| CCE-93201-2 |
icloud_backup_disabled |
Ensure iCloud Backup is set to Disabled |
iCloud backup _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudBackup</key> <false/> ---- |
SC-4 AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003000 |
3.2.1.4 (level 1 - Institutionally-Owned Devices) |
2.3 |
NaN |
NaN |
CCI-001090 |
medium |
NaN |
| CCE-93207-9 |
icloud_drive_disable |
Ensure Allow iCloud Documents and Data is set to Disabled |
Institutionally owned devices _MUST_ not sync data through iCloud. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudDocumentSync</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003200 |
3.2.1.5 (level 1 - Institutionally-Owned Devices) |
2.3 |
NaN |
NaN |
CCI-000097 CCI-000366 CCI-000370 |
medium |
NaN |
| CCE-93202-0 |
icloud_keychain_disable |
Disable iCloud Keychain Sync |
The iOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudKeychainSync</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003300 |
3.2.1.6 (level 1 - Institutionally-Owned Devices) |
4.1 4.8 15.3 |
NaN |
NaN |
CCI-000097 CCI-000366 CCI-000370 |
NaN |
NaN |
| CCE-93203-8 |
icloud_managed_apps_store_data_disabled |
Ensure Managed Apps Storing Data in iCloud is Set to Disabled |
Managed Apps _MUST_ not store data in iCloud. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowManagedAppsCloudSync</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003600 AIOS-16-703600 AIOS-16-009200 AIOS-16-709200 |
2.2.1.3 (level 1 - End-User Owned Devices) 3.2.1.7 (level 1 - Institutionally-Owned Devices) |
2.3 |
NaN |
NaN |
CCI-000097 CCI-000366 CCI-000370 |
medium |
NaN |
| CCE-93204-6 |
icloud_photo_stream_disable |
Ensure Photo Stream is set to Disabled |
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowPhotoStream</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003400 |
NaN |
NaN |
NaN |
NaN |
CCI-000097 CCI-000366 CCI-000370 |
medium |
NaN |
| CCE-93205-3 |
icloud_photos_disable |
Disable iCloud Photo Library |
The iOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowCloudPhotoLibrary</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-011000 |
NaN |
4.1 4.8 15.3 |
NaN |
NaN |
CCI-000381 |
medium |
NaN |
| CCE-93206-1 |
icloud_shared_photo_stream_disable |
Ensure Shared Photo Stream is set to Disabled |
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowSharedStream</key> <false/> ---- |
AC-20 AC-20(1) CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003500 |
NaN |
NaN |
NaN |
NaN |
CCI-000097 CCI-000366 CCI-000370 |
medium |
NaN |
| CCE-93208-7 |
os_airdrop_disable |
Ensure AirDrop is set to Disabled |
AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. AirDrop allows users to share and receive files from other nearby Apple devices. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAirDrop</key> <false/> ---- |
AC-3 AC-20 CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1/WLAN FMT_SMF_EXT.1.1 #47 |
AIOS-16-010200 AIOS-16-012500 |
NaN |
NaN |
NaN |
NaN |
CCI-002536 CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93209-5 |
os_airdrop_unmanaged_destination_enable |
Ensure Treat AirDrop as unmanaged destination is set to Enabled |
AirDrop _MUST_ be treated as an unmanaged destination. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceAirDropUnmanaged</key> <true/> ---- |
AC-3 AC-20 CM-7 CM-7(1) MP-2 SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-011500 AIOS-16-711500 |
2.2.1.10 (level 1 - End-User Owned Devices) 3.2.1.23 (level 1 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-000366 CCI-002008 |
medium |
NaN |
| CCE-93210-3 |
os_airplay_password_require |
Require the User to Enter a Password when Connecting to an AirPlay-enabled device for the First Time. |
When a user is allowed to use AirPlay without a password, it may mistakenly associate the iPhone and iPad with an AirPlay-enabled device other than the one intended (i.e., by choosing the wrong one from the AirPlay list displayed). This creates the potential for someone in control of a mistakenly associated device to obtain DoD sensitive information without authorization. Requiring a password before such an association mitigates this risk. Passwords do not require any administration and are not required to comply with any complexity requirements. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceAirPlayOutgoingRequestsPairingPassword</key> <true/> ---- |
IA-3 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #40 |
AIOS-16-010900 AIOS-16-710900 |
NaN |
NaN |
NaN |
NaN |
CCI-000063 |
low |
NaN |
| CCE-93211-1 |
os_allow_contacts_read_managed_sources_unmanaged_destinations_disable |
Ensure Managed Apps Cannot Read Unmanaged Contact Accounts |
Managed Apps _MUST_ not be allowed to read contacts from unmanaged contact destinations. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowUnmanagedToReadManagedContacts</key> <false/> ---- |
AC-3 MP-2 SC-7(10) SC-39 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #42 FDP_ACF_EXT.1.2 |
AIOS-16-012400 AIOS-16-012400 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000051 CCI-000370 |
low |
NaN |
| CCE-93212-9 |
os_allow_contacts_write_managed_sources_unmanaged_destinations_disable |
Ensure Managed Apps Cannot Write to Unmanaged Contact Accounts |
Managed Apps _MUST_ not be allowed to write contacts to unmanaged contact destinations. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowManagedToWriteUnmanagedContacts</key> <false/> ---- |
AC-3 MP-2 SC-7(10) SC-39 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #42 FDP_ACF_EXT.1.2 |
AIOS-16-012300 AIOS-16-712300 |
NaN |
3.3 |
NaN |
NaN |
CCI-000366 CCI-000051 CCI-000370 |
low |
NaN |
| CCE-93213-7 |
os_allow_documents_managed_sources_unmanaged_destinations_disable |
Ensure Allow documents from managed sources in unmanaged destinations is set to Disabled |
Documents from managed sources _MUST_ not be allowed in unmanaged destinations. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowOpenFromManagedToUnmanaged</key> <false/> ---- |
AC-3 MP-2 SC-7(10) SC-39 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #42 FDP_ACF_EXT.1.2 |
AIOS-16-009700 AIOS-16-709700 |
2.2.1.8 (level 1 - End-User Owned Devices) 3.2.1.21 (level 1 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-002233 CCI-002530 |
medium |
NaN |
| CCE-93214-5 |
os_allow_documents_unmanaged_sources_managed_destinations_disable |
Ensure Allow documents from unmanaged sources in managed destinations is set to Disabled |
Documents from unmanaged sources _MUST_ not be allowed in managed destinations. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowOpenFromUnmanagedToManaged</key> <false/> ---- |
AC-3 MP-2 SC-7(10) SC-39 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #42 FDP_ACF_EXT.1.2 |
AIOS-16-714900 |
2.2.1.9 (level 1 - End-User Owned Devices) 3.2.1.22 (level 1 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-002233 CCI-002530 |
medium |
NaN |
| CCE-93215-2 |
os_apple_watch_pairing_disable |
Ensure Apple Watch Pairing is Disabled |
Pairing an Apple Watch _MUST_ be disabled. NOTE: Any currently paired Apple Watch is unpaired and the watch's content is erased. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowPairedWatch</key> <false/> ---- |
CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-012600 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93216-0 |
os_apple_watch_wrist_detection_enable |
Ensure Force Apple Watch wrist detection is set to Enabled |
Wrist detection _MUST_ be enabled for paired Apple Watches. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceWatchWristDetection</key> <true/> ---- |
AC-3 CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-011800 AIOS-16-711800 |
2.2.1.13 (level 1 - End-User Owned Devices) 3.2.1.27 (level 1 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-000381 |
low |
NaN |
| CCE-93217-8 |
os_application_allow_list |
Define Allowed Applications |
Requiring all authorized applications to be in an application allow list prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allow list. Failure to configure an application allow list properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment. Application note: The application allow list, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. Core application: Any application integrated into the OS by the OS or MD vendors. Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. NOTE: See rule YAML file for implementation comments. |
Manual |
|
NaN |
This is implemented by a Configuration Profile |
CM-7(5) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #8b |
AIOS-16-007400 AIOS-16-707400 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-93218-6 |
os_authentication_password_autofill_enable |
Ensure Require Touch ID / Face ID authentication before AutoFill is set to Enabled |
Re-authentication _MUST_ be enabled at each Autofill operation. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceAuthenticationBeforeAutoFill</key> <true/> ---- |
AC-3 IA-11 |
NaN |
NaN |
NaN |
NaN |
3.2.1.26 (level 1 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93219-4 |
os_auto_unlock_disable |
Prevent Apple Watch from Unlocking a Device |
Apple Watches are not an approved authenticator and their use _MUST_ be disabled. Disabling Apple Watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAutoUnlock</key> <false/> ---- |
AC-11 |
NaN |
NaN |
FMT_MOF_EXT.1.2 #47 |
AIOS-16-014800 |
NaN |
NaN |
NaN |
NaN |
CCI-000767 CCI-002235 |
medium |
NaN |
| CCE-93220-2 |
os_diagnostics_reports_disable |
Disable Sending Diagnostic and Usage Data to Apple |
The ability to submit diagnostic data to Apple _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowDiagnosticSubmission</key> <false/> ---- |
AC-20 SC-7(10) SI-11 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47a |
AIOS-16-013400 AIOS-16-713400 |
2.2.1.12 (level 1 - End-User Owned Devices) 3.2.1.25 (level 1 - Institutionally-Owned Devices) |
4.8 |
NaN |
NaN |
CCI-001199 |
medium |
NaN |
| CCE-93262-4 |
os_disallow_enterprise_app_trust |
Disallow Apps to be Installed from Unauthorized Sources |
Apps _MUST_ be installed from authorized application repositories. Disallowing enterprise app trust prevents apps from being provisioned by universal provisioning profiles. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowEnterpriseAppTrust</key> <false/> ---- |
CM-11 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #8a |
AIOS-16-007000 AIOS-16-707000 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 |
low |
NaN |
| CCE-93221-0 |
os_enterprise_books_disable |
Ensure Backup of Enterprise Books is set to Disabled |
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DoD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DoD sensitive information. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowEnterpriseBookBackup</key> <false/> ---- |
CM-6 b |
NaN |
NaN |
FMT_MOF_EXT.1.2 #40 |
AIOS-16-003700 AIOS-16-703700 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-002110 |
medium |
NaN |
| CCE-93222-8 |
os_erase_contents_and_settings_disable |
Ensure Allow Erase All Content and Settings is set to Disabled |
Erase all contents and settings _MUST_ be disabled on institutionally owned iOS devices. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowEraseContentAndSettings</key> <false/> ---- |
CM-6 CM-7 CM-7(1) |
NaN |
NaN |
NaN |
NaN |
3.2.1.12 (level 1 - Institutionally-Owned Devices) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93223-6 |
os_files_network_drive_access_disable |
Ensure Allow network drive access in Files app is set to Disabled |
Network drive access in Files app _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowFilesNetworkDriveAccess</key> <false/> ---- |
AC-20(2) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-014300 |
3.2.1.9 (level 2 - Institutionally-Owned Devices) |
1.2 |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93224-4 |
os_files_usb_drive_access_disable |
Ensure Allow USB drive access in Files app is set to Disabled |
USB drive access in Files app _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowFilesUSBDriveAccess</key> <false/> ---- |
AC-20(2) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-013300 |
3.2.1.8 (level 2 - Institutionally-Owned Devices) |
1.2 |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93225-1 |
os_find_my_friends_disable |
Disable Find My Friends Service |
The Find My Friends service _MUST_ be disabled. Sharing the location of a device may be a violation for an organization and potentially put users at risk. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowFindMyFriends</key> <false/> ---- |
AC-20 CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-013100 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
low |
NaN |
| CCE-93226-9 |
os_force_date_and_time_enable |
Ensure Force automatic date and time is set to Enabled |
Automatic date and time _MUST_ be enabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceAutomaticDateAndTime</key> <true/> ---- |
AU-12(1) SC-45(1) |
NaN |
NaN |
NaN |
NaN |
2.2.1.7 (level 1 - End-User Owned Devices) 3.2.1.17 (level 1 - Institutionally-Owned Devices) |
8.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93227-7 |
os_force_encrypted_backups_enable |
Ensure Force Encrypted Backups is Enabled |
iOS and iPadOS backups _MUST_ be encrypted. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceEncryptedBackup</key> <true/> ---- |
CM-7 CM-7(1) CP-09(8) SC-28 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-010700 AIOS-16-710700 |
2.2.1.4 (level 1 - End-User Owned Devices) 3.2.1.10 (level 1 - Institutionally-Owned Devices) |
11.3 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-000381 |
medium |
NaN |
| CCE-93228-5 |
os_handoff_disable |
Disable Handoff |
Handoff _MUST_ be disabled. Handoff allows a user to continue working on a document or project when switching from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowActivityContinuation</key> <false/> ---- |
AC-3 AC-20 CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-010800 |
2.2.1.11 (level 2 - End-User Owned Devices) 3.2.1.24 (level 2 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-000381 |
low |
NaN |
| CCE-93229-3 |
os_install_configuration_profile_disable |
Ensure Allow Installing Configuration Profiles is Set to Disabled |
Configuration profiles _MUST_ be installed via an organization's MDM. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowUIConfigurationProfileInstallation</key> <false/> ---- |
CM-6 CM-7 CM-7(1) |
NaN |
NaN |
NaN |
NaN |
3.2.1.15 (level 1 - Institutionally-Owned Devices) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93462-0 |
os_install_vpn_configuration_disable |
Ensure Allow adding VPN configurations is set to Disabled |
VPN configurations _MUST_ be installed via an organization's MDM. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowVPNCreation</key> <false/> ---- |
AC-17 AC-17(1) AC-17(3) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #3 |
AIOS-16-001000 AIOS-16-701000 |
3.2.1.16 (level 1 - Institutionally-Owned Devices) |
12.7 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-000066 |
low |
NaN |
| CCE-93231-9 |
os_limit_ad_tracking_enable |
Enable Limit Ad Tracking |
Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceLimitAdTracking</key> <true/> ---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-010500 |
NaN |
4.8 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-001199 |
low |
NaN |
| CCE-93232-7 |
os_mail_maildrop_disable |
Ensure Allow Mail Drop is set to Disabled |
Mail Drop _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mail.managed) payload type: [source,xml] ---- <key>allowMailDrop</key> <false/> ---- |
AC-3 AC-20 CM-7 CM-7(1) SC-07(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-011000 |
2.7.2 (level 2 - End-User Owned Devices) 3.7.2 (level 2 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-002314 |
medium |
NaN |
| CCE-93233-5 |
os_mail_move_messages_disable |
Ensure Allow user to move messages from this account is set to Disabled |
Mail from institutionally configured mail accounts _MUST_ not be allowed to move to personal mail accounts. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mail.managed) payload type: [source,xml] ---- <key>PreventMove</key> <false/> ---- |
AC-21 CM-7 CM-7(1) SC-4 SC-07(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-011400 AIOS-16-711400 |
2.7.1 (level 1 - End-User Owned Devices) 3.7.1 (level 1 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-000764 |
medium |
NaN |
| CCE-93234-3 |
os_modify_cellular_data_app_settings_disable |
Ensure Allow modifying cellular data app settings is set to Disabled |
The ability to modify cellular data app settings _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAppCellularDataModification</key> <false/> ---- |
CM-7 CM-7(1) |
NaN |
NaN |
NaN |
NaN |
3.2.1.18 (level 2 - Institutionally-Owned Devices) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93235-0 |
os_new_device_proximity_disable |
Ensure Allow setting up new nearby devices is set to Disabled |
The setting up of new nearby devices _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowProximitySetupToNewDevice</key> <false/> ---- |
CM-6 CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-012800 |
3.2.1.28 (level 1 - Institutionally-Owned Devices) |
3.13 |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93236-8 |
os_on_device_dictation_enforce |
Ensure On Device Dictation is Enforced |
The device _MUST_ be configured for on-device dictation. Enforcing on-device dictation mitigates the risk of unwanted data being sent to Apple. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceOnDeviceOnlyDictation</key> <true/> ---- |
SI-11 AC-20 SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-014400 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93237-6 |
os_on_device_translation_enforce |
Ensure On Device Translation is Enforced |
The device _MUST_ be configured for on-device translation. Enforcing on-device translation mitigates the risk of unwanted data being sent to Apple. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>forceOnDeviceOnlyTranslation</key> <true/> ---- |
SI-11 AC-20 SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-014500 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93238-4 |
os_pairing_non_configurator_hosts_disable |
Ensure Allow pairing with non-Configurator hosts is set to Disabled |
Host pairing with a non-Configurator host _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowHostPairing</key> <false/> ---- |
CM-6 CM-7 CM-7(1) |
NaN |
NaN |
NaN |
NaN |
3.2.1.20 (level 2 - Institutionally-Owned Devices) |
4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93239-2 |
os_password_autofill_disable |
Disable Password Autofill |
Password Autofill _MUST_ be disabled. iOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the device, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowPasswordAutoFill</key> <false/> ---- |
IA-5(13) CM-7 CM-7(1) IA-11 IA-5 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-012700 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93240-0 |
os_password_proximity_disable |
Disable Proximity Based Password Sharing Requests |
Proximity based password sharing requests _MUST_ be disabled. The default behavior of iOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowPasswordProximityRequests</key> <false/> ---- |
IA-5 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-012900 |
3.2.1.29 (level 1 - Institutionally-Owned Devices) |
13.5 |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93241-8 |
os_password_sharing_disable |
Disable Password Sharing |
Password Sharing _MUST_ be disabled. The default behavior of iOS/iPadOS is to allow users to share a password over AirDrop with other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowPasswordSharing</key> <false/> ---- |
IA-5 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-013000 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93242-6 |
os_personalized_advertising_disable |
Disable Personalized Advertising |
Ad tracking and targeted ads _MUST_ be disabled. The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowApplePersonalizedAdvertising</key> <false/> ---- |
AC-20 CM-7 CM-7(1) |
NaN |
NaN |
NaN |
NaN |
2.2.1.5 (level 1 - End-User Owned Devices) 3.2.1.11 (level 1 - Institutionally-Owned Devices) |
4.8 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93243-4 |
os_require_managed_pasteboard_enforce |
Ensure copy/paste of data from Managed to Unmanaged Applications is Disabled |
The device _MUST_ be configured to disable copy/paste of data from managed to unmanaged applications. If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' and 'allowOpenFromUnmanagedToManaged' restrictions. |
Manual |
NaN |
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>requireManagedPasteboard</key> <true/> ---- |
AC-23 SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-014600 AIOS-16-714600 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93244-2 |
os_safari_cookies_set |
Ensure Accept cookies is set to From websites I visit or From current website only |
Acceptance of cookies _MUST_ be only from sites visited. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>safariAcceptCookies</key> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.2.2.2 (level 1 - End-User Owned Devices) 3.2.2.2 (level 1 - Institutionally-Owned Devices) |
9.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93263-2 |
os_safari_force_fraud_warning_enable |
Ensure Force Fraud Warning is set to Enabled |
Force fraud warning _MUST_ be enabled in Safari. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>safariForceFraudWarning</key> <true/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.2.2.1 (level 1 - End-User Owned Devices) 3.2.2.1 (level 1 - Institutionally-Owned Devices) |
9.4 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93245-9 |
os_safari_password_autofill_disable |
Disable Automatic Completion of Safari Browser Passcodes |
The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's iPhone or iPad passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining additional information about the device's user or compromising other systems is significantly mitigated. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>safariAllowAutoFill</key> <false/> ---- |
IA-5(13) CM-7 CM-7(1) IA-11 IA-5 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-010600 |
NaN |
4.1 4.8 |
NaN |
NaN |
CCI-000366 CCI-000370 CCI-000381 |
low |
NaN |
| CCE-93246-7 |
os_screenshots_disable |
Ensure Allow screenshots and screen recording is set to Disabled |
Screenshots and screen recordings on iOS _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowScreenShot</key> <false/> ---- |
CM-7 CM-7(1) SC-07(10) |
NaN |
NaN |
NaN |
NaN |
3.2.1.1 (level 2 - Institutionally-Owned Devices) |
3.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93248-3 |
os_show_calendar_lock_screen_disable |
Ensure Calendar Notifications when the Device is Locked is set to Disabled |
Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowLockScreenTodayView</key> <false/> ---- |
AC-11(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #18 |
AIOS-16-007600 AIOS-16-707600 |
NaN |
NaN |
NaN |
NaN |
CCI-000060 |
medium |
NaN |
| CCE-93249-1 |
os_show_control_center_lock_screen_disable |
Ensure Show Control Center in Lock screen is set to Disabled |
Control Center _MUST_ be disabled in the lock screen. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowLockScreenControlCenter</key> <false/> ---- |
AC-11(1) |
NaN |
NaN |
NaN |
NaN |
2.2.1.14 (level 1 - End-User Owned Devices) 3.2.1.31 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93250-9 |
os_show_notification_center_lock_screen_disable |
Ensure Show Notification Center in Lock screen is set to Disabled |
Notification Center _MUST_ be disabled in the lock screen. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowLockScreenNotificationsView</key> <false/> ---- |
AC-11(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #18 |
AIOS-16-007500 AIOS-16-707500 |
2.2.1.15 (level 1 - End-User Owned Devices) 3.2.1.32 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
CCI-000060 |
medium |
NaN |
| CCE-93251-7 |
os_siri_when_locked_disabled |
Ensure Allow Siri while device is locked is set to Disabled |
Accessing Siri while the device is locked _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowAssistantWhileLocked</key> <false/> ---- |
AC-20 CM-7 CM-7(1) SC-7(10) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #8b |
AIOS-16-007200 |
2.2.1.2 (level 1 - End-User Owned Devices) 3.2.1.3 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-93252-5 |
os_ssl_for_exchange_activesync_enable |
Ensure SSL for Exchange ActiveSync |
Exchange email messages are a form of data in transit and thus are vulnerable to eavesdropping and man-in-the-middle attacks. Secure Sockets Layer (SSL), also referred to as Transport Layer Security (TLS), provides encryption and authentication services that mitigate the risk of breach. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.eas.account) payload type: [source,xml] ---- <key>ssl</key> <true/> ---- |
NaN |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-011300 AIOS-16-711300 |
NaN |
NaN |
NaN |
NaN |
CCI-000764 |
medium |
NaN |
| CCE-93253-3 |
os_supervised_mdm_require |
Enforce Supervised Enrollment in Mobile Device Management |
iOS/iPadOS _MUST_ be supervised by Mobile Device Management (MDM) software. |
Manual |
NaN |
NaN |
Enroll the iOS/iPadOS device in a supervised MDM. |
CM-2 CM-6 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-013200 |
NaN |
NaN |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93264-0 |
os_untrusted_tls_disable |
Ensure Allow Users to Accept Untrusted TLS Certificates is set to Disabled |
Users _MUST_ not be allowed to accept self-signed or unverified certificates. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowUntrustedTLSPrompt</key> <false/> ---- |
NaN |
NaN |
NaN |
NaN |
NaN |
2.2.1.6 (level 2 - End-User Owned Devices) 3.2.1.13 (level 2 - Institutionally-Owned Devices) |
4.1 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-93254-1 |
os_usb_accessories_when_locked_disable |
Ensure Allow USB accessories while the device is locked is set to Disabled |
USB devices _MUST_ not be allowed to connect while the device is locked. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowUSBRestrictedMode</key> <false/> ---- |
CM-8(3) MP-7 SC-7(10) SC-41 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #47 |
AIOS-16-012200 |
3.2.1.19 (level 1 - Institutionally-Owned Devices) |
1.2 |
NaN |
NaN |
CCI-000366 CCI-000097 CCI-000370 |
medium |
NaN |
| CCE-93255-8 |
os_voice_dialing_when_locked_disabled |
Ensure Allow voice dialing while device is locked is set to Disabled |
Voice dialing while the device is locked _MUST_ be disabled. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.applicationaccess) payload type: [source,xml] ---- <key>allowVoiceDialing</key> <false/> ---- |
CM-7 CM-7(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #8b |
AIOS-16-007300 |
2.2.1.1 (level 1 - End-User Owned Devices) 3.2.1.2 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
CCI-000366 |
medium |
NaN |
| CCE-93256-6 |
pwpolicy_account_lockout_enforce |
Limit Consecutive Failed Login Attempts to 6 |
The iOS _MUST_ be configured to limit the number of failed login attempts to a maximum of 6. This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>maxFailedAttempts</key> <integer>6</integer> ---- |
AC-7 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #2c FIA_AFL_EXT.1.5 |
AIOS-16-006900 AIOS-16-706900 |
2.4.6 (level 1 - End-User Owned Devices) 3.4.6 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
CCI-000044 |
medium |
NaN |
| CCE-93257-4 |
pwpolicy_force_pin_enable |
Ensure Force Pin is set to Enabled |
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. Note: MDF PP v2.0 requires a Password Authentication Factor and requires management of its length and complexity. It leaves open whether the existence of a password is subject to management. This requirement addresses the configuration to require a password, which is critical to the cybersecurity posture of the device. |
Manual |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>forcePIN</key> <true/> ---- |
SC-28 |
NaN |
NaN |
FIA_UAU_EXT.1.1 |
AIOS-16-010400 AIOS-16-710400 |
NaN |
NaN |
NaN |
NaN |
CCI-001199 |
high |
NaN |
| CCE-93258-2 |
pwpolicy_max_grace_period_enforce |
Ensure Maximum grace period for device lock is set to 0 minutes |
The iOS grace period for device lock _MUST_ be configured to 0 minutes. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>maxGracePeriod</key> <integer>0</integer> ---- |
AC-11 IA-11 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #2a |
AIOS-16-006700 AIOS-16-706700 |
2.4.5 (level 1 - End-User Owned Devices) 3.4.5 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
CCI-000057 |
medium |
NaN |
| CCE-93259-0 |
pwpolicy_max_inactivity_enforce |
Ensure Maximum Auto-Lock is set to 2 minutes or less |
The iOS _MUST_ be configured to auto-lock after 2 minutes. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>maxInactivity</key> <integer>2</integer> ---- |
AC-11 IA-11 |
NaN |
NaN |
FMT_SMF_EXT.1.1 #2b |
AIOS-16-006800 AIOS-16-706800 |
2.4.4 (level 1 - End-User Owned Devices) 3.4.4 (level 1 - Institutionally-Owned Devices) |
4.3 |
NaN |
NaN |
CCI-000057 |
medium |
NaN |
| CCE-93260-8 |
pwpolicy_minimum_length_enforce |
Require a Minimum Passcode Length of 6 Characters |
The iOS _MUST_ be configured to require a minimum of 6 characters be used when a passcode is created. This rule enforces passcode complexity by requiring users to set passcodes that are less vulnerable to malicious users. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>minLength</key> <integer>6</integer> ---- |
IA-5(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #1a |
AIOS-16-006500 AIOS-16-706500 |
2.4.3 (level 1 - End-User Owned Devices) 3.4.3 (level 1 - Institutionally-Owned Devices) |
5.2 |
NaN |
NaN |
CCI-000205 |
medium |
NaN |
| CCE-93261-6 |
pwpolicy_simple_sequence_disable |
Prohibit Repeating, Ascending, and Descending Character Sequences |
The iOS device _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a passcode is created. This rule enforces password complexity by requiring users to set passcodes that are less vulnerable to malicious users. |
Configuration Profile |
|
NaN |
Create a configuration profile containing the following keys in the (com.apple.mobiledevice.passwordpolicy) payload type: [source,xml] ---- <key>allowSimple</key> <false/> ---- |
IA-5(1) |
NaN |
NaN |
FMT_SMF_EXT.1.1 #1b |
AIOS-16-006600 AIOS-16-706600 |
2.4.1 (level 1 - End-User Owned Devices) 3.4.1 (level 1 - Institutionally-Owned Devices) |
5.2 |
NaN |
NaN |
CCI-000366 |
medium |
NaN |