Apple iOS/iPadOS 26 STIG Compliance Checklist

Medium 20 items · 4 hours
testuser Published 4 weeks ago

This checklist converts the Apple iOS/iPadOS 26 STIG (Ver 1, Rel 2) into actionable steps for securing managed DOD Apple devices. It’s for IT administrators and security teams implementing STIG controls on COPE/COBO iPhones and iPads.

Source: https://ncp.nist.gov/checklist/1317

  1. Confirm STIG scope and applicability — Verify devices are COPE/COBO and running iOS/iPadOS 26 before applying controls.
  2. Obtain ABM customer number — Request and record the Apple Business/Automated Enrollment customer number at deploy.apple.com.
  3. Supervise devices — Enable supervised mode for institutionally owned devices to gain required management controls.
  4. Enroll devices in Automated Device Enrollment (ABM) — Register devices with ABM so supervision occurs during activation.
  5. Place devices in supervised mode using Apple Configurator — Use Apple Configurator (AC2) to manually supervise devices when ABM enrollment is not used.
  6. Install and configure Mobile Device Management (MDM) profile — Deploy MDM to enforce profiles, restrictions, and reporting on supervised devices.
  7. Restrict users from removing MDM profile — Prevent profile removal to maintain device management and compliance.
  8. Enable device encryption and data protection — Ensure iOS data protection is active to encrypt device storage contents.
  9. Set and enforce a strong passcode policy — Require complex, minimum-length passcodes and short auto-lock intervals via MDM.
  10. Require passcode fallback for biometric authentication — Allow biometrics but enforce a secure passcode as a fallback method.
  11. Configure MDM-controlled OS updates — Schedule and enforce managed iOS/iPadOS updates; block unsanctioned OS installs.
  12. Restrict App Store access per AO policy — Disable or limit App Store access and app installations according to AO decisions.
  13. Restrict unmanaged apps from accessing DOD data and document AO approvals — Use managed/unmanaged app controls and record any AO exceptions in writing.
  14. Install approved Wi‑Fi profiles and restrict to authorized SSIDs — Deploy enterprise Wi‑Fi settings and ensure networks meet Network Infrastructure STIG.
  15. Configure and enforce VPN profiles for DOD access — Require approved VPNs (per-app where applicable) for access to DOD resources.
  16. Disable AirDrop and restrict Bluetooth file exchange — Turn off AirDrop and limit Bluetooth sharing to reduce data leakage risks.
  17. Enable remote wipe and device locate in MDM — Configure remote wipe, lock, and locate capabilities for lost or compromised devices.
  18. Disable iCloud backups for work data or enforce managed backups — Prevent uncontrolled cloud backups of DOD data or use approved managed backup solutions.
  19. Record configurations, approvals, and maintain audit logs — Document profiles, AO approvals, change history, and retain logs for audits.
  20. Run STIG checks with XCCDF/SCAP and remediate findings — Validate device compliance using the XCCDF 1.1.4/STIG tools and fix reported issues.
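Several of the items above (7, 9, 11, 13, 16 and 18) come down to specific keys in the configuration profile the MDM pushes, so a useful companion to the XCCDF run in item 20 is a quick offline audit of the `.mobileconfig` itself before it is deployed. The script below is an added example written for this checklist; it is not from the STIG, NIST, or any Apple or MDM vendor tool. It uses Apple's documented payload types (`com.apple.mobiledevice.passwordpolicy`, `com.apple.applicationaccess`) and the top-level `PayloadRemovalDisallowed` key, but the numeric thresholds in `REQUIRED` and the two sample profiles are constructed assumptions for illustration; substitute the values from the STIG release you are applying. It audits a weak profile alongside a hardened one so the output shows what each finding looks like.

```python
"""Audit an iOS/iPadOS configuration profile (.mobileconfig plist) against
the passcode and restriction settings this checklist calls for.
Added example for the checklist; not STIG, NIST, Apple or MDM vendor code.
Thresholds below are ASSUMED illustrative values, not the STIG's numbers."""
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Apple passcode payload type
RESTRICT = "com.apple.applicationaccess"             # Apple restrictions payload type

# Required settings keyed by payload type. A tuple means (comparison, bound);
# anything else is an exact value. Bounds are assumed, not taken from the STIG.
REQUIRED = {
    PASSCODE: {
        "forcePIN": True,                  # item 9: passcode required
        "allowSimple": False,              # item 9: no simple/repeating passcodes
        "minLength": (">=", 6),            # item 9: assumed minimum length
        "maxInactivity": ("<=", 15),       # item 9: assumed auto-lock minutes
        "maxFailedAttempts": ("<=", 10),   # assumed wipe-after-failures bound
    },
    RESTRICT: {
        "allowAirDrop": False,                      # item 16
        "allowCloudBackup": False,                  # item 18
        "allowOpenFromManagedToUnmanaged": False,   # item 13
        "forceDelayedSoftwareUpdates": True,        # item 11
    },
}


def _check(actual, rule):
    """True when the observed value satisfies the rule."""
    if isinstance(rule, tuple):
        op, bound = rule
        if actual is None:
            return False
        return actual >= bound if op == ">=" else actual <= bound
    return actual == rule


def audit_profile(plist_bytes):
    """Return a list of human-readable findings; empty means compliant."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    # Item 7: the user must not be able to remove the profile.
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("profile: PayloadRemovalDisallowed must be true (item 7)")
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    for ptype, rules in REQUIRED.items():
        payload = payloads.get(ptype)
        if payload is None:
            findings.append(f"{ptype}: payload missing")
            continue
        for key, rule in rules.items():
            actual = payload.get(key)
            if not _check(actual, rule):
                findings.append(f"{ptype}: {key}={actual!r}, required {rule!r}")
    return findings


def make_profile(removal_disallowed, passcode, restrictions):
    """Build a minimal profile as plist bytes. Identifiers/UUIDs are placeholders."""
    def payload(ptype, body, n):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"example.stig.payload{n}",
                "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}", **body}
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.stig.profile",              # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",   # placeholder
        "PayloadDisplayName": "Example STIG profile",
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [payload(PASSCODE, passcode, 1),
                           payload(RESTRICT, restrictions, 2)],
    }
    return plistlib.dumps(profile)


# Constructed samples: one weak profile, one that satisfies every rule above.
WEAK_PROFILE = make_profile(
    False,
    {"forcePIN": True, "allowSimple": True, "minLength": 4,
     "maxInactivity": 60, "maxFailedAttempts": 10},
    {"allowAirDrop": True, "allowCloudBackup": True,
     "allowOpenFromManagedToUnmanaged": True, "forceDelayedSoftwareUpdates": False},
)
HARDENED_PROFILE = make_profile(
    True,
    {"forcePIN": True, "allowSimple": False, "minLength": 6,
     "maxInactivity": 15, "maxFailedAttempts": 10},
    {"allowAirDrop": False, "allowCloudBackup": False,
     "allowOpenFromManagedToUnmanaged": False, "forceDelayedSoftwareUpdates": True},
)

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_profile(blob)
        print(f"{name}: {'compliant' if not result else str(len(result)) + ' finding(s)'}")
        for line in result:
            print("  -", line)
```

Run it against an exported profile by replacing the constructed bytes with `open("profile.mobileconfig", "rb").read()`; a signed profile must be unwrapped from its CMS envelope first, which `plistlib` does not do. The audit only reads what the profile declares, so it complements rather than replaces the on-device XCCDF/SCAP check in item 20, which also verifies that the profile actually landed and that the device is supervised.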