
Apple visionOS 2 STIG

Medium 16 items · 2 hours
testuser Published 1 month ago

This checklist condenses key configuration and operational steps from the Apple visionOS 2 Security Technical Implementation Guide (STIG). It is designed for IT admins, procurement, and security teams preparing corporate-owned devices (COPE and COBO) for managed deployments. Use it to verify supervision, enrollment, app-install controls, user training, and network compliance for Vision Pro devices.

Source: https://ncp.nist.gov/checklist/1307

  1. Set Vision Pro devices to supervised mode — Supervision is required for DOD/managed deployments to enable advanced MDM controls.
  2. Use Automated Device Enrollment through Apple Business Manager (ABM) to supervise during activation — Prefer ABM for bulk enrollment and persistent supervision.
  3. Use Apple Configurator (AC2) to place devices in supervised mode — Use AC2 when ABM enrollment is not available or for manual supervision.
  4. Configure and deploy MDM profiles to managed devices — Include device restrictions, certificates, and compliance settings.
  5. Prevent users from removing the management (MDM) profile — Lock removal to maintain enforced policies and device compliance.
  6. Disable Vision Pro Developer Mode on managed devices — Developer Mode increases risk; disallow for institutional deployments.
  7. Disable Guest User mode on managed devices — Guest accounts can bypass controls; disallow where sensitive data is present.
  8. Prohibit installing or using the Vision Pro developer strap — Restrict developer hardware that could bypass device protections.
  9. Restrict App Store access and unapproved app installations — Require Authorizing Official (AO) approval for unmanaged/personal apps that may store DOD data.
  10. Document and enforce AO approvals for unmanaged app use — Record approvals and any imposed restrictions for auditability.
  11. Train users not to enable Developer Mode, Guest User, or dev strap — Include these prohibitions in user onboarding and refresher training.
  12. Add developer/guest prohibitions to the Vision Pro User Agreement — Make forbidden behaviors part of the device terms of use.
  13. Ensure Wi‑Fi networks comply with the Network Infrastructure STIG before connecting devices — Verify access points and bridges are not directly on enclave networks.
  14. Limit Vision Pro deployments to COPE and COBO use cases — Scope device ownership and allowed usage consistent with the STIG.
  15. Provide procurement instructions to suppliers to include ABM customer number — Ensure resellers register devices to your ABM account at purchase time.
  16. Maintain and review the official STIG documents from the DOD Cyber Exchange — Keep copies and check for updates on cyber.mil or public.cyber.mil.
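Items 5 and 9 are enforced through the configuration profile the MDM pushes, so they can be checked before deployment by inspecting the profile itself. The following is an added example (not code from this page, the STIG, or any MDM vendor) that audits a .mobileconfig for the two settings: the top-level `PayloadRemovalDisallowed` key, which blocks user removal of the profile, and `allowAppInstallation` in a `com.apple.applicationaccess` (Restrictions) payload, which disables App Store installs. Both keys are documented Apple profile keys; whether a given restriction applies on visionOS 2 should be confirmed against Apple's Device Management documentation and your MDM's payload support, which this script assumes rather than verifies. The sample profile is constructed inline; identifiers such as `com.example.visionos.baseline` are placeholders. Developer Mode, Guest User and the developer strap (items 6-8) are handled on this page by training and the user agreement, not by a profile key, so they are out of scope here.

```python
"""Audit an Apple configuration profile (.mobileconfig) against two checklist
items: the profile must not be user-removable (PayloadRemovalDisallowed) and a
Restrictions payload must block App Store installs (allowAppInstallation).
Added example; identifiers are placeholders, not values from the STIG."""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"


def audit_profile(raw: bytes) -> list[str]:
    """Return a list of findings for the profile bytes; empty means both checks passed."""
    profile = plistlib.loads(raw)
    findings = []

    # Item 5: without PayloadRemovalDisallowed=true a user can delete the profile
    # from Settings and drop every restriction it carries.
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("PayloadRemovalDisallowed is not true: user can remove the profile")

    # Item 9: App Store installs are governed by allowAppInstallation in the
    # Restrictions payload. Apple applies the most restrictive value across
    # payloads, so one payload setting it to false is sufficient; the key
    # defaults to true when absent.
    restrictions = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == RESTRICTIONS_PAYLOAD
    ]
    if not restrictions:
        findings.append(f"no {RESTRICTIONS_PAYLOAD} payload: App Store is unrestricted")
    elif not any(p.get("allowAppInstallation", True) is False for p in restrictions):
        findings.append("allowAppInstallation is not false: users can install from the App Store")
    return findings


def make_profile(*, removal_disallowed: bool, allow_app_install: bool,
                 with_restrictions: bool = True) -> bytes:
    """Build a constructed sample profile (placeholder identifiers) as plist bytes."""
    content = []
    if with_restrictions:
        content.append({
            "PayloadType": RESTRICTIONS_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.visionos.baseline.restrictions",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "allowAppInstallation": allow_app_install,
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.visionos.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "visionOS baseline (example)",
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": content,
    }
    return plistlib.dumps(profile)


def harden_profile(raw: bytes) -> bytes:
    """Return a copy of the profile with both checklist settings enforced."""
    profile = plistlib.loads(raw)
    profile["PayloadRemovalDisallowed"] = True
    restrictions = [
        p for p in profile.setdefault("PayloadContent", [])
        if p.get("PayloadType") == RESTRICTIONS_PAYLOAD
    ]
    if not restrictions:
        # No Restrictions payload at all: add one so the key has somewhere to live.
        new_payload = {
            "PayloadType": RESTRICTIONS_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": profile.get("PayloadIdentifier", "profile") + ".restrictions",
            "PayloadUUID": str(uuid.uuid4()).upper(),
        }
        profile["PayloadContent"].append(new_payload)
        restrictions = [new_payload]
    for payload in restrictions:
        payload["allowAppInstallation"] = False
    return plistlib.dumps(profile)


if __name__ == "__main__":
    weak = make_profile(removal_disallowed=False, allow_app_install=True)
    for finding in audit_profile(weak):
        print("FAIL:", finding)
    print("after hardening:", audit_profile(harden_profile(weak)) or "no findings")
```

Run it against a real exported profile by replacing the constructed bytes with `open("baseline.mobileconfig", "rb").read()`; signed profiles are CMS-wrapped and must be unwrapped (for example with `openssl cms -verify`) before `plistlib` can parse them. The audit only covers the two profile-enforced items; the enrollment, supervision and documentation items above still need to be confirmed in the MDM console and ABM.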