
Apple iOS/iPadOS 17 STIG Checklist

Medium 18 items · 2 hours
testuser Published 1 month ago

This checklist summarizes the core actions to apply the Apple iOS/iPadOS 17 STIG for institutionally owned (COPE/COBO) devices. It’s designed for IT administrators, device managers, and security teams who must harden iPhones and iPads and enforce DoD-aligned controls.

Source: https://ncp.nist.gov/checklist/1074

  1. Place devices in supervised mode — Supervision is required for DoD deployments and enables advanced management controls.
  2. Enroll devices using Apple Automated Device Enrollment (ADE) — Preferred method to supervise at activation via Apple Business/School Manager.
  3. Supervise devices via Apple Configurator (AC2) as an alternate method — Use AC2 for manual supervision when ADE is not available.
  4. Provide ABM (Apple Business/School) customer number to reseller or procurement — Obtain ABM customer number at deploy.apple.com to enable ADE enrollment.
  5. Enroll devices in a Mobile Device Management (MDM) solution and install the MDM profile — Install a managed MDM profile to control device settings and policies.
  6. Configure MDM policies to enforce passcodes and biometric requirements — Set complexity, retry limits, and biometric allowances via MDM.
  7. Enforce strong passcode complexity and automatic lock — Require long numeric or alphanumeric codes and short auto-lock interval.
  8. Enable device data encryption (Data Protection) — iOS/iPadOS encrypts storage by default, but the Data Protection keys that guard data at rest are derived from the device passcode; enforcing a passcode through MDM is what makes this control effective.
  9. Enable remote wipe and enterprise lock via MDM — Allow administrators to remotely wipe, lock, or disable lost/stolen devices.
  10. Restrict installation of unmanaged/personal apps without AO approval — Follow AO-approved exceptions; otherwise block unmanaged app installs.
  11. Configure managed/unmanaged app data separation and data controls — Use MDM app policies to separate corporate and personal data and restrict sharing.
  12. Restrict App Store and app installation settings — Disable or limit App Store access and require managed app distribution when possible.
  13. Disable or limit AirDrop and Bluetooth file sharing — Prevent unauthorized file transfer vectors by restricting AirDrop/Bluetooth.
  14. Disable Siri, Dictation, and lock screen voice access where required — Turn off voice services that can leak sensitive info if not needed.
  15. Prevent users from removing accounts or management profiles — Use supervision and MDM to block profile removal and account deletion.
  16. Manage OS updates through MDM and restrict direct OS installs — Control update timing and prevent unmanaged OS upgrades that break policy.
  17. Limit Wi-Fi connections to compliant networks and follow Network STIG guidance — Allow only approved networks and ensure network infrastructure STIGs are met.
  18. Test configurations, implement logging/reporting, and document exceptions for AO approval — Validate settings in a lab, enable audit reporting, and record any authorized deviations.
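Items 5 through 16 are applied as keys in an MDM-delivered configuration profile, and step 18 asks for validation before deployment. The following script, an added example that is not part of this checklist or of the STIG, audits a profile against a subset of those items. It parses a constructed `.mobileconfig` (XML plist) with the standard-library `plistlib`, maps Apple's documented passcode-policy and restrictions keys to checklist item numbers, and reports each key as PASS, FAIL, or MISSING. The numeric thresholds (6-character minimum, 15-minute auto-lock, 10 failed attempts) are assumptions chosen for the demo, not values quoted from the STIG; check them against the current STIG before using this on real profiles.

```python
"""Audit an iOS/iPadOS configuration profile against several checklist items.

Added example; not code from the checklist or the STIG. SAMPLE_PROFILE is a
constructed profile, and the thresholds in RULES are assumptions for the demo.
Payload types and keys are Apple's documented configuration-profile keys.
"""
import plistlib

# Constructed sample: a hardened passcode payload plus a restrictions payload
# that still allows AirDrop and never sets allowAssistantWhileLocked.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.stig-demo</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>com.example.stig-demo.passcode</string>
      <key>PayloadUUID</key><string>11111111-2222-3333-4444-666666666666</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><false/>
      <key>minLength</key><integer>6</integer>
      <key>maxInactivity</key><integer>15</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.stig-demo.restrictions</string>
      <key>PayloadUUID</key><string>11111111-2222-3333-4444-777777777777</string>
      <key>allowAirDrop</key><true/>
      <key>allowAppInstallation</key><false/>
      <key>allowAccountModification</key><false/>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>forceDelayedSoftwareUpdates</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICT = "com.apple.applicationaccess"

# (checklist item, payload type or None for the top-level dict, key, check, expected)
# Thresholds below are illustrative assumptions, not quoted STIG values.
RULES = [
    (6,  PASSCODE, "maxFailedAttempts", lambda v: type(v) is int and v <= 10, "<= 10"),
    (7,  PASSCODE, "forcePIN",          lambda v: v is True,                   "true"),
    (7,  PASSCODE, "allowSimple",       lambda v: v is False,                  "false"),
    (7,  PASSCODE, "minLength",         lambda v: type(v) is int and v >= 6,  ">= 6"),
    (7,  PASSCODE, "maxInactivity",     lambda v: type(v) is int and v <= 15, "<= 15 min"),
    (11, RESTRICT, "allowOpenFromManagedToUnmanaged", lambda v: v is False,  "false"),
    (12, RESTRICT, "allowAppInstallation",            lambda v: v is False,  "false"),
    (13, RESTRICT, "allowAirDrop",                    lambda v: v is False,  "false"),
    (14, RESTRICT, "allowAssistantWhileLocked",       lambda v: v is False,  "false"),
    (15, RESTRICT, "allowAccountModification",        lambda v: v is False,  "false"),
    (15, None,     "PayloadRemovalDisallowed",        lambda v: v is True,   "true"),
    (16, RESTRICT, "forceDelayedSoftwareUpdates",     lambda v: v is True,   "true"),
]


def _payloads_by_type(profile):
    """Index the inner payloads of a profile by their PayloadType."""
    index = {}
    for payload in profile.get("PayloadContent", []):
        index.setdefault(payload.get("PayloadType"), []).append(payload)
    return index


def audit_profile(raw):
    """Return one finding per rule with status PASS, FAIL, or MISSING.

    A missing restriction key is reported rather than treated as compliant,
    because an unset restriction leaves Apple's permissive default in force.
    """
    profile = plistlib.loads(raw)
    by_type = _payloads_by_type(profile)
    findings = []
    for item, ptype, key, check, expected in RULES:
        containers = [profile] if ptype is None else by_type.get(ptype, [])
        if not containers:  # whole payload absent: every key in it is missing
            findings.append({"item": item, "key": key, "status": "MISSING",
                             "value": None, "expected": expected})
            continue
        for container in containers:
            if key not in container:
                status, value = "MISSING", None
            else:
                value = container[key]
                status = "PASS" if check(value) else "FAIL"
            findings.append({"item": item, "key": key, "status": status,
                             "value": value, "expected": expected})
    return findings


def failing_items(findings):
    """Checklist item numbers that have at least one FAIL or MISSING finding."""
    return sorted({f["item"] for f in findings if f["status"] != "PASS"})


if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for f in results:
        print(f"item {f['item']:>2}  {f['status']:<7} {f['key']} = {f['value']!r}"
              f" (expected {f['expected']})")
    print("checklist items needing attention:", failing_items(results))
```

Run against the constructed profile, the audit flags item 13 (AirDrop left enabled) and item 14 (Siri on the lock screen never restricted) while the passcode, app-data separation, profile-removal, and update-deferral keys pass. Point `audit_profile` at the bytes of an exported profile from your MDM to check a real configuration; keys whose defaults are permissive are the ones most often missed.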