
iOS 18 STIG

Hard 18 items · 1 hour
testuser Published 1 month ago

This checklist translates the Apple iOS/iPadOS 18 STIG into practical configuration steps for device hardening and compliance. It’s intended for IT administrators, MDM operators, and security personnel preparing COPE/COBO Apple devices for Department of Defense or similarly high-security environments.

Source: https://ncp.nist.gov/checklist/1263

  1. Place device in supervised mode — Supervision is required for DoD deployments to enable advanced controls.
  2. Enroll device via Automated Device Enrollment (ABM) — Use ABM during activation; procurement must provide the ABM customer number.
  3. Place device in supervised mode using Apple Configurator — Use Apple Configurator 2 for manual supervision when ABM is unavailable.
  4. Enroll device in MDM and install the management profile — Register the device with your enterprise MDM and push the management profile.
  5. Disable user removal of the management (MDM) profile — Require that the MDM profile cannot be removed by the end user.
  6. Enforce device passcode complexity and auto-lock — Require strong passcodes, minimum length, and short auto-lock timeout.
  7. Ensure data protection and device encryption are enabled — Verify that iOS data protection is active; hardware encryption is used once a passcode is set.
  8. Configure managed app controls to separate work and personal data — Use MDM app management to enforce data separation for COPE/COBO devices.
  9. Restrict installation of unmanaged apps or block the App Store — Apply App Store restrictions per AO policy to limit unvetted apps.
  10. Disable or restrict iCloud backups and syncing for DoD data — Prevent unauthorized cloud storage of controlled unclassified data.
  11. Configure Wi-Fi with enterprise settings and enforce Network STIG compliance — Use WPA2/3-Enterprise (EAP) and avoid direct AP-to-enclave bridges.
  12. Disable or limit AirDrop to contacts only — Turn off AirDrop or restrict it to reduce unsolicited file exchange risks.
  13. Disable Siri and voice assistant access from the lock screen — Prevent unintended data exposure via voice assistant features.
  14. Disable Bluetooth file sharing and restrict accessory pairing — Limit Bluetooth to authorized accessories to reduce attack surface.
  15. Configure automatic OS updates or manage updates via MDM — Keep devices on supported iOS versions and control update rollout.
  16. Document AO approvals and exceptions for personal app use — Record official approvals when DOD data storage in unmanaged apps is allowed.
  17. Test configurations in a representative environment before deployment — Validate settings to avoid loss of required functionality at scale.
  18. Subscribe to DISA STIG updates and maintain a change log — Monitor cyber.mil/public.cyber.mil and track STIG version changes.
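Several of the items above (5, 6, 8, 10, 12, 13 and 14) are settings an MDM delivers in a configuration profile, so they can be audited before rollout rather than checked by hand on each device. The script below is an added example, not code from the checklist author, DISA or NIST: it builds a .mobileconfig with Python's standard plistlib and audits any profile against those items. The payload types and keys (com.apple.applicationaccess, com.apple.mobiledevice.passwordpolicy, PayloadRemovalDisallowed) are Apple's documented profile keys; the numeric thresholds (length 6, 15-minute lock, 10 failed attempts), the example.org identifiers and the UUIDs are assumptions chosen for illustration, and the required values must be taken from the STIG itself. Items that are enrollment or process steps (1-4, 7, 11, 15-18) are not expressible in a profile and are outside the audit.

```python
"""Build and audit an iOS configuration profile against the checklist items.

Added example (not from the checklist author, DISA or NIST). Profile keys are
Apple's documented keys; the thresholds below are assumptions, not STIG values.
"""
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Passcode payload type
RESTRICT = "com.apple.applicationaccess"             # Restrictions payload type

# Checklist item -> list of (payload type, key, expected, op).
# op "eq": value must match; "min": value >= expected; "max": value <= expected.
# A missing key always fails, because Apple's default for allow* keys is True.
EXPECTED = {
    6: [(PASSCODE, "forcePIN", True, "eq"),
        (PASSCODE, "allowSimple", False, "eq"),
        (PASSCODE, "minLength", 6, "min"),           # assumption
        (PASSCODE, "maxInactivity", 15, "max"),      # minutes, assumption
        (PASSCODE, "maxFailedAttempts", 10, "max")], # assumption
    8: [(RESTRICT, "allowOpenFromManagedToUnmanaged", False, "eq")],
    10: [(RESTRICT, "allowCloudBackup", False, "eq"),
         (RESTRICT, "allowCloudDocumentSync", False, "eq")],
    12: [(RESTRICT, "allowAirDrop", False, "eq")],
    13: [(RESTRICT, "allowAssistantWhileLocked", False, "eq")],
    14: [(RESTRICT, "allowBluetoothModification", False, "eq")],
}


def _passes(actual, expected, op):
    """Compare one profile value with its expected value."""
    if actual is None:
        return False
    if op == "eq":
        return actual == expected
    if op == "min":
        return actual >= expected
    return actual <= expected


def audit_profile(profile_bytes):
    """Return sorted (item, key, actual) findings; an empty list is compliant."""
    profile = plistlib.loads(profile_bytes)
    payloads = {}
    for payload in profile.get("PayloadContent", []):
        payloads.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    # Item 5: the removal lock is a top-level profile key, not a payload key.
    removal = profile.get("PayloadRemovalDisallowed")
    if removal is not True:
        findings.append((5, "PayloadRemovalDisallowed", removal))
    for item, checks in EXPECTED.items():
        for ptype, key, expected, op in checks:
            actual = payloads.get(ptype, {}).get(key)
            if not _passes(actual, expected, op):
                findings.append((item, key, actual))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def build_profile(restrictions, passcode, removal_disallowed=True):
    """Serialize a profile as XML plist. Identifiers and UUIDs are placeholders."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.org.ios18-hardening",        # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",     # placeholder
        "PayloadDisplayName": "iOS 18 hardening (example)",
        "PayloadRemovalDisallowed": removal_disallowed,            # item 5
        "PayloadContent": [
            dict(PayloadType=RESTRICT, PayloadVersion=1,
                 PayloadIdentifier="example.org.ios18-hardening.restrictions",
                 PayloadUUID="00000000-0000-0000-0000-000000000002",
                 **restrictions),
            dict(PayloadType=PASSCODE, PayloadVersion=1,
                 PayloadIdentifier="example.org.ios18-hardening.passcode",
                 PayloadUUID="00000000-0000-0000-0000-000000000003",
                 **passcode),
        ],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Constructed sample settings: a hardened profile and a weak one that leaves
# Apple defaults in place and permits a 4-digit simple passcode.
HARDENED_RESTRICTIONS = {
    "allowAirDrop": False, "allowAssistantWhileLocked": False,
    "allowCloudBackup": False, "allowCloudDocumentSync": False,
    "allowOpenFromManagedToUnmanaged": False, "allowBluetoothModification": False,
}
HARDENED_PASSCODE = {"forcePIN": True, "allowSimple": False, "minLength": 6,
                     "maxInactivity": 15, "maxFailedAttempts": 10}
WEAK_RESTRICTIONS = {"allowAirDrop": True}
WEAK_PASSCODE = {"forcePIN": True, "allowSimple": True, "minLength": 4}


if __name__ == "__main__":
    cases = [("hardened", build_profile(HARDENED_RESTRICTIONS, HARDENED_PASSCODE)),
             ("weak", build_profile(WEAK_RESTRICTIONS, WEAK_PASSCODE,
                                    removal_disallowed=False))]
    for name, blob in cases:
        findings = audit_profile(blob)
        print(f"{name}: {len(findings)} finding(s)")
        for item, key, actual in findings:
            print(f"  item {item}: {key} = {actual!r}")
```

Run against a profile exported from your MDM (`audit_profile(open("profile.mobileconfig", "rb").read())`) to see which checklist items the profile leaves uncovered; a signed profile must be unwrapped from its CMS envelope first, which this example does not do. Treating a missing key as a finding matters because an omitted restriction silently keeps Apple's permissive default.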