| V-282784 | | Apple visionOS 26 must not allow backup to remote systems (iCloud). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282785 | | Apple visionOS 26 must not allow backup to remote systems (iCloud document and data synchronization). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282786 | | Apple visionOS 26 must not allow backup to remote systems (iCloud Keychain). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282787 | | Apple visionOS 26 must not allow backup to remote systems (Cloud Photo Library). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282788 | | Apple visionOS 26 must not allow backup to remote systems (managed applications data stored in iCloud). | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282789 | | Apple visionOS 26 must be configured to enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a ... |
| V-282790 | | Apple visionOS 26 must be configured to not allow passwords that include more than four repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Passwords that contain repeating or s... |
| V-282791 | | Apple visionOS 26 must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the wi... |
| V-282792 | | Apple visionOS 26 must be configured to not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on ... |
| V-282794 | | Apple visionOS 26 must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DOD-approved commercial app repository, MDM server, mobile application store]. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being insta... |
| V-282795 | | Apple visionOS 26 must be configured to not display notifications when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently ... |
| V-282797 | | Apple visionOS 26 must not allow non-DOD applications to access DOD data. | App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant ri... |
| V-282798 | | Apple visionOS 26 must be configured to [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM. | When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be... |
| V-282799 | | Apple visionOS 26 must be configured to [selection: remove Enterprise applications, remove all noncore applications (any nonfactory-installed application)] upon unenrollment from MDM. | When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be... |
| V-282800 | | Apple visionOS 26 must be configured to disable ad hoc wireless client-to-client connection capability. | Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and... |
| V-282804 | | Apple visionOS 26 must implement the management setting: disable Allow MailDrop. | MailDrop allows users to send large attachments (up to 5 GB) via iCloud. Storing data with a non-DOD cloud provider may leave the data vulnerable to b... |
| V-282806 | | Apple visionOS 26 must implement the management setting: use SSL for Exchange ActiveSync. | Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SS... |
| V-282807 | | Apple visionOS 26 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple visionOS 26 Mail app. | The Apple visionOS Mail app can be configured to support multiple email accounts concurrently. These email accounts are likely to involve content of v... |
| V-282808 | | Apple visionOS 26 must implement the management setting: treat AirDrop as an unmanaged destination. | AirDrop is a way to send contact information or photos to other users with AirDrop enabled. This feature enables a possible attack vector for adversar... |
| V-282809 | | Apple visionOS 26 must implement the management setting: not share location data through iCloud. | Sharing of location data is an operational security risk because it potentially allows an adversary to determine a DOD user's location, movements, and... |
| V-282810 | | Apple visionOS 26 users must complete required training. | The security posture on visionOS devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (... |
| V-282811 | | A managed photo app must be used to take and store work-related photos. | The visionOS Photos app is unmanaged and may sync photos with a device or user's personal iCloud account. Therefore, work-related photos must not be t... |
| V-282814 | | Apple visionOS 26 must implement the management setting: disable AirDrop. | AirDrop is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector fo... |
| V-282815 | | Apple visionOS 26 must disable "Password AutoFill" in browsers and applications. | The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as Personally Ide... |
| V-282816 | | Apple visionOS 26 must disable password sharing. | This control allows sharing passwords between Apple devices using AirDrop. This could lead to a compromise of the device password with an unauthorized... |
| V-282817 | | The Apple visionOS 26 must be supervised by the MDM. | When visionOS is not supervised, the DOD mobile service provider cannot control when new visionOS updates are installed on site-managed devices. Most ... |
| V-282819 | | Apple visionOS must implement the management setting: not allow a user to remove Apple visionOS configuration profiles that enforce DOD security requirements. | Configuration profiles define security policies on Apple visionOS devices. If a user is able to remove a configuration profile, the user can then chan... |
| V-282820 | | Apple visionOS 26 must disable "Allow network drive access in Files access". | Allowing network drive access by the Files app could lead to the introduction of malware or unauthorized software into the DOD IT infrastructure and c... |
| V-282821 | | Apple visionOS 26 must disable connections to Siri servers for the purpose of dictation. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282822 | | Apple visionOS 26 must disable copy/paste of data from managed to unmanaged applications. | If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD... |
| V-282823 | | Apple visionOS 26 must have DOD root and intermediate PKI certificates installed. | DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed t... |
| V-282824 | | Apple visionOS 26 must disable ChatGPT connection for Apple Intelligence. | The ChatGPT feature of Apple Intelligence allows DOD information to be downloaded from the DOD Vision Pro and processed by the ChatGPT application in ... |
| V-282825 | | Apple visionOS 26 must disable the download of visionOS beta updates. | Beta operating system updates may contain features that could lead to the compromise of sensitive DOD information or provide a vector for the attack o... |
| V-282827 | | Apple visionOS 26 must disable the user's ability to wipe the device. | This feature must be disabled to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users could wi... |
| V-282832 | | DOD Apple visionOS 26 devices must have a Mobile Threat Detection (MTD) app installed. | DOD mobile devices are in constant risk of cyber threats. MTD apps mitigate these risks by providing real-time threat detection, malware prevention, a... |
| V-282783 | | Apple visionOS 26 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis]. | The system administrator must have the capability to configure VPN access to meet organization-specific policies based on mission needs. Otherwise, a ... |
| V-282796 | | Apple visionOS 26 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device. | Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner th... |
| V-282802 | | Apple visionOS 26 must implement the management setting: not allow automatic completion of Safari browser passcodes. | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as Personally Identi... |
| V-282803 | | Apple visionOS 26 must implement the management setting: not allow use of Handoff. | Handoff permits a Vision Pro user to transition user activities from one device to another. Handoff passes sufficient information between the devices ... |
| V-282812 | | Apple visionOS 26 must not allow managed apps to write contacts to unmanaged contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-282813 | | Apple visionOS 26 must not allow unmanaged apps to read contacts from managed contacts accounts. | Managed apps have been approved for the handling of DOD sensitive information. Unmanaged apps are provided for productivity and morale purposes but ar... |
| V-282818 | | The Apple visionOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. | Many software systems automatically send diagnostic data to the manufacturer or a third-party. This data enables the developers to understand real-wor... |
| V-282826 | | Apple Vision Pro (AVP) hardware must not be modified to use the Developer Strap unless the authorizing official (AO) approves use on a case-by-case basis. | The Apple Developer Strap provides a USB connector on the AVP and is used to download content on the AVP from a Mac. The use of the Developer Strap wi... |
| V-282828 | | Apple visionOS 26 must disable the use of voice assistant (Siri) unless required to meet Section 508 compliance requirements. | The use of voice assistants could expose sensitive DOD data to cloud-based servers during the processing of assistant requests. SFR ID: FMT_MOF_EXT.1... |
| V-282829 | | Apple visionOS 26 must disable the Apple Intelligence feature: Image Wand. | The security of the Apple Intelligence system has not been vetted by the DOD, and the risk to DOD sensitive information is not known at this time. The... |
| V-282830 | | Apple visionOS 26 must disable the Apple Intelligence feature: Image Generation. | The security of the Apple Intelligence system has not been vetted by the DOD, and the risk to DOD sensitive information is not known at this time. The... |
| V-282831 | | Apple visionOS 26 must disable the Apple Intelligence feature: generate new Genmoji. | The security of the Apple Intelligence system has not been vetted by the DOD, and the risk to DOD sensitive information is not known at this time. The... |
| V-282833 | | DOD Apple visionOS 26 devices must disable screenshots and screen recordings. | A screenshot or screen recording of sensitive DOD information could lead to the inadvertent exposure of that information. SFR ID: FMT_MOF_EXT.1.2 #47... |
| V-282793 | | Apple visionOS 26 must be configured to enforce a passcode reuse prohibition of at least two generations. | visionOS-iPadOS 17 and later versions include a feature that allows the previous passcode to be valid for 72 hours after a passcode change. If the pre... |
| V-282801 | | Apple visionOS 26 must require a valid password be successfully entered before the mobile device data is unencrypted. | Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may... |
| V-282805 | | Vision Pro must have the latest available visionOS operating system installed. | Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF.1.... |