AirWatch MDM STIG

Developed by AirWatch in coordination with DISA for the DoD.

Details

Version / Release: V1R2

Published: 2014-08-08

Updated At: 2018-09-23 01:26:16


| Rule | Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-60171r1_rule | ARWA-01-000005 | CCI-000037 | HIGH | The AirWatch MDM Server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account. | Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes t |
| SV-60173r1_rule | ARWA-03-000020 | CCI-000086 | LOW | If the AirWatch MDM Server includes a mobile email management capability, the email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. | HTML embedded in an email has the potential to host malicious code that may allow an attacker access to the user's end device and possibly the network to which it is attached. Requiring that all emails are viewed in plain text protects against malicious c |
| SV-60175r1_rule | ARWA-01-000027 | CCI-000136 | MEDIUM | The AirWatch MDM Server must support the transfer of audit logs to remote log or management servers. | AirWatch MDM Server auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents. An important aspect of security is main |
| SV-60179r1_rule | ARWA-03-000037 | CCI-000152 | LOW | The AirWatch MDM Server must utilize the integration of audit review, analysis, and reporting processes by an organization's central audit management system to support organizational processes for investigation and response to suspicious activities. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate collectio |
| SV-60181r1_rule | ARWA-02-000038 | CCI-000154 | MEDIUM | The AirWatch MDM Server must centralize the review and analysis of audit records from multiple components within the server. | Due to the numerous functions an AirWatch MDM Server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to analyze |
| SV-60185r1_rule | ARWA-03-000041 | CCI-000158 | LOW | The AirWatch MDM Server must automatically process audit records for events of interest based upon selectable, event criteria. | Due to the numerous functions an AirWatch MDM Server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to anal |
| SV-60189r1_rule | ARWA-01-000082 | CCI-000366 | MEDIUM | The AirWatch MDM Server must be capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found. | Approved versions of devices have gone through all required phases of testing, approval, etc., and are able to support required security features. Using non-approved versions of mobile device hardware could compromise the security baseline of the mobile s |
| SV-60191r1_rule | ARWA-02-000181 | CCI-000370 | MEDIUM | The AirWatch MDM Server must configure the mobile device to prohibit the mobile device user from installing unapproved applications. | The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose p |
| SV-60193r1_rule | ARWA-02-000182 | CCI-000370 | MEDIUM | The AirWatch MDM Server must configure the mobile device to prohibit the mobile device user from installing unapproved applications. | The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose p |
| SV-60197r1_rule | ARWA-02-000184 | CCI-000370 | MEDIUM | The AirWatch MDM Server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo |
| SV-60199r1_rule | ARWA-02-000185 | CCI-000370 | MEDIUM | The AirWatch MDM Server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo |
| SV-60201r1_rule | ARWA-02-000186 | CCI-000370 | MEDIUM | The AirWatch MDM Server must configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo |
| SV-60203r1_rule | ARWA-02-000187 | CCI-000370 | MEDIUM | The AirWatch MDM Server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo |
| SV-60205r1_rule | ARWA-02-000188 | CCI-000370 | MEDIUM | The AirWatch MDM Server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. | DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downlo |
| SV-60207r1_rule | ARWA-01-000150 | CCI-000372 | HIGH | The AirWatch MDM Server must be able to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. | If the security policy has been modified in an unauthorized manner, IA is severely degraded and a variety of further attacks are possible. Detecting whether the security policy has been modified or disabled mitigates these risks. |
| SV-60209r1_rule | ARWA-02-000190 | CCI-000374 | MEDIUM | The AirWatch MDM Server must employ automated mechanisms to respond to unauthorized changes to the security policy or AirWatch MDM Server agent on managed mobile devices. | Uncoordinated or incorrect configuration changes to the AirWatch MDM Server managed components can potentially lead to compromises. Without automated mechanisms to respond to changes, changes can go unnoticed for a significant amount of time which could |
| SV-60211r1_rule | ARWA-02-000195 | CCI-000778 | MEDIUM | The AirWatch MDM Server must uniquely identify mobile devices managed by the server prior to connecting to the device. | When managed mobile devices connect to the AirWatch MDM Server, the security policy and possible sensitive DoD data will be pushed to the device. In addition, the device may be provided access to application and web servers on the DoD network. Therefore |
| SV-60213r1_rule | ARWA-01-000177 | CCI-001069 | MEDIUM | The AirWatch MDM Server device integrity validation component must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials in accordance with the organization-defined frequency. | Unauthorized software poses a risk to the device because it could potentially perform malicious functions, including but not limited to gathering sensitive information, searching for other system vulnerabilities, or modifying log entries. A mechanism to |
| SV-60215r1_rule | ARWA-03-000185 | CCI-001133 | MEDIUM | The AirWatch MDM Server must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. | If communication sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions aft |
| SV-60217r1_rule | ARWA-02-000226 | CCI-001184 | MEDIUM | The AirWatch MDM Server must ensure authentication of both mobile device AirWatch MDM Server agent and server during the entire session. | AirWatch MDM Server can be prone to man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of SSL Mutual Authentication, authenticity of the data cannot be guaranteed. |
| SV-60219r1_rule | ARWA-01-000235 | CCI-001265 | MEDIUM | The AirWatch MDM Server must notify when it detects unauthorized changes to security configuration of managed mobile devices. | Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficie |
| SV-60221r1_rule | ARWA-01-000236 | CCI-001265 | HIGH | The AirWatch MDM Server must perform required actions when a security related alert is received. | Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficie |
| SV-60223r1_rule | ARWA-01-000237 | CCI-001266 | MEDIUM | The AirWatch MDM Server device integrity validation component must include the capability to notify an organization-defined list of response personnel who are identified by name and/or by role notifications of suspicious events. | Integrity checking applications are, by their nature, designed to monitor and detect defined events occurring on the system. When the integrity checking mechanism finds an anomaly, it must notify personnel in order to ensure the proper action is taken base |
| SV-60225r1_rule | ARWA-01-000238 | CCI-001274 | HIGH | The AirWatch MDM Server device integrity validation component must use automated mechanisms to alert security personnel when the device has been jailbroken or rooted. | Successful incident response and auditing rely on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. The ability of an AirWatch MDM Server to detect |
| SV-60227r1_rule | ARWA-01-000246 | CCI-001297 | HIGH | The AirWatch MDM Server device integrity validation component must identify the affected mobile device, severity of the finding, and provide a recommended mitigation. | One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions |
| SV-60229r1_rule | ARWA-01-000247 | CCI-001297 | MEDIUM | The AirWatch MDM Server device integrity validation component must base recommended mitigations for findings on the identified risk level of the finding. | One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions |
| SV-60231r1_rule | ARWA-02-000258 | CCI-001348 | MEDIUM | The AirWatch MDM Server must back up audit records on an organization-defined frequency onto a different system or media than the system being audited. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media other than the system being audited on an organizationally-defined frequency helps to assure |
| SV-60913r1_rule | ARWA-02-000079 | CCI-000347 | MEDIUM | The AirWatch MDM Server must record an event in the audit log each time the server makes a security relevant configuration change on a managed mobile device. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Security-relevant configuration changes, if not authorized, are |