The EMM system supporting the iOS/iPadOS 16 BYOAD must be configured for autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-257085	PP-BYO-000020	AIOS-16-800020	SV-257085r904000_rule	2023-08-14	1

Description
DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and managed data and apps can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure. Examples of possible EMM security controls are as follows: 1. Device access restrictions: Restrict or isolate access based on the device's access type (i.e., from the internet), authentication type (e.g., password), credential strength, etc. 2. User and device activity monitoring: Configured to detect anomalous activity, malicious activity, and unauthorized attempts to access DOD information. 3. Device health tracking: Monitor device attestation, health, and agents reporting compromised applications, connections, intrusions, and/or signatures. Reference: DOD policy "Use of Non-Government Mobile Devices". 3.a.(3)ii, 3.b.(2)ii,1 and 2. SFR ID: FMT_SMF_EXT.1.1 #47

Description

DOD policy requires BYOAD devices with DOD data be managed by a DOD MDM server, MAM server, or VMI system. This ensures the device can be monitored for compliance with the approved security baseline and managed data and apps can be removed when the device is out of compliance, which protects DOD data from unauthorized exposure. Examples of possible EMM security controls are as follows: 1. Device access restrictions: Restrict or isolate access based on the device's access type (i.e., from the internet), authentication type (e.g., password), credential strength, etc. 2. User and device activity monitoring: Configured to detect anomalous activity, malicious activity, and unauthorized attempts to access DOD information. 3. Device health tracking: Monitor device attestation, health, and agents reporting compromised applications, connections, intrusions, and/or signatures. Reference: DOD policy "Use of Non-Government Mobile Devices". 3.a.(3)ii, 3.b.(2)ii,1 and 2. SFR ID: FMT_SMF_EXT.1.1 #47

ℹ️ Check
Verify the EMM system supporting the iOS/iPadOS 16 BYOAD has been configured to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline. The exact procedure will depend on the EMM system used at the site. If the EMM system supporting the iOS/iPadOS 16 BYOAD has not been configured to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices, this is a finding.

ℹ️ Check

Verify the EMM system supporting the iOS/iPadOS 16 BYOAD has been configured to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline. The exact procedure will depend on the EMM system used at the site. If the EMM system supporting the iOS/iPadOS 16 BYOAD has not been configured to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices, this is a finding.

✔️ Fix
Configure the EMM system supporting the iOS/iPadOS 16 BYOAD to conduct autonomous monitoring, compliance, and validation to ensure security/configuration settings of mobile devices do not deviate from the approved configuration baseline. The exact procedure will depend on the EMM system used at the site.