| 2.1.2 Ensure 'Controls when the profile can be removed' is set to 'Always' | MobileIron - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 | MDM | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.2 Ensure 'Controls when the profile can be removed' is set to 'Always' | MobileIron - CIS Apple iPadOS 18 v1.0.0 L1 End User Owned | MDM | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.2.1.3 Ensure 'Allow managed apps to store data in iCloud' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 v1.1.0 End User Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 2.2.1.3 Ensure 'Allow managed apps to store data in iCloud' is set to 'Disabled' | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 End User Owned | MDM | CONFIGURATION MANAGEMENT |
| 2.2.1.8 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 End User Owned | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.8 Ensure 'Treat AirDrop as unmanaged destination' is set to 'Enabled' | AirWatch - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1 | MDM | ACCESS CONTROL |
| 2.2.1.8 Ensure 'Treat AirDrop as unmanaged destination' is set to 'Enabled' | MobileIron - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1 | MDM | ACCESS CONTROL |
| 2.2.1.11 Ensure 'Show Control Center in Lock screen' is set to 'Disabled' | AirWatch - CIS Apple iOS 12 v1.0.0 End User Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 2.2.1.12 Ensure 'Show Notification Center in Lock screen' is set to 'Disabled' | AirWatch - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1 | MDM | ACCESS CONTROL |
| 2.2.1.12 Ensure 'Show Notification Center in Lock screen' is set to 'Disabled' | MobileIron - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1 | MDM | ACCESS CONTROL |
| 2.5.1.2 Ensure Writing Tools Is Disabled | CIS Apple macOS 15.0 Sequoia v1.1.0 L1 | Unix | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.6.1 Ensure 'Allow user to move messages from this account' is set to 'Disabled' | AirWatch - CIS Apple iOS 10 v2.0.0 End User Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 3.1.1 Ensure 'Controls when the profile can be removed' is set to 'Never' | AirWatch - CIS Apple iOS 17 Institution Owned L1 | MDM | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1.1 Ensure 'Controls when the profile can be removed' is set to 'Never' | MobileIron - CIS Apple iPadOS 18 v1.0.0 L1 Institutionally Owned | MDM | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.2.1.4 Ensure 'Allow iCloud backup' is set to 'Disabled' | AirWatch - CIS Apple iOS 10 v2.0.0 Institution Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.6 Ensure 'Allow iCloud Keychain' is set to 'Disabled' | MobileIron - CIS Apple iOS 10 v2.0.0 Institution Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.7 Ensure 'Allow managed apps to store data in iCloud' is set to 'Disabled' | MobileIron - CIS Apple iPadOS 17 Institutionally Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.12 Ensure 'Allow adding VPN configurations' is set to 'Disabled' | MobileIron - CIS Apple iOS 11 v1.0.0 Institution Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.13 Ensure 'Allow modifying cellular data app settings' is set to 'Disabled' | AirWatch - CIS Apple iOS 12 v1.0.0 Institution Owned L2 | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.13 Ensure 'Allow modifying cellular data app settings' is set to 'Disabled' | MobileIron - CIS Apple iOS 12 v1.0.0 Institution Owned L2 | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.18 Ensure 'Treat AirDrop as unmanaged destination' is set to 'Enabled' | MobileIron - CIS Apple iOS 12 v1.0.0 Institution Owned L1 | MDM | |
| 3.2.1.19 Ensure 'Allow USB accessories while the device is locked' is set to 'Disabled' | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 Institutionally Owned | MDM | CONFIGURATION MANAGEMENT |
| 3.2.1.21 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | AirWatch - CIS Apple iOS 18 v1.0.0 L1 Institution Owned | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.21 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 Institutionally Owned | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.24 Ensure 'Allow setting up new nearby devices' is set to 'Disabled' | MobileIron - CIS Apple iOS 13 and iPadOS 13 Institution Owned L1 | MDM | SECURITY ASSESSMENT AND AUTHORIZATION |
| 3.2.1.26 Ensure 'Show Control Center in Lock screen' is set to 'Disabled' | MobileIron - CIS Apple iOS 13 and iPadOS 13 Institution Owned L1 | MDM | ACCESS CONTROL |
| 3.6.1 Ensure 'Allow user to move messages from this account' is set to 'Disabled' | AirWatch - CIS Apple iOS 10 v2.0.0 Institution Owned L1 | MDM | CONFIGURATION MANAGEMENT |
| 3.8.1 Ensure 'If Lost, Return to... Message' is 'Configured' | AirWatch - CIS Apple iOS 12 v1.0.0 Institution Owned L1 | MDM | |
| 3.8.1 Ensure 'If Lost, Return to... Message' is 'Configured' | MobileIron - CIS Apple iOS 12 v1.0.0 Institution Owned L1 | MDM | |
| 4.2 Ensure device is not obviously jailbroken or compromised | AirWatch - CIS Apple iOS 18 v1.0.0 L1 Institution Owned | MDM | SYSTEM AND SERVICES ACQUISITION |
| 4.2 Ensure device is not obviously jailbroken or compromised | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 End User Owned | MDM | SYSTEM AND SERVICES ACQUISITION |
| AIOS-15-012200 - Apple iOS/iPadOS 15 must implement the management setting: enable USB Restricted Mode. | AirWatch - DISA Apple iOS/iPadOS 14 v1r4 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-16-012200 - Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode. | AirWatch - DISA Apple iOS/iPadOS 16 v2r1 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| APPL-12-000012 - The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours. | DISA STIG Apple macOS 12 v1r9 | Unix | ACCESS CONTROL |
| APPL-12-000023 - The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the operating system. | DISA STIG Apple macOS 12 v1r9 | Unix | ACCESS CONTROL |
| APPL-12-000056 - The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration. | DISA STIG Apple macOS 12 v1r9 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| APPL-12-001003 - The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system. | DISA STIG Apple macOS 12 v1r9 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| APPL-12-001014 - The macOS system must be configured with audit log files group-owned by wheel. | DISA STIG Apple macOS 12 v1r9 | Unix | AUDIT AND ACCOUNTABILITY |
| APPL-12-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system. | DISA STIG Apple macOS 12 v1r9 | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| APPL-12-001030 - The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. | DISA STIG Apple macOS 12 v1r9 | Unix | AUDIT AND ACCOUNTABILITY |
| APPL-12-002003 - The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002004 - The macOS system must be configured to disable Location Services. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002005 - The macOS system must be configured to disable Bonjour multicast advertising. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002006 - The macOS system must be configured to disable the UUCP service. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002013 - The macOS system must be configured to disable the iCloud Reminders services. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002038 - The macOS system must be configured to disable the tftp service. | DISA STIG Apple macOS 12 v1r9 | Unix | IDENTIFICATION AND AUTHENTICATION |
| APPL-12-002039 - The macOS system must be configured to disable the Siri Setup services. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002063 - The macOS system must enforce access restrictions. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-002066 - The macOS system must not allow an unattended or automatic logon to the system. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
| APPL-12-003051 - The macOS system must be configured so that the su command requires smart card authentication. | DISA STIG Apple macOS 12 v1r9 | Unix | CONFIGURATION MANAGEMENT |
