AirWatch MDM STIG

V1R2 2014-08-08       U_AirWatch_MDM_V1R2_Manual-xccdf.xml
V1R3 2015-11-30       U_Airwatch_MDM_STIG_V1R3_Manual-xccdf.xml
Developed by AirWatch in coordination with DISA for the DoD.
Comparison
All 28
No Change 28
Updated 0
Added 0
Removed 0
V-47299 No Change
Findings ID: ARWA-01-000005 Rule ID: SV-60171r1_rule Severity: high CCI: CCI-000037

Discussion

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
It is recommended that the following or similar roles be supported:
- AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Checks

Review the AirWatch MDM Server configuration to ensure there are accounts associated with the following roles:

- AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

If this separation of duties is not present, this is a finding.

Ensure custom AirWatch roles: (1) click "Menu" from the console tool bar, (2) click "Administrators" under "Accounts" heading, (3) click "Roles" on left-hand tool bar, and (4) click on applicable role to check. Note: only Roles created due to organizational necessity will be created by the Administrator and can be checked in this fashion; not all Roles may be used at every organizational site.

Fix

Create and configure accounts to be aligned with the following roles:

- AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Create custom AirWatch roles by clicking (1) "Menu" from the console tool bar, (2) selecting "Administrators" from under the "Accounts" heading from the drop-down menu, (3) click "Roles" on left-hand tool bar, and (4) click "Add Role" from the Roles page. (5) Fill out applicable Roles information, and (6) click "Save". (7) Click "Admin Accounts" on left-hand tool bar, and from "Administrators" screen, (8) click "Add User". (9) Fill out applicable user information, (10) click Roles tab, and (11) assign previously created customer role to this account. (12) Click "Save".
V-47301 No Change
Findings ID: ARWA-03-000020 Rule ID: SV-60173r1_rule Severity: low CCI: CCI-000086

Discussion

HTML embedded in an email has the potential to host malicious code that may allow an attacker access to the user's end device and possibly the network to which it is attached. Requiring that all emails are viewed in plain text protects against malicious code that could be embedded in the HTML content of an email.

Checks

Ensure the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Talk to the site system administrator and have them confirm this capability exists in the AirWatch MDM Server. Also, review the AirWatch MDM Server configuration. If the mobile email client does not either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device, this is a finding.

Samsung Knox MOS: To verify that HTML mail is deactivated from the administration console: (1) Click "Menu" on top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) locate and click on applicable email profile. Ensure settings under "Exchange Active Sync" section meet this requirement.

Fix

Configure the AirWatch MDM Server to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.

To establish Exchange Active Sync Profile denying HTML mail from the administration console: (1) Click "Menu" on top tool bar, and (2) click "Profiles" under "Profiles and Policies" heading. From the "Select a platform to start" page, (3) choose the operating system in which to create new profile. After selecting an Operating System, (4) fill out applicable information in "General" tab, and (5) click "Exchange ActiveSync" on the left-hand column. (6) Click "Configure", (7) fill in appropriate Exchange Server information, (8) and uncheck box labeled "Enable HTML Mail". (9) Click "Save and Assign".
V-47303 No Change
Findings ID: ARWA-01-000027 Rule ID: SV-60175r1_rule Severity: medium CCI: CCI-000136

Discussion

AirWatch MDM Server auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents. An important aspect of security is maintaining awareness of what users have tried to do with their devices and what activities and actions MDM administrators have made.

Checks

Ensure the audit logs can be transferred from the AirWatch MDM Server to a storage location other than the AirWatch MDM Server itself. The systems administrator of the device may demonstrate this capability using an audit management application or other means. Audit records will be logged on the device for various actions, especially those related to sensitive or potentially suspicious activities. The specific events to log and the information recorded for each will be a function of policy. If audit logs cannot be transferred on request or on a periodic schedule, this is a finding.

To ensure the exporting of information to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and verify proper configuration information. (6) Check report output on external system to verify functionality.

Fix

Configure the AirWatch MDM Server to support the transfer of audit logs to remote log or management servers.

To export auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server. (7) Click "Save" and then (8) click "Test Connection" button to verify connection to external auditing server.
V-47307 No Change
Findings ID: ARWA-03-000037 Rule ID: SV-60179r1_rule Severity: low CCI: CCI-000152

Discussion

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate collection of data for troubleshooting, forensics, etc. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective.

Checks

Review the configuration settings to ensure the AirWatch MDM Server audit system supports the integration of audit review, analysis, and reporting processes by an organization's central audit management system to support organizational processes for investigation and response to suspicious activities. Review AirWatch MDM Server documentation and have the system administrator demonstrate the capability on the AirWatch MDM Server to transfer audit logs to a central audit system. If audit log information is not being transferred to a central audit management system, this is a finding.

To ensure the exporting of information to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix

Configure the AirWatch MDM Server to provide audit log information to a central audit management system.

To export auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".
V-47309 No Change
Findings ID: ARWA-02-000038 Rule ID: SV-60181r1_rule Severity: medium CCI: CCI-000154

Discussion

Due to the numerous functions an AirWatch MDM Server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically and tailor the views of the data to only those events of interest based upon selectable criteria. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed manually. Reducing the auditing capability to only those events that are significant aids in supporting near real-time audit review and analysis requirements and after-the-fact investigations of security incidents.

Checks

Review the configuration settings to ensure the AirWatch MDM Server audit system centralizes the review and analysis of audit records from multiple components within the server. If the AirWatch MDM Server cannot support the capability to centralize the review and analysis of audit records from multiple components within the server, this is a finding.

To ensure the exporting of specific information collected by the AirWatch application to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix

Configure the AirWatch MDM Server to centralize the review and analysis of audit records from multiple components within the server.

To export specific auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".
V-47313 No Change
Findings ID: ARWA-03-000041 Rule ID: SV-60185r1_rule Severity: low CCI: CCI-000158

Discussion

Due to the numerous functions an AirWatch MDM Server implementation processes, log files can become extremely large because of the volume of data. The more processes that are logged, the more log data is collected. This can become very difficult to analyze manually; therefore, it is important to process them automatically and tailor the views of the data to only those events of interest based upon selectable criteria. Without the automation of log processing, based upon events of interest to security personnel, log files will not be viewed accurately and actions will not be taken when a significant event occurs on the system because it can be too overwhelming. Significant or meaningful events may be missed due to the sheer volume of data if logs are reviewed manually.

Checks

Review the configuration settings to ensure the AirWatch MDM Server audit feature automatically processes audit records for events of interest based upon selectable, event criteria. Review AirWatch MDM Server documentation and audit configuration. If the AirWatch MDM Server does not automatically process audit records for events of interest based upon selectable, event criteria, this is a finding.

To verify this information is being recorded in the AirWatch system, access the Events page: from the administration console, click the (1) "Menu" button on top tool bar, and (2) click "Events" under "Reports and Analytics" heading. (3) From the "Events" menu, choose "Device Events" or "Console Events" as applicable, and (4) verify Events are being recorded by the AirWatch system.

To verify the exporting of specific information collected by the AirWatch application to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix

Configure the AirWatch MDM Server to automatically process audit records for events of interest based upon selectable, event criteria audit records to be used by a report generation capability.

To access an event log: (1) from the administration console, click the "Menu" button on top tool bar, and (2) click "Events" under "Reports and Analytics" heading. From the "Events" menu, (3) click the "Device Events" or "Console Events" button. (4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and define parameters, or use the search box located to the right of the drop-down filters to search the event logs.

To export specific auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".
V-47317 No Change
Findings ID: ARWA-01-000082 Rule ID: SV-60189r1_rule Severity: medium CCI: CCI-000366

Discussion

Approved versions of devices have gone though all required phases of testing, approval, etc., and are able to support required security features. Using non-approved versions of mobile device hardware could compromise the security baseline of the mobile system, since some required security features may not be supported.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server is able to be configured to scan the version of the mobile device hardware and alert if unsupported versions are found. If the AirWatch MDM Server cannot be configured to scan the hardware version of managed mobile devices and alert if unsupported versions are found, this is a finding.

To verify Hardware Version compliance policy is set to notify Administrators of infractions: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, (3) click on applicable compliance policy, and (4) validate that "Model" is listed in first drop-down menu, (5) "Is" or "Is Not" as applicable is listed in second drop-down menu, and (6) proper Hardware Version to specify is listed in third drop-down menu. (7) Click "Next". (8) Ensure "Notify" is listed in first drop-down menu, (9) that "Send Email to Administrator" is listed in second drop-down menu, and (10) email(s) of applicable administrators is (are) entered in box labeled "To:". (11) Click "Next". (12) Ensure appropriate information for Assignment of policy to particular platforms, groups, and/or users.

Fix

Use only AirWatch MDM Servers that are capable of scanning the hardware version of managed mobile devices and alert if unsupported versions are found.

To define Hardware Version compliance policy to notify Administrators of infractions: (1) click "Add" from the console top toolbar, and (2) click "Compliance Policy" from the drop-down menu. From the Compliance Policy window, (3) choose "Model" in first drop-down menu, (4) "Is" or "Is Not" as applicable in second drop-down menu and (5) select Hardware Version to specify in third drop-down menu. (6) Click "Next". (7) Select "Notify" in first drop-down menu, (8) select "Send Email to Administrator" in second drop-down menu, and (9) enter email(s) of applicable administrators in box labeled "To:". (10) Click "Next". (11) Select appropriate information for Assignment of policy to particular platforms, groups, and/or users, and (12) click "Next". (13) Click "Finish and Activate".

V-47319 No Change
Findings ID: ARWA-02-000181 Rule ID: SV-60191r1_rule Severity: medium CCI: CCI-000370

Discussion

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding.

Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Mobile Application Management Guide", page 35, "Enforcing Application Security and Compliance", and applicable items within this STIG.

Apple iOS MOS:
To verify Application blacklists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and (3) on left-hand tool bar click on "Application Groups". (4) Click on applicable group, and verify that correct information is set.

Fix

Configure the AirWatch MDM Server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications.

To set Application Blacklists in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups". (4) Click "Add Group", and under drop-down box labeled "Type" choose "Blacklist". (5) Choose Android or iOS platform, and (6) add applicable applications. (7) Click "Next" to review summary and (8) click "Finish".
V-47321 No Change
Findings ID: ARWA-02-000182 Rule ID: SV-60193r1_rule Severity: medium CCI: CCI-000370

Discussion

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding.

Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Samsung Management Guide" page 8 "Securing Samsung Devices" and page 17 "Configuring Samsung Devices", and applicable items within this STIG.

Samsung Knox MOS:
To verify Blacklist on specific Android device profile: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable Profile, and (4) on left-hand toolbar select "Application Control". (5) Ensure box "Prevent Installation of Blacklisted Apps" is checked.

To verify access to public store on Samsung SAFE devices is blocked: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable profile, and (4) choose "Restrictions" in left-hand toolbar. (5) Under Application section ensure boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation" are unchecked.

Fix

Configure the AirWatch MDM Server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications.

To add Blacklist to specific Android device Profile: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and (6) on left-hand toolbar select "Application Control". (7) Click "Configure", (8) check box "Prevent Installation of Blacklisted Apps", and (9) click "Save and Publish".

To block access to public store on Samsung SAFE devices: 1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and (6) choose "Restrictions" in left-hand toolbar. (7) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".
V-47325 No Change
Findings ID: ARWA-02-000184 Rule ID: SV-60197r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). If this function is not present, this is a finding.

Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in applicable items within this STIG and the document: "AirWatch Mobile Application Management Guide", page 35, "Enforcing Application Security and Compliance", describing Application blacklisting/whitelisting and deployment control.

To verify applications assigned to mobile devices: (1) In administration console click on "Menu" in top tool bar, and (2) click on "Applications" under "Catalog" heading. (3) Using tabs on top toolbar Administrator can choose "Internal", "Public", or "Purchased" applications, and verify applications assigned to devices.

Fix

Configure the AirWatch MDM Server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source.

For Administration console: (1) In administration console click on "Menu" in top tool bar, and (2) click on "Applications" under "Catalog" heading. (3) Using tabs on top toolbar Administrator can choose "Internal", "Public", or "Purchased" applications, (4) load or search for application and, (5) assign to devices.
V-47327 No Change
Findings ID: ARWA-02-000185 Rule ID: SV-60199r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). If this function is not present, this is a finding.

Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Samsung Management Guide" page 8 "Securing Samsung Devices" and page 17 "Configuring Samsung Devices", and applicable items within this STIG.

Samsung Knox MOS:
To verify installation of public applications on Samsung Knox devices is blocked: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable Profile, and (4) choose "Restrictions" in left-hand toolbar. (5) Under Application section ensure boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation" are unchecked.

Fix

Configure the AirWatch MDM Server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source.

For Samsung Knox devices: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give Profile name and insert applicable information under General tab, and (6) choose "Restrictions" in left-hand toolbar. (7) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".
V-47329 No Change
Findings ID: ARWA-02-000186 Rule ID: SV-60201r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device agent to prohibit the download of software from a DoD non-approved source (e.g., DoD operated mobile device application store or AirWatch MDM Server). If this function is not present, this is a finding.

Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in "AirWatch iOS Management Guide" page 14 "Securing iOS Devices" and page 30 "Configuring iOS Devices" and applicable items within this STIG.

Apple iOS MOS:
To verify installation of public applications on iOS devices is blocked: from the console ensure that "Device" is selected from left hand tool bar (default screen upon logon), (1) click "Profiles", (2) click "List View", (3) click on applicable profile, and (4) choose "Restrictions" in left-hand toolbar (5) Under Device Functionality section, ensure box labeled "Allow installing public apps" is unchecked.

Fix

Configure the AirWatch MDM Server so the mobile device agent is configured to prohibit the download of software from a DoD non-approved source.

For iOS devices: (1) click "Add" from the top tool bar, and (2) select "Profile" from the drop-down menu., and (3) select Apple iOS. (4) Give profile name under General tab, and (5) choose "Restrictions" in left-hand toolbar. (6) Under Device Functionality section, uncheck the box labeled "Allow installing public apps".
V-47331 No Change
Findings ID: ARWA-02-000187 Rule ID: SV-60203r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the AirWatch MDM Server. In these cases, the ability for users to remove the application is needed as to ensure proper secure operations of the device.

Checks

Review the AirWatch MDM Server configuration to ensure there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding.

To verify Required Application Lists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, on left-hand tool bar (3) click on "Application Groups", and (4) click on applicable "Required Applications" group, to verify that correct information is set.

Fix

Configure the AirWatch MDM Server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

To create Required Applications Groups in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups", (4) click "Add Group", and under drop-down box labeled "Type" (5) choose "Blacklist". (6) Choose Android or iOS platform, and (7) add applicable applications. (8) Click "Next" to review summary and (9) click "Finish".
V-47333 No Change
Findings ID: ARWA-02-000188 Rule ID: SV-60205r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the AirWatch MDM Server. In these cases, the ability for users to remove the application is needed as to ensure proper secure operations of the device.

Checks

Review the AirWatch MDM Server configuration to ensure there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding.

To verify Required Applications list on specific Android device Profile: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable Profile, and on left-hand toolbar (4) select "Application Control". (5) Ensure box "Prevent Removal of Required Apps" is checked.

Samsung Knox MOS:
To verify access to public store on Samsung SAFE devices is blocked: (1) click "Menu" from top tool bar, (2) click "Profiles" under "Profiles and Policies" heading, (3) click on applicable profile, and (4) choose "Restrictions" in left-hand toolbar. (5) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".

Fix

Configure the AirWatch MDM Server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

To add blacklist to specific Android device Profile: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and on left-hand toolbar (5) select "Application Control". (6) Click "Configure", (7) check box "Prevent Installation of Blacklisted Apps", and (8) click "Save and Publish".

To block access to public store on Samsung SAFE devices: (1) click "Add" from the top tool bar, (2) select "Profile" from the drop-down menu, and (3) select "Android". (4) Choose "Device" or "Container" (Knox), (5) give profile name and insert applicable information under General tab, and (6) choose "Restrictions" in left-hand toolbar. (7) Under Application section uncheck boxes labeled "Allow Google Play", "Allow YouTube", and "Allow Non-Market App Installation".
V-47335 No Change
Findings ID: ARWA-01-000150 Rule ID: SV-60207r1_rule Severity: high CCI: CCI-000372

Discussion

If the security policy has been modified in an unauthorized manner, IA is severely degraded and a variety of further attacks are possible. Detecting whether the security policy has been modified or disabled mitigates these risks.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. If this function is not present, this is a finding.

To verify policies for the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy. On Rules tab, verify the correct rule set for the applicable policy to be applied. (4) On Actions tab, verify the correct Action type to take Actionable Result is set. (5) On Assignment tab, verify correct device types, users, or groups are assigned.

(Note: for "jailbroken" or "rooted device" detection, verify "Compromised Status" and "Is Compromised" is selected on Rules tab.

Fix

Configure the AirWatch MDM Server to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab select the following: (1a) To Match "All" or "Any" of the entered Rules, (2a) Choose deviation to detect on devices, and (3a) click "Next". (3) On Actions tab, select the following: (a) Choose Action type to take (command), and (b) Actionable Result, and (c) click Next. (4) On Assignment tab select device types, users, or groups to assign Policy to, and (5) click "Next". (6) View Summary for accuracy, and (7) click Save and Assign.

(Note: for "jailbroken" or "rooted device" detection, select "Compromised Status" and "Is Compromised" on Rules tab.
V-47337 No Change
Findings ID: ARWA-02-000190 Rule ID: SV-60209r1_rule Severity: medium CCI: CCI-000374

Discussion

Uncoordinated or incorrect configuration changes to the AirWatch MDM Server managed components can potentially lead to compromises. Without automated mechanisms to respond to changes, changes can go unnoticed for a significant amount of time which could result in compromise.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can employ automated mechanisms to respond to unauthorized changes to the security policy or AirWatch MDM Server agent on managed mobile devices. If this function is not present, this is a finding.

To verify policies for the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy. On Rules tab, verify the correct rule set for the applicable policy to be applied. (4) On Actions tab, verify the correct Action type to take Actionable Result is set. (5) On Assignment verify correct device types, users, or groups are assigned.

(Note: for "jailbroken" or "rooted device" detection, verify "Compromised Status" and "Is Compromised" is selected on Rules tab.

Fix

Configure the AirWatch MDM Server to automatically respond to unauthorized changes to the security policy or AirWatch MDM Server agent on managed mobile devices.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab select the following: (1a) to Match "All" or "Any" of the entered Rules, (2a) choose deviation to detect on devices, and (3a) click "Next". (3) On Actions tab, select the following: (a) choose Action type to take (command), and (b) Actionable Result, and (c) click "Next". (4) On Assignment tab select device types, users, or groups to assign Policy to, and (5) click "Next". (6) View Summary for accuracy, and (7) click "Save and Assign".

(Note: for "jailbroken" or "rooted device" detection, select "Compromised Status" and "Is Compromised" on Rules tab.
V-47339 No Change
Findings ID: ARWA-02-000195 Rule ID: SV-60211r1_rule Severity: medium CCI: CCI-000778

Discussion

When managed mobile devices connect to the AirWatch MDM Server, the security policy and possible sensitive DoD data will be pushed to the device. In addition, the device may be provided access to application and web servers on the DoD network. Therefore, strong authentication of the user on the device is required to ensure sensitive DoD data is not exposed and unauthorized access to the DoD network is not granted, exposing the network to malware and attack.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can uniquely identify mobile devices managed by the server prior to connecting to the device. If this function is not present, this is a finding.

The AirWatch system meets this requirement both by inherent certificate technology, and also user authentication via integration with a STIG compliant Active Directory system upon device "Enrollment" (initial entry into DoD MDM system which initiates provisioning and access):

AirWatch, upon native installation, activates a "Secure Channel" and generates root X.509 certificate to identify itself to devices and issue public keys to those devices for authentication. To verify that Secure Channel is active: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Advanced", and (5) click "Secure Channel Certificate". (6) Ensure Secure Channel is enabled for applicable platforms and certificate is uploaded.

User utilizes User ID/Password combination via Active Directory to connect device to AirWatch system: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Enterprise Integration", and (5) click "Directory Services". (6) On "Server" tab, verify URL for Active Directory server, applicable encryption method and port, authentication type, and service account details (service account for AirWatch must be created with Read permissions to Active Directory). On "User" and "Group" tabs (6) verify applicable Domain and Base Domain Names are entered.

To verify specific Active Directory User Accounts: (1) click "Menu" on top tool bar, (2) click "Users" under "Accounts" heading, (4) click applicable user, and check the account is set for "Directory" authentication.

To verify device Enrollment (connection to AirWatch MDM Server from device) via Active Directory authentication is configured: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Devices and Users" on left-hand tool bar, (4) click "General", and (5) click "Enrollment". (6) Under Authentication tab, ensure box labeled "Directory" in Authentication Modes section is checked.

Fix

Configure the AirWatch MDM Server to authenticate through the Enterprise Authentication Mechanism.

To install AirWatch Secure Channel, please refer to the "Directory Services Guide" page 4 for information on integrating Active Directory servers with the AirWatch system, and page 8 for information on creating AirWatch users utilizing Active Directory sync for installation instructions on host server and network. Typically installed during initial AirWatch installation.

To enforce User ID/Password combination via Active Directory to connect device to AirWatch system: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Enterprise Integration", and (4) click "Directory Services". (5) On "Server" tab, enter URL for Active Directory server, applicable encryption method and port, authentication type, and service account details (service account for AirWatch must be created with Read permissions to Active Directory; see "Enrollment Overview Guide" page 7 for "Enabling Directory Service-Based Enrollment" and "Agent Security" page 2 for certificate authentication information for further information). On "User" and "Group" tabs (6) select applicable Domain and Base Domain Names. (7) Click "Save".

To create Active Directory User Account: (1) click "Menu" on top tool bar, (2) click "Users" under "Accounts" heading, and (3) click "Add". (4) Select "Directory" as authentication type, and (5) enter user name, then, (6) click "Search User". (7) Click "Save" to add user account.

To enable device Enrollment (connection to AirWatch MDM Server from device) via Active Directory authentication: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Devices and Users" on left-hand tool bar, (4) click "General", and (5) click "Enrollment". (6) Under Authentication tab, check box labeled "Directory" in Authentication Modes section. (7) Click "Save".
V-47341 No Change
Findings ID: ARWA-01-000177 Rule ID: SV-60213r1_rule Severity: medium CCI: CCI-001069

Discussion

Unauthorized software poses a risk to the device because it could potentially perform malicious functions, including but not limited to gathering sensitive information, searching for other system vulnerabilities, or modifying log entries. A mechanism to detect unauthorized software and notify officials of its presence assists in the task of removing such software to eliminate the risks it poses to the device and the networks to which the device attaches.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component can detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials. If this function is not present, this is a finding.

To verify Required Application Lists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, on left-hand tool bar (3) click on "Application Groups", (4) click on applicable "Required Applications" Group, and verify that correct information is set.

To verify policies for detecting illegal application via the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify. On Rules tab verify the correct rule set for the applicable policy to be applied (first drop-down box should read "Application List", second should read "Contains..." or "Does Not Contain..." and refer to Blacklist/Whitelist/Required application group). (4) Click "Next". (5) On Actions tab, verify the correct Action type to take Actionable Result is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment verify correct device types, users, or groups are assigned.

Fix

Configure the AirWatch MDM Server device integrity validation component to detect and report the presence of unauthorized software.

To create Required Applications Groups in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups", (4) click "Add Group", and under drop-down box labeled "Type" choose "Blacklist". (5) Choose Android or iOS platform, and (6) add applicable applications. (7) Click "Next" to review summary, and click "Finish".

To establish application group policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to Match "All" or "Any" of the entered Rules, (4) in first drop-down box select "Application List", (5) denote group rule (if MOS contains/does not contain Whitelisted/ Blacklisted/ Required applications), and (6) click "Next". (7) On Actions tab, (8) select "Notify" in first drop-down box, (9) select "Send Email to Administrator" in second drop-down box, and (10) enter in applicable email addresses for notification in "To:" box. (11) Click "Next". On Assignment tab (12) select device types, users, or groups to assign Policy to, and (13) click "Next". (14) View Summary for accuracy, and (15) click "Save and Assign".


V-47343 No Change
Findings ID: ARWA-03-000185 Rule ID: SV-60215r1_rule Severity: medium CCI: CCI-001133

Discussion

If communication’s sessions remain open for extended periods of time even when unused, there is the potential for an adversary to highjack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability.

Checks

Review the AirWatch MDM Server configuration to verify the system terminates network connections after an organization-defined time period of inactivity. If communications are not terminated at the end of a session or after an organization-defined time period of inactivity, this is a finding.

To verify the session Timeout: (1) click "Menu" on top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Admin", (4) click "Console Security", click "Session Management", and (5) verify the fields under forced timeout and idle timeout are set to 15 minutes.

Fix

Configure the AirWatch MDM Server to terminate network connections at the end of the session or after the organization-defined time period of inactivity.

To adjust the session Timeout: (1) click "Menu" on top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "Admin", (4) click "Console Security", (5) click "Session Management", and (6) configure the fields under forced timeout and idle timeout to 15 minutes. (7) Click "Save".
V-47345 No Change
Findings ID: ARWA-02-000226 Rule ID: SV-60217r1_rule Severity: medium CCI: CCI-001184

Discussion

AirWatch MDM Server can be prone to man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of SSL Mutual Authentication authenticity of the data cannot be guaranteed.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server ensures authentication of both mobile device AirWatch MDM Server agent and server during the entire session. If it does not, this is a finding.

AirWatch, upon native installation, activates a "Secure Channel" and generates root X.509 certificate to identify itself to devices and issue public keys to those devices for authentication. To verify Secure Channel is active: (1) click "Menu" from top tool bar, (2) click "System Configuration" under "Configuration" heading, (3) click "System" on left-hand tool bar, (4) click "Advanced", and (5) click "Secure Channel Certificate". (6) Ensure Secure Channel is enabled for applicable platforms and certificate is uploaded.

Fix

Configure the AirWatch MDM Server to authenticate both the mobile device AirWatch MDM Server agent and server during the entire session.

To install AirWatch Secure Channel, please see "On-Premise Architecture Guide", page 26, "Appendix B - SSL Certificate Setup" for information on applying procured SSL certificates to the AirWatch MDM Server.

To enable SSL encryption: follow the applicable STIG detailing Microsoft server procedures for procuring and binding SSL Certificates.
V-47347 No Change
Findings ID: ARWA-01-000235 Rule ID: SV-60219r1_rule Severity: medium CCI: CCI-001265

Discussion

Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server notifies when it detects unauthorized changes to security configuration of managed mobile devices. If the AirWatch MDM Server does not notify in this case, this is a finding.

To verify policies for detecting device changes via the Compliance Engine are set to notify properly, use the following procedure: 1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify. (4) On Rules tab verify the correct rule set for the applicable policy to be applied. (5) Click "Next". (6) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (7) On Assignment tab verify correct device types, users, or groups are assigned.

Fix

Use an AirWatch MDM Server that can perform required actions after receiving security related alerts.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box select applicable rule to be set, and (5) click "Next". (6) On Actions tab, (7) select "Notify" in first drop-down box, (8) select "Send Email to Administrator" in second drop-down box, and (9) enter in applicable email addresses for notification in "To:" box. (10) Click "Next". (11) On Assignment tab select device types, users, or groups to assign Policy to, and (12) click "Next". (13) View Summary for accuracy, and (14) click "Save and Assign".
V-47349 No Change
Findings ID: ARWA-01-000236 Rule ID: SV-60221r1_rule Severity: high CCI: CCI-001265

Discussion

Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. Types of actions the AirWatch MDM Server must be able to perform after a security alert include: log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the AirWatch MDM Server, disable the security container, wipe the security container, and delete any unapproved application. Security alerts include any alert from the MDIS or MAM component of the AirWatch MDM Server.

Checks

Review the AirWatch MDM Server configuration to determine if it has the capability to perform required actions after receiving a security related alert. If the AirWatch MDM Server cannot perform required actions after receiving a security related alert, this is a finding.

This requirement is met by setting appropriate Actions to be taken by the automated Compliance Engine component:

To verify policies for detecting device changes via the Compliance Engine are set to notify properly, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify. (4) On Rules tab verify the correct rule set for the applicable policy to be applied. (5) Click "Next". (6) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (7) On Assignment tab verify correct device types, users, or groups are assigned.

Fix

Use an AirWatch MDM Server that can perform required actions after receiving security related alerts.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box select applicable rule to be set, and (5) click "Next". (6) On Actions tab, select appropriate action to take. (7) Click "Next". (8) On Assignment tab select device types, users, or groups to assign Policy to, and (9) click "Next". (10) View Summary for accuracy, and (11) click "Save and Assign".
V-47351 No Change
Findings ID: ARWA-01-000237 Rule ID: SV-60223r1_rule Severity: medium CCI: CCI-001266

Discussion

Integrity checking applications are by their nature, designed to monitor and detect defined events occurring on the system. When the integrity checking mechanism finds an anomaly, it must notify personnel in order to ensure the proper action is taken based upon the integrity issues found. If notification is not performed, the issue may continue or worsen to allow intruders into the system.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component includes the capability to notify an organization-defined list of response personnel who are identified by name and/or by role notifications of suspicious events. If this function is not configured, this is a finding.

To verify policies for detecting device changes via the Compliance Engine are set to notify properly, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy to verify on Rules tab the correct rule set for the applicable policy to be applied. (4) Click "Next". (5) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix

Configure the AirWatch MDM Server device integrity validation component to provide the capability to notify an organization-defined list of response personnel who are identified by name and/or by role notifications of suspicious events.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box, select applicable rule to be set, and (5) click "Next". (6) On Actions tab, (7) select "Notify" in first drop-down box, (8) select "Send Email to Administrator" in second drop-down box, and (9) enter in applicable email addresses for notification in "To:" box. (10) Click "Next". (11) On Assignment tab select device types, users, or groups to assign Policy to, and (12) click "Next". (13) View Summary for accuracy, and (14) click "Save and Assign".
V-47353 No Change
Findings ID: ARWA-01-000238 Rule ID: SV-60225r1_rule Severity: high CCI: CCI-001274

Discussion

Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. The ability of an AirWatch MDM Server to detect "jailbreaking" or rooting of the device mitigates the potential for these breaches to have further consequences to the enterprise.

"Jailbreaking"/rooting refers to a mobile device where the security mechanisms of the hardware and OS of the device have been bypassed so the user has root access.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component uses automated mechanisms to alert security personnel when the device has been "jailbroken" or rooted. If this function is not configured, this is a finding.

To verify Compliance Policy is set to detect "Jailbroken" or Rooted devices: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on the hyperlinked compliance policy title, and verify in presented menu that on the tab titled "Rules" that the appropriate setting is selected in the first drop-down box (for detecting "jailbroken"/rooted devices, this should read "Compromised Status"). (4) Click "Next". (5) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix

Configure the AirWatch MDM Server device integrity validation component to use automated mechanisms to alert security personnel when the device has been "jailbroken" or rooted.

To set Compliance Policy for "Jailbroken" or Rooted device detection with notification action: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) select "Compromised Status" in first drop-down box, and (5) "Is Compromised" in second drop-down box. (6) Click the "Next" button. (7) On Actions tab, (8) select "Notify" in first drop-down box, (9) select "Send Email to Administrator" in second drop-down box, and (10) enter in applicable email addresses for notification in "To:" box. (11) Click "Next". (12) On Assignment tab, select device types, users, or groups to assign Policy to, and (13) click "Next". (14) View Summary for accuracy, and (15) click "Save and Assign".
V-47355 No Change
Findings ID: ARWA-01-000246 Rule ID: SV-60227r1_rule Severity: high CCI: CCI-001297

Discussion

One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component identifies the affected mobile device, severity of the finding, and provide a recommended mitigation. If this function is not configured, this is a finding.

Ensure Compliance detection for various Policies are properly set: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on the hyperlinked compliance policy title, and verify in presented menu that on the tab titled "Rules" that the appropriate setting is selected in the first drop-down box (for detecting "jailbroken"/rooted devices, this should read "Compromised Status"). (4) Click "Next". (5) On Actions tab, verify the correct Action to take is set (for notification, first drop-down box should read "Notify", second should read "Send Email to Administrator", and third should list applicable email addresses). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix

Configure the AirWatch MDM Server device integrity validation component to identify the affected mobile device, severity of the finding, and provide a recommended mitigation.

To set Compliance Policies: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box select applicable rule to be set, and (5) click "Next". (6) On Actions tab, select appropriate action to take (Administrator is able set escalation of Actions based on internal risk level decision). (7) Click "Next". (8) On Assignment tab, select device types, users, or groups to assign Policy to, and (9) click "Next". (10) View Summary for accuracy, and (11) click "Save and Assign".
V-47357 No Change
Findings ID: ARWA-01-000247 Rule ID: SV-60229r1_rule Severity: medium CCI: CCI-001297

Discussion

One of the most significant indicators of an IA attack is modification of operating system files, device drivers, or security enforcement mechanisms. An integrity verification capability or tool detects unauthorized modifications to files or permissions and either prevents further operation or reports its findings so an appropriate response can occur.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server device integrity validation component bases recommended mitigations for findings on the identified risk level of the finding. If this function is not configured, this is a finding.

Ensure Compliance detection escalations for various Policies are properly set: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on the hyperlinked compliance policy title, and verify in presented menu that on the tab titled "Rules" that the appropriate setting is selected in the first drop-down box (for detecting "jailbroken"/rooted devices, this should read "Compromised Status"). (4) Click "Next". (5) On Actions tab, verify the correct Action to take is selected (Administrator is able to set escalation of Actions based on internal risk level decision). (6) On Assignment tab, verify correct device types, users, or groups are assigned.

Fix

Configure the AirWatch MDM Server device integrity validation component to base recommended mitigations for findings on the identified risk level of the finding.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab, (3) select to match "All" or "Any" of the entered Rules, (4) in first drop-down box, select applicable rule to be set, and (5) click "Next". (6) On Actions tab, select appropriate action to take (Administrator is able to set escalation of Actions based on internal risk level decision). (7) Click "Next". (8) On Assignment tab, select device types, users, or groups to assign Policy to, and (9) click "Next". (10) View Summary for accuracy, and (11) click "Save and Assign".
V-47359 No Change
Findings ID: ARWA-02-000258 Rule ID: SV-60231r1_rule Severity: medium CCI: CCI-001348

Discussion

Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media other than the system being audited on an organizationally-defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.

Checks

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server backs up audit records on an organization-defined frequency onto a different system or media other than the system being audited. If the AirWatch MDM Server does not back up audit records on an organization-defined frequency onto a different system or media other than the system being audited, this is a finding.

To verify the exporting of specific information collected by the AirWatch application to an external auditing or reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) verify proper configuration information. (7) Check report output on external system to verify functionality.

Fix

Configure the AirWatch MDM Server to back up audit records on an organization-defined frequency onto a different system or media other than the system being audited.

To export auditing information to external reporting system: click the (1) "Menu" button from top tool bar, (2) click on "System Configuration" under "Configuration" heading, (3) click on "System" on left-hand tool bar, (4) click on "Enterprise Integration", (5) click on "Syslog", and (6) enter in information for applicable destination logging server in box labeled "Message Content". (7) Click "Save".
V-48041 No Change
Findings ID: ARWA-02-000079 Rule ID: SV-60913r1_rule Severity: medium CCI: CCI-000347

Discussion

Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Security-relevant configuration changes, if not authorized, are a breach of system security and might indicate a broader attack is occurring. Recording security-relevant changes in the audit logs mitigates the risk that unauthorized changes will go undetected.

Checks

Inspect the audit logs to ensure security relevant configuration changes are being recorded. Make several security relevant configuration changes and verify these were recorded in the audit log. If any of the security relevant changes do not appear in the log, this is a finding.

To access event log: From the administration console, (1) click the "Menu" button on top of the tool bar, and (2) click "Events" under "Reports and Analytics" heading. From the "Events" menu, (3) click the "Device Events" button. (4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and define parameters, or use the search box located to the right of the drop-down filters to search the event logs.

Fix

Configure the AirWatch MDM Server to record an event in the device audit log each time there is a security relevant configuration change.

To access the Device event log: From the administration console, (1) click the "Menu" button on top of the tool bar, and (2) click "Events" under "Reports and Analytics" heading. From the "Events" menu, (3) click the "Device Events" button. (4) Filter events by clicking on the "Date Range," "Severity," "Category," or "Module" drop-down menus and define parameters, or use the search box located to the right of the drop-down filters to search the event logs.