Information
iOS/iPadOS 17 and later allow the previous passcode to remain valid for 72 hours after a passcode change. If that previous passcode has been compromised and the attacker also has the Apple device, enterprise data and the enterprise network can be compromised. There is currently no MDM control that forces the old passcode to expire immediately on change; however, when an MDM passcode history control is implemented, the previous passcode does expire immediately after the passcode is changed.
SFR ID: FMT_SMF.1.1 #47
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Install a configuration profile to enforce a passcode reuse prohibition of at least two generations (passcode history).
Configuration Profile Key: pinHistory
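Because Nessus does not perform this check, the following added example (not part of the STIG or the Nessus audit) shows how to verify the setting yourself: it parses an unsigned .mobileconfig plist, locates the com.apple.mobiledevice.passwordpolicy payload, and reports whether pinHistory is present and at least 2. The profile payloads it builds are constructed sample data with hypothetical PayloadIdentifier values; a signed profile would first need its CMS wrapper removed before plistlib can read it.

```python
"""Check an iOS/iPadOS configuration profile (.mobileconfig) for a passcode
history setting that satisfies this requirement (pinHistory >= 2).

Added example; not part of the STIG or the Nessus audit. The profile payloads
built here are constructed sample data, not exported from a real MDM."""
import plistlib

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
REQUIRED_MIN_HISTORY = 2


def build_profile(pin_history=None):
    """Constructed sample .mobileconfig with a single passcode payload.
    pin_history=None omits the key, which is the non-compliant case."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",  # hypothetical identifier
        "PayloadUUID": "7E6C9A2B-0000-4000-8000-000000000001",  # constructed
        "PayloadDisplayName": "Passcode",
        "forcePIN": True,
    }
    if pin_history is not None:
        payload["pinHistory"] = pin_history
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",  # hypothetical identifier
        "PayloadUUID": "7E6C9A2B-0000-4000-8000-000000000002",  # constructed
        "PayloadDisplayName": "Example passcode profile",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def passcode_history(profile_bytes):
    """Return the pinHistory value from the first passcode payload, or None
    if the profile has no passcode payload or the key is absent."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            value = payload.get("pinHistory")
            return int(value) if value is not None else None
    return None


def check_profile(profile_bytes, minimum=REQUIRED_MIN_HISTORY):
    """True when the profile enforces a passcode history of at least `minimum`
    generations. A missing key is a finding: without it no history is kept."""
    history = passcode_history(profile_bytes)
    return history is not None and history >= minimum


if __name__ == "__main__":
    samples = (
        ("pinHistory = 2", build_profile(pin_history=2)),
        ("no pinHistory key", build_profile()),
        ("pinHistory = 1", build_profile(pin_history=1)),
    )
    for label, profile in samples:
        print(f"{label}: {'PASS' if check_profile(profile) else 'FAIL'}")
```

Run against a profile exported from the MDM (or pulled from a device) with `check_profile(open(path, "rb").read())`; only the first case above passes, since an absent key or a history of one generation does not meet the two-generation minimum in the Solution.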