Apple iOS/iPadOS 26 must implement the management setting: disable Camera.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-278851 | PP-MDF-993300 | AIOS-26-018100 | SV-278851r1156608_rule | 2025-12-01 | 1 |
| Description |
|---|
| There are three possible use cases regarding camera use on a DOD iPhone or iPad: 1. Disable use of the camera devicewide – both unmanaged and managed use. 2. Allow camera use – both unmanaged and managed. In this case, the requirement is Not Applicable. 3. Disable camera use for unmanaged camera apps (e.g., iPhone camera app) but allow camera use for an approved managed camera app (e.g., Microsoft OneDrive). Authorizing official (AO) approval is required before the Apple device camera can be enabled for a specific user or group of users, or for a specific managed camera app, based on a risk assessment of the operational environment. Camera use may lead to the exposure of sensitive DOD information in some operational environments. SFR ID: FMT_SMF.1.1 #47 |
| ℹ️ Check |
|---|
| This is a supervised-only control. If the iPhone or iPad being reviewed is not supervised by the MDM, this control is automatically a finding (if the AO has not approved the use of Apple device camera). If the iPhone or iPad being reviewed is supervised by the MDM, follow these procedures: There are three possible use cases regarding camera use on a DOD iPhone or iPad: 1. Disable use of the camera devicewide – both unmanaged and managed use. 2. Allow camera use – both unmanaged and managed. In this case, the requirement is Not Applicable. 3. Disable camera use for unmanaged camera apps (e.g., iPhone camera app) but allow camera use for an approved managed camera app (e.g., Microsoft OneDrive). These check procedures are performed on the device management tool. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. **Use Case #1:** In the iOS/iPadOS management tool, verify "Allow Camera" is unchecked. If the AO has not approved Apple device camera use and "Allow Camera" is listed in the management tool, this is a finding. **Use Case #3:** In the iOS/iPadOS management tool, verify "Allow Camera" is unchecked and "allowedCameraRestrictionBundleIDs" is configured with the Bundle ID of the approved managed camera app. If the AO has not approved Apple device camera use for unmanaged apps but has approved a specific managed camera app, and "Allow Camera" is listed in the management tool or "allowedCameraRestrictionBundleIDs" is not configured with the approved managed camera app, this is a finding. |
| ✔️ Fix |
|---|
| There are three possible use cases regarding camera use on a DOD iPhone or iPad: a. Disable use of the camera devicewide – both unmanaged and managed use. b. Allow camera use – both unmanaged and managed. c. Disable camera use for unmanaged camera apps (e.g., iPhone camera app) but allow camera use for an approved managed camera app (e.g., Microsoft OneDrive\*\*). Procedure 1. Determine if the site AO has approved the use of Apple device cameras or the use of device cameras only with managed apps. Look for a document showing approval for a specific user or group of users and a list of approved managed camera apps (e.g., Microsoft OneDrive). 2. If the use of the camera is not approved for both unmanaged and managed apps, configure "Allow Camera" to "Disable". 3. If camera use is approved for all users and use cases (unmanaged and managed apps), this requirement is not applicable. 4. If camera use is not approved for unmanaged camera apps (e.g., iPhone camera app) but is approved for a managed camera app (e.g., Microsoft OneDrive), configure "Allow Camera" to "Disable" and "allowedCameraRestrictionBundleIDs" with the AO-approved managed camera app ID. \*\*Refer to the DOD Mobility Unclassified Capability (DMUC) "iOS & iPadOS Microsoft OneDrive Photo and Video Capture Quick Reference Guide" for information on how to implement a managed photo and video capture and storage solution for work-related media. Configuration Profile Keys: allowCamera, allowedCameraRestrictionBundleIDs |
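
The two configuration profile keys named in the Fix text can also be checked directly in an exported profile, which helps when several profiles are in scope. The Python below is an added example, not part of the STIG or of any management tool. It assumes an unsigned `.mobileconfig` plist, that `allowedCameraRestrictionBundleIDs` is an array of strings in the Restrictions payload (`com.apple.applicationaccess`), and a placeholder bundle ID (`com.example.approvedcamera`) with constructed sample profiles.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type

def camera_findings(profile_bytes, use_case, approved_ids=()):
    """Evaluate one unsigned configuration profile; return findings ([] = none)."""
    if use_case == 2:  # camera approved for all apps: requirement Not Applicable
        return []
    if use_case not in (1, 3):
        raise ValueError("use_case must be 1, 2 or 3")
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    findings = []
    # allowCamera defaults to true when absent, so it must be explicitly false.
    if not any(p.get("allowCamera") is False for p in payloads):
        findings.append("allowCamera is not set to false")
    if use_case == 3:
        # Assumption: the key holds an array of bundle ID strings.
        ids = [i for p in payloads
               for i in p.get("allowedCameraRestrictionBundleIDs", [])]
        if not ids:
            findings.append("allowedCameraRestrictionBundleIDs is not configured")
        extra = sorted(set(ids) - set(approved_ids))
        if extra:
            findings.append("bundle IDs without AO approval: " + ", ".join(extra))
    return findings

def make_profile(**restrictions):
    """Build a constructed sample profile carrying one Restrictions payload."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payload.update(restrictions)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})

APPROVED = ["com.example.approvedcamera"]  # placeholder for the AO-approved app

if __name__ == "__main__":
    good = make_profile(allowCamera=False,
                        allowedCameraRestrictionBundleIDs=APPROVED)
    weak = make_profile(allowCamera=True)
    print("use case 3, hardened:", camera_findings(good, 3, APPROVED))
    print("use case 3, weak:    ", camera_findings(weak, 3, APPROVED))
```

A profile that omits `allowCamera` is reported the same way as one that sets it to true, and for Use Case #3 any configured bundle ID outside the AO-approved list is reported as well.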