Merge pull request #644 from root3nl/ios_26

NLMAPGOV for iOS/iPadOS 26

Author: robertgendler

baselines/nlmapgov_base.yaml

@@ -0,0 +1,24 @@
+title: "iOS/iPadOS 26.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)"
+description: |
+  This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base) security baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Jordy Witteman|Root3
+  |Aron van den Herik|Root3
+  |===
+parent_values: "nlmapgov_base"
+profile:
+  - section: "ios"
+    rules:
+      - os_background_security_improvement_install_enable
+      - os_force_date_and_time_enable
+      - os_software_update_download_enforce
+      - os_software_update_install_enforce
+      - os_supervised_mdm_require
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_force_pin_enable

baselines/nlmapgov_plus.yaml

@@ -0,0 +1,57 @@
+title: "iOS/iPadOS 26.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)"
+description: |
+  This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus) security baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Jordy Witteman|Root3
+  |Aron van den Herik|Root3
+  |===
+parent_values: "nlmapgov_plus"
+profile:
+  - section: "icloud"
+    rules:
+      - icloud_keychain_disable
+      - icloud_managed_apps_store_data_disabled
+  - section: "ios"
+    rules:
+      - os_airdrop_unmanaged_destination_enable
+      - os_allow_documents_managed_sources_unmanaged_destinations_disable
+      - os_apple_watch_wrist_detection_enable
+      - os_authentication_password_autofill_enable
+      - os_background_security_improvement_install_enable
+      - os_background_security_improvement_removal_disable
+      - os_diagnostics_reports_disable
+      - os_disallow_enterprise_app_trust
+      - os_external_intelligence_integration_sign_in_disable
+      - os_force_date_and_time_enable
+      - os_force_encrypted_backups_enable
+      - os_install_configuration_profile_disable
+      - os_install_vpn_configuration_disable
+      - os_iphone_mirroring_disable
+      - os_limit_ad_tracking_enable
+      - os_mail_maildrop_disable
+      - os_mail_move_messages_disable
+      - os_marketplace_prevent
+      - os_on_device_dictation_enforce
+      - os_on_device_translation_enforce
+      - os_personalized_advertising_disable
+      - os_require_managed_pasteboard_enforce
+      - os_safari_cookies_set
+      - os_safari_force_fraud_warning_enable
+      - os_software_update_download_enforce
+      - os_software_update_install_enforce
+      - os_ssl_for_exchange_activesync_enable
+      - os_supervised_mdm_require
+      - os_unpaired_boot_disable
+      - os_untrusted_tls_disable
+      - os_usb_accessories_when_locked_disable
+      - os_web_distribution_app_installation_disable
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_force_pin_enable
+      - pwpolicy_minimum_length_enforce
+      - pwpolicy_simple_sequence_disable

includes/mscp-data.yaml

@@ -104,7 +104,15 @@ authors:
     names:
       - Henry Stamerjohann|Declarative IT GmbH
       - Allen Golbig|Jamf
-      - Bob Gendler|National Institute of Standards and Technology       
+      - Bob Gendler|National Institute of Standards and Technology
+  nlmapgov_base:
+    names:
+      - Jordy Witteman|Root3
+      - Aron van den Herik|Root3
+  nlmapgov_plus:
+    names:
+      - Jordy Witteman|Root3
+      - Aron van den Herik|Root3       
 titles:
   all_rules: All Rules
   800-53r5_high: NIST SP 800-53 Rev 5 High Impact
@@ -118,6 +126,9 @@ titles:
   ios_stig:  Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1  
   indigo_base: BSI indigo iOS 26.x Base Configuration
   indigo_high: BSI indigo iOS 26.x High Configuration
+  nlmapgov_base: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)
+  nlmapgov_plus: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)
 ddm:
-  supported_types: []
+  supported_types:
+    - com.apple.configuration.softwareupdate.settings
   services: []  

rules/icloud/icloud_keychain_disable.yaml

@@ -32,6 +32,8 @@ references:
       - 4.1
       - 4.8
       - 15.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

rules/icloud/icloud_managed_apps_store_data_disabled.yaml

@@ -31,6 +31,8 @@ references:
       - 3.2.1.7 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 2.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -49,6 +51,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

rules/os/os_airdrop_unmanaged_destination_enable.yaml

@@ -31,6 +31,8 @@ references:
       - 3.2.1.23 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 3.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -49,6 +51,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml

@@ -30,6 +30,8 @@ references:
       - 3.2.1.21 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 3.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

rules/os/os_apple_watch_wrist_detection_enable.yaml

@@ -24,6 +24,8 @@ references:
       - 3.2.1.27 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 3.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -40,6 +42,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: low
 supervised: false
 mobileconfig: true

rules/os/os_authentication_password_autofill_enable.yaml

@@ -24,6 +24,8 @@ references:
     - 3.2.1.26 (level 1 - Institutionally-Owned Devices)
     controls v8:
     - 3.3
+  bio:
+  - 8.27
 iOS:
 - "26.0"
 tags:
@@ -38,6 +40,7 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+- nlmapgov_plus
 supervised: true
 mobileconfig: true
 mobileconfig_info:

rules/os/os_background_security_improvement_install_enable.yaml

@@ -0,0 +1,24 @@
+id: os_background_security_improvement_install_enable
+title: Enforce Background Security Improvements are Automatically Installed using DDM.
+discussion: |
+  Background Security Improments _MUST_ be configured to enforce automatic installation and that the user cannot modify the setting within Settings.
+check: " "
+fix: |
+  This is implemented by Declarative Device Management (DDM).
+references:
+  bio:
+    - 8.08
+iOS:
+  - "26.0"
+tags:
+  - ios
+  - nlmapgov_base
+  - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+  declarationtype: com.apple.configuration.softwareupdate.settings
+  ddm_key: RapidSecurityResponse
+  ddm_value:
+    Enable: true