applications that incur personal cost.
8. Unmanaged apps are prohibited from accessing, transmitting, storing, or processing
non-public DoD information, including CUI, in accordance with DoD Instruction 5200.48.
9. Unmanaged applications shall be permitted only on mobile devices capable of
segregating unmanaged and managed applications and data contained therein. AMDs that
do not support this capability are NOT authorized to access, transmit, store, or process
non-public DoD information.
10. Unmanaged 'messaging apps,' including any app with a chat feature, regardless of the
primary function, are NOT authorized to access, transmit, or process non-public DoD
information. This includes but is not limited to messaging, gaming, and social media
apps (e.g., iMessage, WhatsApp, Signal). An Exception to Policy (E2P) request must be
submitted by the appropriate Component for use of an unmanaged messaging app that is
critical to fulfilling mission operations at https://rmfks.osd.mil/dode2p.
11. Mobility Service Providers have the option to use whitelisting for authorized unmanaged
apps (e.g., only allowing an explicitly defined set of apps to be used on a mobile device)
or restricting installation for prohibited unmanaged apps (e.g., prohibiting the execution
of explicitly defined applications).
12. Each Component is responsible for establishing and communicating its policy regarding
acceptable use of unmanaged apps in accordance with the restrictions in this
memorandum.
13. On government owned mobile devices, DoD Mobility Service Providers must prohibit
the installation and use of apps from app stores that are not native to the operating system
(i.e., 3rd party app stores) or controlled by the Government.
14. Mobility Service Providers must adhere to all DoD orders and US Government Directives
that direct actions restricting the use of specific apps on government owned mobile
devices and AMDs, and where possible, prohibit internet traffic and access to prohibited
sites that pose a risk to non-public DoD information.
15. In conjunction with their Mobility Service Provider, Components are responsible for
ensuring appropriate user agreements are signed. Components will monitor user
compliance with policy and user agreements, and appropriately enforce compliance.
16. The DoD CIO will establish a process to develop and maintain a list of unauthorized apps
that are prohibited for installation and/or use on government owned mobile devices. DoD
Mobility Service Providers must establish a process to prohibit the installation and/or use
of prohibited apps, and/or enforce an action to restrict a device not compliant with DoD
policy from accessing non-public DoD information.
17. Within one year of the date of signature of this memorandum, all Mobility Service
Providers must implement an enterprise mobile security solution for all mobile devices,
herein referred to as Mobile Threat Defense (MTD), that has the following requirements