View STIG - AirWatch MDM STIG V1R3

c

The AirWatch MDM Server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.

AC-5 - High - CCI-000037 - V-47299 - SV-60171r1_rule

RMF Control

AC-5

Severity

High

CCI

CCI-000037

Version

ARWA-01-000005

Vuln IDs

V-47299

Rule IDs

SV-60171r1_rule

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Checks: C-50065r2_chk

Review the AirWatch MDM Server configuration to ensure there are accounts associated with the following roles: - AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs. If this separation of duties is not present, this is a finding. Ensure custom AirWatch roles: (1) click "Menu" from the console tool bar, (2) click "Administrators" under "Accounts" heading, (3) click "Roles" on left-hand tool bar, and (4) click on applicable role to check. Note: only Roles created due to organizational necessity will be created by the Administrator and can be checked in this fashion; not all Roles may be used at every organizational site.

Fix: F-51005r1_fix

Create and configure accounts to be aligned with the following roles: - AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs. Create custom AirWatch roles by clicking (1) "Menu" from the console tool bar, (2) selecting "Administrators" from under the "Accounts" heading from the drop-down menu, (3) click "Roles" on left-hand tool bar, and (4) click "Add Role" from the Roles page. (5) Fill out applicable Roles information, and (6) click "Save". (7) Click "Admin Accounts" on left-hand tool bar, and from "Administrators" screen, (8) click "Add User". (9) Fill out applicable user information, (10) click Roles tab, and (11) assign previously created customer role to this account. (12) Click "Save".

a

If the AirWatch MDM Server includes a mobile email management capability, the email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.

AC-19 - Low - CCI-000086 - V-47301 - SV-60173r1_rule

RMF Control

AC-19

Severity

Low

CCI

CCI-000086

Version

ARWA-03-000020

Vuln IDs

V-47301

Rule IDs

SV-60173r1_rule

HTML embedded in an email has the potential to host malicious code that may allow an attacker access to the user's end device and possibly the network to which it is attached. Requiring that all emails are viewed in plain text protects against malicious code that could be embedded in the HTML content of an email.

Checks: C-50067r2_chk

Ensure the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Talk to the site system administrator and have them confirm this capability exists in the AirWatch MDM Server. Also, review the AirWatch MDM Server configuration. If the mobile email client does not either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device, this is a finding. Samsung Knox MOS: To verify that HTML mail is deactivated from the administration console: (1) Click "Menu" on top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) locate and click on applicable email profile. Ensure settings under "Exchange Active Sync" section meet this requirement.

Fix: F-51007r1_fix

Configure the AirWatch MDM Server to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. To establish Exchange Active Sync Profile denying HTML mail from the administration console: (1) Click "Menu" on top tool bar, and (2) click "Profiles" under "Profiles and Policies" heading. From the "Select a platform to start" page, (3) choose the operating system in which to create new profile. After selecting an Operating System, (4) fill out applicable information in "General" tab, and (5) click "Exchange ActiveSync" on the left-hand column. (6) Click "Configure", (7) fill in appropriate Exchange Server information, (8) and uncheck box labeled "Enable HTML Mail". (9) Click "Save and Assign".

b

The AirWatch MDM Server must support the transfer of audit logs to remote log or management servers.

AU-3 - Medium - CCI-000136 - V-47303 - SV-60175r1_rule

RMF Control

AU-3

Severity

Medium

CCI

CCI-000136

Version

ARWA-01-000027

Vuln IDs

V-47303

Rule IDs

SV-60175r1_rule

AirWatch MDM Server auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents. An important aspect of security is maintaining awareness of what users have tried to do with their devices and what activities and actions MDM administrators have made.

Checks: C-50069r2_chk

Ensure the audit logs can be transferred from the AirWatch MDM Server to a storage location other than the AirWatch MDM Server itself. The systems administrator of the device may demonstrate this capability using an audit management application or other means. Audit records will be logged on the device for various actions, especially those related to sensitive or potentially suspicious activities. The specific events to log and the information recorded for each will be a function of policy. If audit logs cannot be transferred on request or on a periodic schedule, this is a finding. To ensure the exporting of information to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and verify proper configuration information. (6) Check report output on external system to verify functionality.

Fix: F-51009r1_fix

Configure the AirWatch MDM Server to support the transfer of audit logs to remote log or management servers. To export auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server. (7) Click "Save" and then (8) click "Test Connection" button to verify connection to external auditing server.

a

The AirWatch MDM Server must utilize the integration of audit review, analysis, and reporting processes by an organizations central audit management system to support organizational processes for investigation and response to suspicious activities.

AU-6 - Low - CCI-000152 - V-47307 - SV-60179r1_rule

RMF Control

AU-6

Severity

Low

CCI

CCI-000152

Version

ARWA-03-000037

Vuln IDs

V-47307

Rule IDs

SV-60179r1_rule

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate collection of data for troubleshooting, forensics, etc. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective.

Checks: C-50073r2_chk

Review the configuration settings to ensure the AirWatch MDM Server audit system supports the integration of audit review, analysis, and reporting processes by an organization's central audit management system to support organizational processes for investigation and response to suspicious activities. Review AirWatch MDM Server documentation and have the system administrator demonstrate the capability on the AirWatch MDM Server to transfer audit logs to a central audit system. If audit log information is not being transferred to a central audit management system, this is a finding. To ensure the exporting of information to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix: F-51013r1_fix

Configure the AirWatch MDM Server to provide audit log information to a central audit management system. To export auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".

b

The AirWatch MDM Server must centralize the review and analysis of audit records from multiple components within the server.

AU-6 - Medium - CCI-000154 - V-47309 - SV-60181r1_rule

RMF Control

AU-6

Severity

Medium

CCI

CCI-000154

Version

ARWA-02-000038

Vuln IDs

V-47309

Rule IDs

SV-60181r1_rule

Due to the numerous functions an AirWatch MDM Server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically and tailor the views of the data to only those events of interest based upon selectable criteria. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed manually. Reducing the auditing capability to only those events that are significant aids in supporting near real-time audit review and analysis requirements and after-the-fact investigations of security incidents.

Checks: C-50075r2_chk

Review the configuration settings to ensure the AirWatch MDM Server audit system centralizes the review and analysis of audit records from multiple components within the server. If the AirWatch MDM Server cannot support the capability to centralize the review and analysis of audit records from multiple components within the server, this is a finding. To ensure the exporting of specific information collected by the AirWatch application to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix: F-51015r1_fix

Configure the AirWatch MDM Server to centralize the review and analysis of audit records from multiple components within the server. To export specific auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".

a

The AirWatch MDM Server must automatically process audit records for events of interest based upon selectable, event criteria.

AU-7 - Low - CCI-000158 - V-47313 - SV-60185r1_rule

RMF Control

AU-7

Severity

Low

CCI

CCI-000158

Version

ARWA-03-000041

Vuln IDs

V-47313

Rule IDs

SV-60185r1_rule

Due to the numerous functions an AirWatch MDM Server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically and tailor the views of the data to only those events of interest based upon selectable criteria. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed manually.

Checks: C-50079r2_chk

Review the configuration settings to ensure the AirWatch MDM Server audit feature automatically processes audit records for events of interest based upon selectable, event criteria. Review AirWatch MDM Server documentation and audit configuration. If the AirWatch MDM Server does not automatically process audit records for events of interest based upon selectable, event criteria, this is a finding. To verify this information is being recorded in the AirWatch system, access the Events page: from the administration console, click the (1) "Menu" button on top tool bar, and (2) click "Events" under "Reports and Analytics" heading. (3) From the "Events" menu, choose "Device Events" or "Console Events" as applicable, and (4) verify Events are being recorded by the AirWatch system. To verify the exporting of specific information collected by the AirWatch application to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix: F-51019r2_fix

Configure the AirWatch MDM Server to automatically process audit records for events of interest based upon selectable, event criteria audit records to be used by a report generation capability. To access an event log: (1) from the administration console, click the "Menu" button on top tool bar, and (2) click "Events" under "Reports and Analytics" heading. From the "Events" menu, (3) click the "Device Events" or "Console Events" button. (4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and define parameters, or use the search box located to the right of the drop-down filters to search the event logs. To export specific auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".

b

The AirWatch MDM Server must be capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found.

CM-6 - Medium - CCI-000366 - V-47317 - SV-60189r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ARWA-01-000082

Vuln IDs

V-47317

Rule IDs

SV-60189r1_rule

Approved versions of devices have gone though all required phases of testing, approval, etc., and are able to support required security features. Using non-approved versions of mobile device hardware could compromise the security baseline of the mobile system, since some required security features may not be supported.

Checks: C-50083r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server is able to be configured to scan the version of the mobile device hardware and alert if unsupported versions are found. If the AirWatch MDM Server cannot be configured to scan the hardware version of managed mobile devices and alert if unsupported versions are found, this is a finding. To verify Hardware Version compliance policy is set to notify Administrators of infractions: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, (3) click on applicable compliance policy, and (4) validate that "Model" is listed in first drop-down menu, (5) "Is" or "Is Not" as applicable is listed in second drop-down menu, and (6) proper Hardware Version to specify is listed in third drop-down menu. (7) Click "Next". (8) Ensure "Notify" is listed in first drop-down menu, (9) that "Send Email to Administrator" is listed in second drop-down menu, and (10) email(s) of applicable administrators is (are) entered in box labeled "To:". (11) Click "Next". (12) Ensure appropriate information for Assignment of policy to particular platforms, groups, and/or users.

Fix: F-51023r2_fix

Use only AirWatch MDM Servers that are capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found. To define Hardware Version compliance policy to notify Administrators of infractions: (1) click "Add" from the console top toolbar, and (2) click "Compliance Policy" from the drop-down menu. From the Compliance Policy window, (3) choose "Model" in first drop-down menu, (4) "Is" or "Is Not" as applicable in second drop-down menu and (5) select Hardware Version to specify in third drop-down menu. (6) Click "Next". (7) Select "Notify" in first drop-down menu, (8) select "Send Email to Administrator" in second drop-down menu, and (9) enter email(s) of applicable administrators in box labeled "To:". (10) Click "Next". (11) Select appropriate information for Assignment of policy to particular platforms, groups, and/or users, and (12) click "Next". (13) Click "Finish and Activate".

b

The AirWatch MDM Server must configure the mobile device to prohibit the mobile device user from installing unapproved applications.

CM-6 - Medium - CCI-000370 - V-47319 - SV-60191r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000181

Vuln IDs

V-47319

Rule IDs

SV-60191r1_rule

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Checks: C-50085r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding. Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Mobile Application Management Guide", page 35, "Enforcing Application Security and Compliance", and applicable items within this STIG. Apple iOS MOS: To verify Application blacklists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and (3) on left-hand tool bar click on "Application Groups". (4) Click on applicable group, and verify that correct information is set.

Fix: F-51025r2_fix

Configure the AirWatch MDM Server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications. To set Application Blacklists in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups". (4) Click "Add Group", and under drop-down box labeled "Type" choose "Blacklist". (5) Choose Android or iOS platform, and (6) add applicable applications. (7) Click "Next" to review summary and (8) click "Finish".

b

The AirWatch MDM Server must configure the mobile device to prohibit the mobile device user from installing unapproved applications.

CM-6 - Medium - CCI-000370 - V-47321 - SV-60193r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000182

Vuln IDs

V-47321

Rule IDs

SV-60193r1_rule

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Checks: C-50087r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding. Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Samsung Management Guide" page 8 "Securing Samsung Devices" and page 17 "Configuring Samsung Devices", and applicable items within this STIG. Samsung Knox MOS: To verify Blacklist on specific Android device profile: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable Profile, and (4) on left-hand toolbar select "Application Control". (5) Ensure box "Prevent Installation of Blacklisted Apps" is checked. To verify access to public store on Samsung SAFE devices is blocked: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable profile, and (4) choose "Restrictions" in left-hand toolbar. (5) Under Application section ensure boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation" are unchecked.

Fix: F-51027r2_fix

Configure the AirWatch MDM Server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications. To add Blacklist to specific Android device Profile: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and (6) on left-hand toolbar select "Application Control". (7) Click "Configure", (8) check box "Prevent Installation of Blacklisted Apps", and (9) click "Save and Publish". To block access to public store on Samsung SAFE devices: 1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and (6) choose "Restrictions" in left-hand toolbar. (7) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".

b

The AirWatch MDM Server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server).

CM-6 - Medium - CCI-000370 - V-47325 - SV-60197r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000184

Vuln IDs

V-47325

Rule IDs

SV-60197r1_rule

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks: C-50091r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). If this function is not present, this is a finding. Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in applicable items within this STIG and the document: "AirWatch Mobile Application Management Guide", page 35, "Enforcing Application Security and Compliance", describing Application blacklisting/whitelisting and deployment control. To verify applications assigned to mobile devices: (1) In administration console click on "Menu" in top tool bar, and (2) click on "Applications" under "Catalog" heading. (3) Using tabs on top toolbar Administrator can choose "Internal", "Public", or "Purchased" applications, and verify applications assigned to devices.

Fix: F-51031r2_fix

Configure the AirWatch MDM Server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source. For Administration console: (1) In administration console click on "Menu" in top tool bar, and (2) click on "Applications" under "Catalog" heading. (3) Using tabs on top toolbar Administrator can choose "Internal", "Public", or "Purchased" applications, (4) load or search for application and, (5) assign to devices.

b

The AirWatch MDM Server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server).

CM-6 - Medium - CCI-000370 - V-47327 - SV-60199r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000185

Vuln IDs

V-47327

Rule IDs

SV-60199r1_rule

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks: C-50093r3_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). If this function is not present, this is a finding. Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Samsung Management Guide" page 8 "Securing Samsung Devices" and page 17 "Configuring Samsung Devices", and applicable items within this STIG. Samsung Knox MOS: To verify installation of public applications on Samsung Knox devices is blocked: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable Profile, and (4) choose "Restrictions" in left-hand toolbar. (5) Under Application section ensure boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation" are unchecked.

Fix: F-51033r2_fix

Configure the AirWatch MDM Server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source. For Samsung Knox devices: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give Profile name and insert applicable information under General tab, and (6) choose "Restrictions" in left-hand toolbar. (7) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".

b

The AirWatch MDM Server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server).

CM-6 - Medium - CCI-000370 - V-47329 - SV-60201r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000186

Vuln IDs

V-47329

Rule IDs

SV-60201r1_rule

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks: C-50095r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). If this function is not present, this is a finding. Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in "AirWatch iOS Management Guide" page 14 "Securing iOS Devices" and page 30 "Configuring iOS Devices" and applicable items within this STIG. Apple iOS MOS: To verify installation of public applications on iOS devices is blocked: from the console ensure that "Device" is selected from left hand tool bar (default screen upon logon), (1) click "Profiles", (2) click "List View", (3) click on applicable profile, and (4) choose "Restrictions" in left-hand toolbar (5) Under Device Functionality section, ensure box labeled "Allow installing public apps" is unchecked.

Fix: F-51035r2_fix

Configure the AirWatch MDM Server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source. For iOS devices: (1) click "Add" from the top tool bar, and (2) select "Profile" from the drop-down menu., and (3) select Apple iOS. (4) Give profile name under General tab, and (5) choose "Restrictions" in left-hand toolbar. (6) Under Device Functionality section, uncheck the box labeled "Allow installing public apps".

b

The AirWatch MDM Server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

CM-6 - Medium - CCI-000370 - V-47331 - SV-60203r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000187

Vuln IDs

V-47331

Rule IDs

SV-60203r1_rule

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the AirWatch MDM Server. In these cases, the ability for users to remove the application is needed as to ensure proper secure operations of the device.

Checks: C-50097r2_chk

Review the AirWatch MDM Server configuration to ensure there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding. To verify Required Application Lists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, on left-hand tool bar (3) click on "Application Groups", and (4) click on applicable "Required Applications" group, to verify that correct information is set.

Fix: F-51037r1_fix

Configure the AirWatch MDM Server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. To create Required Applications Groups in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups", (4) click "Add Group", and under drop-down box labeled "Type" (5) choose "Blacklist". (6) Choose Android or iOS platform, and (7) add applicable applications. (8) Click "Next" to review summary and (9) click "Finish".

b

The AirWatch MDM Server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

CM-6 - Medium - CCI-000370 - V-47333 - SV-60205r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000370

Version

ARWA-02-000188

Vuln IDs

V-47333

Rule IDs

SV-60205r1_rule

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the AirWatch MDM Server. In these cases, the ability for users to remove the application is needed as to ensure proper secure operations of the device.

Checks: C-50099r2_chk

Review the AirWatch MDM Server configuration to ensure there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding. To verify Required Applications list on specific Android device Profile: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable Profile, and on left-hand toolbar (4) select "Application Control". (5) Ensure box "Prevent Removal of Required Apps" is checked. Samsung Knox MOS: To verify access to public store on Samsung SAFE devices is blocked: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable profile, and (4) choose "Restrictions" in left-hand toolbar. (5) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".

Fix: F-51039r3_fix

Configure the AirWatch MDM Server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. To add blacklist to specific Android device Profile: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and on left-hand toolbar (5) select "Application Control". (6) Click "Configure", (7) check box "Prevent Installation of Blacklisted Apps", and (8) click "Save and Publish". To block access to public store on Samsung SAFE devices: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and (6) choose "Restrictions" in left-hand toolbar. (7) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".

c

The AirWatch MDM Server must be able to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices.

CM-6 - High - CCI-000372 - V-47335 - SV-60207r1_rule

RMF Control

CM-6

Severity

High

CCI

CCI-000372

Version

ARWA-01-000150

Vuln IDs

V-47335

Rule IDs

SV-60207r1_rule

If the security policy has been modified in an unauthorized manner, IA is severely degraded and a variety of further attacks are possible. Detecting whether the security policy has been modified or disabled mitigates these risks.

Checks: C-50101r3_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. If this function is not present, this is a finding. To verify policies for the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy. On Rules tab, verify the correct rule set for the applicable policy to be applied. (4) On Actions tab, verify the correct Action type to take Actionable Result is set. (5) On Assignment tab, verify correct device types, users, or groups are assigned. (Note: for "jailbroken" or "rooted device" detection, verify "Compromised Status" and "Is Compromised" is selected on Rules tab.

Fix: F-51041r3_fix

Configure the AirWatch MDM Server to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab select the following: (1a) To Match "All" or "Any" of the entered Rules, (2a) Choose deviation to detect on devices, and (3a) click "Next". (3) On Actions tab, select the following: (a) Choose Action type to take (command), and (b) Actionable Result, and (c) click Next. (4) On Assignment tab select device types, users, or groups to assign Policy to, and (5) click "Next". (6) View Summary for accuracy, and (7) click Save and Assign. (Note: for "jailbroken" or "rooted device" detection, select "Compromised Status" and "Is Compromised" on Rules tab.

b

The AirWatch MDM Server must employ automated mechanisms to respond to unauthorized changes to the security policy or AirWatch MDM Server agent on managed mobile devices.

CM-6 - Medium - CCI-000374 - V-47337 - SV-60209r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000374

Version

ARWA-02-000190

Vuln IDs

V-47337

Rule IDs

SV-60209r1_rule

Uncoordinated or incorrect configuration changes to the AirWatch MDM Server managed components can potentially lead to compromises. Without automated mechanisms to respond to changes, changes can go unnoticed for a significant amount of time which could result in compromise.

Checks: C-50103r3_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can employ automated mechanisms to respond to unauthorized changes to the security policy or AirWatch MDM Server agent on managed mobile devices. If this function is not present, this is a finding. To verify policies for the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy. On Rules tab, verify the correct rule set for the applicable policy to be applied. (4) On Actions tab, verify the correct Action type to take Actionable Result is set. (5) On Assignment verify correct device types, users, or groups are assigned. (Note: for "jailbroken" or "rooted device" detection, verify "Compromised Status" and "Is Compromised" is selected on Rules tab.

Fix: F-51043r3_fix

Configure the AirWatch MDM Server to automatically respond to unauthorized changes to the security policy or AirWatch MDM Server agent on managed mobile devices. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab select the following: (1a) to Match "All" or "Any" of the entered Rules, (2a) choose deviation to detect on devices, and (3a) click "Next". (3) On Actions tab, select the following: (a) choose Action type to take (command), and (b) Actionable Result, and (c) click "Next". (4) On Assignment tab select device types, users, or groups to assign Policy to, and (5) click "Next". (6) View Summary for accuracy, and (7) click "Save and Assign". (Note: for "jailbroken" or "rooted device" detection, select "Compromised Status" and "Is Compromised" on Rules tab.

b

The AirWatch MDM Server must uniquely identify mobile devices managed by the server prior to connecting to the device.

IA-3 - Medium - CCI-000778 - V-47339 - SV-60211r1_rule

RMF Control

IA-3

Severity

Medium

CCI

CCI-000778

Version

ARWA-02-000195

Vuln IDs

V-47339

Rule IDs

SV-60211r1_rule

When managed mobile devices connect to the AirWatch MDM Server, the security policy and possible sensitive DoD data will be pushed to the device. In addition, the device may be provided access to application and web servers on the DoD network. Therefore, strong authentication of the user on the device is required to ensure sensitive DoD data is not exposed and unauthorized access to the DoD network is not granted, exposing the network to malware and attack.

Checks: C-50105r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can uniquely identify mobile devices managed by the server prior to connecting to the device. If this function is not present, this is a finding. The AirWatch system meets this requirement both by inherent certificate technology, and also user authentication via integration with a STIG compliant Active Directory system upon device "Enrollment" (initial entry into DoD MDM system which initiates provisioning and access): AirWatch, upon native installation, activates a "Secure Channel" and generates root X.509 certificate to identify itself to devices and issue public keys to those devices for authentication. To verify that Secure Channel is active: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Advanced", and (5) click "Secure Channel Certificate". (6) Ensure Secure Channel is enabled for applicable platforms and certificate is uploaded. User utilizes User ID/Password combination via Active Directory to connect device to AirWatch system: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Enterprise Integration", and (5) click "Directory Services". (6) On "Server" tab, verify URL for Active Directory server, applicable encryption method and port, authentication type, and service account details (service account for AirWatch must be created with Read permissions to Active Directory). On "User" and "Group" tabs (6) verify applicable Domain and Base Domain Names are entered. To verify specific Active Directory User Accounts: (1) click "Menu" on top tool bar, (2) click "Users" under "Accounts" heading, (4) click applicable user, and check the account is set for "Directory" authentication. To verify device Enrollment (connection to AirWatch MDM Server from device) via Active Directory authentication is configured: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Devices and Users" on left-hand tool bar, (4) click "General", and (5) click "Enrollment". (6) Under Authentication tab, ensure box labeled "Directory" in Authentication Modes section is checked.

Fix: F-51045r2_fix

Configure the AirWatch MDM Server to authenticate through the Enterprise Authentication Mechanism. To install AirWatch Secure Channel, please refer to the "Directory Services Guide" page 4 for information on integrating Active Directory servers with the AirWatch system, and page 8 for information on creating AirWatch users utilizing Active Directory sync for installation instructions on host server and network. Typically installed during initial AirWatch installation. To enforce User ID/Password combination via Active Directory to connect device to AirWatch system: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Enterprise Integration", and (4) click "Directory Services". (5) On "Server" tab, enter URL for Active Directory server, applicable encryption method and port, authentication type, and service account details (service account for AirWatch must be created with Read permissions to Active Directory; see "Enrollment Overview Guide" page 7 for "Enabling Directory Service-Based Enrollment" and "Agent Security" page 2 for certificate authentication information for further information). On "User" and "Group" tabs (6) select applicable Domain and Base Domain Names. (7) Click "Save". To create Active Directory User Account: (1) click "Menu" on top tool bar, (2) click "Users" under "Accounts" heading, and (3) click "Add". (4) Select "Directory" as authentication type, and (5) enter user name, then, (6) click "Search User". (7) Click "Save" to add user account. To enable device Enrollment (connection to AirWatch MDM Server from device) via Active Directory authentication: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Devices and Users" on left-hand tool bar, (4) click "General", and (5) click "Enrollment". (6) Under Authentication tab, check box labeled "Directory" in Authentication Modes section. (7) Click "Save".

b

The AirWatch MDM Server device integrity validation component must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials in accordance with the organization-defined frequency.

RA-5 - Medium - CCI-001069 - V-47341 - SV-60213r1_rule

RMF Control

RA-5

Severity

Medium

CCI

CCI-001069

Version

ARWA-01-000177

Vuln IDs

V-47341

Rule IDs

SV-60213r1_rule

Unauthorized software poses a risk to the device because it could potentially perform malicious functions, including but not limited to gathering sensitive information, searching for other system vulnerabilities, or modifying log entries. A mechanism to detect unauthorized software and notify officials of its presence assists in the task of removing such software to eliminate the risks it poses to the device and the networks to which the device attaches.

Checks: C-50107r1_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component can detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials. If this function is not present, this is a finding. To verify Required Application Lists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, on left-hand tool bar (3) click on "Application Groups", (4) click on applicable "Required Applications" Group, and verify that correct information is set. To verify policies for detecting illegal application via the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify. On Rules tab verify the correct rule set for the applicable policy to be applied (first drop-down box should read "Application List", second should read "Contains..." or "Does Not Contain..." and refer to Blacklist/Whitelist/Required application group). (4) Click "Next". (5) On Actions tab, verify the correct Action type to take Actionable Result is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment verify correct device types, users, or groups are assigned.

Fix: F-51047r2_fix

Configure the AirWatch MDM Server device integrity validation component to detect and report the presence of unauthorized software. To create Required Applications Groups in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups", (4) click "Add Group", and under drop-down box labeled "Type" choose "Blacklist". (5) Choose Android or iOS platform, and (6) add applicable applications. (7) Click "Next" to review summary, and click "Finish". To establish application group policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to Match "All" or "Any" of the entered Rules, (4) in first drop-down box select "Application List", (5) denote group rule (if MOS contains/does not contain Whitelisted/ Blacklisted/ Required applications), and (6) click "Next". (7) On Actions tab, (8) select "Notify" in first drop-down box, (9) select "Send Email to Administrator" in second drop-down box, and (10) enter in applicable email addresses for notification in "To:" box. (11) Click "Next". On Assignment tab (12) select device types, users, or groups to assign Policy to, and (13) click "Next". (14) View Summary for accuracy, and (15) click "Save and Assign".

b

The AirWatch MDM Server must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

SC-10 - Medium - CCI-001133 - V-47343 - SV-60215r1_rule

RMF Control

SC-10

Severity

Medium

CCI

CCI-001133

Version

ARWA-03-000185

Vuln IDs

V-47343

Rule IDs

SV-60215r1_rule

If communication’s sessions remain open for extended periods of time even when unused, there is the potential for an adversary to highjack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability.

Checks: C-50109r2_chk

Review the AirWatch MDM Server configuration to verify the system terminates network connections after an organization-defined time period of inactivity. If communications are not terminated at the end of a session or after an organization-defined time period of inactivity, this is a finding. To verify the session Timeout: (1) click "Menu" on top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Admin", (4) click "Console Security", click "Session Management", and (5) verify the fields under forced timeout and idle timeout are set to 15 minutes.

Fix: F-51049r2_fix

Configure the AirWatch MDM Server to terminate network connections at the end of the session or after the organization-defined time period of inactivity. To adjust the session Timeout: (1) click "Menu" on top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Admin", (4) click "Console Security", (5) click "Session Management", and (6) configure the fields under forced timeout and idle timeout to 15 minutes. (7) Click "Save".

b

The AirWatch MDM Server must ensure authentication of both mobile device AirWatch MDM Server agent and server during the entire session.

SC-23 - Medium - CCI-001184 - V-47345 - SV-60217r1_rule

RMF Control

SC-23

Severity

Medium

CCI

CCI-001184

Version

ARWA-02-000226

Vuln IDs

V-47345

Rule IDs

SV-60217r1_rule

AirWatch MDM Server can be prone to man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of SSL Mutual Authentication authenticity of the data cannot be guaranteed.

Checks: C-50111r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server ensures authentication of both mobile device AirWatch MDM Server agent and server during the entire session. If it does not, this is a finding. AirWatch, upon native installation, activates a "Secure Channel" and generates root X.509 certificate to identify itself to devices and issue public keys to those devices for authentication. To verify Secure Channel is active: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Advanced", and (5) click "Secure Channel Certificate". (6) Ensure Secure Channel is enabled for applicable platforms and certificate is uploaded.

Fix: F-51051r2_fix

Configure the AirWatch MDM Server to authenticate both the mobile device AirWatch MDM Server agent and server during the entire session. To install AirWatch Secure Channel, please see "On-Premise Architecture Guide", page 26, "Appendix B - SSL Certificate Setup" for information on applying procured SSL certificates to the AirWatch MDM Server. To enable SSL encryption: follow the applicable STIG detailing Microsoft server procedures for procuring and binding SSL Certificates.

b

The AirWatch MDM Server must notify when it detects unauthorized changes to security configuration of managed mobile devices.

SI-4 - Medium - CCI-001265 - V-47347 - SV-60219r1_rule

RMF Control

SI-4

Severity

Medium

CCI

CCI-001265

Version

ARWA-01-000235

Vuln IDs

V-47347

Rule IDs

SV-60219r1_rule

Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event.

Checks: C-50113r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server notifies when it detects unauthorized changes to security configuration of managed mobile devices. If the AirWatch MDM Server does not notify in this case, this is a finding. To verify policies for detecting device changes via the Compliance Engine are set to notify properly, use the following procedure: 1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify. (4) On Rules tab verify the correct rule set for the applicable policy to be applied. (5) Click "Next". (6) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (7) On Assignment tab verify correct device types, users, or groups are assigned.

Fix: F-51053r2_fix

Use an AirWatch MDM Server that can perform required actions after receiving security related alerts. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box select applicable rule to be set, and (5) click "Next". (6) On Actions tab, (7) select "Notify" in first drop-down box, (8) select "Send Email to Administrator" in second drop-down box, and (9) enter in applicable email addresses for notification in "To:" box. (10) Click "Next". (11) On Assignment tab select device types, users, or groups to assign Policy to, and (12) click "Next". (13) View Summary for accuracy, and (14) click "Save and Assign".

c

The AirWatch MDM Server must perform required actions when a security related alert is received.

SI-4 - High - CCI-001265 - V-47349 - SV-60221r1_rule

RMF Control

SI-4

Severity

High

CCI

CCI-001265

Version

ARWA-01-000236

Vuln IDs

V-47349

Rule IDs

SV-60221r1_rule

Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. Types of actions the AirWatch MDM Server must be able to perform after a security alert include: log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the AirWatch MDM Server, disable the security container, wipe the security container, and delete any unapproved application. Security alerts include any alert from the MDIS or MAM component of the AirWatch MDM Server.

Checks: C-50115r2_chk

Review the AirWatch MDM Server configuration to determine if it has the capability to perform required actions after receiving a security related alert. If the AirWatch MDM Server cannot perform required actions after receiving a security related alert, this is a finding. This requirement is met by setting appropriate Actions to be taken by the automated Compliance Engine component: To verify policies for detecting device changes via the Compliance Engine are set to notify properly, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify. (4) On Rules tab verify the correct rule set for the applicable policy to be applied. (5) Click "Next". (6) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (7) On Assignment tab verify correct device types, users, or groups are assigned.

Fix: F-51055r2_fix

Use an AirWatch MDM Server that can perform required actions after receiving security related alerts. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box select applicable rule to be set, and (5) click "Next". (6) On Actions tab, select appropriate action to take. (7) Click "Next". (8) On Assignment tab select device types, users, or groups to assign Policy to, and (9) click "Next". (10) View Summary for accuracy, and (11) click "Save and Assign".

b

The AirWatch MDM Server device integrity validation component must include the capability to notify an organization-defined list of response personnel who are identified by name and/or by role notifications of suspicious events.

SI-4 - Medium - CCI-001266 - V-47351 - SV-60223r1_rule

RMF Control

SI-4

Severity

Medium

CCI

CCI-001266

Version

ARWA-01-000237

Vuln IDs

V-47351

Rule IDs

SV-60223r1_rule

Integrity checking applications are by their nature, designed to monitor and detect defined events occurring on the system. When the integrity checking mechanism finds an anomaly, it must notify personnel in order to ensure the proper action is taken based upon the integrity issues found. If notification is not performed, the issue may continue or worsen to allow intruders into the system.

Checks: C-50117r1_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component includes the capability to notify an organization-defined list of response personnel who are identified by name and/or by role notifications of suspicious events. If this function is not configured, this is a finding. To verify policies for detecting device changes via the Compliance Engine are set to notify properly, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify on Rules tab the correct rule set for the applicable policy to be applied. (4) Click "Next". (5) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix: F-51057r2_fix

Configure the AirWatch MDM Server device integrity validation component to provide the capability to notify an organization-defined list of response personnel who are identified by name and/or by role notifications of suspicious events. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box, select applicable rule to be set, and (5) click "Next". (6) On Actions tab, (7) select "Notify" in first drop-down box, (8) select "Send Email to Administrator" in second drop-down box, and (9) enter in applicable email addresses for notification in "To:" box. (10) Click "Next". (11) On Assignment tab select device types, users, or groups to assign Policy to, and (12) click "Next". (13) View Summary for accuracy, and (14) click "Save and Assign".

c

The AirWatch MDM Server device integrity validation component must use automated mechanisms to alert security personnel when the device has been jailbroken or rooted.

SI-4 - High - CCI-001274 - V-47353 - SV-60225r1_rule

RMF Control

SI-4

Severity

High

CCI

CCI-001274

Version

ARWA-01-000238

Vuln IDs

V-47353

Rule IDs

SV-60225r1_rule

Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. The ability of an AirWatch MDM Server to detect "jailbreaking" or rooting of the device mitigates the potential for these breaches to have further consequences to the enterprise. "Jailbreaking"/rooting refers to a mobile device where the security mechanisms of the hardware and OS of the device have been bypassed so the user has root access.

Checks: C-50119r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component uses automated mechanisms to alert security personnel when the device has been "jailbroken" or rooted. If this function is not configured, this is a finding. To verify Compliance Policy is set to detect "Jailbroken" or Rooted devices: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on the hyperlinked compliance policy title, and verify in presented menu that on the tab titled "Rules" that the appropriate setting is selected in the first drop-down box (for detecting "jailbroken"/rooted devices, this should read "Compromised Status"). (4) Click "Next". (5) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix: F-51059r2_fix

Configure the AirWatch MDM Server device integrity validation component to use automated mechanisms to alert security personnel when the device has been "jailbroken" or rooted. To set Compliance Policy for "Jailbroken" or Rooted device detection with notification action: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) select "Compromised Status" in first drop-down box, and (5) "Is Compromised" in second drop-down box. (6) Click the "Next" button. (7) On Actions tab, (8) select "Notify" in first drop-down box, (9) select "Send Email to Administrator" in second drop-down box, and (10) enter in applicable email addresses for notification in "To:" box. (11) Click "Next". (12) On Assignment tab, select device types, users, or groups to assign Policy to, and (13) click "Next". (14) View Summary for accuracy, and (15) click "Save and Assign".

c

The AirWatch MDM Server device integrity validation component must identify the affected mobile device, severity of the finding, and provide a recommended mitigation.

SI-7 - High - CCI-001297 - V-47355 - SV-60227r1_rule

RMF Control

SI-7

Severity

High

CCI

CCI-001297

Version

ARWA-01-000246

Vuln IDs

V-47355

Rule IDs

SV-60227r1_rule

One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur.

Checks: C-50121r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component identifies the affected mobile device, severity of the finding, and provide a recommended mitigation. If this function is not configured, this is a finding. Ensure Compliance detection for various Policies are properly set: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on the hyperlinked compliance policy title, and verify in presented menu that on the tab titled "Rules" that the appropriate setting is selected in the first drop-down box (for detecting "jailbroken"/rooted devices, this should read "Compromised Status"). (4) Click "Next". (5) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix: F-51061r2_fix

Configure the AirWatch MDM Server device integrity validation component to identify the affected mobile device, severity of the finding, and provide a recommended mitigation. To set Compliance Policies: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box select applicable rule to be set, and (5) click "Next". (6) On Actions tab, select appropriate action to take (Administrator is able set escalation of Actions based on internal risk level decision). (7) Click "Next". (8) On Assignment tab, select device types, users, or groups to assign Policy to, and (9) click "Next". (10) View Summary for accuracy, and (11) click "Save and Assign".

b

The AirWatch MDM Server device integrity validation component must base recommended mitigations for findings on the identified risk level of the finding.

SI-7 - Medium - CCI-001297 - V-47357 - SV-60229r1_rule

RMF Control

SI-7

Severity

Medium

CCI

CCI-001297

Version

ARWA-01-000247

Vuln IDs

V-47357

Rule IDs

SV-60229r1_rule

One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur.

Checks: C-50123r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component bases recommended mitigations for findings on the identified risk level of the finding. If this function is not configured, this is a finding. Ensure Compliance detection escalations for various Policies are properly set: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on the hyperlinked compliance policy title, and verify in presented menu that on the tab titled "Rules" that the appropriate setting is selected in the first drop-down box (for detecting "jailbroken"/rooted devices, this should read "Compromised Status"). (4) Click "Next". (5) On Actions tab, verify the correct Action to take is selected (Administrator is able to set escalation of Actions based on internal risk level decision). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix: F-51063r3_fix

Configure the AirWatch MDM Server device integrity validation component to base recommended mitigations for findings on the identified risk level of the finding. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box, select applicable rule to be set, and (5) click "Next". (6) On Actions tab, select appropriate action to take (Administrator is able to set escalation of Actions based on internal risk level decision). (7) Click "Next". (8) On Assignment tab, select device types, users, or groups to assign Policy to, and (9) click "Next". (10) View Summary for accuracy, and (11) click "Save and Assign".

b

The AirWatch MDM Server must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.

AU-9 - Medium - CCI-001348 - V-47359 - SV-60231r1_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001348

Version

ARWA-02-000258

Vuln IDs

V-47359

Rule IDs

SV-60231r1_rule

Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media other than the system being audited on an organizationally-defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.

Checks: C-50125r2_chk

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server backs up audit records on an organization-defined frequency onto a different system or media other than the system being audited. If the AirWatch MDM Server does not back up audit records on an organization-defined frequency onto a different system or media other than the system being audited, this is a finding. To verify the exporting of specific information collected by the AirWatch application to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix: F-51065r3_fix

Configure the AirWatch MDM Server to back up audit records on an organization-defined frequency onto a different system or media other than the system being audited. To export auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".

b

The AirWatch MDM Server must record an event in the audit log each time the server makes a security relevant configuration change on a managed mobile device.

CM-5 - Medium - CCI-000347 - V-48041 - SV-60913r1_rule

RMF Control

CM-5

Severity

Medium

CCI

CCI-000347

Version

ARWA-02-000079

Vuln IDs

V-48041

Rule IDs

SV-60913r1_rule

Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Security-relevant configuration changes, if not authorized, are a breach of system security and might indicate a broader attack is occurring. Recording security-relevant changes in the audit logs mitigates the risk that unauthorized changes will go undetected.

Checks: C-50477r1_chk

Inspect the audit logs to ensure security relevant configuration changes are being recorded. Make several security relevant configuration changes and verify these were recorded in the audit log. If any of the security relevant changes do not appear in the log, this is a finding. To access event log: From the administration console, (1) click the "Menu" button on top of the tool bar, and (2) click "Events" under "Reports and Analytics" heading. From the "Events" menu, (3) click the "Device Events" button. (4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and define parameters, or use the search box located to the right of the drop-down filters to search the event logs.

Fix: F-51653r1_fix

Configure the AirWatch MDM Server to record an event in the device audit log each time there is a security relevant configuration change. To access the Device event log: From the administration console, (1) click the "Menu" button on top of the tool bar, and (2) click "Events" under "Reports and Analytics" heading. From the "Events" menu, (3) click the "Device Events" button. (4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and define parameters, or use the search box located to the right of the drop-down filters to search the event logs.

c

AirWatch MDM server versions that are no longer supported by the vendor for security updates must not be installed on a system.

High - V-63317 - SV-77807r1_rule

RMF Control

Severity

High

CCI

Version

ARWA-04-000100

Vuln IDs

V-63317

Rule IDs

SV-77807r1_rule

AirWatch MDM server versions (6.5 and earlier versions) that are no longer supported by AirWatch by VMware for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack. Organizations must transition to a supported AirWatch MDM server version to ensure continued support. System Administrator

Checks: C-64051r1_chk

On the AirWatch MDM server management console, determine the version of the AirWatch MDM server. If the AirWatch MDM server version is 6.5 or earlier, this is a finding.

Fix: F-69235r1_fix

Upgrade the AirWatch MDM server to a supported version.

AirWatch MDM STIG

Compare

View

Checks: C-50065r2_chk

Fix: F-51005r1_fix

Checks: C-50067r2_chk

Fix: F-51007r1_fix

Checks: C-50069r2_chk

Fix: F-51009r1_fix

Checks: C-50073r2_chk

Fix: F-51013r1_fix

Checks: C-50075r2_chk

Fix: F-51015r1_fix

Checks: C-50079r2_chk

Fix: F-51019r2_fix

Checks: C-50083r2_chk

Fix: F-51023r2_fix

Checks: C-50085r2_chk

Fix: F-51025r2_fix

Checks: C-50087r2_chk

Fix: F-51027r2_fix

Checks: C-50091r2_chk

Fix: F-51031r2_fix

Checks: C-50093r3_chk

Fix: F-51033r2_fix

Checks: C-50095r2_chk

Fix: F-51035r2_fix

Checks: C-50097r2_chk

Fix: F-51037r1_fix

Checks: C-50099r2_chk

Fix: F-51039r3_fix

Checks: C-50101r3_chk

Fix: F-51041r3_fix

Checks: C-50103r3_chk

Fix: F-51043r3_fix

Checks: C-50105r2_chk

Fix: F-51045r2_fix

Checks: C-50107r1_chk

Fix: F-51047r2_fix

Checks: C-50109r2_chk

Fix: F-51049r2_fix

Checks: C-50111r2_chk

Fix: F-51051r2_fix

Checks: C-50113r2_chk

Fix: F-51053r2_fix

Checks: C-50115r2_chk

Fix: F-51055r2_fix

Checks: C-50117r1_chk

Fix: F-51057r2_fix

Checks: C-50119r2_chk

Fix: F-51059r2_fix

Checks: C-50121r2_chk

Fix: F-51061r2_fix

Checks: C-50123r2_chk

Fix: F-51063r3_fix

Checks: C-50125r2_chk

Fix: F-51065r3_fix

Checks: C-50477r1_chk

Fix: F-51653r1_fix

Checks: C-64051r1_chk

Fix: F-69235r1_fix