Apple iOS/iPadOS 18 must disable app installation from a website.

STIG ID: AIOS-18-015000  |  SRG: PP-MDF-993300 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-268066

Vulnerability Discussion

Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DOD data accessible by these unauthorized/malicious applications.

SFRID: FMT_MOF_EXT.1.2 #47

Check

This check procedure is performed on both the device management tool and the iPhone and iPad.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS management tool, verify "Allow app installation from website" is unchecked.

On the iPhone and iPad device:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the iOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Web app distribution not allowed" is not listed.

If "Allow app installation from website" is not disabled in the management tool, this is a finding.

Fix

Install a configuration profile to disable app installation from a website.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.