management setting: not allow a user to remove Apple visionOS configuration profiles that enforce DOD security requirements. | Configuration profiles define security policies on Apple visionOS devices. If a user can remove a configuration profile, the user can then change the ... |
| V-276410 | | Apple visionOS 2 must disable "Allow network drive access in Files access". | Allowing network drive access by the Files app could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and c... |
| V-276411 | | Apple visionOS 2 must disable connections to Siri servers for the purpose of dictation. | If a user can configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD inform... |
| V-276412 | | Apple visionOS 2 must disable copy/paste of data from managed to unmanaged applications. | If a user can configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD inform... |
| V-276413 | | Apple visionOS 2 must have DOD root and intermediate PKI certificates installed. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |
| V-276414 | | Apple visionOS 2 must disable ChatGPT connection for Apple Intelligence. | The ChatGPT feature of Apple Intelligence allows DOD information to be downloaded from the DOD Vision Pro and processed by the ChatGPT application in ... |
| V-276415 | | Apple visionOS 2 must disable the download of visionOS beta updates. | Beta operating system updates may contain features that could lead to the compromise of sensitive DOD information or provide a vector for the attack o... |
| V-276417 | | Apple visionOS 2 must disable the ability of the user to wipe the device. | This feature must be disabled to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users could wi... |
| V-276421 | | DOD Apple visionOS 2 devices must have a Mobile Threat Detection (MTD) app installed. | DOD mobile devices are in constant risk of cyber threats. Mobile Threat Detection (MTD) apps mitigate these risks by providing real-time threat detect... |
| V-279327 | | Apple visionOS 2 must implement the management setting: disable the Bluetooth radio. | Authorizing Official (AO) approval is required before the Apple device Bluetooth radio can be enabled. All AO approvals should be documented and based... |
| V-276374 | | Apple visionOS 2 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis]. | The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a ... |
| V-276387 | | Apple visionOS 2 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-276393 | | Apple visionOS 2 must implement the management setting: not allow automatic completion of Safari browser passcodes. | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without prev... |
| V-276394 | | Apple visionOS 2 must implement the management setting: not allow use of Handoff. | Handoff permits a user of a Vision Pro to transition user activities from one device to another. Handoff passes sufficient information between the dev... |
| V-276402 | | Apple visionOS 2 must not allow managed apps to write contacts to unmanaged contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-276403 | | Apple visionOS 2 must not allow unmanaged apps to read contacts from managed contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-276408 | | The Apple visionOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third-party. This data enables the developers to understand real-wor... |
| V-276416 | | Apple Vision Pro hardware must not be modified to use the Developer Strap unless use is approved on a case-by-case basis by the authorizing official (AO). | The Apple Developer Strap provides a USB connector on the AVP and is used to download content on the AVP from a Mac. Using the Developer Strap without... |
| V-276418 | | Apple visionOS 2 must disable the use of the voice assistant (Siri) unless required to meet Section 508 compliance requirements. | Using voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests. SFR ID: FMT_MOF_EXT.1.2 #4... |
| V-276419 | | Apple visionOS 2 must disable Apple Intelligence feature: Image Generation. | The security of the Apple Intelligence system has not been vetted by the DOD and the risk to DOD sensitive information is not known at this time. Ther... |
| V-276420 | | Apple visionOS 2 must disable Apple Intelligence feature: generate new Genmoji. | The security of the Apple Intelligence system has not been vetted by the DOD and the risk to DOD sensitive information is not known at this time. Ther... |
| V-276422 | | DOD Apple visionOS 2 devices must disable screenshots and screen recordings. | A screenshot or screen recording of sensitive DOD information could lead to the inadvertent exposure of that information. SFR ID: FMT_MOF_EXT.1.2 #47... |