800-53|CM-11b.

Title

USER-INSTALLED SOFTWARE

Description

Enforces software installation policies through [Assignment: organization-defined methods]; and

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.4.12 Configure 'Allow deployment operations in special profiles'	Windows	CIS Windows 8 L1 v1.0.0
18.7.9 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 L2
18.7.9 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2025 v1.0.0 L2 DC
18.7.9 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2025 v1.0.0 L2 MS
18.7.9 (L2) Ensure 'Configure Windows protected print' is set to 'Enabled'	Windows	CIS Microsoft Windows 11 Enterprise v4.0.0 L2 BitLocker
AIOS-02-080011 - Apple iOS must not include applications with the following characteristics: Siri when the device is locked.	MDM	AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080011 - Apple iOS must not include applications with the following characteristics: Siri when the device is locked.	MDM	MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080012 - Apple iOS must not include applications with the following: Voice dialing application if available when MD is locked.	MDM	AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080012 - Apple iOS must not include applications with the following: Voice dialing application if available when MD is locked.	MDM	MobileIron - DISA Apple iOS 10 v1r3
AIOS-12-001900 - Apple iOS must not display notifications (calendar information) when the device is locked.	MDM	MobileIron - DISA Apple iOS 12 v2r1
AIOS-12-001900 - Apple iOS must not display notifications (calendar information) when the device is locked.	MDM	AirWatch - DISA Apple iOS 12 v2r1
AIOS-12-004000 - Apple iOS must not allow backup of managed app data to locally connected systems.	MDM	MobileIron - DISA Apple iOS 12 v2r1
AIOS-12-004000 - Apple iOS must not allow backup of managed app data to locally connected systems.	MDM	AirWatch - DISA Apple iOS 12 v2r1
AIOS-12-004100 - Apple iOS must not allow backup to remote systems (iCloud).	MDM	AirWatch - DISA Apple iOS 12 v2r1
AIOS-12-004100 - Apple iOS must not allow backup to remote systems (iCloud).	MDM	MobileIron - DISA Apple iOS 12 v2r1
AIOS-12-004200 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization).	MDM	AirWatch - DISA Apple iOS 12 v2r1
AIOS-12-004200 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization).	MDM	MobileIron - DISA Apple iOS 12 v2r1
AIOS-13-001900 - Apple iOS/iPadOS must not display notifications (calendar information) when the device is locked.	MDM	AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-001900 - Apple iOS/iPadOS must not display notifications (calendar information) when the device is locked.	MDM	MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-004000 - Apple iOS/iPadOS must not allow backup of managed app data to locally connected systems.	MDM	AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-004000 - Apple iOS/iPadOS must not allow backup of managed app data to locally connected systems.	MDM	MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-004100 - Apple iOS/iPadOS must not allow backup to remote systems (iCloud).	MDM	AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-004100 - Apple iOS/iPadOS must not allow backup to remote systems (iCloud).	MDM	MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-004200 - Apple iOS/iPadOS must not allow backup to remote systems (iCloud document and data synchronization).	MDM	MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-004200 - Apple iOS/iPadOS must not allow backup to remote systems (iCloud document and data synchronization).	MDM	AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-14-001100 - The mobile operating system whitelist must be configured to not include applications with the following characteristics: voice dialing application if available when MD is locked.	MDM	AirWatch - DISA Apple iOS/iPadOS 14 v1r3
AIOS-14-001100 - The mobile operating system whitelist must be configured to not include applications with the following characteristics: voice dialing application if available when MD is locked.	MDM	MobileIron - DISA Apple iOS/iPadOS 14 v1r3
GOOG-11-001100 - Google Android 11 allow list must be configured to not include applications with the following characteristics:	MDM	AirWatch - DISA Google Android 11 COPE v2r1
GOOG-11-001100 - Google Android 11 allow list must be configured to not include applications with the following characteristics:	MDM	AirWatch - DISA Google Android 11 COBO v2r1
GOOG-11-001100 - Google Android 11 allow list must be configured to not include applications with the following characteristics:	MDM	MobileIron - DISA Google Android 11 COBO v2r1
GOOG-11-001100 - Google Android 11 allow list must be configured to not include applications with the following characteristics:	MDM	MobileIron - DISA Google Android 11 COPE v2r1
HONW-09-001100 - The Honeywell Mobility Edge Android Pie device whitelist must be configured to not include applications with the following characteristics:	MDM	AirWatch - DISA Honeywell Android 9.x COBO v1r2
HONW-09-001100 - The Honeywell Mobility Edge Android Pie device whitelist must be configured to not include applications with the following characteristics:	MDM	MobileIron - DISA Honeywell Android 9.x COBO v1r2
HONW-09-001100 - The Honeywell Mobility Edge Android Pie device whitelist must be configured to not include applications with the following characteristics:	MDM	AirWatch - DISA Honeywell Android 9.x COPE v1r2
HONW-09-001100 - The Honeywell Mobility Edge Android Pie device whitelist must be configured to not include applications with the following characteristics:	MDM	MobileIron - DISA Honeywell Android 9.x COPE v1r2
KNOX-07-001100 - The Samsung Android 7 with Knox must be configured to enforce an application installation policy. Disable Google Play.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001100 - The Samsung Android 7 with Knox must be configured to enforce an application installation policy. Disable Google Play.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001200 - The Samsung Android 7 with Knox must be configured to enforce an application installation policy. Disable unknown sources.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001200 - The Samsung Android 7 with Knox must be configured to enforce an application installation policy. Disable unknown sources.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001400 - The Samsung Android 7 with Knox must be configured to enforce an application installation policy.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001400 - The Samsung Android 7 with Knox must be configured to enforce an application installation policy.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001700 - The Samsung whitelist must be configured to not include applications that Transmit MD diagnostic data to non-DoD servers.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001700 - The Samsung whitelist must be configured to not include applications that Transmit MD diagnostic data to non-DoD servers.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001800 - The Samsung whitelist must be configured to not include applications with Voice assistant available when MD is locked.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001800 - The Samsung whitelist must be configured to not include applications with Voice assistant available when MD is locked.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001900 - The Samsung whitelist must be configured to not include applications with Voice dialing application when MD is locked.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-001900 - The Samsung whitelist must be configured to not include applications with Voice dialing application when MD is locked.	MDM	MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1
KNOX-07-002000 - The Samsung whitelist must be configured to not include applications that Allows synchronization of data.	MDM	AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1

Detections

Analytics

800-53|CM-11b.

Title

Description

Reference Item Details

Audit Items