Apple Vision Pro (AVP) hardware must not be modified to use the Developer Strap unless the authorizing official (AO) approves use on a case-by-case basis.

STIG ID: AVOS-26-015900 | SRG: PP-MDF-993300 | Severity: low (CAT III) | CCI: CCI-000366 | Vulnerability Id: V-282826

Vulnerability Discussion

The Apple Developer Strap provides a USB connector on the AVP and is used to download content on the AVP from a Mac. The use of the Developer Strap without authorization is considered an unauthorized modification to the DOD-owned AVP.

The Developer Strap is sold by Apple only to registered Apple developers but can also be bought online. Data cannot be downloaded from the AVP to a connected Mac, and the Developer Strap does not currently provide the connected Mac with access to an AVP enterprise network.

Only unmanaged apps can be uploaded to an AVP via the Developer Strap. Unauthorized unmanaged apps can be downloaded to the AVP from the connected Mac.

SFR ID: FMT_MOF_EXT.1.2 #47

Check

Interview the site information system security officer and AVP users.

1. Determine if the AVP Developer Strap is used at the site. If it is, verify the AO has approved its use by reviewing approval documentation.

2. Verify AVP users are trained not to use the AVP Developer Strap without AO approval (AVOS-26-011900).

If the AVP Developer Strap is used at the site without AO approval, this is a finding.

Fix

Train AVP users not to connect and use the Developer Strap unless the AO has approved its use for a specific use case (refer to AVOS-26-011900). The AO's approval must be documented and must detail the specific use cases for which use is approved.