Review the Good Mobility Suite configuration to determine if separation of administrator duties has been implemented by assigning a specific role to each administrator account. Otherwise, this is a finding.
Configure the Good Mobility Suite to implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.
- Launch the Good Mobile Control Web console, select the roles tab.
- Validate that administrative users are assigned to different roles based upon job function as defined by local policy.
  Service Administrator - Service account super-user
  Administrator - Server administrator
  Helpdesk - Add/remove users
  Self-service - Users take action on their own devices - DO NOT USE
Review the Good Mobility Suite configuration to determine if alerts are accepted from the mobile operating system when the mobile OS has detected integrity check failures. Otherwise, this is a finding.
Configure the Good Mobility Suite server to accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.
- Good logs are saved in standard .log format. The default location for these logs is the Log directory in the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows data to be consumed by any third-party syslog tool. Please refer to third-party documentation to configure required alerts/notifications.
Review the Good Mobility Suite configuration to determine if it has the capability to perform required actions after receiving a security-related alert. Otherwise, this is a finding.
Use a Good Mobility Suite that can perform required actions after receiving security-related alerts.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select a policy set to review and click on the policy
- On the left tab, select Compliance Manager under Mobile Device Management and click Add Rule
- Select the Compliance Rule
- Under Failure Action, select the appropriate action
Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite detects and reports the version of the operating system, device drivers, and application software for managed mobile devices. Otherwise, this is a finding.
Configure the Good Mobility Suite server to detect and report the version of the operating system, device drivers, and application software for managed mobile devices.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on iOS Configuration
- Verify all checkboxes are checked on the General tab
Review the Good Mobility Suite server configuration to verify the mobile email client supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Otherwise, this is a finding.
Configure the Good Mobility Suite server to retrieve encryption certificates not stored in the local trust anchor store for S/MIME purposes.
- Launch the Good Mobile Control Web console and click on the Settings tab
- On the left side, select Secure Messaging (S/MIME)
- Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
- Click on Save
Review the Good Mobility Suite server configuration to verify the mobile email client provides a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. Otherwise, this is a finding.
Configure the Good Mobility Suite server to provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.
- Launch the Good Mobile Control Web console and click on the Settings tab
- On the left side, select Secure Messaging (S/MIME)
- Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
- Click on Save and proceed to the Policies tab
- Select the policy set for the smart phone and select Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.
Configure the Good Mobility Suite server to provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.
Configure the Good Mobility Suite to provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
Review the Good Mobility Suite server configuration to verify the mobile email client sets the Smart Card or Certificate Store Password caching timeout period to 120 minutes. Otherwise, this is a finding.
Configure the Good Mobility Suite to set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select Good For Enterprise Authentication
- Verify Re-challenge for password every is checked and set to 120 minutes
Review the Good Mobility Suite server configuration to verify the mobile email client S/MIME feature is fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. Otherwise, this is a finding.
Configure the Good Mobility Suite email client to utilize DoD PKI and CAC/PIV.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
Review the Good Mobility Suite server configuration to verify the mobile email client provides S/MIME v3 (or later version) encryption of email. Otherwise, this is a finding.
Configure the Good Mobility Suite server to provide S/MIME v3 (or later version) encryption of email.
- Launch the Good Mobile Control Web console and click on the Settings tab
- On the left side, select Secure Messaging (S/MIME)
- Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
- Click on Save and proceed to the Policies tab
- Select the policy set for the smart phone and select Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
Review the Good Mobility Suite server configuration to determine whether the email client restricts contact list data elements transferred to the phone application. Otherwise, this is a finding.
Configure the Good Mobility Suite to restrict contact list data elements transferred to the phone application.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select the Messaging tab
- Verify Enable access to Good Contacts is checked
- Click on Choose Fields to select the fields to sync - Name and Phone Number
Review the Good Mobility Suite server configuration to determine whether the capability to disable the copying of data stored inside the security container to an unsecured area outside the container has been disabled. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable the copying of data stored inside the security container to an unsecured area outside the container.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select the Messaging tab
- Verify Do not allow data to be copied from the Good application is unchecked
- Select the File Handling tab and make sure Enable importing to Good only is selected
- Verify Exceptions to importing/exporting between Good and 3rd party is checked and Trust only these external applications is selected
Review the Good Mobility Suite server configuration to determine whether there is a list of approved applications that must be installed on the mobile device and cannot be removed by the user. Otherwise, this is a finding.
Configure the Good Mobility Suite to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select the Application Management tab
- Verify Required applications have been assigned under Enterprise Applications and are marked as Managed under the 'Type' field
- Click Save
Review the Good Mobility Suite server configuration to determine if the mobile device agent prohibits the download of software from a DoD non-approved source. Otherwise, this is a finding.
Configure the Good Mobility Suite mobile device agent to prohibit the download of software from a DoD non-approved source.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify Allow installing apps is unchecked
Review the Good Mobility Suite server configuration to determine if the mobile device user is prohibited from installing unapproved applications on the mobile device. Otherwise, this is a finding.
Configure the Good Mobility Suite to prohibit the mobile device user from installing unapproved applications on the mobile device.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify Allow installing apps is unchecked
Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite application white list for managed mobile devices is set to "Deny All" by default when no applications are listed. Otherwise, this is a finding.
Configure the Good Mobility Suite application white list for managed mobile devices to "Deny All" by default when no applications are listed.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select the Compliance Manager tab
- Verify an iOS rule exists with the 'Application Exceptions' rule type and is set to enabled
- Select Edit for the iOS rule
- Verify Trust only these applications is selected
- Verify only allowed applications are added to the 'Apps Selected' list
Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite agent prohibits the download of applications on mobile operating system devices without administrator control. If this function is not present, this is a finding.
Configure the Good Mobility Suite so the Good Mobility Suite agent is configured to prohibit the download of applications on mobile operating system devices without system administrator control.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and select the iOS Management tab
- Verify Enable iOS Configuration is checked
- Select the Restrictions under iOS Management tab
- Verify Allow use of iTunes Music Store is unchecked
Review the Good Mobility Suite server policy configuration to determine whether iOS Force encrypted backups has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to enable iOS Force encrypted backups.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Require iTunes backups to be encrypted is checked
Review the Good Mobility Suite server policy configuration to determine whether iOS Allow diagnostic data to be sent to Apple has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow diagnostic data to be sent to Apple.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow diagnostic data to be sent to Apple is unchecked
Review the Good Mobility Suite server policy configuration to determine whether iOS Auto-fill has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Auto-fill.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Auto-fill is unchecked
Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from unmanaged apps in managed apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from unmanaged apps in managed apps.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow "Open In" from unmanaged to managed is unchecked
Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from managed apps in unmanaged apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from managed apps in unmanaged apps.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow "Open In" from managed to unmanaged is unchecked
Review the Good Mobility Suite server policy configuration to determine whether iOS Touch ID to unlock device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Touch ID to unlock device.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow fingerprint unlock is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the iOS Today View in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS Today View in lock screen.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow lock screen Today View is unchecked
Review the Good Mobility Suite server policy configuration to determine whether iOS Airdrop has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Airdrop. This setting can only be enforced by User-Based Enforcement.
Review the Good Mobility Suite server policy configuration to determine whether the iOS notification center in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS notification center in lock screen.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow lock screen notifications view is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the use of iOS voice dialing has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS voice dialing.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow voice dialing is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the use of iOS Siri while the device is locked has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Siri while the device is locked.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Siri While device is locked is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the use of iOS force limited ad tracking has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to enable iOS force limited ad tracking.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Force limit ad tracking is checked
Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud documents and data has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud documents and data.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow document syncing is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud backup has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud backup.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow iCloud backup is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud keychain sync has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud keychain.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow iCloud keychain sync is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS photo streams.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Photo Stream is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS shared photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS shared photo streams.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow Shared Photo Stream is unchecked
Review the Good Mobility Suite server policy configuration to determine whether the ability to take iOS screenshots has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable iOS screenshots.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Restrictions Tab
- Verify the Enable Restrictions Checkbox is checked
- Verify Allow screen capture is unchecked
Review the Good Mobility Suite configuration to determine if the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Otherwise, this is a finding.
Configure the Good Mobility Suite to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Verify that the following registry entry exists on servers running the Good GMM/Good Link Service:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\sync]
  "HtmlEmail"=0
Review the Good Mobility Suite mobile device account configuration to verify the audit logs can be transferred from managed mobile devices to the Good Mobility Suite. Have the system administrator show the logs of managed mobile devices on the Good Mobility Suite and whether audit logs are being transferred on request or on a periodic schedule. Otherwise, this is a finding.
Configure the Good Mobility Suite to transfer audit logs from managed mobile devices to the Good Mobility Suite.
- Good logs are saved in standard .log format. The default location for these logs is the Log directory in the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows data to be consumed by any third-party syslog tool. Please refer to third-party documentation to configure required alerts/notifications.
- To enable Good Mobile Messaging Server diagnostic logging, the following 3 registry entries must be configured as String Values.
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics
  "cachesize" = 0
  "encrypt" = 0
  "expand" = 1
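The two registry-based fixes above (the HtmlEmail entry under parameters\sync and the three diagnostics entries) can be audited with a short script run on the server hosting the GoodLinkServer service. This is an added example, not part of the STIG or of Good Technology's tooling; the function name Test-GoodRegistryValue and the report layout are assumptions, while the key paths, value names and expected values are the ones given above.

```powershell
# Added example: audit the GoodLinkServer registry values named in the fix texts.
# Test-GoodRegistryValue and the output columns are illustrative names only.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters'

# Expected state. Kind is enforced only where the page states a type:
# the diagnostics entries "must be configured as String Values".
# The page gives no type for HtmlEmail, so only its value is compared.
$expected = @(
    @{ Key = "$base\sync";        Name = 'HtmlEmail'; Value = '0'; Kind = $null    }
    @{ Key = "$base\diagnostics"; Name = 'cachesize'; Value = '0'; Kind = 'String' }
    @{ Key = "$base\diagnostics"; Name = 'encrypt';   Value = '0'; Kind = 'String' }
    @{ Key = "$base\diagnostics"; Name = 'expand';    Value = '1'; Kind = 'String' }
)

function Test-GoodRegistryValue {
    param([hashtable]$Check)

    $result = [ordered]@{
        Key      = $Check.Key
        Name     = $Check.Name
        Expected = $Check.Value
        Actual   = $null
        Status   = 'Finding'
        Reason   = ''
    }

    # A missing key or value is reported explicitly rather than as an error.
    if (-not (Test-Path -LiteralPath $Check.Key)) {
        $result.Reason = 'registry key missing'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Check.Key
    if ($key.GetValueNames() -notcontains $Check.Name) {
        $result.Reason = 'registry value missing'
        return [pscustomobject]$result
    }

    $actual = $key.GetValue($Check.Name)
    $kind   = $key.GetValueKind($Check.Name)   # String, DWord, ...
    $result.Actual = "$actual ($kind)"

    if ($Check.Kind -and "$kind" -ne $Check.Kind) {
        $result.Reason = "type is $kind, expected $($Check.Kind)"
    }
    elseif ("$actual" -ne $Check.Value) {
        $result.Reason = 'unexpected value'
    }
    else {
        $result.Status = 'Not a finding'
    }

    return [pscustomobject]$result
}

$report = $expected | ForEach-Object { Test-GoodRegistryValue -Check $_ }
$report | Format-Table Name, Expected, Actual, Status, Reason -AutoSize
```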
Review the Good Mobility Suite configuration to verify the mobile email client notifies the user if it cannot verify the revocation status of the certificate. Otherwise, this is a finding.
Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. Otherwise, this is a finding.
Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate issued from an untrusted certificate authority. Otherwise, this is a finding.
Configure the Good Mobility Suite to alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the email client provides users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. Otherwise, this is a finding.
Configure the Good Mobility Suite to provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an invalid public-key certificate. Otherwise, this is a finding.
Configure the Good Mobility Suite to alert the user if it receives an invalid public-key certificate.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. Otherwise, this is a finding.
Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client does not accept certificate revocation information without verifying its authenticity. Otherwise, this is a finding.
Configure the Good Mobility Suite to not accept certificate revocation information without verifying its authenticity.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client verifies all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. Otherwise, this is a finding.
Configure the Good Mobility Suite to verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. Otherwise, this is a finding.
Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate with a non-FIPS approved algorithm. Otherwise, this is a finding.
Configure the Good Mobility Suite to alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. Otherwise, this is a finding.
Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an unverified public-key certificate. Otherwise, this is a finding.
Configure the Good Mobility Suite to alert the user if it receives an unverified public-key certificate. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to determine whether there is administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. Otherwise, this is a finding.
Configure the Good Mobility Suite so it has the administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. Enable iOS MDM Profile 1. Select each security policy iOS devices are assigned to, and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule. -Verify "Enable MDM profile" is checked. -Verify "Enable remote full device wipe" is checked.
Review the Good Mobility Suite server policy configuration to determine if the minimum password length for the device unlock password is at least 4 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to enable a device unlock password with a minimum length of 4 characters. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify require passcode is checked and minimum length is set to 4
Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout to 15 minutes. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Auto-lock is checked and set to the appropriate value
Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout grace period is set to be immediate. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout grace period to be immediate. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Grace Period checkbox is checked and its dropdown menu set to Immediate
Review the Good Mobility Suite server policy configuration to determine whether the mobile device user's access to an application store or repository has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to disable the mobile device user's access to an application store or repository. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Restrictions Tab -Verify Allow installing apps is unchecked and set to the appropriate value
Review the Good Mobility Suite server policy configuration to determine whether access to specific web sites has been blocked. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to block access to specific web sites. -Launch the Good Mobile Control Web console and click on the Settings tab -On the left tab, select Good Mobile Access (Secure Browser) -Populate the Approved DoD Proxy settings applicable to your Network -Click on Policies Tab -Select the policy set for the smart phone and click on Good Mobile Access (Secure Browser) -Check Enable access to the Intranet, click on Edit and add routeall.gmm.good, click ok and click Save. At this point the Secure Browser will utilize your DoD proxy settings.
Review the Good Mobility Suite server policy configuration to determine whether the display of a warning banner on the mobile device is being forced. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to force the display of a warning banner on the mobile device. -Create a Notepad text file, enter the following, and then save it as disclaimer.xml (DO NOT DEVIATE FROM BELOW CONTENT): <disclaimer> <dtext value="I've read & consent to terms in IS user agreem't."/> </disclaimer> -Launch the Good Mobile Control Web console and click on the Policies tab -Select a policy set to review and click on the policy -On the left tab, select Compliance Manager and click Add Rule -Select iOS as the Rule Platform -Under Check to run select custom -Enter a Name and Description for your Rule -Under Perform Checks select Rule file and upload your disclaimer.xml -Click OK to save the rule to Compliance Manager -Select the newly created rule and click enable -Click Save to save the Policy
Review the Good Mobility Suite server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Maximum Failed Attempts checkbox is checked and its dropdown menu set to a value of 10 or less
Review the Good Mobility Suite server policy configuration to determine whether a Good Mobility Suite Agent password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to enable a Good Mobility Suite Agent password. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Password-protected (with or without soft token and S/MIME) is selected
Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent password is at least 6 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to set the minimum Good Mobility Suite agent password length of six or more characters. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Require minimum length is checked and is set to 6 characters
Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to set the Good Mobility Suite agent inactivity timeout to 15 minutes. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Require password when idle for is checked and is set to 15 minutes
Review the Good Mobility Suite server policy configuration to determine whether the automatic removal of the iOS configuration profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable the automatic removal of the iOS configuration profile. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the General Tab -Verify Automatically Remove Profile is set to Never
Review the Good Mobility Suite server policy configuration to determine whether the use of simple values within the iOS Good Mobility Server agent password has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Configure the centrally managed Good Mobility Suite security policy rule to disable the use of simple values within the iOS Good Mobility Server agent password. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Allow Simple Value is unchecked
Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if the certificate uses an unverified CRL. Otherwise, this is a finding.
Configure the Good Mobility Suite to alert the user if the certificate uses an unverified CRL. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked
Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. Otherwise, this is a finding.
Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked
Determine if any version of Good for Enterprise server is installed at the site. BlackBerry stopped supporting all versions of this server on 30 September 2017. If any version of Good for Enterprise server is installed at the site, this is a finding. Exception: This requirement is Not Applicable for sites that have a valid extended service agreement with BlackBerry for service on the Good for Enterprise product. This exception is valid until the end of the service agreement or until 31 August 2018, whichever occurs first. CCI-000370
Remove all versions of Good for Enterprise server installed at the site.